fastapi-sso 0.17.0__tar.gz → 0.18.0__tar.gz

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/PKG-INFO

@@ -1,16 +1,14 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: fastapi-sso
-Version: 0.17.0
+Version: 0.18.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
-Home-page: https://tomasvotava.github.io/fastapi-sso/
 License: MIT
 Keywords: fastapi,sso,oauth,google,facebook,spotify,linkedin
 Author: Tomas Votava
 Author-email: info@tomasvotava.eu
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.9,<4.0
 Classifier: License :: OSI Approved :: MIT License
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
@@ -20,8 +18,10 @@ Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
 Requires-Dist: pydantic[email] (>=1.8.0)
+Requires-Dist: pyjwt (>=2.10.1,<3.0.0)
 Requires-Dist: typing-extensions (>=4.12.2,<5.0.0) ; python_version < "3.10"
 Project-URL: Documentation, https://tomasvotava.github.io/fastapi-sso/
+Project-URL: Homepage, https://tomasvotava.github.io/fastapi-sso/
 Project-URL: Repository, https://github.com/tomasvotava/fastapi-sso
 Description-Content-Type: text/markdown
 

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/pkce.py

@@ -3,7 +3,6 @@
 import base64
 import hashlib
 import os
-from typing import Tuple
 
 
 def get_code_verifier(length: int = 96) -> str:
@@ -13,7 +12,7 @@ def get_code_verifier(length: int = 96) -> str:
     return base64.urlsafe_b64encode(os.urandom(bytes_length)).decode("utf-8").replace("=", "")[:length]
 
 
-def get_pkce_challenge_pair(verifier_length: int = 96) -> Tuple[str, str]:
+def get_pkce_challenge_pair(verifier_length: int = 96) -> tuple[str, str]:
     """Get tuple of (verifier, challenge) for PKCE challenge."""
     code_verifier = get_code_verifier(verifier_length)
     code_challenge = (

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/base.py

@@ -7,9 +7,10 @@ import os
 import sys
 import warnings
 from types import TracebackType
-from typing import Any, ClassVar, Dict, List, Literal, Optional, Type, TypedDict, TypeVar, Union, overload
+from typing import Any, ClassVar, Literal, Optional, TypedDict, TypeVar, Union, overload
 
 import httpx
+import jwt
 import pydantic
 from oauthlib.oauth2 import WebApplicationClient
 from starlette.exceptions import HTTPException
@@ -33,6 +34,10 @@ T = TypeVar("T")
 P = ParamSpec("P")
 
 
+def _decode_id_token(id_token: str, verify: bool = False) -> dict:
+    return jwt.decode(id_token, options={"verify_signature": verify})
+
+
 class DiscoveryDocument(TypedDict):
     """Discovery document."""
 
@@ -95,10 +100,11 @@ class SSOBase:
     client_id: str = NotImplemented
     client_secret: str = NotImplemented
     redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = NotImplemented
-    scope: ClassVar[List[str]] = []
-    additional_headers: ClassVar[Optional[Dict[str, Any]]] = None
+    scope: ClassVar[list[str]] = []
+    additional_headers: ClassVar[Optional[dict[str, Any]]] = None
     uses_pkce: bool = False
     requires_state: bool = False
+    use_id_token_for_user_info: ClassVar[bool] = False
 
     _pkce_challenge_length: int = 96
 
@@ -109,7 +115,7 @@ class SSOBase:
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
         allow_insecure_http: bool = False,
         use_state: bool = False,
-        scope: Optional[List[str]] = None,
+        scope: Optional[list[str]] = None,
     ):
         """Base class (mixin) for all SSO providers."""
         self.client_id: str = client_id
@@ -224,6 +230,18 @@ class SSOBase:
         """
         raise NotImplementedError(f"Provider {self.provider} not supported")
 
+    async def openid_from_token(self, id_token: dict, session: Optional[httpx.AsyncClient] = None) -> OpenID:
+        """Converts an ID token from the provider's token endpoint to an OpenID object.
+
+        Args:
+            id_token (dict): The id token data retrieved from the token endpoint.
+            session: (Optional[httpx.AsyncClient]): The HTTPX AsyncClient session.
+
+        Returns:
+            OpenID: The user information in a standardized format.
+        """
+        raise NotImplementedError(f"Provider {self.provider} not supported")
+
     async def get_discovery_document(self) -> DiscoveryDocument:
         """Retrieves the discovery document containing useful URLs.
 
@@ -257,14 +275,14 @@ class SSOBase:
         self,
         *,
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
-        params: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
         state: Optional[str] = None,
     ) -> str:
         """Generates and returns the prepared login URL.
 
         Args:
             redirect_uri (Optional[str]): Overrides the `redirect_uri` specified on this instance.
-            params (Optional[Dict[str, Any]]): Additional query parameters to add to the login request.
+            params (Optional[dict[str, Any]]): Additional query parameters to add to the login request.
             state (Optional[str]): The state parameter for the OAuth 2.0 authorization request.
 
         Raises:
@@ -304,14 +322,14 @@ class SSOBase:
         self,
         *,
         redirect_uri: Optional[str] = None,
-        params: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
         state: Optional[str] = None,
     ) -> RedirectResponse:
         """Constructs and returns a redirect response to the login page of OAuth SSO provider.
 
         Args:
             redirect_uri (Optional[str]): Overrides the `redirect_uri` specified on this instance.
-            params (Optional[Dict[str, Any]]): Additional query parameters to add to the login request.
+            params (Optional[dict[str, Any]]): Additional query parameters to add to the login request.
             state (Optional[str]): The state parameter for the OAuth 2.0 authorization request.
 
         Returns:
@@ -330,8 +348,8 @@ class SSOBase:
         self,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         convert_response: Literal[True] = True,
     ) -> Optional[OpenID]: ...
@@ -341,28 +359,28 @@ class SSOBase:
         self,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         convert_response: Literal[False],
-    ) -> Optional[Dict[str, Any]]: ...
+    ) -> Optional[dict[str, Any]]: ...
 
     @requires_async_context
     async def verify_and_process(
         self,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         convert_response: Union[Literal[True], Literal[False]] = True,
-    ) -> Union[Optional[OpenID], Optional[Dict[str, Any]]]:
+    ) -> Union[Optional[OpenID], Optional[dict[str, Any]]]:
         """Processes the login given a FastAPI (Starlette) Request object. This should be used for the /callback path.
 
         Args:
             request (Request): FastAPI or Starlette request object.
-            params (Optional[Dict[str, Any]]): Additional query parameters to pass to the provider.
-            headers (Optional[Dict[str, Any]]): Additional headers to pass to the provider.
+            params (Optional[dict[str, Any]]): Additional query parameters to pass to the provider.
+            headers (Optional[dict[str, Any]]): Additional headers to pass to the provider.
             redirect_uri (Optional[str]): Overrides the `redirect_uri` specified on this instance.
             convert_response (bool): If True, userinfo response is converted to OpenID object.
 
@@ -371,7 +389,7 @@ class SSOBase:
 
         Returns:
             Optional[OpenID]: User information as OpenID instance (if convert_response == True)
-            Optional[Dict[str, Any]]: The original JSON response from the API.
+            Optional[dict[str, Any]]: The original JSON response from the API.
         """
         headers = headers or {}
         code = request.query_params.get("code")
@@ -433,7 +451,7 @@ class SSOBase:
 
     async def __aexit__(
         self,
-        _exc_type: Optional[Type[BaseException]],
+        _exc_type: Optional[type[BaseException]],
         _exc_val: Optional[BaseException],
         _exc_tb: Optional[TracebackType],
     ) -> None:
@@ -442,14 +460,14 @@ class SSOBase:
 
     def __exit__(
         self,
-        _exc_type: Optional[Type[BaseException]],
+        _exc_type: Optional[type[BaseException]],
         _exc_val: Optional[BaseException],
         _exc_tb: Optional[TracebackType],
     ) -> None:
         return None
 
     @property
-    def _extra_query_params(self) -> Dict:
+    def _extra_query_params(self) -> dict:
         return {}
 
     @overload
@@ -458,8 +476,8 @@ class SSOBase:
         code: str,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        additional_headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        additional_headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         pkce_code_verifier: Optional[str] = None,
         convert_response: Literal[True] = True,
@@ -471,12 +489,12 @@ class SSOBase:
         code: str,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        additional_headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        additional_headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         pkce_code_verifier: Optional[str] = None,
         convert_response: Literal[False],
-    ) -> Optional[Dict[str, Any]]: ...
+    ) -> Optional[dict[str, Any]]: ...
 
     @requires_async_context
     async def process_login(
@@ -484,20 +502,20 @@ class SSOBase:
         code: str,
         request: Request,
         *,
-        params: Optional[Dict[str, Any]] = None,
-        additional_headers: Optional[Dict[str, Any]] = None,
+        params: Optional[dict[str, Any]] = None,
+        additional_headers: Optional[dict[str, Any]] = None,
         redirect_uri: Optional[str] = None,
         pkce_code_verifier: Optional[str] = None,
         convert_response: Union[Literal[True], Literal[False]] = True,
-    ) -> Union[Optional[OpenID], Optional[Dict[str, Any]]]:
+    ) -> Union[Optional[OpenID], Optional[dict[str, Any]]]:
         """Processes login from the callback endpoint to verify the user and request user info endpoint.
         It's a lower-level method, typically, you should use `verify_and_process` instead.
 
         Args:
             code (str): The authorization code.
             request (Request): FastAPI or Starlette request object.
-            params (Optional[Dict[str, Any]]): Additional query parameters to pass to the provider.
-            additional_headers (Optional[Dict[str, Any]]): Additional headers to be added to all requests.
+            params (Optional[dict[str, Any]]): Additional query parameters to pass to the provider.
+            additional_headers (Optional[dict[str, Any]]): Additional headers to be added to all requests.
             redirect_uri (Optional[str]): Overrides the `redirect_uri` specified on this instance.
             pkce_code_verifier (Optional[str]): A PKCE code verifier sent to the server to verify the login request.
             convert_response (bool): If True, userinfo response is converted to OpenID object.
@@ -507,7 +525,7 @@ class SSOBase:
 
         Returns:
             Optional[OpenID]: User information in OpenID format if the login was successful (convert_response == True).
-            Optional[Dict[str, Any]]: Original userinfo API endpoint response.
+            Optional[dict[str, Any]]: Original userinfo API endpoint response.
         """
         if self._oauth_client is not None:  # pragma: no cover
             self._oauth_client = None
@@ -565,5 +583,9 @@ class SSOBase:
             response = await session.get(uri)
             content = response.json()
             if convert_response:
+                if self.use_id_token_for_user_info:
+                    if not self._id_token:
+                        raise SSOLoginError(401, f"Provider {self.provider!r} did not return id token.")
+                    return await self.openid_from_token(_decode_id_token(self._id_token), session)
                 return await self.openid_from_response(content, session)
             return content

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/bitbucket.py

@@ -1,6 +1,6 @@
 """BitBucket SSO Oauth Helper class"""
 
-from typing import TYPE_CHECKING, ClassVar, List, Optional, Union
+from typing import TYPE_CHECKING, ClassVar, Optional, Union
 
 import pydantic
 
@@ -23,7 +23,7 @@ class BitbucketSSO(SSOBase):
         client_secret: str,
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
         allow_insecure_http: bool = False,
-        scope: Optional[List[str]] = None,
+        scope: Optional[list[str]] = None,
     ):
         super().__init__(
             client_id=client_id,

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/discord.py

@@ -1,6 +1,6 @@
 """Discord SSO Oauth Helper class"""
 
-from typing import TYPE_CHECKING, ClassVar, List, Optional, Union
+from typing import TYPE_CHECKING, ClassVar, Optional, Union
 
 import pydantic
 
@@ -22,7 +22,7 @@ class DiscordSSO(SSOBase):
         client_secret: str,
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
         allow_insecure_http: bool = False,
-        scope: Optional[List[str]] = None,
+        scope: Optional[list[str]] = None,
     ):
         super().__init__(
             client_id=client_id,

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/generic.py

@@ -3,7 +3,7 @@ with close to no code.
 """
 
 import logging
-from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Type, Union
+from typing import TYPE_CHECKING, Any, Callable, Optional, Union
 
 from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
 
@@ -16,10 +16,10 @@ logger = logging.getLogger(__name__)
 def create_provider(
     *,
     name: str = "generic",
-    default_scope: Optional[List[str]] = None,
+    default_scope: Optional[list[str]] = None,
     discovery_document: Union[DiscoveryDocument, Callable[[SSOBase], DiscoveryDocument]],
-    response_convertor: Optional[Callable[[Dict[str, Any], Optional["httpx.AsyncClient"]], OpenID]] = None
-) -> Type[SSOBase]:
+    response_convertor: Optional[Callable[[dict[str, Any], Optional["httpx.AsyncClient"]], OpenID]] = None
+) -> type[SSOBase]:
     """A factory to create a generic OAuth client usable with almost any OAuth provider.
     Returns a class.
 

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/gitlab.py

@@ -1,6 +1,6 @@
 """Gitlab SSO Oauth Helper class."""
 
-from typing import TYPE_CHECKING, ClassVar, List, Optional, Tuple, Union
+from typing import TYPE_CHECKING, ClassVar, Optional, Union
 from urllib.parse import urljoin
 
 import pydantic
@@ -26,7 +26,7 @@ class GitlabSSO(SSOBase):
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
         allow_insecure_http: bool = False,
         use_state: bool = False,  # TODO: Remove use_state argument
-        scope: Optional[List[str]] = None,
+        scope: Optional[list[str]] = None,
         base_endpoint_url: Optional[str] = None,
     ) -> None:
         super().__init__(
@@ -47,7 +47,7 @@ class GitlabSSO(SSOBase):
             "userinfo_endpoint": urljoin(self.base_endpoint_url, "/api/v4/user"),
         }
 
-    def _parse_name(self, full_name: Optional[str]) -> Tuple[Union[str, None], Union[str, None]]:
+    def _parse_name(self, full_name: Optional[str]) -> tuple[Union[str, None], Union[str, None]]:
         """Parses the full name from Gitlab into the first and last name."""
         if not full_name or not isinstance(full_name, str):
             return None, None

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/linkedin.py

@@ -1,6 +1,6 @@
 """LinkedIn SSO Oauth Helper class."""
 
-from typing import TYPE_CHECKING, ClassVar, Dict, Optional
+from typing import TYPE_CHECKING, ClassVar, Optional
 
 from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
 
@@ -14,9 +14,10 @@ class LinkedInSSO(SSOBase):
     provider = "linkedin"
     scope: ClassVar = ["openid", "profile", "email"]
     additional_headers: ClassVar = {"accept": "application/json"}
+    use_id_token_for_user_info: ClassVar = True
 
     @property
-    def _extra_query_params(self) -> Dict:
+    def _extra_query_params(self) -> dict:
         return {"client_secret": self.client_secret}
 
     async def get_discovery_document(self) -> DiscoveryDocument:
@@ -26,6 +27,9 @@ class LinkedInSSO(SSOBase):
             "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
         }
 
+    async def openid_from_token(self, id_token: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        return await self.openid_from_response(id_token, session)
+
     async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
         return OpenID(
             email=response.get("email"),

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/microsoft.py

@@ -1,6 +1,6 @@
 """Microsoft SSO Oauth Helper class."""
 
-from typing import TYPE_CHECKING, ClassVar, List, Optional, Union
+from typing import TYPE_CHECKING, ClassVar, Optional, Union
 
 import pydantic
 
@@ -25,7 +25,7 @@ class MicrosoftSSO(SSOBase):
         redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
         allow_insecure_http: bool = False,
         use_state: bool = False,  # TODO: Remove use_state argument
-        scope: Optional[List[str]] = None,
+        scope: Optional[list[str]] = None,
         tenant: Optional[str] = None,
     ):
         super().__init__(

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/sso/naver.py

@@ -1,6 +1,6 @@
 """Naver SSO Oauth Helper class."""
 
-from typing import TYPE_CHECKING, ClassVar, List, Optional
+from typing import TYPE_CHECKING, ClassVar, Optional
 
 from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
 
@@ -12,7 +12,7 @@ class NaverSSO(SSOBase):
     """Class providing login using Naver OAuth."""
 
     provider = "naver"
-    scope: ClassVar[List[str]] = []
+    scope: ClassVar[list[str]] = []
     additional_headers: ClassVar = {"accept": "application/json"}
 
     async def get_discovery_document(self) -> DiscoveryDocument:

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-sso"
-version = "0.17.0"
+version = "0.18.0"
 description = "FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)"
 authors = ["Tomas Votava <info@tomasvotava.eu>"]
 readme = "README.md"
@@ -36,7 +36,7 @@ addopts = [
 line-length = 120
 
 [tool.ruff]
-target-version = "py38"
+target-version = "py39"
 line-length = 120
 
 [tool.ruff.lint]
@@ -97,21 +97,22 @@ markdown-include = "^0.8.1"
 mkdocs-material = { extras = ["imaging"], version = "^9.3.2" }
 mkdocstrings = { extras = ["python"], version = ">=0.23,<0.27" }
 mypy = "^1"
-poethepoet = ">=0.21.1,<0.30.0"
+poethepoet = ">=0.21.1,<0.31.0"
 pre-commit = "^3"
 pytest = ">=7,<9"
 pytest-asyncio = "^0.24"
 pytest-cov = ">=4,<6"
 uvicorn = ">=0.23.1"
-ruff = ">=0.4.2,<0.8.0"
+ruff = ">=0.4.2,<0.12.0"
 
 [tool.poetry.dependencies]
 fastapi = ">=0.80"
 httpx = ">=0.23.0"
 oauthlib = ">=3.1.0"
 pydantic = { extras = ["email"], version = ">=1.8.0" }
-python = ">=3.8,<4.0"
+python = ">=3.9,<4.0"
 typing-extensions = { version = "^4.12.2", python = "<3.10" }
+pyjwt = "^2.10.1"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]

{fastapi_sso-0.17.0 → fastapi_sso-0.18.0}/fastapi_sso/__init__.py

@@ -22,12 +22,10 @@ from .sso.spotify import SpotifySSO
 from .sso.twitter import TwitterSSO
 
 __all__ = [
-    "OpenID",
-    "SSOBase",
-    "SSOLoginError",
+    "BitbucketSSO",
+    "DiscordSSO",
     "FacebookSSO",
     "FitbitSSO",
-    "create_provider",
     "GithubSSO",
     "GitlabSSO",
     "GoogleSSO",
@@ -37,8 +35,10 @@ __all__ = [
     "MicrosoftSSO",
     "NaverSSO",
     "NotionSSO",
+    "OpenID",
+    "SSOBase",
+    "SSOLoginError",
     "SpotifySSO",
     "TwitterSSO",
-    "BitbucketSSO",
-    "DiscordSSO",
+    "create_provider",
 ]