pypomes-iam 0.5.7__py3-none-any.whl → 0.5.9__py3-none-any.whl

pypomes_iam/iam_common.py

@@ -1,7 +1,7 @@
 import requests
 import sys
 from datetime import datetime
-from enum import StrEnum
+from enum import StrEnum, auto
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from pypomes_crypto import crypto_jwk_convert
@@ -13,42 +13,107 @@ class IamServer(StrEnum):
     """
     Supported IAM servers.
     """
-    IAM_JUSRBR = "iam-jusbr",
-    IAM_KEYCLOAK = "iam-keycloak"
+    JUSRBR = auto()
+    KEYCLOAK = auto()
 
 
+class IamParam(StrEnum):
+    """
+    Parameters for configuring *IAM* servers.
+    """
+    ADMIN_ID = "admin-id"
+    ADMIN_SECRET = "admin-secret"
+    CLIENT_ID = "client-id"
+    CLIENT_REALM = "client-realm"
+    CLIENT_SECRET = "client-secret"
+    ENDPOINT_CALLBACK = "endpoint-callback"
+    ENDPOINT_LOGIN = "endpoint-login"
+    ENDPOINT_LOGOUT = "endpoint_logout"
+    ENDPOINT_TOKEN = "endpoint-token"
+    ENDPOINT_EXCHANGE = "endpoint-exchange"
+    LOGIN_TIMEOUT = "login-timeout"
+    PK_EXPIRATION = "pk-expiration"
+    PK_LIFETIME = "pk-lifetime"
+    PUBLIC_KEY = "public-key"
+    RECIPIENT_ATTR = "recipient-attr"
+    URL_BASE = "url-base"
+    USERS = "users"
+
+
+class UserParam(StrEnum):
+    """
+    Parameters for handling *IAM* users.
+    """
+    ACCESS_TOKEN = "access-token"
+    REFRESH_TOKEN = "refresh-token"
+    ACCESS_EXPIRATION = "access-expiration"
+    REFRESH_EXPIRATION = "refresh-expiration"
+    # transient attributes
+    LOGIN_EXPIRATION = "login-expiration"
+    LOGIN_ID = "login-id"
+    REDIRECT_URI = "redirect-uri"
+
+
+# The configuration parameters for the IAM servers are specified dynamically dynamically with *iam_setup()*
+# Specifying configuration parameters with environment variables can be done in two ways:
+#
+# 1. for a single *IAM* server, specify the data set
+#       - *<APP_PREFIX>_IAM_SERVER*               (required, one of *jusbr*, *keycloak*)
+#       - *<APP_PREFIX>_IAM_ADMIN_ID*             (optional, needed only if administrative duties are performed)
+#       - *<APP_PREFIX>_IAM_ADMIN_PWD*            (optional, needed only if administrative duties are performed)
+#       - *<APP_PREFIX>_IAM_CLIENT_ID*            (required)
+#       - *<APP_PREFIX>_IAM_CLIENT_REALM*         (required)
+#       - *<APP_PREFIX>_IAM_CLIENT_SECRET*        (required)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_CALLBACK*    (optional)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_LOGIN*       (optional)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_LOGOUT*      (optional)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_TOKEN*       (optional)
+#       - *<APP_PREFIX>_IAM_ENDPOINT_EXCHANGE*    (optional)
+#       - *<APP_PREFIX>_IAM_LOGIN_TIMEOUT*        (optional, defaults to no timeout)
+#       - *<APP_PREFIX>_IAM_PK_LIFETIME*          (optional, defaults to non-terminating lifetime)
+#       - *<APP_PREFIX>_IAM_RECIPIENT_ATTR*       (required)
+#       - *<APP_PREFIX>_IAM_URL_BASE*             (required)
+#
+# 2. for multiple *IAM* servers, specify the data set above for each server,
+#    respectively replacing *IAM* with a name in *IamServer* (currently, *JUSBR* and *KEYCLOAK* are supported).
+#
+# 3. the parameters *PUBLIC_KEY*, *PK_EXPIRATION*, and *USERS* cannot be assigned values,
+#    as they are reserved for internal use
+
 # registry structure:
 # { <IamServer>:
 #    {
 #       "base-url": <str>,
+#       "admin-id": <str>,
+#       "admin-secret": <str>,
 #       "client-id": <str>,
 #       "client-secret": <str>,
+#       "client-realm": <str,
 #       "client-timeout": <int>,
 #       "recipient-attr": <str>,
 #       "public-key": <str>,
 #       "pk-lifetime": <int>,
 #       "pk-expiration": <int>,
-#       "cache": <FIFOCache>
+#       "users": {}
 #    },
 #    ...
 # }
-# data in "cache":
+# data in "users":
 # {
-#    "users": {
-#       "<user-id>": {
-#          "access-token": <str>
-#          "refresh-token": <str>
-#          "access-expiration": <timestamp>,
-#          "refresh-expiration": <timestamp>,
-#          # transient attributes:
-#          "login-expiration": <timestamp>,
-#          "login-id": <str>,
-#          "redirect-uri": <str>
-#       }
-#    },
+#   "<user-id>": {
+#      "access-token": <str>
+#      "refresh-token": <str>
+#      "access-expiration": <timestamp>,
+#      "refresh-expiration": <timestamp>,
+#      # transient attributes
+#      "login-expiration": <timestamp>,
+#      "login-id": <str>,
+#      "redirect-uri": <str>
+#   },
 #   ...
 # }
-_IAM_SERVERS: Final[dict[IamServer, dict[str, Any]]] = {}
+_IAM_SERVERS: Final[dict[IamServer, dict[IamParam, Any]]] = {}
+
 
 # the lock protecting the data in '_IAM_SERVERS'
 # (because it is 'Final' and set at declaration time, it can be accessed through simple imports)
@@ -66,15 +131,15 @@ def _iam_server_from_endpoint(endpoint: str,
     :param logger: optional logger
     :return: the corresponding *IAM* server, or *None* if one could not be obtained
     """
-    # declare the return variable
-    result: IamServer | None
-
-    if endpoint.startswith("jusbr"):
-        result = IamServer.IAM_JUSRBR
-    elif endpoint.startswith("keycloak"):
-        result = IamServer.IAM_KEYCLOAK
-    else:
-        result = None
+    # initialize the return variable
+    result: IamServer | None = None
+
+    for iam_server in _IAM_SERVERS:
+        if endpoint.startswith(iam_server):
+            result = iam_server
+            break
+
+    if not result:
         msg: str = f"Unable to find a IAM server to service endpoint '{endpoint}'"
         if logger:
             logger.error(msg=msg)
@@ -98,8 +163,9 @@ def _iam_server_from_issuer(issuer: str,
     # initialize the return variable
     result: IamServer | None = None
 
-    for iam_server, server_data in _IAM_SERVERS.items():
-        if server_data["base-url"] == issuer:
+    for iam_server, registry in _IAM_SERVERS.items():
+        base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+        if base_url == issuer:
             result = IamServer(iam_server)
             break
 
@@ -161,9 +227,10 @@ def _get_public_key(iam_server: IamServer,
                                                  logger=logger)
     if registry:
         now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-        if now > registry["pk-expiration"]:
+        if now > registry[IamParam.PK_EXPIRATION]:
             # obtain the JWKS (JSON Web Key Set) from the token issuer
-            url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
+            base_url: str = f"{registry[IamParam.URL_BASE]}/realms/{registry[IamParam.CLIENT_REALM]}"
+            url: str = f"{base_url}/protocol/openid-connect/certs"
             if logger:
                 logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
                 logger.debug(msg=f"GET {url}")
@@ -174,9 +241,8 @@ def _get_public_key(iam_server: IamServer,
                     if logger:
                         logger.debug(msg=f"GET success, status {response.status_code}")
                     # select the appropriate JWK
-                    reply: dict[str, Any] = response.json()
+                    reply: dict[str, list[dict[str, str]]] = response.json()
                     jwk: dict[str, str] | None = None
-                    # replay["keys"]: list[dict[str, str]]
                     for key in reply["keys"]:
                         if key.get("use") == "sig":
                             jwk = key
@@ -185,11 +251,11 @@ def _get_public_key(iam_server: IamServer,
                         # convert from 'JWK' to 'PEM' and save it for further use
                         result = crypto_jwk_convert(jwk=jwk,
                                                     fmt="PEM")
-                        registry["public-key"] = result
-                        lifetime: int = registry["pk-lifetime"] or 0
-                        registry["pk-expiration"] = now + lifetime if lifetime else sys.maxsize
+                        registry[IamParam.PUBLIC_KEY] = result
+                        lifetime: int = registry[IamParam.PK_LIFETIME] or 0
+                        registry[IamParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
                         if logger:
-                            logger.debug(f"Public key obtained and saved")
+                            logger.debug("Public key obtained and saved")
                     else:
                         msg = "Signature public key missing from the token issuer's JWKS"
                         if logger:
@@ -212,7 +278,7 @@ def _get_public_key(iam_server: IamServer,
                 if isinstance(errors, list):
                     errors.append(msg)
         else:
-            result = registry["public-key"]
+            result = registry[IamParam.PUBLIC_KEY]
 
     return result
 
@@ -267,10 +333,10 @@ def _get_user_data(iam_server: IamServer,
         result = users.get(user_id)
         if not result:
             result = {
-                "access-token": None,
-                "refresh-token": None,
-                "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-                "refresh-expiration": sys.maxsize
+                UserParam.ACCESS_TOKEN: None,
+                UserParam.REFRESH_TOKEN: None,
+                UserParam.ACCESS_EXPIRATION: int(datetime.now(tz=TZ_LOCAL).timestamp()),
+                UserParam.REFRESH_EXPIRATION: sys.maxsize
             }
             users[user_id] = result
             if logger:
@@ -296,10 +362,10 @@ def _get_iam_registry(iam_server: IamServer,
     result: dict[str, Any] | None
 
     match iam_server:
-        case IamServer.IAM_JUSRBR:
-            result = _IAM_SERVERS[IamServer.IAM_JUSRBR]
-        case IamServer.IAM_KEYCLOAK:
-            result = _IAM_SERVERS[IamServer.IAM_KEYCLOAK]
+        case IamServer.JUSRBR:
+            result = _IAM_SERVERS[IamServer.JUSRBR]
+        case IamServer.KEYCLOAK:
+            result = _IAM_SERVERS[IamServer.KEYCLOAK]
         case _:
             result = None
             msg = f"Unknown IAM server '{iam_server}'"
@@ -315,14 +381,14 @@ def _get_iam_users(iam_server: IamServer,
                    errors: list[str] | None,
                    logger: Logger | None) -> dict[str, dict[str, Any]]:
     """
-    Retrieve the cache storage in *iam_server*'s registry.
+    Retrieve the users data storage in *iam_server*'s registry.
 
     :param iam_server: the reference registered *IAM* server
     :param errors: incidental error messages
     :param logger: optional logger
-    :return: the cache storage in *iam_server*'s registry, or *None* if the server is unknown
+    :return: the users data storage in *iam_server*'s registry, or *None* if the server is unknown
     """
     registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
                                                  errors=errors,
                                                  logger=logger)
-    return registry["cache"]["users"] if registry else None
+    return registry[IamParam.USERS] if registry else None

pypomes_iam/iam_pomes.py

@@ -0,0 +1,156 @@
+from flask import Flask
+from logging import Logger
+from pypomes_core import APP_PREFIX, env_get_int, env_get_str
+from typing import Any
+
+from .iam_common import (
+    _IAM_SERVERS, IamServer, IamParam, _iam_lock
+)
+from .iam_actions import action_token
+from .iam_services import (
+    service_login, service_logout, service_callback, service_exchange, service_token
+)
+
+
+def iam_setup(flask_app: Flask,
+              iam_server: IamServer,
+              base_url: str,
+              client_id: str,
+              client_realm: str,
+              client_secret: str | None,
+              recipient_attribute: str,
+              admin_id: str = None,
+              admin_secret: str = None,
+              login_timeout: int = None,
+              public_key_lifetime: int = None,
+              callback_endpoint: str = None,
+              exchange_endpoint: str = None,
+              login_endpoint: str = None,
+              logout_endpoint: str = None,
+              token_endpoint: str = None) -> None:
+    """
+    Establish the provided parameters for configuring the *IAM* server *iam_server*.
+
+    The parameters *admin_id* and *admin_* are required only if administrative are task are planned.
+    The optional parameter *client_timeout* refers to the maximum time in seconds allowed for the
+    user to login at the *IAM* server's login page, and defaults to no time limit.
+
+    The parameter *client_secret* is required in most requests to the *IAM* server. In the case
+    it is not provided, but *admin_id* and *admin_secret* are, it is obtained from the *IAM* server itself
+    the first time it is needed.
+
+    :param flask_app: the Flask application
+    :param iam_server: identifies the supported *IAM* server (*jusbr* or *keycloak*)
+    :param base_url: base URL to request services
+    :param client_id: the client's identification with the *IAM* server
+    :param client_realm: the client realm
+    :param client_secret: the client's password with the *IAM* server
+    :param recipient_attribute: attribute in the token's payload holding the token's subject
+    :param admin_id: identifies the realm administrator
+    :param admin_secret: password for the realm administrator
+    :param login_timeout: timeout for login authentication (in seconds,defaults to no timeout)
+    :param public_key_lifetime: how long to use *IAM* server's public key, before refreshing it (in seconds)
+    :param callback_endpoint: endpoint for the callback from the front end
+    :param exchange_endpoint: endpoint for requesting token exchange
+    :param login_endpoint: endpoint for redirecting user to the *IAM* server's login page
+    :param logout_endpoint: endpoint for terminating user access
+    :param token_endpoint: endpoint for retrieving authentication token
+    """
+
+    # configure the Keycloak registry
+    with _iam_lock:
+        _IAM_SERVERS[iam_server] = {
+            IamParam.URL_BASE: base_url,
+            IamParam.CLIENT_ID: client_id,
+            IamParam.CLIENT_REALM: client_realm,
+            IamParam.CLIENT_SECRET: client_secret,
+            IamParam.RECIPIENT_ATTR: recipient_attribute,
+            IamParam.ADMIN_ID: admin_id,
+            IamParam.ADMIN_SECRET: admin_secret,
+            IamParam.LOGIN_TIMEOUT: login_timeout,
+            IamParam.PK_LIFETIME: public_key_lifetime,
+            IamParam.PK_EXPIRATION: 0,
+            IamParam.PUBLIC_KEY: None,
+            IamParam.USERS: {}
+        }
+
+    # establish the endpoints
+    if callback_endpoint:
+        flask_app.add_url_rule(rule=callback_endpoint,
+                               endpoint=f"{iam_server}-callback",
+                               view_func=service_callback,
+                               methods=["GET"])
+    if login_endpoint:
+        flask_app.add_url_rule(rule=login_endpoint,
+                               endpoint=f"{iam_server}-login",
+                               view_func=service_login,
+                               methods=["GET"])
+    if logout_endpoint:
+        flask_app.add_url_rule(rule=logout_endpoint,
+                               endpoint=f"{iam_server}-logout",
+                               view_func=service_logout,
+                               methods=["GET"])
+    if token_endpoint:
+        flask_app.add_url_rule(rule=token_endpoint,
+                               endpoint=f"{iam_server}-token",
+                               view_func=service_token,
+                               methods=["GET"])
+    if exchange_endpoint:
+        flask_app.add_url_rule(rule=exchange_endpoint,
+                               endpoint=f"{iam_server}-exchange",
+                               view_func=service_exchange,
+                               methods=["POST"])
+
+
+def iam_get_env_parameters(iam_prefix: str = None) -> dict[str, Any]:
+    """
+    Retrieve the set parameters for a *IAM* server from the environment.
+
+    the parameters are returned ready to be used as a '**kwargs' parameter set in a call to *iam_setup()*,
+    and sorted in the order appropriate to use them instead with a '*args' parameter set.
+
+    :param iam_prefix: the prefix classifying the parameters
+    :return: the sorted parameters classified by *prefix*
+    """
+    return {
+        "url_base": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_URL_BASE"),
+        "client_id": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_ID"),
+        "client_realm": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_REALM"),
+        "client_secret": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_CLIENT_SECRET"),
+        "recipient_attr": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_RECIPIENT_ATTR"),
+        "admin_id": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ADMIN_ID"),
+        "admin_secret": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ADMIN_SECRET"),
+        "login_timeout": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_LOGIN_TIMEOUT"),
+        "public_key_lifetime": env_get_int(key=f"{APP_PREFIX}_{iam_prefix}_PUBLIC_KEY_LIFETIME"),
+        "callback_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_CALLBACK"),
+        "exchange_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_EXCHANGE"),
+        "login_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_LOGIN"),
+        "logout_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}__ENDPOINT_LOGOUT"),
+        "token_endpoint": env_get_str(key=f"{APP_PREFIX}_{iam_prefix}_ENDPOINT_TOKEN")
+    }
+
+
+def iam_get_token(iam_server: IamServer,
+                  user_id: str,
+                  errors: list[str] = None,
+                  logger: Logger = None) -> str:
+    """
+    Retrieve an authentication token for *user_id*.
+
+    :param iam_server: identifies the *IAM* server
+    :param user_id: identifies the user
+    :param errors: incidental errors
+    :param logger: optional logger
+    :return: the uthentication tokem
+    """
+    # declare the return variable
+    result: str
+
+    # retrieve the token
+    args: dict[str, Any] = {"user-id": user_id}
+    with _iam_lock:
+        result = action_token(iam_server=iam_server,
+                              args=args,
+                              errors=errors,
+                              logger=logger)
+    return result

pypomes_iam/iam_services.py

@@ -4,7 +4,7 @@ from logging import Logger
 from typing import Any
 
 from .iam_common import (
-    IamServer, _iam_lock,
+    IamServer, IamParam, _iam_lock,
     _get_iam_registry, _get_public_key,
     _iam_server_from_endpoint, _iam_server_from_issuer
 )
@@ -73,7 +73,7 @@ def __request_validate(request: Request) -> Response:
                                                                      errors=None,
                                                                      logger=__IAM_LOGGER)
                         if registry:
-                            recipient_attr = registry["recipient-attr"]
+                            recipient_attr = registry[IamParam.RECIPIENT_ATTR]
                     public_key: str = _get_public_key(iam_server=iam_server,
                                                       errors=None,
                                                       logger=__IAM_LOGGER)
@@ -90,7 +90,7 @@ def __request_validate(request: Request) -> Response:
             elif __IAM_LOGGER:
                 __IAM_LOGGER.error("; ".join(errors))
         if bad_token and __IAM_LOGGER:
-            __IAM_LOGGER.error(f"authorization refused for token {token}")
+            __IAM_LOGGER.error(f"Authorization refused for token {token}")
 
     # deny the authorization
     if bad_token:
@@ -256,9 +256,9 @@ def service_callback() -> Response:
     else:
         result = jsonify({"user-id": token_data[0],
                           "access-token": token_data[1]})
-    # log the response
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=f"Response {result}, {result.get_data(as_text=True)}")
+        # log the response (the returned data is not logged, as it contains the token)
+        __IAM_LOGGER.debug(msg=f"Response {result}")
 
     return result
 
@@ -317,9 +317,9 @@ def service_token() -> Response:
     else:
         result = jsonify({"user-id": user_id,
                           "access-token": token})
-    # log the response
     if __IAM_LOGGER:
-        __IAM_LOGGER.debug(msg=f"Response {result}, {result.get_data(as_text=True)}")
+        # log the response (the returned data is not logged, as it contains the token)
+        __IAM_LOGGER.debug(msg=f"Response {result}")
 
     return result
 

pypomes_iam/provider_pomes.py

@@ -3,22 +3,42 @@ import requests
 import sys
 from base64 import b64encode
 from datetime import datetime
+from enum import StrEnum
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from threading import Lock
 from typing import Any, Final
 
+
+class ProviderParam(StrEnum):
+    """
+    Parameters for configuring a *JWT* token provider.
+    """
+    URL = "url"
+    USER = "user"
+    PWD = "pwd"
+    CUSTOM_AUTH = "custom-auth"
+    HEADER_DATA = "headers-data"
+    BODY_DATA = "body-data"
+    ACCESS_TOKEN = "access-token"
+    ACCESS_EXPIRATION = "access-expiration"
+    REFRESH_TOKEN = "refresh-token"
+    REFRESH_EXPIRATION = "refresh-expiration"
+
+
 # structure:
 # {
 #    <provider-id>: {
 #      "url": <strl>,
 #      "user": <str>,
 #      "pwd": <str>,
-#      "basic-auth": <bool>,
+#      "custom-auth": <bool>,
 #      "headers-data": <dict[str, str]>,
 #      "body-data": <dict[str, str],
 #      "access-token": <str>,
-#      "access-expiration": <timestamp>
+#      "access-expiration": <timestamp>,
+#      "refresh-token": <str>,
+#      "refresh-expiration": <timestamp>
 #    }
 # }
 _provider_registry: Final[dict[str, dict[str, Any]]] = {}
@@ -58,16 +78,16 @@ def provider_register(provider_id: str,
 
     with _provider_lock:
         _provider_registry[provider_id] = {
-            "url": auth_url,
-            "user": auth_user,
-            "pwd": auth_pwd,
-            "custom-auth": custom_auth,
-            "headers-data": headers_data,
-            "body-data": body_data,
-            "access-token": None,
-            "access-expiration": 0,
-            "refresh-token": None,
-            "refresh-expiration": 0
+            ProviderParam.URL: auth_url,
+            ProviderParam.USER: auth_user,
+            ProviderParam.PWD: auth_pwd,
+            ProviderParam.CUSTOM_AUTH: custom_auth,
+            ProviderParam.HEADER_DATA: headers_data,
+            ProviderParam.BODY_DATA: body_data,
+            ProviderParam.ACCESS_TOKEN: None,
+            ProviderParam.ACCESS_EXPIRATION: 0,
+            ProviderParam.REFRESH_TOKEN: None,
+            ProviderParam.REFRESH_EXPIRATION: 0
         }
 
 
@@ -91,19 +111,19 @@ def provider_get_token(provider_id: str,
         provider: dict[str, Any] = _provider_registry.get(provider_id)
         if provider:
             now: float = datetime.now(tz=TZ_LOCAL).timestamp()
-            if now > provider.get("access-expiration"):
-                user: str = provider.get("user")
-                pwd: str = provider.get("pwd")
-                headers_data: dict[str, str] = provider.get("headers-data") or {}
-                body_data: dict[str, str] = provider.get("body-data") or {}
-                custom_auth: tuple[str, str] = provider.get("custom-auth")
+            if now > provider.get(ProviderParam.ACCESS_EXPIRATION):
+                user: str = provider.get(ProviderParam.USER)
+                pwd: str = provider.get(ProviderParam.PWD)
+                headers_data: dict[str, str] = provider.get(ProviderParam.HEADER_DATA) or {}
+                body_data: dict[str, str] = provider.get(ProviderParam.BODY_DATA) or {}
+                custom_auth: tuple[str, str] = provider.get(ProviderParam.CUSTOM_AUTH)
                 if custom_auth:
                     body_data[custom_auth[0]] = user
                     body_data[custom_auth[1]] = pwd
                 else:
                     enc_bytes: bytes = b64encode(f"{user}:{pwd}".encode())
                     headers_data["Authorization"] = f"Basic {enc_bytes.decode()}"
-                url: str = provider.get("url")
+                url: str = provider.get(ProviderParam.URL)
                 if logger:
                     logger.debug(msg=f"POST {url}, {json.dumps(obj=body_data,
                                                                ensure_ascii=False)}")
@@ -130,14 +150,14 @@ def provider_get_token(provider_id: str,
                         if logger:
                             logger.debug(msg=f"POST success, status {response.status_code}")
                         reply: dict[str, Any] = response.json()
-                        provider["access-token"] = reply.get("access_token")
-                        provider["access-expiration"] = now + int(reply.get("expires_in"))
-                        if reply.get("refresh_token"):
-                            provider["refresh-token"] = reply["refresh_token"]
+                        provider[ProviderParam.ACCESS_TOKEN] = reply.get("access_token")
+                        provider[ProviderParam.ACCESS_EXPIRATION] = now + int(reply.get("expires_in"))
+                        if reply.get(ProviderParam.REFRESH_TOKEN):
+                            provider[ProviderParam.REFRESH_TOKEN] = reply["refresh_token"]
                             if reply.get("refresh_expires_in"):
-                                provider["refresh-expiration"] = now + int(reply.get("refresh_expires_in"))
+                                provider[ProviderParam.REFRESH_EXPIRATION] = now + int(reply.get("refresh_expires_in"))
                             else:
-                                provider["refresh-expiration"] = sys.maxsize
+                                provider[ProviderParam.REFRESH_EXPIRATION] = sys.maxsize
                         if logger:
                             logger.debug(msg=f"POST {url}: status {response.status_code}")
                 except Exception as e:
@@ -154,7 +174,7 @@ def provider_get_token(provider_id: str,
         if logger:
             logger.error(msg=err_msg)
     else:
-        result = provider.get("access-token")
+        result = provider.get(ProviderParam.ACCESS_TOKEN)
 
     return result
 

pypomes_iam/token_pomes.py

@@ -117,8 +117,6 @@ def token_validate(token: str,
             "verify_nbf": False,
             "verify_signature": token_alg in ["RS256", "RS512"] and public_key is not None
         }
-        if issuer:
-            options["require"].append("iss")
         try:
             # raises:
             #   InvalidTokenError: token is invalid

{pypomes_iam-0.5.7.dist-info → pypomes_iam-0.5.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.5.7
+Version: 0.5.9
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

pypomes_iam-0.5.9.dist-info/RECORD

@@ -0,0 +1,11 @@
+pypomes_iam/__init__.py,sha256=_6tSFfjuU-5p6TAMqNLHSL6IQmaJMSYuEW-TG3ybhTI,1044
+pypomes_iam/iam_actions.py,sha256=Bmd8rBg3948Afsg10B6B1ZrFY4wYtbxi55rX4Rlqiyk,39167
+pypomes_iam/iam_common.py,sha256=asgool1T1ja1RKtQP1h71EeG3SJf8UX59NEDisHqLb8,15672
+pypomes_iam/iam_pomes.py,sha256=fSB4KnCVM9HKZ6_LBfud9vtMM4psNQPrP98QDal3l9Y,7342
+pypomes_iam/iam_services.py,sha256=IkCjrKDX1Ix7BiHh-BL3VKz5xogcNC8prXkHyJzQoZ8,15862
+pypomes_iam/provider_pomes.py,sha256=N0nL9_hgHmAjG9JKFoXC33zk8b1ckPG1veu1jTp-2JE,8045
+pypomes_iam/token_pomes.py,sha256=K4nSAotKUoHIE2s3ltc_nVimlNeKS9tnD-IlslkAvkk,6626
+pypomes_iam-0.5.9.dist-info/METADATA,sha256=iTKxygsO09k_vx4DEmbTc7IIkwt1_8Fu9z-YpybSM24,694
+pypomes_iam-0.5.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+pypomes_iam-0.5.9.dist-info/licenses/LICENSE,sha256=YvUELgV8qvXlaYsy9hXG5EW3Bmsrkw-OJmmILZnonAc,1086
+pypomes_iam-0.5.9.dist-info/RECORD,,