auth0-server-python 1.0.0b7__tar.gz → 1.0.0b9__tar.gz

{auth0_server_python-1.0.0b7 → auth0_server_python-1.0.0b9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: auth0-server-python
-Version: 1.0.0b7
+Version: 1.0.0b9
 Summary: Auth0 server-side Python SDK
 License: MIT
 License-File: LICENSE
@@ -18,7 +18,7 @@ Classifier: Programming Language :: Python :: 3.14
 Requires-Dist: authlib (>=1.2,<2.0)
 Requires-Dist: cryptography (>=43.0.1)
 Requires-Dist: httpx (>=0.28.1,<0.29.0)
-Requires-Dist: jwcrypto (>=1.5.6,<2.0.0)
+Requires-Dist: jwcrypto (>=1.5.7,<2.0.0)
 Requires-Dist: pydantic (>=2.10.6,<3.0.0)
 Requires-Dist: pyjwt (>=2.8.0)
 Description-Content-Type: text/markdown
@@ -129,6 +129,75 @@ async def callback(request: Request):
     return RedirectResponse(url="/")
 ```
 
+### 4. Login with Custom Token Exchange
+
+If you're migrating from a legacy authentication system or integrating with a custom identity provider, you can exchange external tokens for Auth0 tokens using the OAuth 2.0 Token Exchange specification (RFC 8693):
+
+```python
+from auth0_server_python.auth_types import LoginWithCustomTokenExchangeOptions
+
+# Exchange a custom token and establish a session
+result = await auth0.login_with_custom_token_exchange(
+    LoginWithCustomTokenExchangeOptions(
+        subject_token="your-custom-token",
+        subject_token_type="urn:acme:mcp-token",
+        audience="https://api.example.com"
+    ),
+    store_options={"request": request, "response": response}
+)
+
+# Access the user session
+user = result.state_data["user"]
+```
+
+For advanced token exchange scenarios (without creating a session), use `custom_token_exchange()` directly:
+
+```python
+from auth0_server_python.auth_types import CustomTokenExchangeOptions
+
+# Exchange a custom token for Auth0 tokens
+response = await auth0.custom_token_exchange(
+    CustomTokenExchangeOptions(
+        subject_token="your-custom-token",
+        subject_token_type="urn:acme:mcp-token",
+        audience="https://api.example.com",
+        scope="read:data write:data"
+    )
+)
+
+print(response.access_token)
+```
+
+For more details and examples, see [examples/CustomTokenExchange.md](examples/CustomTokenExchange.md).
+
+### 5. Multiple Custom Domains (MCD)
+
+For applications that use multiple custom domains on the same Auth0 tenant, pass a domain resolver function instead of a static domain string:
+
+```python
+from auth0_server_python.auth_server.server_client import ServerClient
+from auth0_server_python.auth_types import DomainResolverContext
+
+async def domain_resolver(context: DomainResolverContext) -> str:
+    host = context.request_headers.get('host', '').split(':')[0]
+    domain_map = {
+        "acme.yourapp.com": "acme.auth0.com",
+        "globex.yourapp.com": "globex.auth0.com",
+    }
+    return domain_map.get(host, "default.auth0.com")
+
+auth0 = ServerClient(
+    domain=domain_resolver,  # Callable enables MCD mode
+    client_id='<AUTH0_CLIENT_ID>',
+    client_secret='<AUTH0_CLIENT_SECRET>',
+    secret='<AUTH0_SECRET>',
+)
+```
+
+The SDK handles per-domain OIDC discovery, JWKS fetching, issuer validation, and session isolation automatically. Static string domains continue to work unchanged.
+
+For more details and examples, see [examples/MultipleCustomDomains.md](examples/MultipleCustomDomains.md).
+
 ## Feedback
 
 ### Contributing

{auth0_server_python-1.0.0b7 → auth0_server_python-1.0.0b9}/README.md

@@ -104,6 +104,75 @@ async def callback(request: Request):
     return RedirectResponse(url="/")
 ```
 
+### 4. Login with Custom Token Exchange
+
+If you're migrating from a legacy authentication system or integrating with a custom identity provider, you can exchange external tokens for Auth0 tokens using the OAuth 2.0 Token Exchange specification (RFC 8693):
+
+```python
+from auth0_server_python.auth_types import LoginWithCustomTokenExchangeOptions
+
+# Exchange a custom token and establish a session
+result = await auth0.login_with_custom_token_exchange(
+    LoginWithCustomTokenExchangeOptions(
+        subject_token="your-custom-token",
+        subject_token_type="urn:acme:mcp-token",
+        audience="https://api.example.com"
+    ),
+    store_options={"request": request, "response": response}
+)
+
+# Access the user session
+user = result.state_data["user"]
+```
+
+For advanced token exchange scenarios (without creating a session), use `custom_token_exchange()` directly:
+
+```python
+from auth0_server_python.auth_types import CustomTokenExchangeOptions
+
+# Exchange a custom token for Auth0 tokens
+response = await auth0.custom_token_exchange(
+    CustomTokenExchangeOptions(
+        subject_token="your-custom-token",
+        subject_token_type="urn:acme:mcp-token",
+        audience="https://api.example.com",
+        scope="read:data write:data"
+    )
+)
+
+print(response.access_token)
+```
+
+For more details and examples, see [examples/CustomTokenExchange.md](examples/CustomTokenExchange.md).
+
+### 5. Multiple Custom Domains (MCD)
+
+For applications that use multiple custom domains on the same Auth0 tenant, pass a domain resolver function instead of a static domain string:
+
+```python
+from auth0_server_python.auth_server.server_client import ServerClient
+from auth0_server_python.auth_types import DomainResolverContext
+
+async def domain_resolver(context: DomainResolverContext) -> str:
+    host = context.request_headers.get('host', '').split(':')[0]
+    domain_map = {
+        "acme.yourapp.com": "acme.auth0.com",
+        "globex.yourapp.com": "globex.auth0.com",
+    }
+    return domain_map.get(host, "default.auth0.com")
+
+auth0 = ServerClient(
+    domain=domain_resolver,  # Callable enables MCD mode
+    client_id='<AUTH0_CLIENT_ID>',
+    client_secret='<AUTH0_CLIENT_SECRET>',
+    secret='<AUTH0_SECRET>',
+)
+```
+
+The SDK handles per-domain OIDC discovery, JWKS fetching, issuer validation, and session isolation automatically. Static string domains continue to work unchanged.
+
+For more details and examples, see [examples/MultipleCustomDomains.md](examples/MultipleCustomDomains.md).
+
 ## Feedback
 
 ### Contributing

{auth0_server_python-1.0.0b7 → auth0_server_python-1.0.0b9}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "auth0-server-python"
-version = "1.0.0.b7"
+version = "1.0.0b9"
 description = "Auth0 server-side Python SDK"
 readme = "README.md"
 authors = ["Auth0 <support@okta.com>"]
@@ -17,7 +17,7 @@ pyjwt = ">=2.8.0"
 authlib = "^1.2"
 httpx = "^0.28.1"
 pydantic = "^2.10.6"
-jwcrypto = "^1.5.6"
+jwcrypto = "^1.5.7"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^7.2"
@@ -25,7 +25,7 @@ pytest-cov = "^4.0"
 pytest-asyncio = ">=0.20.3,<0.24.0"
 pytest-mock = "^3.14.0"
 twine = "^6.1.0"
-ruff = "^0.1.0"
+ruff = ">=0.1"
 
 [tool.pytest.ini_options]
 addopts = "--cov=auth0_server_python --cov-report=term-missing:skip-covered --cov-report=xml"

auth0_server_python-1.0.0b9/src/auth0_server_python/auth_server/my_account_client.py

@@ -0,0 +1,335 @@
+
+from typing import Optional
+
+import httpx
+
+from auth0_server_python.auth_schemes.bearer_auth import BearerAuth
+from auth0_server_python.auth_types import (
+    CompleteConnectAccountRequest,
+    CompleteConnectAccountResponse,
+    ConnectAccountRequest,
+    ConnectAccountResponse,
+    ListConnectedAccountConnectionsResponse,
+    ListConnectedAccountsResponse,
+)
+from auth0_server_python.error import (
+    ApiError,
+    InvalidArgumentError,
+    MissingRequiredArgumentError,
+    MyAccountApiError,
+)
+
+
+class MyAccountClient:
+    """
+    Client for interacting with the Auth0 MyAccount API.
+    """
+
+    def __init__(self, domain: str):
+        """
+        Initialize the MyAccount API client.
+
+        Args:
+            domain: Auth0 domain (e.g., '<tenant>.<locality>.auth0.com')
+        """
+        self._domain = domain
+
+    @property
+    def audience(self):
+        """
+        Get the MyAccount API audience URL.
+
+        Returns:
+            The audience URL for the MyAccount API
+        """
+        return f"https://{self._domain}/me/"
+
+    async def connect_account(
+        self,
+        access_token: str,
+        request: ConnectAccountRequest
+    ) -> ConnectAccountResponse:
+        """
+        Initiate the connected account flow.
+
+        Args:
+            access_token: User's access token for authentication
+            request: Request containing connection details and configuration
+
+        Returns:
+            Response containing the connect URI and authentication session details
+
+        Raises:
+            MyAccountApiError: If the API returns an error response
+            ApiError: If the request fails due to network or other issues
+        """
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.post(
+                    url=f"{self.audience}v1/connected-accounts/connect",
+                    json=request.model_dump(exclude_none=True),
+                    auth=BearerAuth(access_token)
+                )
+
+                if response.status_code != 201:
+                    error_data = response.json()
+                    raise MyAccountApiError(
+                        title=error_data.get("title", None),
+                        type=error_data.get("type", None),
+                        detail=error_data.get("detail", None),
+                        status=error_data.get("status", None),
+                        validation_errors=error_data.get("validation_errors", None)
+                    )
+
+                data = response.json()
+
+                return ConnectAccountResponse.model_validate(data)
+
+        except Exception as e:
+            if isinstance(e, MyAccountApiError):
+                raise
+            raise ApiError(
+                "connect_account_error",
+                f"Connected Accounts connect request failed: {str(e) or 'Unknown error'}",
+                e
+            )
+
+    async def complete_connect_account(
+        self,
+        access_token: str,
+        request: CompleteConnectAccountRequest
+    ) -> CompleteConnectAccountResponse:
+        """
+        Complete the connected account flow after user authorization.
+
+        Args:
+            access_token: User's access token for authentication
+            request: Request containing the auth session, connect code, and redirect URI
+
+        Returns:
+            Response containing the connected account details including ID, connection, and scopes
+
+        Raises:
+            MyAccountApiError: If the API returns an error response
+            ApiError: If the request fails due to network or other issues
+        """
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.post(
+                    url=f"{self.audience}v1/connected-accounts/complete",
+                    json=request.model_dump(exclude_none=True),
+                    auth=BearerAuth(access_token)
+                )
+
+                if response.status_code != 201:
+                    error_data = response.json()
+                    raise MyAccountApiError(
+                        title=error_data.get("title", None),
+                        type=error_data.get("type", None),
+                        detail=error_data.get("detail", None),
+                        status=error_data.get("status", None),
+                        validation_errors=error_data.get("validation_errors", None)
+                    )
+
+                data = response.json()
+
+                return CompleteConnectAccountResponse.model_validate(data)
+
+        except Exception as e:
+            if isinstance(e, MyAccountApiError):
+                raise
+            raise ApiError(
+                "connect_account_error",
+                f"Connected Accounts complete request failed: {str(e) or 'Unknown error'}",
+                e
+            )
+
+    async def list_connected_accounts(
+        self,
+        access_token: str,
+        connection: Optional[str] = None,
+        from_param: Optional[str] = None,
+        take: Optional[int] = None
+    ) -> ListConnectedAccountsResponse:
+        """
+        List connected accounts for the authenticated user.
+
+        Args:
+            access_token: User's access token for authentication
+            connection: Optional filter to list accounts for a specific connection
+            from_param: Optional pagination cursor for fetching next page of results
+            take: Optional number of results to return (must be a positive integer)
+
+        Returns:
+            Response containing the list of connected accounts and pagination details
+
+        Raises:
+            MissingRequiredArgumentError: If access_token is not provided
+            InvalidArgumentError: If take parameter is not a positive integer
+            MyAccountApiError: If the API returns an error response
+            ApiError: If the request fails due to network or other issues
+        """
+        if access_token is None:
+            raise MissingRequiredArgumentError("access_token")
+
+        if take is not None and (not isinstance(take, int) or take < 1):
+            raise InvalidArgumentError("take", "The 'take' parameter must be a positive integer.")
+
+        try:
+            async with httpx.AsyncClient() as client:
+                params = {}
+                if connection:
+                    params["connection"] = connection
+                if from_param:
+                    params["from"] = from_param
+                if take:
+                    params["take"] = take
+
+                response = await client.get(
+                    url=f"{self.audience}v1/connected-accounts/accounts",
+                    params=params,
+                    auth=BearerAuth(access_token)
+                )
+
+                if response.status_code != 200:
+                    error_data = response.json()
+                    raise MyAccountApiError(
+                        title=error_data.get("title", None),
+                        type=error_data.get("type", None),
+                        detail=error_data.get("detail", None),
+                        status=error_data.get("status", None),
+                        validation_errors=error_data.get("validation_errors", None)
+                    )
+
+                data = response.json()
+
+                return ListConnectedAccountsResponse.model_validate(data)
+
+        except Exception as e:
+            if isinstance(e, MyAccountApiError):
+                raise
+            raise ApiError(
+                "connect_account_error",
+                f"Connected Accounts list request failed: {str(e) or 'Unknown error'}",
+                e
+            )
+
+
+    async def delete_connected_account(
+        self,
+        access_token: str,
+        connected_account_id: str
+    ) -> None:
+        """
+        Delete a connected account for the authenticated user.
+
+        Args:
+            access_token: User's access token for authentication
+            connected_account_id: ID of the connected account to delete
+
+        Returns:
+            None
+
+        Raises:
+            MissingRequiredArgumentError: If access_token or connected_account_id is not provided
+            MyAccountApiError: If the API returns an error response
+            ApiError: If the request fails due to network or other issues
+        """
+
+        if access_token is None:
+            raise MissingRequiredArgumentError("access_token")
+
+        if connected_account_id is None:
+            raise MissingRequiredArgumentError("connected_account_id")
+
+        try:
+            async with httpx.AsyncClient() as client:
+                response = await client.delete(
+                    url=f"{self.audience}v1/connected-accounts/accounts/{connected_account_id}",
+                    auth=BearerAuth(access_token)
+                )
+
+                if response.status_code != 204:
+                    error_data = response.json()
+                    raise MyAccountApiError(
+                        title=error_data.get("title", None),
+                        type=error_data.get("type", None),
+                        detail=error_data.get("detail", None),
+                        status=error_data.get("status", None),
+                        validation_errors=error_data.get("validation_errors", None)
+                    )
+
+        except Exception as e:
+            if isinstance(e, MyAccountApiError):
+                raise
+            raise ApiError(
+                "connect_account_error",
+                f"Connected Accounts delete request failed: {str(e) or 'Unknown error'}",
+                e
+            )
+
+    async def list_connected_account_connections(
+        self,
+        access_token: str,
+        from_param: Optional[str] = None,
+        take: Optional[int] = None
+    ) -> ListConnectedAccountConnectionsResponse:
+        """
+        List available connections that support connected accounts.
+
+        Args:
+            access_token: User's access token for authentication
+            from_param: Optional pagination cursor for fetching next page of results
+            take: Optional number of results to return (must be a positive integer)
+
+        Returns:
+            Response containing the list of available connections and pagination details
+
+        Raises:
+            MissingRequiredArgumentError: If access_token is not provided
+            InvalidArgumentError: If take parameter is not a positive integer
+            MyAccountApiError: If the API returns an error response
+            ApiError: If the request fails due to network or other issues
+        """
+        if access_token is None:
+            raise MissingRequiredArgumentError("access_token")
+
+        if take is not None and (not isinstance(take, int) or take < 1):
+            raise InvalidArgumentError("take", "The 'take' parameter must be a positive integer.")
+
+        try:
+            async with httpx.AsyncClient() as client:
+                params = {}
+                if from_param:
+                    params["from"] = from_param
+                if take:
+                    params["take"] = take
+
+                response = await client.get(
+                    url=f"{self.audience}v1/connected-accounts/connections",
+                    params=params,
+                    auth=BearerAuth(access_token)
+                )
+
+                if response.status_code != 200:
+                    error_data = response.json()
+                    raise MyAccountApiError(
+                        title=error_data.get("title", None),
+                        type=error_data.get("type", None),
+                        detail=error_data.get("detail", None),
+                        status=error_data.get("status", None),
+                        validation_errors=error_data.get("validation_errors", None)
+                    )
+
+                data = response.json()
+
+                return ListConnectedAccountConnectionsResponse.model_validate(data)
+
+        except Exception as e:
+            if isinstance(e, MyAccountApiError):
+                raise
+            raise ApiError(
+                "connect_account_error",
+                f"Connected Accounts list connections request failed: {str(e) or 'Unknown error'}",
+                e
+            )