{"id":36685165,"url":"https://github.com/coreason-ai/coreason-identity","last_synced_at":"2026-02-10T04:01:26.296Z","repository":{"id":332070048,"uuid":"1126282816","full_name":"CoReason-AI/coreason-identity","owner":"CoReason-AI","description":"Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.","archived":false,"fork":false,"pushed_at":"2026-02-06T19:32:04.000Z","size":442,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-07T06:11:41.371Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CoReason-AI.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-01T15:12:45.000Z","updated_at":"2026-02-06T19:31:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/CoReason-AI/coreason-identity","commit_stats":null,"previous_names":["coreason-ai/coreason-identity"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/CoReason-AI/coreason-identity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoReason-AI%2Fcoreason-identity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoReason-AI%2Fcoreason-identity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoReason-AI%2Fcor
eason-identity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoReason-AI%2Fcoreason-identity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CoReason-AI","download_url":"https://codeload.github.com/CoReason-AI/coreason-identity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CoReason-AI%2Fcoreason-identity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29290460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T03:42:42.660Z","status":"ssl_error","status_checked_at":"2026-02-10T03:42:41.897Z","response_time":65,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-12T11:13:00.814Z","updated_at":"2026-02-10T04:01:26.290Z","avatar_url":"https://github.com/CoReason-AI.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# coreason-identity\n\nDecoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.\n\n[![Organization](https://img.shields.io/badge/org-CoReason--AI-blue)](https://github.com/CoReason-AI)\n[![License](https://img.shields.io/badge/license-Prosperity%203.0-blue)](https://img.shields.io/badge/license-Prosperity%203.0-blue)\n[![Build 
Status](https://github.com/CoReason-AI/coreason_identity/actions/workflows/build.yml/badge.svg)](https://github.com/CoReason-AI/coreason_identity/actions)\n[![Code Style: Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)\n[![Documentation](https://img.shields.io/badge/docs-Product%20Requirements-green)](docs/product_requirements.md)\n\n## Overview\n\n`coreason-identity` (\"The Bouncer\") handles all Authentication (AuthN) and Role-Based Access Control (AuthZ) for the CoReason platform. It enforces a strict \"Bouncer\" philosophy: it checks IDs and checks lists but does not issue IDs.\n\nThe package standardizes:\n*   **Protocol:** OIDC (OpenID Connect).\n*   **Identity Provider:** Auth0 or Keycloak.\n*   **Library:** Authlib.\n\n## Features\n\nBased on the [Product Requirements](docs/product_requirements.md):\n\n*   **OIDCProvider:** Fetches and caches JWKS from the OIDC Discovery URL (LRU Cache).\n*   **TokenValidator:** Validates JWT signatures, standard claims (`exp`, `iss`, `aud`), and enforces strict audience checks to prevent \"Confused Deputy\" attacks.\n*   **IdentityMapper:** Maps IdP claims to a standardized `UserContext` model, handling project context extraction and group-to-permission mapping.\n*   **DeviceFlowClient:** Implements RFC 8628 OAuth 2.0 Device Authorization Grant for headless CLI authentication.\n*   **Observability:** Emits OpenTelemetry spans and secure logs (PII hashed).\n*   **Security:** DNS-based SSRF protection, strict DoS limits, PII sanitization, and Replay Protection (JTI Cache). See [Security Hardening (SOTA)](docs/design/018_security_hardening.md).\n\n## Installation\n\n```bash\npip install coreason-identity\n```\n\n## Usage\n\n### 1. 
Token Verification (Server-Side)\n\nUse `CoreasonVerifierConfig` for services that only need to validate tokens (no client credentials required).\n\n```python\nfrom coreason_identity import IdentityManager, CoreasonVerifierConfig, InvalidTokenError\nfrom pydantic import SecretStr\n\n# Initialize (The Bouncer)\nconfig = CoreasonVerifierConfig(\n    domain=\"auth.coreason.com\",\n    audience=\"api://coreason\",\n    pii_salt=SecretStr(\"super-secret-salt-123\"),  # Mandatory: for PII hashing\n    http_timeout=5.0,  # Mandatory: fail fast if IdP is slow\n    allowed_algorithms=[\"RS256\"],  # Mandatory: algorithm allowlist\n    clock_skew_leeway=0            # Optional: defaults to 0 (strict security)\n)\nidentity = IdentityManager(config)\n\n# Validate (The Check)\ntry:\n    # Validate a raw Bearer token\n    user_context = identity.validate_token(auth_header=\"Bearer eyJ...\")\n\n    # Access canonical Identity Passport fields\n    print(f\"User {user_context.user_id} ({user_context.email}) is active.\")\n\n    # Check groups for Row-Level Security\n    if \"admin\" in user_context.groups:\n        print(\"Admin access granted.\")\n\nexcept InvalidTokenError:\n    # Handle invalid tokens (expired, bad signature, wrong audience, etc.)\n    print(\"Access denied.\")\n```\n\n### 2. 
Device Flow Login (CLI / Client-Side)\n\nUse `CoreasonClientConfig` when the application acts as an OIDC Client (needs `client_id`).\n\n```python\nfrom coreason_identity import IdentityManager, CoreasonClientConfig\nfrom pydantic import SecretStr  # Needed for pii_salt below\n\n# Initialize (The Borrower)\nconfig = CoreasonClientConfig(\n    domain=\"auth.coreason.com\",\n    audience=\"api://coreason\",\n    client_id=\"my-cli-client-id\",  # Mandatory for client operations\n    pii_salt=SecretStr(\"super-secret-salt-123\"),\n    http_timeout=10.0,\n    allowed_algorithms=[\"RS256\"]\n)\nidentity = IdentityManager(config)\n\n# CLI Login (The Device Flow)\n# Initiate the flow\nflow = identity.start_device_login(scope=\"openid profile email\")\nprint(f\"Go to {flow.verification_uri} and enter {flow.user_code}\")\n\n# Poll for tokens\ntry:\n    tokens = identity.await_device_token(flow)\n    print(\"Login successful!\")\n    print(f\"Access Token: {tokens.access_token}\")\nexcept Exception as e:\n    print(f\"Login failed: {e}\")\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreason-ai%2Fcoreason-identity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcoreason-ai%2Fcoreason-identity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcoreason-ai%2Fcoreason-identity/lists"}