kinde-python-sdk 2.0.7__py3-none-any.whl → 2.0.9__py3-none-any.whl

kinde_fastapi/examples/example_app.py

@@ -9,6 +9,8 @@ import logging
 from kinde_sdk.auth.oauth import OAuth
 from kinde_sdk.auth import claims, feature_flags, permissions, tokens
 from kinde_sdk.management import ManagementClient;
+from kinde_sdk.management.management_token_manager import ManagementTokenManager
+import requests
 
 logger = logging.getLogger(__name__)
 
@@ -78,6 +80,7 @@ async def home(request: Request):
                 <p>tokens: {tokens.get_token_manager().get_access_token()}</p>
                 <p>users: {user_count} user(s) found</p>
                 <p>You are logged in.</p>
+                <a href="/call_management_users">Call Management Users</a>
                 <a href="/logout">Logout</a>
             </body>
         </html>
@@ -92,6 +95,36 @@ async def home(request: Request):
     </html>
     """
 
+@app.get("/call_management_users")
+async def call_management_users():
+    if not kinde_oauth.is_authenticated():
+        return {"error": "Not authenticated"}
+    
+    domain = os.getenv("KINDE_DOMAIN")
+    client_id = os.getenv("KINDE_MANAGEMENT_CLIENT_ID")
+    client_secret = os.getenv("KINDE_MANAGEMENT_CLIENT_SECRET")
+    
+    if not all([domain, client_id, client_secret]):
+        return {"error": "Missing management credentials"}
+    
+    try:
+        token_manager = ManagementTokenManager(
+            domain=domain,
+            client_id=client_id,
+            client_secret=client_secret
+        )
+        access_token = token_manager.get_access_token()
+        
+        headers = {
+            "Authorization": f"Bearer {access_token}"
+        }
+        response = requests.get("http://localhost:8000/management/users", headers=headers)
+        response.raise_for_status()
+        return response.json()
+    except Exception as e:
+        logger.error(f"Failed to call management users: {e}")
+        return {"error": str(e)}
+
 if __name__ == "__main__":
     import uvicorn
     uvicorn.run(app, host="127.0.0.1", port=5000) 

kinde_fastapi/examples/management_token_example.py

@@ -0,0 +1,119 @@
+from fastapi import FastAPI, Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+import os
+import requests
+from dotenv import load_dotenv
+from kinde_sdk.management.management_token_manager import ManagementTokenManager
+from kinde_sdk.management import ManagementClient
+from typing import Dict, Any
+import time
+
+import logging
+
+# Load environment variables
+load_dotenv()
+
+# Setup logging
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+
+# Initialize FastAPI app
+app = FastAPI(title="Kinde Management Token Example with Introspection")
+
+# Security scheme for bearer token
+security = HTTPBearer()
+
+# Extract, introspect, and validate management token from header
+def get_management_token(credentials: HTTPAuthorizationCredentials = Depends(security)) -> ManagementTokenManager:
+    logger.debug("Starting token validation")
+    bearer_token = credentials.credentials
+    logger.debug(f"Received bearer token (first 20 chars): {bearer_token[:20]}...")
+    
+    # SDK config from env
+    domain = os.getenv("KINDE_HOST", "https://app.kinde.com")
+    logger.debug(f"Raw domain from env: {domain}")
+    if domain.startswith(('http://', 'https://')):
+        domain = domain.split('://', 1)[1]
+    logger.debug(f"Normalized domain: {domain}")
+    client_id = os.getenv("KINDE_MANAGEMENT_CLIENT_ID")
+    client_secret = os.getenv("KINDE_MANAGEMENT_CLIENT_SECRET")
+    logger.debug(f"Client ID: {client_id}")
+    # Not logging secret for security
+    
+    if not all([domain, client_id, client_secret]):
+        logger.error("Missing Kinde management credentials")
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Missing Kinde management credentials in environment"
+        )
+    
+    try:
+        token_manager = ManagementTokenManager(
+            domain=domain,
+            client_id=client_id,
+            client_secret=client_secret
+        )
+        logger.debug(f"ManagementTokenManager instantiated {bearer_token}")
+        
+        introspection_result = token_manager.validate_and_set_via_introspection(bearer_token)
+        logger.debug(f"Introspection result: {introspection_result}")
+        
+        access_token = token_manager.get_access_token()
+        if not access_token:
+            logger.error("No access token after introspection")
+            raise ValueError("Invalid management token after introspection")
+        logger.debug("Access token obtained successfully")
+        
+        return token_manager
+    
+    except ValueError as e:
+        logger.error(f"ValueError in token validation: {str(e)}")
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+    except Exception as e:
+        logger.error(f"Exception in token validation: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=f"Token introspection failed: {str(e)}",
+            headers={"WWW-Authenticate": "Bearer"}
+        )
+
+# Example route using the validated management token
+@app.get("/management/users")
+async def get_users(token_manager: ManagementTokenManager = Depends(get_management_token)):
+    logger.debug("Entering get_users endpoint")
+    try:
+        # Create ManagementClient with the token manager
+        management_client = ManagementClient(
+            domain=token_manager.domain,
+            client_id=token_manager.client_id,
+            client_secret=token_manager.client_secret
+        )
+        logger.debug("ManagementClient created")
+        
+        # Fetch users (example API call)
+        users_response = management_client.get_users()
+        
+        # Get the user count from the response
+        user_count = len(users_response.users) if users_response.users else 0
+        logger.debug(f"Fetched {user_count} users")
+        
+        return {
+            "message": "Users fetched successfully",
+            "user_count": user_count,
+            "users": users_response.users if users_response.users else []  # In production, filter sensitive data
+        }
+    except Exception as e:
+        logger.error(f"Error in get_users: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to fetch users: {str(e)}"
+        ) from e
+
+# Run the app
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=8000) 

{kinde_python_sdk-2.0.7.dist-info → kinde_python_sdk-2.0.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kinde-python-sdk
-Version: 2.0.7
+Version: 2.0.9
 Summary: Connect your app to the Kinde platform
 Author-email: Kinde Engineering <engineering@kinde.com>
 Project-URL: Homepage, https://github.com/kinde-oss/kinde-python-sdk

{kinde_python_sdk-2.0.7.dist-info → kinde_python_sdk-2.0.9.dist-info}/RECORD

@@ -1,5 +1,6 @@
 kinde_fastapi/__init__.py,sha256=FzB0zDBbzaLLvGZBPrBZN94I6LRZdkT4RSmGUsbh3mA,470
-kinde_fastapi/examples/example_app.py,sha256=OVJDFKzT3Qv_tA4GgizW2DmjoE0hm_9O4H_DKIGYNeQ,3057
+kinde_fastapi/examples/example_app.py,sha256=c29SsAytpDs75CVJuiaInLK8lnqMLmoDDvExtRI-SYM,4270
+kinde_fastapi/examples/management_token_example.py,sha256=keO-eKBrrMUTcIom154Mmn7BLRSZ45jYvQPwT-Jeoqw,4580
 kinde_fastapi/examples/session.py,sha256=WblGM7TM2JCKdSFsd2OmSP0daexZ7E6ZS1xgTQY_etY,2472
 kinde_fastapi/framework/__init__.py,sha256=tpTI84q7HCHMlREslMrngIlKwC8CDog9bEMI_ydhCUs,181
 kinde_fastapi/framework/fastapi_framework.py,sha256=-MiBFddfY3NiB9BE_b8BBYAxfGbhOQKO-RXUsCu4a3U,6767
@@ -13,7 +14,7 @@ kinde_flask/framework/flask_framework.py,sha256=I4dVWmkyd0FBqjAkOyftebm7_qpI9uxk
 kinde_flask/framework/flask_framework_factory.py,sha256=ALpsj-cHBox3ktRxi-CyZ5Q6EOvacfdu4pvlTYkuviA,802
 kinde_flask/middleware/framework_middleware.py,sha256=XFK6kgMDuHkrawDJ0_MMgLO7es0YQVjlVDDRDgwlCJ0,1012
 kinde_flask/storage/flask_storage_factory.py,sha256=MitOUbfCbfvSQFFoUbbnbXLEOL_qajS29Mlsn0TyTsY,2562
-kinde_python_sdk-2.0.7.dist-info/licenses/LICENSE,sha256=iT6AIO6NJn_mo0kDD5mpz2zp9GpzH6YdhqOmkCBg-kQ,1385
+kinde_python_sdk-2.0.9.dist-info/licenses/LICENSE,sha256=iT6AIO6NJn_mo0kDD5mpz2zp9GpzH6YdhqOmkCBg-kQ,1385
 kinde_sdk/__init__.py,sha256=Mh3eVcnJDk-KdQfxVUsF19NgBYexoJCwG5iAbD1LEdQ,1052
 kinde_sdk/api_client.py,sha256=GEb1BIjvIrUe8mFIr7hppp2PO604BiSlAr0_TYBfuy4,58496
 kinde_sdk/configuration.py,sha256=oqZGvKEf4kNNURbI1pip2ZVVcDyRTSmmnjXWziH4s80,15765
@@ -109,7 +110,7 @@ kinde_sdk/apis/tags/users_api.py,sha256=06qeWo8ZNNZvKQ5hl0ImtPvNSbzDKkceZj7ACrlu
 kinde_sdk/apis/tags/webhooks_api.py,sha256=AmLDLeW6aLz3lnqUGGd2dpVxuVKxW1KgIW2rdtUNJmw,925
 kinde_sdk/auth/__init__.py,sha256=czQs-NJ3R22EXkcnszl3YJKmjsB-mVpJ4T11zbRb_4Y,379
 kinde_sdk/auth/base_auth.py,sha256=hV-xjaGa35YMDFpmEWQgTNM7w6ZHskLm_p5cnXSSLJY,1253
-kinde_sdk/auth/claims.py,sha256=g0vlQtHBNyuELCNSTuahr3ZhBma4Htp2KjKCtKq1f90,1540
+kinde_sdk/auth/claims.py,sha256=sS4cvtEYQyTlT4WacibyKzp-5eTTH4JbMnDabMTX31w,1560
 kinde_sdk/auth/config_loader.py,sha256=L01kqmzUMKQ0X_PA9MYcWSeJiVoDfrB4RANQGWS76UA,879
 kinde_sdk/auth/enums.py,sha256=Xbk7jwXtq_TViZSfBy6h9lon8VEA5v6ssUl-3yKp8Zk,538
 kinde_sdk/auth/feature_flags.py,sha256=VSqfyqNmYLo3Q74nyo4L8W8jt8msZ_v-45Y7pW_48VA,3810
@@ -117,7 +118,7 @@ kinde_sdk/auth/login_options.py,sha256=3Fvbo-rjLzbV14Np48Ogw0HieThjlRtfP4VHztJtG
 kinde_sdk/auth/oauth.py,sha256=bXWM6Mo7H8EgrD2GSOfhibvwz6MVMPe7-wM1PaL6_6o,26136
 kinde_sdk/auth/permissions.py,sha256=A9BmGt3OokuvS-4twveCZdCPFY-QobyzqlgGVo8eSoI,1913
 kinde_sdk/auth/portals.py,sha256=Z3goLvio-Xw7VjTRrQZXKOFkTMvtF78nKzFF5-u4rkY,4530
-kinde_sdk/auth/token_manager.py,sha256=uG9TFcJ_K4hbgFEP9gy_S1xRUBpzD5ZYT37LzMWoWHA,7182
+kinde_sdk/auth/token_manager.py,sha256=HSfyKmc4kyoQz2NeRPVWtpY4E4rtf2w6SWArRlQ7-5s,8278
 kinde_sdk/auth/tokens.py,sha256=eZKJTTw764FrzvxurWNee1_ZX1Q2FQjJUXBlsMlp2A0,2367
 kinde_sdk/auth/user_session.py,sha256=CmFotC9ONzHwPMRJy4SOT7tOI_63dHv_ttpdNHssH8Y,7657
 kinde_sdk/core/__init__.py,sha256=ejO0P_oXuiO5V-MJVRqKu6y0fAWKyi4iL2UIRGXhLy0,358
@@ -141,7 +142,7 @@ kinde_sdk/management/api_response.py,sha256=eMxw1mpmJcoGZ3gs9z6jM4oYoZ10Gjk333s9
 kinde_sdk/management/configuration.py,sha256=icAfQBYmokmspDa_ELha2Qfeq_IkgAp6COdmw1ZpL2Q,18909
 kinde_sdk/management/exceptions.py,sha256=I_xzvCXjHszPUrUr4dNsE9Pg-nH58YszF075NvjSRMA,6780
 kinde_sdk/management/management_client.py,sha256=_GErLV96nTbWw58fscCrDe_UOVk25u4Vlx0amFp3g6Y,31467
-kinde_sdk/management/management_token_manager.py,sha256=uEYQBiN5mNqZujTSYcU2sl2Sk51YwSe9_b-XkDq4uAI,9853
+kinde_sdk/management/management_token_manager.py,sha256=KP1UVjTFdjJlLMRYn2fzJOS2QgEuaQaTg56EmQs22uE,12106
 kinde_sdk/management/rest.py,sha256=7kMCS7NAOYCI4hrThABWpV-AN0Y-LuCjMnJ404CJdq8,9783
 kinde_sdk/management/schemas.py,sha256=6tg1tEh8IL-9UuZiWFVe-0Pu-TD-CYW37soeQ6AyspA,97671
 kinde_sdk/management/api/__init__.py,sha256=-LP_IUIY_BztruZ5aTT7WoTgolTlSxOgppthL4I2l8A,2018
@@ -722,7 +723,7 @@ kinde_sdk/test/test_models/test_user_profile_v2.py,sha256=QzYjvjtTGa1ktE5ruyGBm_
 kinde_sdk/test/test_models/test_users.py,sha256=wJQR5K7dsfHQQsOQp4mrHWQynFPHwL-gDtbgVifNfMs,537
 kinde_sdk/test/test_models/test_users_response.py,sha256=BCcKxe9GctDrOXOzw0Q7O1ijKy_93Oj3E2wHW00y624,869
 kinde_sdk/test/test_models/test_webhook.py,sha256=KNfR8sKAK5H2vX_cXYGT5EfgaVP7_egC39uY6-s-4qo,544
-kinde_python_sdk-2.0.7.dist-info/METADATA,sha256=hfaFwDNTTOdeJhG8N1f_T2cwvtq9UP_5pee2R_VZXvw,23482
-kinde_python_sdk-2.0.7.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-kinde_python_sdk-2.0.7.dist-info/top_level.txt,sha256=TUU3EVjV6O4brF-mooQr6pnTk-jXJphmIWRHCIdyIgI,36
-kinde_python_sdk-2.0.7.dist-info/RECORD,,
+kinde_python_sdk-2.0.9.dist-info/METADATA,sha256=-T2f9gM_AfnugRp4TestVW7eWIeB3Te9rsXRr57CNDs,23482
+kinde_python_sdk-2.0.9.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+kinde_python_sdk-2.0.9.dist-info/top_level.txt,sha256=TUU3EVjV6O4brF-mooQr6pnTk-jXJphmIWRHCIdyIgI,36
+kinde_python_sdk-2.0.9.dist-info/RECORD,,

kinde_sdk/auth/claims.py

@@ -24,7 +24,7 @@ class Claims(BaseAuth):
                 "value": None
             }
 
-        claims = token_manager.get_claims()
+        claims = token_manager.get_claims(token_type)
         value = claims.get(claim_name)
 
         return {
@@ -46,7 +46,7 @@ class Claims(BaseAuth):
         if not token_manager:
             return {}
 
-        return token_manager.get_claims()
+        return token_manager.get_claims(token_type)
 
 # Create a singleton instance
 claims = Claims() 

kinde_sdk/auth/token_manager.py

@@ -153,17 +153,46 @@ class TokenManager:
         """Get the ID token if available."""
         return self.tokens.get("id_token")
         
-    def get_claims(self):
-        """Get the claims from the access token if available, falling back to ID token claims."""
-        # First try to get claims from access token
-        claims = self.tokens.get("access_token_claims", {})
+    def get_claims(self, token_type: str = "access_token"):
+        """Get the claims from the specified token type.
+        
+        Args:
+            token_type (str): The type of token to get claims from. 
+                            Valid values are "access_token" or "id_token".
+                            
+        Returns:
+            dict: The claims from the specified token, or empty dict if not available.
+        """
+        # Validate token type
+        valid_token_types = ["access_token", "id_token"]
+        if token_type not in valid_token_types:
+            logging.warning(f"Invalid token_type '{token_type}'. Valid types are: {valid_token_types}")
+            return {}
+        
+        # Use f-string for safer string formatting
+        claims_key = f"{token_type}_claims"
+        claims = self.tokens.get(claims_key, {})
+        
         if not claims:
-            # Fall back to ID token claims if access token claims are not available
-            claims = self.tokens.get("id_token_claims", {})
-            if not claims:
-                logging.warning("No claims available in token manager")
+            logging.warning(f"No claims available for token type: {token_type}")
+            
         return claims
     
+    def get_claim(self, key: str, token_type: str = "access_token"):
+        """Get a specific claim from the specified token type.
+        
+        Args:
+            key (str): The claim key to retrieve
+            token_type (str): The type of token to get the claim from.
+                            Valid values are "access_token" or "id_token".
+                            
+        Returns:
+            dict: Dictionary containing the claim name and value, or empty dict if not found.
+        """
+        claims = self.get_claims(token_type)
+        value = claims.get(key)
+        return {"name": key, "value": value}
+    
     def revoke_token(self):
         """ Revoke the current access token. """
         if "access_token" not in self.tokens:

kinde_sdk/management/management_token_manager.py

@@ -209,13 +209,15 @@ class ManagementTokenManager:
     def set_tokens(self, token_data: Dict[str, Any]):
         """ Store tokens with expiration. """
         with self.lock:
-            # Handle None values by using default
-            expires_in = token_data.get("expires_in") or 3600
+            # Handle None values by using default, but allow 0
+            expires_in = token_data.get("expires_in")
+            if expires_in is None:
+                expires_in = 3600
             token_type = token_data.get("token_type") or "Bearer"
             self.tokens = {
-            "access_token": token_data.get("access_token"),
-            "expires_at": time.time() + expires_in,
-            "token_type": token_type
+                "access_token": token_data.get("access_token"),
+                "expires_at": time.time() + expires_in,
+                "token_type": token_type
             }
 
     def get_access_token(self):
@@ -265,9 +267,64 @@ class ManagementTokenManager:
         except requests.exceptions.Timeout:
             raise Exception(f"Token request timed out after 30 seconds for domain {self.domain}")
         except requests.exceptions.RequestException as e:
-            raise Exception(f"Token request failed for domain {self.domain}: {str(e)}")
+            raise Exception(f"Token request failed for domain {self.domain}: {str(e)}") from e
 
     def clear_tokens(self):
         """ Clear stored tokens. """
         with self.lock:
-            self.tokens = {}
+            self.tokens = {}
+
+    def validate_and_set_via_introspection(self, bearer_token: str) -> Dict[str, Any]:
+        """
+        Validate a bearer token via introspection and set it if valid.
+        
+        Args:
+            bearer_token: The bearer token to introspect and validate.
+        
+        Returns:
+            Dict: The introspection result if valid.
+        
+        Raises:
+            Exception: If introspection fails or token is invalid.
+        """
+        # First, get a management token using client credentials
+        management_token = self.get_access_token()
+        
+        introspection_url = f"https://{self.domain}/oauth2/introspect"
+        introspect_data = {
+            "token": bearer_token
+        }
+        
+        try:
+            response = requests.post(
+                introspection_url, 
+                data=introspect_data,
+                headers={
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    "Authorization": f"Bearer {management_token}",
+                    "Kinde-SDK": self._generate_tracking_header()
+                },
+                timeout=30
+            )
+            response.raise_for_status()
+            introspection_result = response.json()
+            
+            if not introspection_result.get("active", False):
+                raise ValueError("Token is inactive or invalid")
+            
+            # Set the validated token - calculate proper expiration
+            exp_time = introspection_result.get("exp")
+            expires_in = max(0, exp_time - int(time.time())) if exp_time else 3600
+            
+            token_data = {
+                "access_token": bearer_token,
+                "expires_in": expires_in
+            }
+            self.set_tokens(token_data)
+            
+            return introspection_result
+            
+        except requests.exceptions.Timeout:
+            raise Exception(f"Introspection request timed out after 30 seconds for domain {self.domain}") from None
+        except requests.exceptions.RequestException as e:
+            raise Exception(f"Introspection request failed for domain {self.domain}: {str(e)}") from e