usso 0.27.21__py3-none-any.whl → 0.28.0__py3-none-any.whl

usso/session/async_session.py

@@ -36,7 +36,11 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         """
         Helper function to prepare headers and parameters for refresh requests.
         """
-        headers = {"x-api-key": self.usso_api_key} if self.usso_api_key else {}
+        headers = (
+            {"x-api-key": self.usso_admin_api_key}
+            if self.usso_admin_api_key
+            else {}
+        )
         params = {"user_id": self.user_id} if self.user_id else {}
         return headers, params
 
@@ -49,17 +53,19 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         self.access_token = data.get("access_token")
         self._refresh_token = data.get("token", {}).get("refresh_token")
         if self.access_token:
-            self.headers.update({"Authorization": f"Bearer {self.access_token}"})
+            self.headers.update({
+                "Authorization": f"Bearer {self.access_token}"
+            })
         return data
 
     def _refresh_sync(self) -> dict:
-        assert (
-            self.refresh_token or self.usso_api_key
-        ), "refresh_token or usso_api_key is required"
+        assert self.refresh_token or self.usso_admin_api_key, (
+            "refresh_token or usso_api_key is required"
+        )
 
         headers, params = self._prepare_refresh_request()
 
-        if self.usso_api_key and not self.refresh_token:
+        if self.usso_admin_api_key and not self.refresh_token:
             response = httpx.get(
                 f"{self.usso_refresh_url}/api", headers=headers, params=params
             )
@@ -71,13 +77,13 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         return self._handle_refresh_response(response)
 
     async def _refresh(self) -> dict:
-        assert (
-            self.refresh_token or self.usso_api_key
-        ), "refresh_token or usso_api_key is required"
+        assert self.refresh_token or self.usso_admin_api_key, (
+            "refresh_token or usso_api_key is required"
+        )
 
         headers, params = self._prepare_refresh_request()
 
-        if self.usso_api_key and not self.refresh_token:
+        if self.usso_admin_api_key and not self.refresh_token:
             response = await self.get(
                 f"{self.usso_refresh_url}/api", headers=headers, params=params
             )

usso/session/base_session.py

@@ -1,95 +1,77 @@
 import os
-from urllib.parse import urlparse
-
-from usso.core import is_expired
-from typing import Optional, Any, Callable
-import inspect
+from typing import Optional
 
+from usso_jwt.schemas import JWT, JWTConfig
 
 
 class BaseUssoSession:
-
     def __init__(
         self,
-        api_key: str | None = None,
         *,
-        usso_base_url: str | None = None,
-        usso_refresh_url: str | None = None,
+        api_key: str | None = None,
         refresh_token: str | None = None,
         app_id: str | None = None,
         app_secret: str | None = None,
-        access_token: str | None = None,
-        usso_admin_api_key: str | None = None,
-        user_id: str | None = None,
+        usso_url: str = "https://sso.usso.io",
         client: Optional["BaseUssoSession"] = None,
-        **kwargs,
     ):
         if client:
             self.copy_attributes_from(client)
             return
 
-        if not (api_key or usso_base_url or usso_refresh_url):
-            if os.getenv("USSO_API_KEY"):
-                api_key = os.getenv("USSO_API_KEY")
-            elif os.getenv("USSO_URL"):
-                usso_base_url = os.getenv("USSO_URL")
-            elif os.getenv("USSO_REFRESH_URL"):
-                usso_refresh_url = os.getenv("USSO_REFRESH_URL")
-            else:
-                raise ValueError(
-                    "one of api_key, usso_base_url or usso_refresh_url is required"
-                )
+        if not api_key and os.getenv("USSO_API_KEY"):
+            api_key = os.getenv("USSO_API_KEY")
 
-        if not (
-            api_key
-            or refresh_token
-            or usso_admin_api_key
-            or (app_id and app_secret)
-            or access_token
-        ):
+        if not (api_key or refresh_token or (app_id and app_secret)):
             if os.getenv("USSO_REFRESH_TOKEN"):
                 refresh_token = os.getenv("USSO_REFRESH_TOKEN")
-            elif os.getenv("USSO_ADMIN_API_KEY"):
-                usso_admin_api_key = os.getenv("USSO_ADMIN_API_KEY")
             elif os.getenv("USSO_APP_ID") and os.getenv("USSO_APP_SECRET"):
                 app_id = os.getenv("USSO_APP_ID")
                 app_secret = os.getenv("USSO_APP_SECRET")
             else:
                 raise ValueError(
-                    "one of api_key, refresh_token, usso_admin_api_key, app_id and app_secret or access_token is required"
+                    "one of api_key, refresh_token, usso_admin_api_key, "
+                    "app_id and app_secret or access_token is required"
                 )
 
         if api_key:
             self.api_key = api_key
+            self.headers = self.headers or {}
             self.headers.update({"x-api-key": api_key})
+        else:
+            self.api_key = None
 
-        if not usso_base_url:
-            url_parts = urlparse(usso_refresh_url)
-            usso_base_url = f"{url_parts.scheme}://{url_parts.netloc}"
-        elif usso_base_url.endswith("/"):
-            usso_base_url = usso_base_url[:-1]
+        if usso_url.endswith("/"):
+            usso_url = usso_url[:-1]
+
+        self.usso_url = usso_url
+        self.usso_refresh_url = f"{usso_url}/auth/refresh"
+        self._refresh_token = JWT(
+            token=refresh_token,
+            config=JWTConfig(jwk_url=f"{self.usso_url}/website/jwks.json"),
+        )
 
-        self.usso_base_url = usso_base_url
-        self.usso_refresh_url = usso_refresh_url or f"{usso_base_url}/auth/refresh"
-        self._refresh_token = refresh_token
         self.access_token = None
-        self.usso_admin_api_key = usso_admin_api_key
-        self.user_id = user_id
         self.headers = getattr(self, "headers", {})
 
     def copy_attributes_from(self, client: "BaseUssoSession"):
-        self.usso_base_url = client.usso_base_url
+        self.usso_url = client.usso_url
         self.usso_refresh_url = client.usso_refresh_url
         self._refresh_token = client._refresh_token
         self.access_token = client.access_token
         self.api_key = client.api_key
         self.usso_admin_api_key = client.usso_admin_api_key
-        self.user_id = client.user_id
         self.headers = client.headers.copy()
 
     @property
     def refresh_token(self):
-        if self._refresh_token and is_expired(self._refresh_token):
+        if (
+            self._refresh_token
+            and self._refresh_token.verify(  # noqa: W503
+                expected_acr="refresh",
+            )
+            and self._refresh_token.is_temporally_valid()  # noqa: W503
+        ):
             self._refresh_token = None
 
         return self._refresh_token

usso/session/session.py

@@ -1,66 +1,40 @@
 import os
-import inspect
-from typing import Callable, Any
+
 import httpx
 
 from usso.core import is_expired
 
 from .base_session import BaseUssoSession
 
-class UssoSession(httpx.Client, BaseUssoSession):
 
+class UssoSession(httpx.Client, BaseUssoSession):
     def __init__(
         self,
         *,
-        usso_base_url: str | None = os.getenv("USSO_URL"),
         api_key: str | None = os.getenv("USSO_API_KEY"),
-        usso_refresh_url: str | None = os.getenv("USSO_REFRESH_URL"),
         refresh_token: str | None = os.getenv("USSO_REFRESH_TOKEN"),
-        usso_api_key: str | None = os.getenv("USSO_ADMIN_API_KEY"),
-        user_id: str | None = None,
+        usso_url: str | None = os.getenv("USSO_URL"),
         client: "UssoSession" = None,
         **kwargs,
     ):
-
-        # httpx_kwargs = _filter_kwargs(kwargs, httpx.Client.__init__)
-
-        httpx.Client.__init__(self) #, **httpx_kwargs)
+        httpx.Client.__init__(self, **kwargs)
 
         BaseUssoSession.__init__(
             self,
-            usso_base_url=usso_base_url,
             api_key=api_key,
-            usso_refresh_url=usso_refresh_url,
             refresh_token=refresh_token,
-            usso_api_key=usso_api_key,
-            user_id=user_id,
+            usso_url=usso_url,
             client=client,
         )
-        if not hasattr(self, "api_key") or not self.api_key:
+        if not self.api_key:
             self._refresh()
 
-    def _refresh_api(self):
-        assert self.usso_api_key, "usso_api_key is required"
-        params = {"user_id": self.user_id} if self.user_id else {}
-        response = httpx.get(
-            f"{self.usso_refresh_url}/api",
-            headers={"x-api-key": self.usso_api_key},
-            params=params,
-        )
-        response.raise_for_status()
-        data: dict = response.json()
-        self._refresh_token = data.get("token", {}).get("refresh_token")
-
     def _refresh(self):
-        assert (
-            self.refresh_token or self.usso_api_key
-        ), "refresh_token or usso_api_key is required"
-
-        if self.usso_api_key and not self.refresh_token:
-            self._refresh_api()
+        assert self.refresh_token, "refresh_token is required"
 
         response = httpx.post(
-            self.usso_refresh_url, json={"refresh_token": f"{self.refresh_token}"}
+            self.usso_refresh_url,
+            json={"refresh_token": f"{self.refresh_token}"},
         )
         response.raise_for_status()
         self.access_token = response.json().get("access_token")
@@ -68,7 +42,7 @@ class UssoSession(httpx.Client, BaseUssoSession):
         return response.json()
 
     def get_session(self):
-        if hasattr(self, "api_key") and self.api_key:
+        if self.api_key:
             return self
 
         if not self.access_token or is_expired(self.access_token):

usso/utils/method_utils.py

@@ -0,0 +1,12 @@
+class instance_method:
+    def __init__(self, func):
+        self.func = func
+
+    def __get__(self, instance, owner):
+        def wrapper(*args, **kwargs):
+            if instance is not None:
+                return self.func(instance, *args, **kwargs)
+            else:
+                return self.func(owner(), *args, **kwargs)
+
+        return wrapper

usso/utils/string_utils.py

@@ -0,0 +1,7 @@
+def get_authorization_scheme_param(
+    authorization_header_value: str | None,
+) -> tuple[str, str]:
+    if not authorization_header_value:
+        return "", ""
+    scheme, _, param = authorization_header_value.partition(" ")
+    return scheme, param

usso-0.28.0.dist-info/METADATA

@@ -0,0 +1,172 @@
+Metadata-Version: 2.4
+Name: usso
+Version: 0.28.0
+Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
+Author-email: Mahdi Kiani <mahdikiany@gmail.com>
+Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/ussoio/usso-python
+Project-URL: Bug Reports, https://github.com/ussoio/usso-python/issues
+Project-URL: Funding, https://github.com/ussoio/usso-python
+Project-URL: Say Thanks!, https://saythanks.io/to/mahdikiani
+Project-URL: Source, https://github.com/ussoio/usso-python
+Keywords: usso,sso,authentication,security,fastapi,django
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Software Development :: Build Tools
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3 :: Only
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE.txt
+Requires-Dist: pydantic>=2
+Requires-Dist: cryptography>=43.0.0
+Requires-Dist: cachetools
+Requires-Dist: singleton_package
+Requires-Dist: json-advanced
+Requires-Dist: httpx
+Requires-Dist: usso-jwt>=0.1.0
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.65.0; extra == "fastapi"
+Requires-Dist: uvicorn[standard]>=0.13.0; extra == "fastapi"
+Provides-Extra: django
+Requires-Dist: Django>=3.2; extra == "django"
+Provides-Extra: dev
+Requires-Dist: check-manifest; extra == "dev"
+Provides-Extra: test
+Requires-Dist: coverage; extra == "test"
+Provides-Extra: all
+Requires-Dist: fastapi; extra == "all"
+Requires-Dist: uvicorn; extra == "all"
+Requires-Dist: django; extra == "all"
+Requires-Dist: dev; extra == "all"
+Requires-Dist: test; extra == "all"
+Dynamic: license-file
+
+# 🛡️ USSO Python Client SDK
+
+The **USSO Python Client SDK** (`usso`) provides a universal, secure JWT authentication layer for Python microservices and web frameworks.  
+It’s designed to integrate seamlessly with the [USSO Identity Platform](https://github.com/ussoio/usso) — or any standards-compliant token issuer.
+
+---
+
+## 🔗 Relationship to the USSO Platform
+
+This SDK is the official verification client for the **USSO** identity service, which provides multi-tenant authentication, RBAC, token flows, and more.  
+You can use the SDK with:
+- Self-hosted USSO via Docker
+- Any identity provider that issues signed JWTs (with proper config)
+
+---
+
+## ✨ Features
+
+- ✅ **Token verification** for EdDSA, RS256, HS256, and more
+- ✅ **Claim validation** (`exp`, `nbf`, `aud`, `iss`)
+- ✅ **Remote JWK support** for key rotation
+- ✅ **Typed payload parsing** via `UserData` (Pydantic)
+- ✅ **Token extraction** from:
+  - `Authorization` header
+  - Cookies
+  - Custom headers
+- ✅ **FastAPI integration** with dependency injection
+- ✅ **Django middleware** for request-based user resolution
+- 🧪 90% tested with `pytest` and `tox`
+
+---
+
+## 📦 Installation
+
+```bash
+pip install usso
+````
+
+With framework extras:
+
+```bash
+pip install "usso[fastapi]"     # for FastAPI integration
+pip install "usso[django]"      # for Django integration
+```
+
+---
+
+## 🚀 Quick Start (FastAPI)
+
+```python
+from usso.fastapi.integration import get_authenticator
+from usso.schemas import JWTConfig, JWTHeaderConfig, UserData
+from usso.jwt.enums import Algorithm
+
+config = JWTConfig(
+    key="your-ed25519-public-key",
+    issuer="https://sso.example.com",
+    audience="api.example.com",
+    type=Algorithm.EdDSA,
+    header=JWTHeaderConfig(type="Authorization")
+)
+
+authenticator = get_authenticator(config)
+
+@app.get("/me")
+def get_me(user: UserData = Depends(authenticator)):
+    return {"user_id": user.sub, "roles": user.roles}
+```
+
+---
+
+## 🧱 Project Structure
+
+```
+src/usso/
+├── fastapi/            # FastAPI adapter
+├── django/             # Django middleware
+├── jwt/                # Core JWT logic and algorithms
+├── session/            # Stateless session support
+├── models/             # JWTConfig, UserData, etc.
+├── exceptions/         # Shared exceptions
+├── authenticator.py    # High-level API (token + user resolution)
+```
+
+---
+
+## 🐳 Integrate with USSO (Docker)
+
+Run your own identity provider:
+
+```bash
+docker run -p 8000:8000 ghcr.io/ussoio/usso:latest
+```
+
+Then configure your app to verify tokens issued by this service, using its public JWKS endpoint:
+
+```python
+JWTConfig(
+    jwk_url="http://localhost:8000/.well-known/jwks.json",
+    ...
+)
+```
+
+---
+
+## 🧪 Testing
+
+```bash
+pytest
+tox
+```
+
+---
+
+## 🤝 Contributing
+
+We welcome contributions! 
+
+---
+
+## 📝 License
+
+MIT License © \[mahdikiani]
+

usso-0.28.0.dist-info/RECORD

@@ -0,0 +1,24 @@
+usso/__init__.py,sha256=t3tYcw4qtGFpk7iakXTqEj5RlzIc8D2fs0I3FZcOmGs,571
+usso/exceptions.py,sha256=cBzmMCwpNQKMjCUXO3bCcFwZJQQvbvJ5RxTH987ZlCI,1012
+usso/auth/__init__.py,sha256=Dthv-iZTgsHTGcJrkJsnAtDCbRR5dNCx0Ut7MufoAXY,270
+usso/auth/api_key.py,sha256=ec3q_mJtPiNb-eZt5MA4bantX1zRo3WwU2JfYBcGCGk,1254
+usso/auth/client.py,sha256=SqZuq2ff4pbfP1bwQ0Mm9W1CEqYZEgFX7lIoAMJDMC4,2525
+usso/auth/config.py,sha256=6tdnIg8iCrksuJGzpliw6QhRc8XsDUMR-dX0XY6QLHU,3833
+usso/integrations/django/__init__.py,sha256=dKpbffHS5ouGtW6ooI2ivzjPmH_1rOBny85htR-KqrY,97
+usso/integrations/django/middleware.py,sha256=8b-VYQ3FRhLnXSl4ZfHBpiA6VLY4b7b0-YoE_X41SFM,3443
+usso/integrations/fastapi/__init__.py,sha256=ZysSeNr35ioMkviQqvfrXLYgt1ox3Wyckzee4Fv0nCk,77
+usso/integrations/fastapi/dependency.py,sha256=HX2x6v9mI1r6O7SVAtSLtoTsx2uXXxxaFNwB6lSCh1Q,2954
+usso/models/user.py,sha256=jG8jlt6F2pHHgqnsRRP6kCuRNK-aO9FE5Mt7iiuPPnU,3293
+usso/session/__init__.py,sha256=tE4qWUdSI7iN_pywm47Mg8NKOTBa2nCNwCy3wCZWRmU,124
+usso/session/async_session.py,sha256=7OKvFnJQaHnLjeQKSW6bltl0KcQGzOvUje-bJKbxFZY,3692
+usso/session/base_session.py,sha256=Jggp_1JJEKwAJYxNTk4KhP15BSjq6diuSSBzf79gToI,2551
+usso/session/session.py,sha256=B29Srxoq7webDvmfmfTeeh5JjtLSHvJijM2WCEZOh-8,1506
+usso/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+usso/utils/method_utils.py,sha256=1NMN4le04PWXDSJZK-nf7q2IFqOMkwYcCnslFXAzlH8,355
+usso/utils/string_utils.py,sha256=7tziAa2Cwa7xhwM_NF4DSY3BHoqVaWgJ21VuV8LvhrY,253
+usso-0.28.0.dist-info/licenses/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
+usso-0.28.0.dist-info/METADATA,sha256=eeqNJI0DT_JJCmXWFmMw3BMoNOKq94H_WEbPYfYvL5I,4845
+usso-0.28.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+usso-0.28.0.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
+usso-0.28.0.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
+usso-0.28.0.dist-info/RECORD,,

{usso-0.27.21.dist-info → usso-0.28.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.8.0)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

usso/b64tools.py

@@ -1,20 +0,0 @@
-import base64
-import uuid
-
-
-def b64_encode_uuid(uuid_str: uuid.UUID | str):
-    uuid_UUID = uuid_str if isinstance(uuid_str, uuid.UUID) else uuid.UUID(uuid_str)
-    uuid_bytes = uuid_UUID.bytes
-    encoded_uuid = base64.urlsafe_b64encode(uuid_bytes).decode()
-    return encoded_uuid
-
-
-def b64_encode_uuid_strip(uuid_str):
-    return b64_encode_uuid(uuid_str).rstrip("=")
-
-
-def b64_decode_uuid(encoded_uuid):
-    encoded_uuid += "=" * (4 - len(encoded_uuid) % 4)  # Add padding if needed
-    decoded_uuid = base64.urlsafe_b64decode(encoded_uuid)
-    uuid_obj = uuid.UUID(bytes=decoded_uuid)
-    return uuid_obj

usso/client/__init__.py

@@ -1,4 +0,0 @@
-from .api import UssoAPI
-from .async_api import AsyncUssoAPI
-
-__all__ = ["UssoAPI", "AsyncUssoAPI"]