iglobals-auth 1.0.0__tar.gz

iglobals_auth-1.0.0/PKG-INFO

@@ -0,0 +1,16 @@
+Metadata-Version: 2.4
+Name: iglobals-auth
+Version: 1.0.0
+Summary: iGlobals Central Auth SDK for Python
+Author-email: iGlobals <engineering@iglobals.com>
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.28.0
+Requires-Dist: PyJWT[crypto]>=2.8.0
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+Provides-Extra: flask
+Requires-Dist: Flask>=2.0.0; extra == "flask"
+
+# iglobals-auth
+Python SDK for iGlobals Central Auth.

iglobals_auth-1.0.0/README.md

@@ -0,0 +1,2 @@
+# iglobals-auth
+Python SDK for iGlobals Central Auth.

iglobals_auth-1.0.0/iglobals_auth/__init__.py

@@ -0,0 +1,12 @@
+from .client import IGlobalsAuth
+from .errors import ICAError
+from .types import TokenSet, UserInfoClaims
+from .pkce import generate_pkce
+
+__all__ = [
+    "IGlobalsAuth",
+    "ICAError",
+    "TokenSet",
+    "UserInfoClaims",
+    "generate_pkce",
+]

iglobals_auth-1.0.0/iglobals_auth/client.py

@@ -0,0 +1,103 @@
+import requests
+from urllib.parse import urlencode
+from typing import List, Optional
+
+from .types import TokenSet, UserInfoClaims
+from .errors import ICAError
+from .pkce import generate_pkce
+from .jwks import JWKSService
+
+class IGlobalsAuth:
+    def __init__(self, client_id: str, redirect_uri: str, base_url: str, client_secret: Optional[str] = None, scopes: Optional[List[str]] = None):
+        if not client_id:
+            raise ValueError('client_id is required')
+        if not redirect_uri:
+            raise ValueError('redirect_uri is required')
+        if not base_url:
+            raise ValueError('base_url is required')
+            
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.redirect_uri = redirect_uri
+        self.base_url = base_url.rstrip('/')
+        self.scopes = scopes or ['openid', 'profile', 'email']
+        
+        self.jwks_service = JWKSService(f"{self.base_url}/api/oauth/jwks")
+
+    def get_authorization_url(self, state: str, code_challenge: str) -> str:
+        params = {
+            'client_id': self.client_id,
+            'redirect_uri': self.redirect_uri,
+            'response_type': 'code',
+            'scope': ' '.join(self.scopes),
+            'state': state,
+            'code_challenge': code_challenge,
+            'code_challenge_method': 'S256',
+        }
+        return f"{self.base_url}/api/oauth/authorize?{urlencode(params)}"
+
+    def generate_pkce(self) -> dict:
+        return generate_pkce()
+
+    def _request_token(self, payload: dict) -> TokenSet:
+        payload['client_id'] = self.client_id
+        if self.client_secret:
+            payload['client_secret'] = self.client_secret
+            
+        res = requests.post(f"{self.base_url}/api/oauth/token", json=payload)
+        data = res.json()
+        
+        if not res.ok:
+            raise ICAError(data.get('error', 'request_failed'), data.get('error_description', 'Failed to fetch token'), res.status_code)
+            
+        return TokenSet(
+            access_token=data['access_token'],
+            token_type=data['token_type'],
+            expires_in=data['expires_in'],
+            refresh_token=data['refresh_token'],
+            scope=data['scope'],
+            id_token=data.get('id_token')
+        )
+
+    def exchange_code(self, code: str, code_verifier: str) -> TokenSet:
+        return self._request_token({
+            'grant_type': 'authorization_code',
+            'code': code,
+            'redirect_uri': self.redirect_uri,
+            'code_verifier': code_verifier,
+        })
+
+    def refresh_access_token(self, refresh_token: str) -> TokenSet:
+        return self._request_token({
+            'grant_type': 'refresh_token',
+            'refresh_token': refresh_token,
+        })
+
+    def get_user_info(self, access_token: str) -> UserInfoClaims:
+        res = requests.get(
+            f"{self.base_url}/api/oauth/userinfo",
+            headers={"Authorization": f"Bearer {access_token}"}
+        )
+        data = res.json()
+        if not res.ok:
+            raise ICAError(data.get('error', 'request_failed'), data.get('error_description', 'Failed to fetch userinfo'), res.status_code)
+            
+        return UserInfoClaims(**data)
+
+    def verify_token(self, jwt_token: str) -> dict:
+        return self.jwks_service.verify_token(jwt_token, self.client_id, self.base_url)
+
+    def revoke_token(self, refresh_token: str) -> bool:
+        payload = {
+            'token': refresh_token,
+            'client_id': self.client_id
+        }
+        if self.client_secret:
+            payload['client_secret'] = self.client_secret
+            
+        res = requests.post(f"{self.base_url}/api/oauth/revoke", json=payload)
+        data = res.json()
+        if not res.ok:
+            raise ICAError(data.get('error', 'request_failed'), data.get('error_description', 'Failed to revoke token'), res.status_code)
+            
+        return data.get('revoked', False)

iglobals_auth-1.0.0/iglobals_auth/errors.py

@@ -0,0 +1,6 @@
+class ICAError(Exception):
+    def __init__(self, error: str, error_description: str, status: int = None):
+        super().__init__(f"{error}: {error_description}")
+        self.error = error
+        self.error_description = error_description
+        self.status = status

iglobals_auth-1.0.0/iglobals_auth/fastapi.py

@@ -0,0 +1,31 @@
+from typing import Callable
+from .client import IGlobalsAuth
+from .errors import ICAError
+
+try:
+    from fastapi import Request, HTTPException, status
+except ImportError:
+    pass  # Allow import if FastAPI is not installed, fail at runtime if used
+
+def require_auth(ica: IGlobalsAuth) -> Callable:
+    async def auth_dependency(request: Request) -> dict:
+        auth_header = request.headers.get("Authorization")
+        if not auth_header or not auth_header.startswith("Bearer "):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Bearer token missing or malformed.",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        
+        token = auth_header.split(" ")[1]
+        try:
+            payload = ica.verify_token(token)
+            return payload
+        except ICAError as e:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=str(e),
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+            
+    return auth_dependency

iglobals_auth-1.0.0/iglobals_auth/flask.py

@@ -0,0 +1,28 @@
+from functools import wraps
+from typing import Callable
+from .client import IGlobalsAuth
+from .errors import ICAError
+
+try:
+    from flask import request, jsonify, g
+except ImportError:
+    pass
+
+def auth_required(ica: IGlobalsAuth) -> Callable:
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            auth_header = request.headers.get("Authorization")
+            if not auth_header or not auth_header.startswith("Bearer "):
+                return jsonify({"error": "unauthorized", "error_description": "Bearer token missing or malformed.", "status": 401}), 401
+            
+            token = auth_header.split(" ")[1]
+            try:
+                payload = ica.verify_token(token)
+                g.ica_user = payload
+            except ICAError as e:
+                return jsonify({"error": "unauthorized", "error_description": str(e), "status": 401}), 401
+                
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator

iglobals_auth-1.0.0/iglobals_auth/jwks.py

@@ -0,0 +1,24 @@
+import jwt
+from typing import Dict, Any
+from jwt import PyJWKClient
+
+from .errors import ICAError
+
+class JWKSService:
+    def __init__(self, jwks_uri: str):
+        # PyJWKClient provides caching out of the box
+        self.jwks_client = PyJWKClient(jwks_uri, cache_keys=True)
+
+    def verify_token(self, token: str, expected_aud: str, expected_iss: str) -> Dict[str, Any]:
+        try:
+            signing_key = self.jwks_client.get_signing_key_from_jwt(token)
+            payload = jwt.decode(
+                token,
+                signing_key.key,
+                algorithms=["RS256"],
+                audience=expected_aud,
+                issuer=expected_iss,
+            )
+            return payload
+        except jwt.PyJWTError as e:
+            raise ICAError('invalid_token', str(e), 401)

iglobals_auth-1.0.0/iglobals_auth/pkce.py

@@ -0,0 +1,12 @@
+import os
+import hashlib
+import base64
+
+def generate_pkce() -> dict:
+    code_verifier = base64.urlsafe_b64encode(os.urandom(32)).decode('utf-8').rstrip('=')
+    digest = hashlib.sha256(code_verifier.encode('utf-8')).digest()
+    code_challenge = base64.urlsafe_b64encode(digest).decode('utf-8').rstrip('=')
+    return {
+        "code_verifier": code_verifier,
+        "code_challenge": code_challenge
+    }

iglobals_auth-1.0.0/iglobals_auth/types.py

@@ -0,0 +1,28 @@
+from dataclasses import dataclass
+from typing import Optional, TypedDict, Any
+
+@dataclass
+class TokenSet:
+    access_token: str
+    token_type: str
+    expires_in: int
+    refresh_token: str
+    scope: str
+    id_token: Optional[str] = None
+
+class AddressClaims(TypedDict, total=False):
+    street_address: str
+    locality: str
+    region: str
+    postal_code: str
+    country: str
+
+class UserInfoClaims(TypedDict, total=False):
+    sub: str
+    given_name: str
+    family_name: str
+    email: str
+    email_verified: bool
+    phone_number: str
+    phone_number_verified: bool
+    address: AddressClaims

iglobals_auth-1.0.0/iglobals_auth.egg-info/PKG-INFO

@@ -0,0 +1,16 @@
+Metadata-Version: 2.4
+Name: iglobals-auth
+Version: 1.0.0
+Summary: iGlobals Central Auth SDK for Python
+Author-email: iGlobals <engineering@iglobals.com>
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: requests>=2.28.0
+Requires-Dist: PyJWT[crypto]>=2.8.0
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100.0; extra == "fastapi"
+Provides-Extra: flask
+Requires-Dist: Flask>=2.0.0; extra == "flask"
+
+# iglobals-auth
+Python SDK for iGlobals Central Auth.

iglobals_auth-1.0.0/iglobals_auth.egg-info/SOURCES.txt

@@ -0,0 +1,15 @@
+README.md
+pyproject.toml
+iglobals_auth/__init__.py
+iglobals_auth/client.py
+iglobals_auth/errors.py
+iglobals_auth/fastapi.py
+iglobals_auth/flask.py
+iglobals_auth/jwks.py
+iglobals_auth/pkce.py
+iglobals_auth/types.py
+iglobals_auth.egg-info/PKG-INFO
+iglobals_auth.egg-info/SOURCES.txt
+iglobals_auth.egg-info/dependency_links.txt
+iglobals_auth.egg-info/requires.txt
+iglobals_auth.egg-info/top_level.txt

iglobals_auth-1.0.0/iglobals_auth.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

iglobals_auth-1.0.0/iglobals_auth.egg-info/requires.txt

@@ -0,0 +1,8 @@
+requests>=2.28.0
+PyJWT[crypto]>=2.8.0
+
+[fastapi]
+fastapi>=0.100.0
+
+[flask]
+Flask>=2.0.0

iglobals_auth-1.0.0/iglobals_auth.egg-info/top_level.txt

@@ -0,0 +1 @@
+iglobals_auth

iglobals_auth-1.0.0/pyproject.toml

@@ -0,0 +1,24 @@
+[project]
+name = "iglobals-auth"
+version = "1.0.0"
+description = "iGlobals Central Auth SDK for Python"
+authors = [
+    {name = "iGlobals", email = "engineering@iglobals.com"}
+]
+readme = "README.md"
+requires-python = ">=3.9"
+dependencies = [
+    "requests>=2.28.0",
+    "PyJWT[crypto]>=2.8.0",
+]
+
+[project.optional-dependencies]
+fastapi = ["fastapi>=0.100.0"]
+flask = ["Flask>=2.0.0"]
+
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools]
+packages = ["iglobals_auth"]

iglobals_auth-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+