coreason-identity 0.4.1__tar.gz

coreason_identity-0.4.1/LICENSE

@@ -0,0 +1,57 @@
+# The Prosperity Public License 3.0.0
+
+Contributor: CoReason, Inc.
+
+Source Code: https://github.com/CoReason-AI/coreason_identity
+
+## Purpose
+
+This license allows you to use and share this software for noncommercial purposes for free and to try this software for commercial purposes for thirty days.
+
+## Agreement
+
+In order to receive this license, you have to agree to its rules.  Those rules are both obligations under that agreement and conditions to your license.  Don't do anything with this software that triggers a rule you can't or won't follow.
+
+## Notices
+
+Make sure everyone who gets a copy of any part of this software from you, with or without changes, also gets the text of this license and the contributor and source code lines above.
+
+## Commercial Trial
+
+Limit your use of this software for commercial purposes to a thirty-day trial period.  If you use this software for work, your company gets one trial period for all personnel, not one trial per person.
+
+## Contributions Back
+
+Developing feedback, changes, or additions that you contribute back to the contributor on the terms of a standardized public software license such as [the Blue Oak Model License 1.0.0](https://blueoakcouncil.org/license/1.0.0), [the Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html), [the MIT license](https://spdx.org/licenses/MIT.html), or [the two-clause BSD license](https://spdx.org/licenses/BSD-2-Clause.html) doesn't count as use for a commercial purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for the benefit of public knowledge, personal study, private entertainment, hobby projects, amateur pursuits, or religious observance, without any anticipated commercial application, doesn't count as use for a commercial purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution, public research organization, public safety or health organization, environmental protection organization, or government institution doesn't count as use for a commercial purpose regardless of the source of funding or obligations resulting from the funding.
+
+## Defense
+
+Don't make any legal claim against anyone accusing this software, with or without changes, alone or with other technology, of infringing any patent.
+
+## Copyright
+
+The contributor licenses you to do everything with this software that would otherwise infringe their copyright in it.
+
+## Patent
+
+The contributor licenses you to do everything with this software that would otherwise infringe any patents they can license or become able to license.
+
+## Reliability
+
+The contributor can't revoke this license.
+
+## Excuse
+
+You're excused for unknowingly breaking [Notices](#notices) if you take all practical steps to comply within thirty days of learning you broke the rule.
+
+## No Liability
+
+***As far as the law allows, this software comes as is, without any warranty or condition, and the contributor won't be liable to anyone for any damages related to this software or this license, under any kind of legal claim.***

coreason_identity-0.4.1/NOTICE

@@ -0,0 +1,8 @@
+Copyright (c) 2025 CoReason, Inc.. All Rights Reserved
+
+This software is licensed under the Prosperity Public License 3.0.0.
+The issuer of the Prosperity Public License for this software is CoReason, Inc..
+
+For a commercial version of this software, please contact us at gowtham.rao@coreason.ai.
+
+GENESIS COMMIT: Initializing repository coreason_identity per CoReason Clean Room Protocol PIP-001. This repository is established as an independently created De Novo development environment, commencing on 2026-01-01. I, Gowtham A Rao certify that this date is subsequent to my individual Temporal Firewall Date.

coreason_identity-0.4.1/PKG-INFO

@@ -0,0 +1,107 @@
+Metadata-Version: 2.4
+Name: coreason_identity
+Version: 0.4.1
+Summary: Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.
+License: Prosperity-3.0
+License-File: LICENSE
+License-File: NOTICE
+Author: Gowtham A Rao
+Author-email: gowtham.rao@coreason.ai
+Requires-Python: >=3.11, <3.15
+Classifier: License :: Other/Proprietary License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Operating System :: OS Independent
+Requires-Dist: aiofiles (>=23.0.0,<24.0.0)
+Requires-Dist: anyio (>=4.12.1,<5.0.0)
+Requires-Dist: authlib (>=1.6.6,<2.0.0)
+Requires-Dist: email-validator (>=2.3.0,<3.0.0)
+Requires-Dist: httpx (>=0.28.1,<0.29.0)
+Requires-Dist: loguru (>=0.7.2,<0.8.0)
+Requires-Dist: opentelemetry-api (>=1.39.1,<2.0.0)
+Requires-Dist: pydantic (>=2.12.5,<3.0.0)
+Requires-Dist: pydantic-settings (>=2.12.0,<3.0.0)
+Requires-Dist: types-aiofiles (>=23.0.0,<24.0.0)
+Project-URL: Documentation, https://github.com/CoReason-AI/coreason_identity
+Project-URL: Homepage, https://github.com/CoReason-AI/coreason_identity
+Project-URL: Repository, https://github.com/CoReason-AI/coreason_identity
+Description-Content-Type: text/markdown
+
+# coreason-identity
+
+Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.
+
+[![Organization](https://img.shields.io/badge/org-CoReason--AI-blue)](https://github.com/CoReason-AI)
+[![License](https://img.shields.io/badge/license-Prosperity%203.0-blue)](https://img.shields.io/badge/license-Prosperity%203.0-blue)
+[![Build Status](https://github.com/CoReason-AI/coreason_identity/actions/workflows/build.yml/badge.svg)](https://github.com/CoReason-AI/coreason_identity/actions)
+[![Code Style: Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+[![Documentation](https://img.shields.io/badge/docs-Product%20Requirements-green)](docs/product_requirements.md)
+
+## Overview
+
+`coreason-identity` ("The Bouncer") handles all Authentication (AuthN) and Role-Based Access Control (AuthZ) for the CoReason platform. It enforces a strict "Bouncer" philosophy: it checks IDs and checks lists but does not issue IDs.
+
+The package standardizes:
+*   **Protocol:** OIDC (OpenID Connect).
+*   **Identity Provider:** Auth0 or Keycloak.
+*   **Library:** Authlib.
+
+## Features
+
+Based on the [Product Requirements](docs/product_requirements.md):
+
+*   **OIDCProvider:** Fetches and caches JWKS from the OIDC Discovery URL (LRU Cache).
+*   **TokenValidator:** Validates JWT signatures, standard claims (`exp`, `iss`, `aud`), and enforces strict audience checks to prevent "Confused Deputy" attacks.
+*   **IdentityMapper:** Maps IdP claims to a standardized `UserContext` model, handling project context extraction and group-to-permission mapping.
+*   **DeviceFlowClient:** Implements RFC 8628 OAuth 2.0 Device Authorization Grant for headless CLI authentication.
+*   **Observability:** Emits OpenTelemetry spans and secure logs (PII hashed).
+
+## Installation
+
+```bash
+pip install coreason-identity
+```
+
+## Usage
+
+```python
+from coreason_identity import IdentityManager, CoreasonIdentityConfig, InvalidTokenError
+
+# 1. Initialize (The Borrowing)
+config = CoreasonIdentityConfig(domain="auth.coreason.com", audience="api://coreason")
+identity = IdentityManager(config)
+
+# 2. Validate (The Bouncer)
+try:
+    # Validate a raw Bearer token
+    user_context = identity.validate_token(auth_header="Bearer eyJ...")
+
+    # Access canonical Identity Passport fields
+    print(f"User {user_context.user_id} ({user_context.email}) is active.")
+
+    # Check groups for Row-Level Security
+    if "admin" in user_context.groups:
+        print("Admin access granted.")
+
+    # Access extended attributes
+    project = user_context.claims.get("project_context")
+    print(f"Authorized for project: {project}")
+
+except InvalidTokenError:
+    # Handle invalid tokens (expired, bad signature, wrong audience, etc.)
+    print("Access denied.")
+
+# 3. CLI Login (The Device Flow)
+# Initiate the flow
+flow = identity.start_device_login()
+print(f"Go to {flow.verification_uri} and enter {flow.user_code}")
+
+# Poll for tokens
+try:
+    tokens = identity.await_device_token(flow)
+    print("Login successful!")
+    print(f"Access Token: {tokens['access_token']}")
+except Exception as e:
+    print(f"Login failed: {e}")
+```
+

coreason_identity-0.4.1/README.md

@@ -0,0 +1,77 @@
+# coreason-identity
+
+Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.
+
+[![Organization](https://img.shields.io/badge/org-CoReason--AI-blue)](https://github.com/CoReason-AI)
+[![License](https://img.shields.io/badge/license-Prosperity%203.0-blue)](https://img.shields.io/badge/license-Prosperity%203.0-blue)
+[![Build Status](https://github.com/CoReason-AI/coreason_identity/actions/workflows/build.yml/badge.svg)](https://github.com/CoReason-AI/coreason_identity/actions)
+[![Code Style: Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
+[![Documentation](https://img.shields.io/badge/docs-Product%20Requirements-green)](docs/product_requirements.md)
+
+## Overview
+
+`coreason-identity` ("The Bouncer") handles all Authentication (AuthN) and Role-Based Access Control (AuthZ) for the CoReason platform. It enforces a strict "Bouncer" philosophy: it checks IDs and checks lists but does not issue IDs.
+
+The package standardizes:
+*   **Protocol:** OIDC (OpenID Connect).
+*   **Identity Provider:** Auth0 or Keycloak.
+*   **Library:** Authlib.
+
+## Features
+
+Based on the [Product Requirements](docs/product_requirements.md):
+
+*   **OIDCProvider:** Fetches and caches JWKS from the OIDC Discovery URL (LRU Cache).
+*   **TokenValidator:** Validates JWT signatures, standard claims (`exp`, `iss`, `aud`), and enforces strict audience checks to prevent "Confused Deputy" attacks.
+*   **IdentityMapper:** Maps IdP claims to a standardized `UserContext` model, handling project context extraction and group-to-permission mapping.
+*   **DeviceFlowClient:** Implements RFC 8628 OAuth 2.0 Device Authorization Grant for headless CLI authentication.
+*   **Observability:** Emits OpenTelemetry spans and secure logs (PII hashed).
+
+## Installation
+
+```bash
+pip install coreason-identity
+```
+
+## Usage
+
+```python
+from coreason_identity import IdentityManager, CoreasonIdentityConfig, InvalidTokenError
+
+# 1. Initialize (The Borrowing)
+config = CoreasonIdentityConfig(domain="auth.coreason.com", audience="api://coreason")
+identity = IdentityManager(config)
+
+# 2. Validate (The Bouncer)
+try:
+    # Validate a raw Bearer token
+    user_context = identity.validate_token(auth_header="Bearer eyJ...")
+
+    # Access canonical Identity Passport fields
+    print(f"User {user_context.user_id} ({user_context.email}) is active.")
+
+    # Check groups for Row-Level Security
+    if "admin" in user_context.groups:
+        print("Admin access granted.")
+
+    # Access extended attributes
+    project = user_context.claims.get("project_context")
+    print(f"Authorized for project: {project}")
+
+except InvalidTokenError:
+    # Handle invalid tokens (expired, bad signature, wrong audience, etc.)
+    print("Access denied.")
+
+# 3. CLI Login (The Device Flow)
+# Initiate the flow
+flow = identity.start_device_login()
+print(f"Go to {flow.verification_uri} and enter {flow.user_code}")
+
+# Poll for tokens
+try:
+    tokens = identity.await_device_token(flow)
+    print("Login successful!")
+    print(f"Access Token: {tokens['access_token']}")
+except Exception as e:
+    print(f"Login failed: {e}")
+```

coreason_identity-0.4.1/pyproject.toml

@@ -0,0 +1,74 @@
+[project]
+name = "coreason_identity"
+version = "0.4.1"
+description = "Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application."
+readme = "README.md"
+requires-python = ">=3.11, <3.15"
+authors = [
+    { name = "Gowtham A Rao", email = "gowtham.rao@coreason.ai" },
+]
+license = {text = "Prosperity-3.0"}
+classifiers = [
+    "License :: Other/Proprietary License",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Operating System :: OS Independent",
+]
+dependencies = [
+    "loguru>=0.7.2,<0.8.0",
+    "authlib>=1.6.6,<2.0.0",
+    "pydantic>=2.12.5,<3.0.0",
+    "pydantic-settings>=2.12.0,<3.0.0",
+    "httpx>=0.28.1,<0.29.0",
+    "email-validator>=2.3.0,<3.0.0",
+    "opentelemetry-api>=1.39.1,<2.0.0",
+    "anyio>=4.12.1,<5.0.0",
+    "aiofiles>=23.0.0,<24.0.0",
+    "types-aiofiles>=23.0.0,<24.0.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/CoReason-AI/coreason_identity"
+Repository = "https://github.com/CoReason-AI/coreason_identity"
+Documentation = "https://github.com/CoReason-AI/coreason_identity"
+
+[tool.poetry]
+packages = [{include = "coreason_identity", from = "src"}]
+include = [{ path = "NOTICE", format = ["sdist", "wheel"] }]
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.2.2"
+ruff = "^0.14.14"
+pre-commit = "^3.7.1"
+pytest-cov = "^5.0.0"
+mkdocs = "^1.6.0"
+mkdocs-material = "^9.5.26"
+opentelemetry-sdk = "^1.39.1"
+mypy = "^1.19.1"
+pytest-asyncio = "^1.3.0"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.ruff]
+line-length = 120
+target-version = "py311"
+
+[tool.ruff.lint]
+select = ["E", "F", "B", "I"]
+ignore = []
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+ignore_missing_imports = true
+plugins = ["pydantic.mypy"]
+
+[tool.pytest.ini_options]
+addopts = "--cov=src --cov-report=term-missing --cov-fail-under=100"
+testpaths = ["tests"]
+asyncio_mode = "auto"
+
+[tool.coverage.run]
+omit = ["tests/*"]

coreason_identity-0.4.1/src/coreason_identity/__init__.py

@@ -0,0 +1,44 @@
+# Copyright (c) 2025 CoReason, Inc.
+#
+# This software is proprietary and dual-licensed.
+# Licensed under the Prosperity Public License 3.0 (the "License").
+# A copy of the license is available at https://prosperitylicense.com/versions/3.0.0
+# For details, see the LICENSE file.
+# Commercial use beyond a 30-day trial requires a separate license.
+#
+# Source Code: https://github.com/CoReason-AI/coreason_identity
+
+"""
+Coreason Identity SDK
+"""
+
+from coreason_identity.config import CoreasonIdentityConfig
+from coreason_identity.exceptions import (
+    CoreasonIdentityError,
+    InsufficientPermissionsError,
+    InvalidAudienceError,
+    InvalidTokenError,
+    SignatureVerificationError,
+    TokenExpiredError,
+)
+from coreason_identity.manager import IdentityManager, IdentityManagerAsync
+from coreason_identity.models import DeviceFlowResponse, TokenResponse, UserContext
+
+__version__ = "0.3.0"
+__author__ = "Gowtham A Rao"
+__email__ = "gowtham.rao@coreason.ai"
+
+__all__ = [
+    "CoreasonIdentityConfig",
+    "IdentityManager",
+    "IdentityManagerAsync",
+    "UserContext",
+    "TokenResponse",
+    "DeviceFlowResponse",
+    "CoreasonIdentityError",
+    "InvalidTokenError",
+    "InvalidAudienceError",
+    "SignatureVerificationError",
+    "TokenExpiredError",
+    "InsufficientPermissionsError",
+]

coreason_identity-0.4.1/src/coreason_identity/config.py

@@ -0,0 +1,59 @@
+# Copyright (c) 2025 CoReason, Inc.
+#
+# This software is proprietary and dual-licensed.
+# Licensed under the Prosperity Public License 3.0 (the "License").
+# A copy of the license is available at https://prosperitylicense.com/versions/3.0.0
+# For details, see the LICENSE file.
+# Commercial use beyond a 30-day trial requires a separate license.
+#
+# Source Code: https://github.com/CoReason-AI/coreason_identity
+
+"""
+Configuration for the coreason-identity package.
+"""
+
+from typing import Optional
+from urllib.parse import urlparse
+
+from pydantic import field_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class CoreasonIdentityConfig(BaseSettings):
+    """
+    Configuration settings for coreason-identity.
+
+    Attributes:
+        domain (str): The domain of the Identity Provider (e.g. auth.coreason.com).
+        audience (str): The expected audience for the token.
+        client_id (Optional[str]): The OIDC Client ID (required for device flow).
+    """
+
+    model_config = SettingsConfigDict(
+        env_prefix="COREASON_AUTH_",
+        case_sensitive=False,
+    )
+
+    domain: str
+    audience: str
+    client_id: Optional[str] = None
+
+    @field_validator("domain")
+    @classmethod
+    def normalize_domain(cls, v: str) -> str:
+        """
+        Ensures domain is just the hostname (e.g. auth.coreason.com).
+        Strips scheme and path if present.
+
+        Args:
+            v: The domain string to normalize.
+
+        Returns:
+            The normalized hostname string.
+        """
+        v = v.strip().lower()
+        if "://" not in v:
+            v = f"https://{v}"
+
+        parsed = urlparse(v)
+        return parsed.netloc or v

coreason_identity-0.4.1/src/coreason_identity/device_flow_client.py

@@ -0,0 +1,213 @@
+# Copyright (c) 2025 CoReason, Inc.
+#
+# This software is proprietary and dual-licensed.
+# Licensed under the Prosperity Public License 3.0 (the "License").
+# A copy of the license is available at https://prosperitylicense.com/versions/3.0.0
+# For details, see the LICENSE file.
+# Commercial use beyond a 30-day trial requires a separate license.
+#
+# Source Code: https://github.com/CoReason-AI/coreason_identity
+
+"""
+DeviceFlowClient component for handling OAuth 2.0 Device Authorization Grant.
+"""
+
+import time
+from typing import Dict, Optional
+from urllib.parse import urljoin
+
+import anyio
+import httpx
+from pydantic import ValidationError
+
+from coreason_identity.exceptions import CoreasonIdentityError
+from coreason_identity.models import DeviceFlowResponse, TokenResponse
+from coreason_identity.utils.logger import logger
+
+
+class DeviceFlowClient:
+    """
+    Handles the OAuth 2.0 Device Authorization Grant flow (RFC 8628).
+
+    Attributes:
+        client_id (str): The OIDC Client ID.
+        idp_url (str): The base URL of the Identity Provider.
+        scope (str): The scopes to request.
+    """
+
+    def __init__(
+        self, client_id: str, idp_url: str, client: httpx.AsyncClient, scope: str = "openid profile email"
+    ) -> None:
+        """
+        Initialize the DeviceFlowClient.
+
+        Args:
+            client_id: The OIDC Client ID.
+            idp_url: The base URL of the Identity Provider (e.g., https://my-tenant.auth0.com).
+            client: The async HTTP client to use for requests.
+            scope: The scopes to request (default: "openid profile email").
+        """
+        self.client_id = client_id
+        self.idp_url = idp_url.rstrip("/")
+        self.client = client
+        self.scope = scope
+        self._endpoints: Optional[Dict[str, str]] = None
+
+    async def _get_endpoints(self) -> Dict[str, str]:
+        """
+        Discover OIDC endpoints from the IdP.
+
+        Returns:
+            A dictionary containing the discovered endpoints.
+
+        Raises:
+            CoreasonIdentityError: If OIDC discovery fails.
+        """
+        if self._endpoints:
+            return self._endpoints
+
+        discovery_url = f"{self.idp_url}/.well-known/openid-configuration"
+
+        try:
+            response = await self.client.get(discovery_url)
+            response.raise_for_status()
+            try:
+                config = response.json()
+            except ValueError as e:
+                raise CoreasonIdentityError(f"Invalid JSON response from OIDC discovery: {e}") from e
+
+            # Fallback to standard Auth0 paths if not in config
+            device_endpoint = config.get(
+                "device_authorization_endpoint", urljoin(f"{self.idp_url}/", "oauth/device/code")
+            )
+            token_endpoint = config.get("token_endpoint", urljoin(f"{self.idp_url}/", "oauth/token"))
+
+            self._endpoints = {
+                "device_authorization_endpoint": device_endpoint,
+                "token_endpoint": token_endpoint,
+            }
+            return self._endpoints
+        except httpx.HTTPError as e:
+            raise CoreasonIdentityError(f"Failed to discover OIDC endpoints: {e}") from e
+
+    async def initiate_flow(self, audience: Optional[str] = None) -> DeviceFlowResponse:
+        """
+        Initiates the Device Authorization Flow.
+
+        Args:
+            audience: Optional audience for the token.
+
+        Returns:
+            DeviceFlowResponse containing device_code, user_code, verification_uri, etc.
+
+        Raises:
+            CoreasonIdentityError: If the flow initiation fails or the response is invalid.
+        """
+        endpoints = await self._get_endpoints()
+        url = endpoints["device_authorization_endpoint"]
+
+        data = {
+            "client_id": self.client_id,
+            "scope": self.scope,
+        }
+        if audience:
+            data["audience"] = audience
+
+        try:
+            response = await self.client.post(url, data=data)
+            response.raise_for_status()
+            try:
+                resp_data = response.json()
+            except ValueError as e:
+                raise CoreasonIdentityError(f"Invalid JSON response from initiate flow: {e}") from e
+            return DeviceFlowResponse(**resp_data)
+        except httpx.HTTPError as e:
+            logger.error(f"Device flow initiation failed: {e}")
+            raise CoreasonIdentityError(f"Failed to initiate device flow: {e}") from e
+        except ValidationError as e:
+            logger.error(f"Invalid response from device flow init: {e}")
+            raise CoreasonIdentityError(f"Invalid response from IdP: {e}") from e
+
+    async def poll_token(self, device_response: DeviceFlowResponse) -> TokenResponse:
+        """
+        Polls the token endpoint until the user authorizes the device or the code expires.
+
+        Args:
+            device_response: The response from initiate_flow.
+
+        Returns:
+            TokenResponse containing access_token, refresh_token, etc.
+
+        Raises:
+            CoreasonIdentityError: If polling fails, times out, or the request is denied.
+        """
+        endpoints = await self._get_endpoints()
+        url = endpoints["token_endpoint"]
+        device_code = device_response.device_code
+        interval = device_response.interval
+        expires_in = device_response.expires_in
+
+        start_time = time.time()
+        end_time = start_time + expires_in
+
+        logger.info(f"Polling for token. Expires in {expires_in}s. Interval: {interval}s")
+
+        while time.time() < end_time:
+            data = {
+                "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+                "device_code": device_code,
+                "client_id": self.client_id,
+            }
+
+            try:
+                response = await self.client.post(url, data=data)
+
+                if response.status_code == 200:
+                    try:
+                        logger.info("Token retrieved successfully.")
+                        return TokenResponse(**response.json())
+                    except ValidationError as e:
+                        raise CoreasonIdentityError(f"Received invalid token response structure: {e}") from e
+                    except ValueError as e:
+                        raise CoreasonIdentityError(f"Received invalid JSON response on 200 OK: {e}") from e
+
+                # Handle errors
+                try:
+                    error_resp = response.json()
+                except ValueError as e:
+                    # Non-JSON response, likely a server error or proxy issue
+                    response.raise_for_status()
+                    raise CoreasonIdentityError(f"Received invalid response: {response.text}") from e
+
+                if not isinstance(error_resp, dict):
+                    raise CoreasonIdentityError(f"Received invalid JSON response: {error_resp}")
+
+                error = error_resp.get("error")
+
+                if error == "authorization_pending":
+                    pass  # Continue polling
+                elif error == "slow_down":
+                    interval += 5  # Increase interval as per spec
+                    logger.debug("Received slow_down, increasing interval.")
+                elif error == "expired_token":
+                    raise CoreasonIdentityError("Device code expired.")
+                elif error == "access_denied":
+                    raise CoreasonIdentityError("User denied access.")
+                else:
+                    response.raise_for_status()  # Raise for other 4xx/5xx
+
+            except httpx.HTTPStatusError as e:
+                logger.error(f"Polling failed with status {e.response.status_code}: {e}")
+                raise CoreasonIdentityError(f"Polling failed: {e}") from e
+
+            except Exception as e:
+                if isinstance(e, CoreasonIdentityError):
+                    raise
+                logger.warning(f"Polling attempt failed: {e}")
+                # Continue polling unless it's a critical error
+                pass
+
+            # Use anyio.sleep for async non-blocking sleep
+            await anyio.sleep(interval)
+
+        raise CoreasonIdentityError("Polling timed out.")