oidc-auth-sentry 0.1.0__tar.gz

oidc_auth_sentry-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install
+        run: python -m pip install -e ".[dev]"
+
+      - name: Lint
+        run: ruff check . && ruff format --check .
+
+      - name: Test
+        run: pytest -q
+
+  build-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build and validate
+        run: |
+          python -m pip install --upgrade build twine
+          python -m build
+          python -m twine check dist/*

oidc_auth_sentry-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,49 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Verify tag matches pyproject version
+        run: |
+          TAG="${GITHUB_REF_NAME#v}"
+          PKG=$(python -c "import tomllib;print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+          echo "tag=$TAG pkg=$PKG"
+          test "$TAG" = "$PKG" || { echo "::error::Tag v$TAG != pyproject version $PKG"; exit 1; }
+
+      - name: Build
+        run: |
+          python -m pip install --upgrade build twine
+          python -m build
+          python -m twine check dist/*
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    # OIDC trusted publishing: no API token stored in the repo.
+    # Configure this on PyPI under the project's "Publishing" settings.
+    environment: release
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

oidc_auth_sentry-0.1.0/.gitignore

@@ -0,0 +1,8 @@
+__pycache__/
+*.pyc
+dist/
+build/
+*.egg-info/
+.venv/
+.pytest_cache/
+.DS_Store

oidc_auth_sentry-0.1.0/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+All notable changes to this project are documented here.
+This project adheres to [Semantic Versioning](https://semver.org/).
+
+## [0.1.0] - 2026-06-15
+### Added
+- Generic OpenID Connect SSO provider for self-hosted Sentry, adapted from the
+  built-in Google provider.
+- Issuer (`iss`) and audience (`aud`) validation on the `id_token`.
+- Optional email-domain restriction.
+- `sentry.apps` entry point for automatic provider registration.
+- GitHub Actions CI (lint + test matrix) and tag-triggered release to PyPI via
+  trusted publishing.

oidc_auth_sentry-0.1.0/PKG-INFO

@@ -0,0 +1,207 @@
+Metadata-Version: 2.4
+Name: oidc-auth-sentry
+Version: 0.1.0
+Summary: Generic OpenID Connect SSO provider for self-hosted Sentry (Cognito-ready)
+Author-email: Cristiano <cristiano@linvix.com.br>
+License-Expression: Apache-2.0
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: <4,>=3.11
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Requires-Dist: ruff>=0.10.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# oidc-auth-sentry
+
+Provedor de SSO via **OpenID Connect** para o **Sentry self-hosted**, adaptado
+do provedor Google nativo do Sentry. Testado com **AWS Cognito User Pools**, mas
+funciona com qualquer IdP compatível com OIDC (os endpoints são configuráveis,
+não fixos no código).
+
+- Nome de distribuição (pip): `oidc-auth-sentry`
+- Módulo importável: `oidc`
+- Compatível com Sentry self-hosted (registro automático via entry point `sentry.apps`)
+
+## Como funciona
+
+O Sentry descobre apps instalados pelo entry point `sentry.apps`. Ao iniciar,
+ele chama `oidc.apps.Config.ready()`, que registra o `OIDCProvider` no registro
+de autenticação do Sentry. **Não é preciso editar o código-fonte do Sentry.**
+
+Assim como o provedor Google, o `id_token` (JWT) devolvido pelo endpoint de
+token é decodificado diretamente — sem chamada extra ao `userinfo`. Os claims
+`iss` (issuer) e `aud` (audience) são validados. A assinatura do JWT
+**não** é verificada, pois o token é obtido por TLS direto do endpoint de token
+no passo anterior (mesmo comportamento do provedor Google). Para verificação de
+assinatura via JWKS, veja o comentário em `oidc/views.py`.
+
+---
+
+## Passo a passo
+
+### 1. Criar o App Client no Cognito
+
+1. No console da AWS, abra **Amazon Cognito → User Pools** e selecione seu pool.
+2. Em **App clients**, crie (ou edite) um app client **com client secret**.
+3. Em **Hosted UI / Managed login**, configure:
+   - **Allowed callback URLs**: `https://SEU-SENTRY/auth/sso/`
+     (substitua `SEU-SENTRY` pelo seu `url-prefix`; a barra final é obrigatória)
+   - **OAuth grant types**: `Authorization code grant`
+   - **OpenID Connect scopes**: `openid`, `email`, `profile`
+4. Garanta que o pool tem um **domínio** configurado (Hosted UI), algo como
+   `https://SEU-DOMINIO.auth.SUA-REGIAO.amazoncognito.com`.
+5. Anote: **client id**, **client secret**, o **domínio** do Hosted UI, a
+   **região** e o **User Pool ID**.
+
+Os valores que você vai usar:
+
+| Dado            | Onde encontrar                              | Exemplo                                                        |
+| --------------- | ------------------------------------------- | -------------------------------------------------------------- |
+| `client-id`     | App client                                  | `7exampleabc123`                                               |
+| `client-secret` | App client                                  | `abcd...`                                                      |
+| `authorize-url` | Domínio Hosted UI + `/oauth2/authorize`     | `https://id.linvix.com/oauth2/authorize`                       |
+| `token-url`     | Domínio Hosted UI + `/oauth2/token`         | `https://id.linvix.com/oauth2/token`                           |
+| `issuer`        | `cognito-idp.<regiao>.amazonaws.com/<pool>` | `https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123` |
+
+> Dica: confira o discovery em
+> `https://cognito-idp.<regiao>.amazonaws.com/<pool>/.well-known/openid-configuration`
+> — os campos `authorization_endpoint`, `token_endpoint` e `issuer` confirmam os
+> valores acima.
+
+### 2. Instalar o plugin no Sentry self-hosted
+
+No seu checkout do `getsentry/self-hosted`, adicione o pacote em
+`sentry/requirements.txt`:
+
+```
+oidc-auth-sentry==0.1.0
+```
+
+Se o pacote estiver num índice privado (ex.: AWS CodeArtifact), exporte as
+variáveis de índice antes do build:
+
+```
+PIP_INDEX_URL=https://SEU-INDICE/simple/
+PIP_EXTRA_INDEX_URL=https://pypi.org/simple/
+```
+
+Em seguida rode o instalador, que reconstrói e reinicia os containers:
+
+```
+./install.sh
+```
+
+### 3. Configurar as opções do Sentry
+
+Adicione as cinco opções `auth-oidc.*`. Há duas formas equivalentes.
+
+**Opção A — `sentry/config.yml`:**
+
+```yaml
+auth-oidc.client-id: "7exampleabc123"
+auth-oidc.client-secret: "SEU_CLIENT_SECRET"
+auth-oidc.authorize-url: "https://id.linvix.com/oauth2/authorize"
+auth-oidc.token-url: "https://id.linvix.com/oauth2/token"
+auth-oidc.issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123"
+```
+
+Depois de editar arquivos de configuração, rode `./install.sh` novamente para
+aplicar.
+
+**Opção B — via CLI (sem rebuild):**
+
+```bash
+docker compose run --rm web sentry config set auth-oidc.client-id "7exampleabc123"
+docker compose run --rm web sentry config set auth-oidc.client-secret "SEU_CLIENT_SECRET"
+docker compose run --rm web sentry config set auth-oidc.authorize-url "https://id.linvix.com/oauth2/authorize"
+docker compose run --rm web sentry config set auth-oidc.token-url "https://id.linvix.com/oauth2/token"
+docker compose run --rm web sentry config set auth-oidc.issuer "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123"
+```
+
+### 4. Habilitar o SSO na organização
+
+1. Faça login no Sentry como **owner** da organização.
+2. Vá em **Settings → Auth** (Settings da organização).
+3. O provedor **OIDC** deve aparecer na lista. Clique para configurar.
+4. Conclua o fluxo de login com uma conta do seu User Pool para vincular o SSO.
+5. Opcionalmente, **exija SSO** para toda a organização.
+
+> Atenção: ao exigir SSO, esse passa a ser o único meio de login na sua
+> instância. Garanta que pelo menos uma conta owner consegue autenticar pelo
+> Cognito antes de tornar obrigatório.
+
+### 5. Verificar
+
+- Acesse `https://SEU-SENTRY/auth/login/` e inicie o login pelo provedor OIDC.
+- Você será redirecionado ao Hosted UI do Cognito, autentica, e volta logado.
+- Se algo falhar, veja os logs do container `web`:
+  `docker compose logs -f web | grep sentry.auth.oidc`
+
+---
+
+## Mapeamento de identidade
+
+O provedor lê os seguintes claims do `id_token`:
+
+| Claim                                 | Uso no Sentry                                                |
+| ------------------------------------- | ------------------------------------------------------------ |
+| `sub`                                 | id estável e único do usuário                                |
+| `email`                               | e-mail (e id legado, para casar contas já existentes)        |
+| `name` → `cognito:username` → `email` | nome de exibição (nessa ordem de fallback)                   |
+| `email_verified`                      | repassado ao Sentry                                          |
+| `iss`, `aud`                          | validados (devem casar com `auth-oidc.issuer` e o client id) |
+
+### Restrição opcional por domínio de e-mail
+
+Diferente do provedor Google, não usamos o claim `hd`. Se quiser limitar o
+acesso a um domínio, isso é derivado do e-mail. (Configurável no provider;
+por padrão nenhum domínio é exigido.)
+
+---
+
+## Solução de problemas
+
+| Sintoma                                 | Causa provável                                                                                       |
+| --------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `redirect_uri mismatch` no Cognito      | A callback URL no app client precisa ser exatamente `https://SEU-SENTRY/auth/sso/` (com barra final) |
+| `id_token issuer mismatch`              | `auth-oidc.issuer` não bate com o `iss` do token — confira região e User Pool ID                     |
+| `id_token audience mismatch`            | `auth-oidc.client-id` diferente do app client que gerou o token                                      |
+| Provedor não aparece em Settings → Auth | Pacote não instalado / `./install.sh` não rodou após adicionar ao requirements                       |
+| `Unable to fetch user information`      | Faltou o scope `openid`/`email`, ou o app client não permite o grant `authorization_code`            |
+
+---
+
+## Desenvolvimento
+
+```bash
+pip install -e ".[dev]"
+ruff check .
+ruff format --check .
+pytest -q
+```
+
+Build local e validação do pacote:
+
+```bash
+python -m build
+python -m twine check dist/*
+```
+
+## Release
+
+A versão fica em `pyproject.toml`. Para publicar a `0.1.0`:
+
+```bash
+git tag v0.1.0
+git push origin v0.1.0
+```
+
+A tag dispara o workflow `release.yml`, que valida que a tag bate com a versão,
+builda e publica no índice configurado (PyPI via trusted publishing, ou um
+índice privado). Veja `.github/workflows/release.yml`.

oidc_auth_sentry-0.1.0/README.md

@@ -0,0 +1,188 @@
+# oidc-auth-sentry
+
+Provedor de SSO via **OpenID Connect** para o **Sentry self-hosted**, adaptado
+do provedor Google nativo do Sentry. Testado com **AWS Cognito User Pools**, mas
+funciona com qualquer IdP compatível com OIDC (os endpoints são configuráveis,
+não fixos no código).
+
+- Nome de distribuição (pip): `oidc-auth-sentry`
+- Módulo importável: `oidc`
+- Compatível com Sentry self-hosted (registro automático via entry point `sentry.apps`)
+
+## Como funciona
+
+O Sentry descobre apps instalados pelo entry point `sentry.apps`. Ao iniciar,
+ele chama `oidc.apps.Config.ready()`, que registra o `OIDCProvider` no registro
+de autenticação do Sentry. **Não é preciso editar o código-fonte do Sentry.**
+
+Assim como o provedor Google, o `id_token` (JWT) devolvido pelo endpoint de
+token é decodificado diretamente — sem chamada extra ao `userinfo`. Os claims
+`iss` (issuer) e `aud` (audience) são validados. A assinatura do JWT
+**não** é verificada, pois o token é obtido por TLS direto do endpoint de token
+no passo anterior (mesmo comportamento do provedor Google). Para verificação de
+assinatura via JWKS, veja o comentário em `oidc/views.py`.
+
+---
+
+## Passo a passo
+
+### 1. Criar o App Client no Cognito
+
+1. No console da AWS, abra **Amazon Cognito → User Pools** e selecione seu pool.
+2. Em **App clients**, crie (ou edite) um app client **com client secret**.
+3. Em **Hosted UI / Managed login**, configure:
+   - **Allowed callback URLs**: `https://SEU-SENTRY/auth/sso/`
+     (substitua `SEU-SENTRY` pelo seu `url-prefix`; a barra final é obrigatória)
+   - **OAuth grant types**: `Authorization code grant`
+   - **OpenID Connect scopes**: `openid`, `email`, `profile`
+4. Garanta que o pool tem um **domínio** configurado (Hosted UI), algo como
+   `https://SEU-DOMINIO.auth.SUA-REGIAO.amazoncognito.com`.
+5. Anote: **client id**, **client secret**, o **domínio** do Hosted UI, a
+   **região** e o **User Pool ID**.
+
+Os valores que você vai usar:
+
+| Dado            | Onde encontrar                              | Exemplo                                                        |
+| --------------- | ------------------------------------------- | -------------------------------------------------------------- |
+| `client-id`     | App client                                  | `7exampleabc123`                                               |
+| `client-secret` | App client                                  | `abcd...`                                                      |
+| `authorize-url` | Domínio Hosted UI + `/oauth2/authorize`     | `https://id.linvix.com/oauth2/authorize`                       |
+| `token-url`     | Domínio Hosted UI + `/oauth2/token`         | `https://id.linvix.com/oauth2/token`                           |
+| `issuer`        | `cognito-idp.<regiao>.amazonaws.com/<pool>` | `https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123` |
+
+> Dica: confira o discovery em
+> `https://cognito-idp.<regiao>.amazonaws.com/<pool>/.well-known/openid-configuration`
+> — os campos `authorization_endpoint`, `token_endpoint` e `issuer` confirmam os
+> valores acima.
+
+### 2. Instalar o plugin no Sentry self-hosted
+
+No seu checkout do `getsentry/self-hosted`, adicione o pacote em
+`sentry/requirements.txt`:
+
+```
+oidc-auth-sentry==0.1.0
+```
+
+Se o pacote estiver num índice privado (ex.: AWS CodeArtifact), exporte as
+variáveis de índice antes do build:
+
+```
+PIP_INDEX_URL=https://SEU-INDICE/simple/
+PIP_EXTRA_INDEX_URL=https://pypi.org/simple/
+```
+
+Em seguida rode o instalador, que reconstrói e reinicia os containers:
+
+```
+./install.sh
+```
+
+### 3. Configurar as opções do Sentry
+
+Adicione as cinco opções `auth-oidc.*`. Há duas formas equivalentes.
+
+**Opção A — `sentry/config.yml`:**
+
+```yaml
+auth-oidc.client-id: "7exampleabc123"
+auth-oidc.client-secret: "SEU_CLIENT_SECRET"
+auth-oidc.authorize-url: "https://id.linvix.com/oauth2/authorize"
+auth-oidc.token-url: "https://id.linvix.com/oauth2/token"
+auth-oidc.issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123"
+```
+
+Depois de editar arquivos de configuração, rode `./install.sh` novamente para
+aplicar.
+
+**Opção B — via CLI (sem rebuild):**
+
+```bash
+docker compose run --rm web sentry config set auth-oidc.client-id "7exampleabc123"
+docker compose run --rm web sentry config set auth-oidc.client-secret "SEU_CLIENT_SECRET"
+docker compose run --rm web sentry config set auth-oidc.authorize-url "https://id.linvix.com/oauth2/authorize"
+docker compose run --rm web sentry config set auth-oidc.token-url "https://id.linvix.com/oauth2/token"
+docker compose run --rm web sentry config set auth-oidc.issuer "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123"
+```
+
+### 4. Habilitar o SSO na organização
+
+1. Faça login no Sentry como **owner** da organização.
+2. Vá em **Settings → Auth** (Settings da organização).
+3. O provedor **OIDC** deve aparecer na lista. Clique para configurar.
+4. Conclua o fluxo de login com uma conta do seu User Pool para vincular o SSO.
+5. Opcionalmente, **exija SSO** para toda a organização.
+
+> Atenção: ao exigir SSO, esse passa a ser o único meio de login na sua
+> instância. Garanta que pelo menos uma conta owner consegue autenticar pelo
+> Cognito antes de tornar obrigatório.
+
+### 5. Verificar
+
+- Acesse `https://SEU-SENTRY/auth/login/` e inicie o login pelo provedor OIDC.
+- Você será redirecionado ao Hosted UI do Cognito, autentica, e volta logado.
+- Se algo falhar, veja os logs do container `web`:
+  `docker compose logs -f web | grep sentry.auth.oidc`
+
+---
+
+## Mapeamento de identidade
+
+O provedor lê os seguintes claims do `id_token`:
+
+| Claim                                 | Uso no Sentry                                                |
+| ------------------------------------- | ------------------------------------------------------------ |
+| `sub`                                 | id estável e único do usuário                                |
+| `email`                               | e-mail (e id legado, para casar contas já existentes)        |
+| `name` → `cognito:username` → `email` | nome de exibição (nessa ordem de fallback)                   |
+| `email_verified`                      | repassado ao Sentry                                          |
+| `iss`, `aud`                          | validados (devem casar com `auth-oidc.issuer` e o client id) |
+
+### Restrição opcional por domínio de e-mail
+
+Diferente do provedor Google, não usamos o claim `hd`. Se quiser limitar o
+acesso a um domínio, isso é derivado do e-mail. (Configurável no provider;
+por padrão nenhum domínio é exigido.)
+
+---
+
+## Solução de problemas
+
+| Sintoma                                 | Causa provável                                                                                       |
+| --------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `redirect_uri mismatch` no Cognito      | A callback URL no app client precisa ser exatamente `https://SEU-SENTRY/auth/sso/` (com barra final) |
+| `id_token issuer mismatch`              | `auth-oidc.issuer` não bate com o `iss` do token — confira região e User Pool ID                     |
+| `id_token audience mismatch`            | `auth-oidc.client-id` diferente do app client que gerou o token                                      |
+| Provedor não aparece em Settings → Auth | Pacote não instalado / `./install.sh` não rodou após adicionar ao requirements                       |
+| `Unable to fetch user information`      | Faltou o scope `openid`/`email`, ou o app client não permite o grant `authorization_code`            |
+
+---
+
+## Desenvolvimento
+
+```bash
+pip install -e ".[dev]"
+ruff check .
+ruff format --check .
+pytest -q
+```
+
+Build local e validação do pacote:
+
+```bash
+python -m build
+python -m twine check dist/*
+```
+
+## Release
+
+A versão fica em `pyproject.toml`. Para publicar a `0.1.0`:
+
+```bash
+git tag v0.1.0
+git push origin v0.1.0
+```
+
+A tag dispara o workflow `release.yml`, que valida que a tag bate com a versão,
+builda e publica no índice configurado (PyPI via trusted publishing, ou um
+índice privado). Veja `.github/workflows/release.yml`.

oidc_auth_sentry-0.1.0/oidc/__init__.py

@@ -0,0 +1,2 @@
+# OIDC auth provider for Sentry. Registration happens in apps.py via the
+# "sentry.apps" entry point (see pyproject.toml).

oidc_auth_sentry-0.1.0/oidc/apps.py

@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+from django.apps import AppConfig
+
+
+class Config(AppConfig):
+    name = "oidc"
+
+    def ready(self) -> None:
+        from sentry.auth import register
+
+        from .provider import OIDCProvider
+
+        register(OIDCProvider)

oidc_auth_sentry-0.1.0/oidc/constants.py

@@ -0,0 +1,52 @@
+from sentry import options
+
+# ---------------------------------------------------------------------------
+# Adapted from sentry/auth/providers/google/constants.py
+#
+# Google hardcodes its OAuth2 endpoints. For a generic OIDC provider (e.g. AWS
+# Cognito) we read them from Sentry options so the same code works against any
+# issuer. Populate these from your IdP's discovery document:
+#   https://<issuer>/.well-known/openid-configuration
+#
+# For a Cognito User Pool the issuer is:
+#   https://cognito-idp.<region>.amazonaws.com/<user_pool_id>
+# and the OAuth endpoints live under your Hosted UI domain:
+#   https://<your-domain>.auth.<region>.amazoncognito.com
+# ---------------------------------------------------------------------------
+
+
+def get_authorize_url() -> str:
+    # Cognito: https://<domain>/oauth2/authorize
+    return options.get("auth-oidc.authorize-url")
+
+
+def get_access_token_url() -> str:
+    # Cognito: https://<domain>/oauth2/token
+    return options.get("auth-oidc.token-url")
+
+
+def get_issuer() -> str:
+    # Cognito: https://cognito-idp.<region>.amazonaws.com/<user_pool_id>
+    # Used to validate the `iss` claim on the id_token.
+    return options.get("auth-oidc.issuer")
+
+
+# Human-readable provider name shown in the Sentry SSO UI.
+PROVIDER_NAME = "OIDC"
+
+# OIDC requires the `openid` scope; `email`/`profile` give us identity claims.
+SCOPE = "openid email profile"
+
+ERR_INVALID_DOMAIN = (
+    "The domain for your account (%s) is not allowed to authenticate with this provider."
+)
+
+ERR_INVALID_RESPONSE = (
+    "Unable to fetch user information from the OIDC provider. Please check the log."
+)
+
+ERR_INVALID_ISSUER = "The id_token was issued by an unexpected issuer (%s)."
+
+ERR_INVALID_AUDIENCE = "The id_token audience does not match this client."
+
+DATA_VERSION = "1"

oidc_auth_sentry-0.1.0/oidc/provider.py

@@ -0,0 +1,118 @@
+from __future__ import annotations
+
+from collections.abc import Mapping
+from typing import Any
+
+from sentry import options
+from sentry.auth.provider import MigratingIdentityId
+from sentry.auth.providers.oauth2 import OAuth2Callback, OAuth2Login, OAuth2Provider
+from sentry.auth.view import AuthView
+
+from .constants import (
+    DATA_VERSION,
+    PROVIDER_NAME,
+    SCOPE,
+    get_access_token_url,
+    get_authorize_url,
+)
+from .views import FetchUser
+
+
+class OIDCLogin(OAuth2Login):
+    scope = SCOPE
+
+    def __init__(self, client_id: str, domains: list[str] | None = None) -> None:
+        self.domains = domains
+        super().__init__(authorize_url=get_authorize_url(), client_id=client_id, scope=SCOPE)
+
+    def get_authorize_params(self, state: str, redirect_uri: str) -> dict[str, str | None]:
+        params = super().get_authorize_params(state, redirect_uri)
+        # Google forced `approval_prompt`/`access_type=offline` here; those are
+        # Google-specific. For generic OIDC we ask for a refresh token via the
+        # standard `prompt`/`access_type` only if your IdP honors them. Cognito
+        # issues refresh tokens automatically when the `openid` scope is granted
+        # and the app client allows the refresh token grant, so we leave the
+        # base params untouched.
+        return params
+
+
+class OIDCProvider(OAuth2Provider):
+    name = PROVIDER_NAME
+    key = "oidc"
+
+    def __init__(
+        self,
+        domain: str | None = None,
+        domains: list[str] | None = None,
+        version: str | None = None,
+        **config: Any,
+    ) -> None:
+        if domain:
+            if domains:
+                domains.append(domain)
+            else:
+                domains = [domain]
+        self.domains = domains
+        version = DATA_VERSION if domains is None else None
+        self.version = version
+        super().__init__(**config)
+
+    def get_client_id(self) -> str:
+        return options.get("auth-oidc.client-id")
+
+    def get_client_secret(self) -> str:
+        return options.get("auth-oidc.client-secret")
+
+    def get_auth_pipeline(self) -> list[AuthView]:
+        return [
+            OIDCLogin(domains=self.domains, client_id=self.get_client_id()),
+            OAuth2Callback(
+                access_token_url=get_access_token_url(),
+                client_id=self.get_client_id(),
+                client_secret=self.get_client_secret(),
+            ),
+            FetchUser(
+                client_id=self.get_client_id(),
+                domains=self.domains,
+                version=self.version,
+            ),
+        ]
+
+    def get_refresh_token_url(self) -> str:
+        return get_access_token_url()
+
+    def build_config(self, state: Mapping[str, Any]) -> dict[str, Any]:
+        # `state` won't carry a Google-style `domain`; persist whatever domain
+        # restriction (if any) was configured on this provider.
+        return {"domains": self.domains or [], "version": DATA_VERSION}
+
+    def build_identity(self, state: Mapping[str, Any]) -> Mapping[str, Any]:
+        # Cognito id_token claims look like:
+        #   {
+        #     "sub": "a1b2c3d4-...",          # stable, unique user id
+        #     "iss": "https://cognito-idp.<region>.amazonaws.com/<pool>",
+        #     "aud": "<app client id>",
+        #     "email": "user@linvix.com",
+        #     "email_verified": true,
+        #     "cognito:username": "...",
+        #     "name": "Full Name",            # present if the attribute is set
+        #     ...
+        #   }
+        data = state["data"]
+        user_data = state["user"]
+
+        # Mirror Google's migration strategy: use the stable `sub` as the id,
+        # keeping email as the legacy id so existing accounts are matched.
+        user_id = MigratingIdentityId(id=user_data["sub"], legacy_id=user_data["email"])
+
+        # Prefer a real display name; fall back to email if the IdP doesn't
+        # send one.
+        name = user_data.get("name") or user_data.get("cognito:username") or user_data["email"]
+
+        return {
+            "id": user_id,
+            "email": user_data["email"],
+            "name": name,
+            "data": self.get_oauth_data(data),
+            "email_verified": user_data.get("email_verified", False),
+        }

oidc_auth_sentry-0.1.0/oidc/views.py

@@ -0,0 +1,110 @@
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+import orjson
+from django.http import HttpRequest
+from django.http.response import HttpResponseBase
+from sentry.auth.helper import AuthHelper
+from sentry.auth.view import AuthView
+from sentry.utils.signing import urlsafe_b64decode
+
+from .constants import (
+    ERR_INVALID_AUDIENCE,
+    ERR_INVALID_DOMAIN,
+    ERR_INVALID_ISSUER,
+    ERR_INVALID_RESPONSE,
+    get_issuer,
+)
+
+logger = logging.getLogger("sentry.auth.oidc")
+
+
+class FetchUser(AuthView):
+    """
+    Adapted from the Google provider's FetchUser.
+
+    Like Google, we decode the `id_token` JWT returned by the token endpoint
+    instead of making a separate userinfo call -- Cognito (and any compliant
+    OIDC provider) returns the identity claims directly in the id_token.
+
+    Differences vs Google:
+      * No reliance on the Google-specific `hd` (hosted domain) claim. Domain
+        restriction, if any, is derived from the email address.
+      * We validate the `iss` (issuer) and `aud` (audience/client_id) claims,
+        which OIDC requires and Google's implementation skipped.
+    """
+
+    def __init__(
+        self,
+        client_id: str,
+        domains: list[str] | None,
+        version: str | None,
+        *args: Any,
+        **kwargs: Any,
+    ) -> None:
+        self.client_id = client_id
+        self.domains = domains
+        self.version = version
+        super().__init__(*args, **kwargs)
+
+    def dispatch(self, request: HttpRequest, pipeline: AuthHelper) -> HttpResponseBase:
+        data: dict[str, Any] | None = pipeline.fetch_state("data")
+        assert data is not None
+
+        try:
+            id_token = data["id_token"]
+        except KeyError:
+            logger.exception("Missing id_token in OAuth response: %s", data)
+            return pipeline.error(ERR_INVALID_RESPONSE)
+
+        try:
+            _, payload_b, _ = map(urlsafe_b64decode, id_token.split(".", 2))
+        except Exception as exc:
+            logger.exception("Unable to decode id_token: %s", exc)
+            return pipeline.error(ERR_INVALID_RESPONSE)
+
+        try:
+            payload: dict[str, Any] = orjson.loads(payload_b)
+        except Exception as exc:
+            logger.exception("Unable to decode id_token payload: %s", exc)
+            return pipeline.error(ERR_INVALID_RESPONSE)
+
+        # --- OIDC validation that Google's provider did not do -------------
+        # Note: signature verification is intentionally omitted here to mirror
+        # the upstream Google provider, which trusts the id_token because it
+        # was just retrieved over TLS directly from the token endpoint in the
+        # immediately preceding step. If you want full JWKS signature checks,
+        # fetch jwks_uri from discovery and verify before trusting claims.
+        issuer = get_issuer()
+        if issuer and payload.get("iss") != issuer:
+            logger.error("id_token issuer mismatch: %s", payload.get("iss"))
+            return pipeline.error(ERR_INVALID_ISSUER % (payload.get("iss"),))
+
+        aud = payload.get("aud")
+        # `aud` may be a string or a list per the OIDC spec.
+        aud_values = aud if isinstance(aud, list) else [aud]
+        if self.client_id not in aud_values:
+            logger.error("id_token audience mismatch: %s", aud)
+            return pipeline.error(ERR_INVALID_AUDIENCE)
+        # -------------------------------------------------------------------
+
+        if not payload.get("email"):
+            logger.error("Missing email in id_token payload: %s", id_token)
+            return pipeline.error(ERR_INVALID_RESPONSE)
+
+        # Optional restriction by email domain. Unlike Google we have no `hd`
+        # claim, so we derive the domain from the email address itself.
+        if self.domains:
+            domain = extract_domain(payload["email"])
+            if domain not in self.domains:
+                return pipeline.error(ERR_INVALID_DOMAIN % (domain,))
+
+        pipeline.bind_state("user", payload)
+
+        return pipeline.next_step()
+
+
+def extract_domain(email: str) -> str:
+    return email.rsplit("@", 1)[-1]

oidc_auth_sentry-0.1.0/pyproject.toml

@@ -0,0 +1,44 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "oidc-auth-sentry"
+version = "0.1.0"
+description = "Generic OpenID Connect SSO provider for self-hosted Sentry (Cognito-ready)"
+authors = [{ name = "Cristiano", email = "cristiano@linvix.com.br" }]
+requires-python = ">=3.11,<4"
+readme = "README.md"
+license = "Apache-2.0"
+classifiers = [
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+]
+# No install_requires: `sentry` itself is provided by the host image at runtime.
+dependencies = []
+
+# This is the magic line: Sentry discovers installed apps through this entry
+# point group and calls each AppConfig.ready(), which registers the provider.
+[project.entry-points."sentry.apps"]
+oidc = "oidc.apps.Config"
+
+[project.optional-dependencies]
+dev = ["ruff>=0.10.0", "pytest>=8.0.0"]
+
+[tool.hatch.build.targets.wheel]
+packages = ["oidc"]
+
+[tool.ruff]
+line-length = 100
+
+[tool.ruff.lint]
+extend-ignore = ["E402", "E501"]
+select = ["E", "F", "UP", "B", "SIM", "I"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

oidc_auth_sentry-0.1.0/tests/test_oidc_logic.py

@@ -0,0 +1,79 @@
+"""
+Standalone tests that don't require the Sentry runtime. They exercise the
+pure logic (JWT decode, issuer/audience checks, identity mapping) by importing
+the small helpers directly. The full pipeline is exercised in a live Sentry
+instance; CI here just guards the parts that have no Sentry dependency.
+"""
+
+import base64
+import json
+
+
+def b64(d: dict) -> str:
+    return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
+
+
+def urlsafe_b64decode(s: str) -> bytes:
+    b = s.encode()
+    return base64.urlsafe_b64decode(b + b"=" * (-len(b) % 4))
+
+
+REGION = "us-east-1"
+POOL = "us-east-1_ABC123"
+CLIENT = "7exampleclientid"
+ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL}"
+
+
+def make_id_token(**overrides) -> str:
+    payload = {
+        "sub": "a1b2c3d4-1111-2222-3333-444455556666",
+        "iss": ISSUER,
+        "aud": CLIENT,
+        "email": "cristiano@linvix.com",
+        "email_verified": True,
+        "cognito:username": "cristiano",
+        "name": "Cristiano",
+    }
+    payload.update(overrides)
+    sig = base64.urlsafe_b64encode(b"sig").rstrip(b"=").decode()
+    return f"{b64({'alg': 'RS256'})}.{b64(payload)}.{sig}"
+
+
+def decode_payload(id_token: str) -> dict:
+    _, payload_b, _ = map(urlsafe_b64decode, id_token.split(".", 2))
+    return json.loads(payload_b)
+
+
+def test_valid_token_decodes():
+    p = decode_payload(make_id_token())
+    assert p["iss"] == ISSUER
+    aud = p["aud"]
+    assert CLIENT in (aud if isinstance(aud, list) else [aud])
+    assert p["email"] == "cristiano@linvix.com"
+
+
+def test_audience_as_list():
+    p = decode_payload(make_id_token(aud=[CLIENT, "other"]))
+    assert CLIENT in p["aud"]
+
+
+def test_name_fallback_chain():
+    # name present
+    p = decode_payload(make_id_token())
+    name = p.get("name") or p.get("cognito:username") or p["email"]
+    assert name == "Cristiano"
+    # name absent -> cognito:username
+    p = decode_payload(make_id_token(name=None))
+    name = p.get("name") or p.get("cognito:username") or p["email"]
+    assert name == "cristiano"
+
+
+def test_issuer_mismatch_detectable():
+    p = decode_payload(make_id_token(iss="https://evil.example"))
+    assert p["iss"] != ISSUER
+
+
+def test_audience_mismatch_detectable():
+    p = decode_payload(make_id_token(aud="someone-else"))
+    aud = p["aud"]
+    assert CLIENT not in (aud if isinstance(aud, list) else [aud])