PyPI - open-shield-python - Versions diffs - 0.2.6__tar.gz → 0.2.7__tar.gz - Mend

open-shield-python 0.2.6tar.gz → 0.2.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

open_shield_python-0.2.7/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,47 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+## [v0.2.7] - 2026-03-06
+### Changed
+- **Documentation**: Restructured README to prioritize architecture diagrams for better impact on PyPI and GitHub.
+## [v0.2.6] - 2026-03-06
+### Added
+- **Architecture Diagram**: High-level architecture image showing how Open Shield SDK sits between identity providers and Python backends.
+- **Sequence Diagram**: Request authentication flow diagram illustrating the step-by-step processing of each incoming request.
+### Changed
+- **Documentation**: Completely overhauled the Architecture section in README with visual diagrams and detailed explanations.
+- **Images**: Organized documentation images into `docs/images/` directory.
+### Project Maintenance
+- **Git Identity Cleaned**: Rewrote entire repository history to unify all commits under the `avinash-singh-io` identity with a verified email.
+- **Collaborator Cleanup**: Pruned legacy collaborator access and stale remote tracking branches.
+- **Release Synchronization**: Synchronized GitHub tags and releases with the new clean history.
+## [v0.2.0] - 2026-02-16
+### Added
+- **Configurable Claim Mapping**: Map any JWT claim to user/tenant/role fields via environment variables — zero code changes when switching providers.
+- **3-Step Tenant Resolution Cascade**: Support for individual users (`sub` fallback), SaaS organizations (org claim), and M2M service accounts (`TenantResolverPort`).
+- **Actor Type Inference**: Automatic detection of `user`, `service`, and `agent` actor types.
+- **Tenant Resolution Metadata**: Every resolved tenant includes traceability (`m2m_lookup`, `claim`, `sub_fallback`).
+- **Optional Authentication**: `get_optional_user_context` dependency for routes that work with or without auth.
+### Changed
+- **Configuration**: Added environment variables for claim mapping (`OPEN_SHIELD_USER_ID_CLAIM`, `OPEN_SHIELD_TENANT_ID_CLAIM`, etc.).
+- **Open Source Readiness**: Added `CODE_OF_CONDUCT.md`, `SECURITY.md`, `CONTRIBUTING.md`, and comprehensive project metadata.
+## [v0.1.0] - 2026-02-12
+### Added
+- **Core Domain**: Implemented `TokenService`, `AuthorizationService`, and core entities (`User`, `Token`).
+- **Adapters**: Added `PyJWTValidator` for token validation and `OIDCDiscoKeyProvider` for JWKS fetching.
+- **FastAPI Integration**: Added `OpenShieldMiddleware` and dependencies (`get_user_context`, `RequireScope`, `RequireRole`).
+- **Configuration**: `Pydantic` based configuration loading from environment variables.
+- **Documentation**: Comprehensive `README.md` and `CONTRIBUTING.md`.
+- **Testing**: Integration tests for adapters and API layer.

{open_shield_python-0.2.6 → open_shield_python-0.2.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: open-shield-python
-Version: 0.2.6
+Version: 0.2.7
 Summary: Vendor-agnostic authentication and authorization enforcement SDK
 Project-URL: Homepage, https://github.com/avinash-singh-io/open-shield-python
 Project-URL: Repository, https://github.com/avinash-singh-io/open-shield-python
@@ -32,6 +32,39 @@ Vendor-agnostic authentication and authorization enforcement SDK for Python.
 Open Shield lets you enforce authentication (AuthN) and authorization (AuthZ) in your Python applications without coupling to a specific identity provider. Works with **Logto**, **Keycloak**, **Auth0**, **Entra ID**, **Cognito**, or any OIDC-compliant provider.
+---
+## Architecture
+Open Shield sits as a **thin, powerful layer** between your identity provider and your Python backend — handling all the complexity of token validation, claim extraction, tenant resolution, and authorization enforcement so you don't have to.
+![How Open Shield Works](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/architecture.png)
+### How It Works
+1. **Any OIDC Identity Provider** (Logto, Auth0, Keycloak, Azure Entra ID, AWS Cognito, or your own) issues a JWT token when a user or service authenticates.
+2. **Open Shield SDK** intercepts the incoming request in your Python application and:
+   - **Validates the token** — verifies the signature using auto-fetched JWKS keys from the provider's OIDC discovery endpoint.
+   - **Maps claims** — extracts user ID, email, tenant, scopes, and roles from the JWT using your configurable claim mapping (every provider names claims differently — Open Shield normalizes them).
+   - **Resolves the tenant** — determines tenant isolation using the 3-step cascade (M2M lookup → org claim → sub fallback).
+   - **Detects actor type** — classifies the caller as `user`, `service`, or `agent`.
+   - **Enforces authorization** — checks scopes and roles before the request reaches your handler.
+3. **Your Python service** receives a clean, verified `UserContext` object — ready to use. No JWT parsing, no OIDC plumbing, no provider-specific code.
+### Request Authentication Flow
+![Request Authentication Flow](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/sequence-flow.png)
+### Why This Matters
+- **Works with any OIDC provider** — Switch from Auth0 to Keycloak? Change two environment variables. Zero code changes.
+- **Works with any Python framework** — First-class FastAPI support today, with Django and Flask coming soon. The core logic is pure Python with no framework dependency.
+- **Built on Clean Architecture** — The domain layer has zero external dependencies. All I/O (JWT decoding, OIDC discovery) happens through abstract ports implemented by swappable adapters.
+- **Easy to test** — Mock the `TokenValidatorPort` for fast unit tests without any HTTP calls.
+- **Easy to extend** — Implement `TenantResolverPort` to wire in your own database for M2M tenant lookups.
+---
 ## Features
 - **Vendor Neutral** — Works with any OIDC-compliant identity provider
@@ -43,6 +76,8 @@ Open Shield lets you enforce authentication (AuthN) and authorization (AuthZ) in
 - **Type Safe** — Fully typed, checked with `mypy`
 - **Automatic JWKS Rotation** — Fetches and caches keys from OIDC discovery
+---
 ## Installation
 ```bash
@@ -262,37 +297,6 @@ ctx.user.actor_type  # "user" | "service" | "agent"
 ---
-## Architecture
-Open Shield sits as a **thin, powerful layer** between your identity provider and your Python backend — handling all the complexity of token validation, claim extraction, tenant resolution, and authorization enforcement so you don't have to.
-![How Open Shield Works](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/architecture.png)
-### How It Works
-1. **Any OIDC Identity Provider** (Logto, Auth0, Keycloak, Azure Entra ID, AWS Cognito, or your own) issues a JWT token when a user or service authenticates.
-2. **Open Shield SDK** intercepts the incoming request in your Python application and:
-   - **Validates the token** — verifies the signature using auto-fetched JWKS keys from the provider's OIDC discovery endpoint.
-   - **Maps claims** — extracts user ID, email, tenant, scopes, and roles from the JWT using your configurable claim mapping (every provider names claims differently — Open Shield normalizes them).
-   - **Resolves the tenant** — determines tenant isolation using the 3-step cascade (M2M lookup → org claim → sub fallback).
-   - **Detects actor type** — classifies the caller as `user`, `service`, or `agent`.
-   - **Enforces authorization** — checks scopes and roles before the request reaches your handler.
-3. **Your Python service** receives a clean, verified `UserContext` object — ready to use. No JWT parsing, no OIDC plumbing, no provider-specific code.
-### Request Authentication Flow
-![Request Authentication Flow](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/sequence-flow.png)
-### Why This Matters
-- **Works with any OIDC provider** — Switch from Auth0 to Keycloak? Change two environment variables. Zero code changes.
-- **Works with any Python framework** — First-class FastAPI support today, with Django and Flask coming soon. The core logic is pure Python with no framework dependency.
-- **Built on Clean Architecture** — The domain layer has zero external dependencies. All I/O (JWT decoding, OIDC discovery) happens through abstract ports implemented by swappable adapters.
-- **Easy to test** — Mock the `TokenValidatorPort` for fast unit tests without any HTTP calls.
-- **Easy to extend** — Implement `TenantResolverPort` to wire in your own database for M2M tenant lookups.
----
 ## Optional Authentication
 For routes that work with or without auth (e.g., public APIs with enhanced features for logged-in users):

{open_shield_python-0.2.6 → open_shield_python-0.2.7}/README.md RENAMED Viewed

@@ -6,6 +6,39 @@ Vendor-agnostic authentication and authorization enforcement SDK for Python.
 Open Shield lets you enforce authentication (AuthN) and authorization (AuthZ) in your Python applications without coupling to a specific identity provider. Works with **Logto**, **Keycloak**, **Auth0**, **Entra ID**, **Cognito**, or any OIDC-compliant provider.
+---
+## Architecture
+Open Shield sits as a **thin, powerful layer** between your identity provider and your Python backend — handling all the complexity of token validation, claim extraction, tenant resolution, and authorization enforcement so you don't have to.
+![How Open Shield Works](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/architecture.png)
+### How It Works
+1. **Any OIDC Identity Provider** (Logto, Auth0, Keycloak, Azure Entra ID, AWS Cognito, or your own) issues a JWT token when a user or service authenticates.
+2. **Open Shield SDK** intercepts the incoming request in your Python application and:
+   - **Validates the token** — verifies the signature using auto-fetched JWKS keys from the provider's OIDC discovery endpoint.
+   - **Maps claims** — extracts user ID, email, tenant, scopes, and roles from the JWT using your configurable claim mapping (every provider names claims differently — Open Shield normalizes them).
+   - **Resolves the tenant** — determines tenant isolation using the 3-step cascade (M2M lookup → org claim → sub fallback).
+   - **Detects actor type** — classifies the caller as `user`, `service`, or `agent`.
+   - **Enforces authorization** — checks scopes and roles before the request reaches your handler.
+3. **Your Python service** receives a clean, verified `UserContext` object — ready to use. No JWT parsing, no OIDC plumbing, no provider-specific code.
+### Request Authentication Flow
+![Request Authentication Flow](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/sequence-flow.png)
+### Why This Matters
+- **Works with any OIDC provider** — Switch from Auth0 to Keycloak? Change two environment variables. Zero code changes.
+- **Works with any Python framework** — First-class FastAPI support today, with Django and Flask coming soon. The core logic is pure Python with no framework dependency.
+- **Built on Clean Architecture** — The domain layer has zero external dependencies. All I/O (JWT decoding, OIDC discovery) happens through abstract ports implemented by swappable adapters.
+- **Easy to test** — Mock the `TokenValidatorPort` for fast unit tests without any HTTP calls.
+- **Easy to extend** — Implement `TenantResolverPort` to wire in your own database for M2M tenant lookups.
+---
 ## Features
 - **Vendor Neutral** — Works with any OIDC-compliant identity provider
@@ -17,6 +50,8 @@ Open Shield lets you enforce authentication (AuthN) and authorization (AuthZ) in
 - **Type Safe** — Fully typed, checked with `mypy`
 - **Automatic JWKS Rotation** — Fetches and caches keys from OIDC discovery
+---
 ## Installation
 ```bash
@@ -236,37 +271,6 @@ ctx.user.actor_type  # "user" | "service" | "agent"
 ---
-## Architecture
-Open Shield sits as a **thin, powerful layer** between your identity provider and your Python backend — handling all the complexity of token validation, claim extraction, tenant resolution, and authorization enforcement so you don't have to.
-![How Open Shield Works](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/architecture.png)
-### How It Works
-1. **Any OIDC Identity Provider** (Logto, Auth0, Keycloak, Azure Entra ID, AWS Cognito, or your own) issues a JWT token when a user or service authenticates.
-2. **Open Shield SDK** intercepts the incoming request in your Python application and:
-   - **Validates the token** — verifies the signature using auto-fetched JWKS keys from the provider's OIDC discovery endpoint.
-   - **Maps claims** — extracts user ID, email, tenant, scopes, and roles from the JWT using your configurable claim mapping (every provider names claims differently — Open Shield normalizes them).
-   - **Resolves the tenant** — determines tenant isolation using the 3-step cascade (M2M lookup → org claim → sub fallback).
-   - **Detects actor type** — classifies the caller as `user`, `service`, or `agent`.
-   - **Enforces authorization** — checks scopes and roles before the request reaches your handler.
-3. **Your Python service** receives a clean, verified `UserContext` object — ready to use. No JWT parsing, no OIDC plumbing, no provider-specific code.
-### Request Authentication Flow
-![Request Authentication Flow](https://raw.githubusercontent.com/avinash-singh-io/open-shield-python/main/docs/images/sequence-flow.png)
-### Why This Matters
-- **Works with any OIDC provider** — Switch from Auth0 to Keycloak? Change two environment variables. Zero code changes.
-- **Works with any Python framework** — First-class FastAPI support today, with Django and Flask coming soon. The core logic is pure Python with no framework dependency.
-- **Built on Clean Architecture** — The domain layer has zero external dependencies. All I/O (JWT decoding, OIDC discovery) happens through abstract ports implemented by swappable adapters.
-- **Easy to test** — Mock the `TokenValidatorPort` for fast unit tests without any HTTP calls.
-- **Easy to extend** — Implement `TenantResolverPort` to wire in your own database for M2M tenant lookups.
----
 ## Optional Authentication
 For routes that work with or without auth (e.g., public APIs with enhanced features for logged-in users):

{open_shield_python-0.2.6 → open_shield_python-0.2.7}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "open-shield-python"
-version = "0.2.6"
+version = "0.2.7"
 description = "Vendor-agnostic authentication and authorization enforcement SDK"
 readme = "README.md"
 requires-python = ">=3.12"

open_shield_python-0.2.6/CHANGELOG.md DELETED Viewed

@@ -1,13 +0,0 @@
-# Changelog
-All notable changes to this project will be documented in this file.
-## [v0.1.0] - 2026-02-12
-### Added
-- **Core Domain**: Implemented `TokenService`, `AuthorizationService`, and core entities (`User`, `Token`).
-- **Adapters**: Added `PyJWTValidator` for token validation and `OIDCDiscoKeyProvider` for JWKS fetching.
-- **FastAPI Integration**: Added `OpenShieldMiddleware` and dependencies (`get_user_context`, `RequireScope`, `RequireRole`).
-- **Configuration**: `Pydantic` based configuration loading from environment variables.
-- **Documentation**: Comprehensive `README.md` and `CONTRIBUTING.md`.
-- **Testing**: Integration tests for adapters and API layer.