{"id":25874644,"url":"https://github.com/lyft/python-kmsauth","last_synced_at":"2025-03-02T09:28:36.243Z","repository":{"id":62574446,"uuid":"61582775","full_name":"lyft/python-kmsauth","owner":"lyft","description":"A python library for reusing KMS for your own authentication and authorization","archived":false,"fork":false,"pushed_at":"2023-10-23T21:19:03.000Z","size":60,"stargazers_count":37,"open_issues_count":1,"forks_count":9,"subscribers_count":291,"default_branch":"master","last_synced_at":"2024-04-25T23:21:20.958Z","etag":null,"topics":["lyft"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lyft.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-06-20T21:51:30.000Z","updated_at":"2024-06-19T01:25:17.286Z","dependencies_parsed_at":"2024-06-19T01:25:16.209Z","dependency_job_id":"3a4047f4-4333-4b42-830c-ba7aa54133a9","html_url":"https://github.com/lyft/python-kmsauth","commit_stats":{"total_commits":30,"total_committers":5,"mean_commits":6.0,"dds":0.5,"last_synced_commit":"d7b88f08db4e65193543638040c07a731027173f"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lyft%2Fpython-kmsauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lyft%2Fpython-kmsauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lyft%2Fpython-kmsauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lyft%2Fpython-kmsauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lyft","download_url":"https://codeload.github.com/lyft/python-kmsauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241485220,"owners_count":19970441,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lyft"],"created_at":"2025-03-02T09:28:35.834Z","updated_at":"2025-03-02T09:28:36.226Z","avatar_url":"https://github.com/lyft.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# python-kmsauth\n\nA python library for KMS authentication and authorization\n\n## Usage\n\nkmsauth can generate authentication tokens and validate authentication tokens.\nkmsauth currently supports tokens in v1 or v2 format. By default, when generating\ntokens, it will generate tokens in v2 format. The difference between the\nformats is the encryption context and the username format.\n\nDecrypting tokens requires the username and the token, so when passing this to\na service, you should pass both along.\n\n### Token formats\n\nv1:\n* username: 'my-service-name'\n* encryption context: {\"to\":\"their-service-name\",\"from\":\"my-service-name\"}\n\nv2:\n* username: '2/service/my-service-name'\n* encryption context: {\"to\":\"their-service-name\",\"from\":\"my-service-name\",\"user\\_type\":\"service\"}\n\n### Generating tokens\n\n```python\nimport kmsauth\n# user to service authentication\ngenerator = kmsauth.KMSTokenGenerator(\n    # KMS key to use for authentication\n    'alias/authnz-production',\n    # Encryption context to use\n    {\n        # We're authenticating to this service\n        'to':'confidant-production',\n        # It's from this user\n        'from':'rlane',\n        # This token is for a user\n        'user_type': 'user'\n    },\n    # Find the KMS key in this region\n    'us-east-1'\n)\nusername = generator.get_username()\ntoken = generator.get_token()\n\n# service to service authentication\ngenerator = kmsauth.KMSTokenGenerator(\n    # KMS key to use for authentication\n    'alias/authnz-production',\n    # Encryption context to use\n    {\n        # We're authenticating to this service\n        'to':'confidant-production',\n        # It's from this service\n        'from':'example-production',\n        # This token is for a service\n        'user_type': 'service'\n    },\n    # Find the KMS key in this region\n    'us-east-1'\n)\nusername = generator.get_username()\ntoken = generator.get_token()\n```\n\n### Validating tokens\n\n```python\nimport kmsauth\nvalidator = kmsauth.KMSTokenValidator(\n    # KMS keys to use for service authentication\n    ['alias/authnz-production'],\n    # KMS keys to use for user authentication\n    ['alias/authnz-users-production', '6655d2a8-0606-4727-a1f6-f5b6a6754377'],\n    # The context of this validation (the \"to\" context to validate against)\n    'confidant-production',\n    # Find the KMS keys in this region\n    'us-east-1'\n)\nvalidator.decrypt_token(username, token)\n```\n\nIf you're extending the common KMS auth token context, you can pass extra\ncontext into the validator:\n\n```python\nimport kmsauth\nvalidator = kmsauth.KMSTokenValidator(\n    # KMS keys to use for service authentication\n    ['alias/authnz-production'],\n    # KMS keys to use for user authentication\n    ['alias/authnz-users-production', '6655d2a8-0606-4727-a1f6-f5b6a6754377'],\n    # The context of this validation (the \"to\" context to validate against)\n    'confidant-production',\n    # Find the KMS keys in this region\n    'us-east-1',\n    extra_context={'action': 'create_resource'}\n)\nvalidator.decrypt_token(username, token)\n```\n\nNote: 'to', 'from', and 'user_type' keys are not allowed to be set in\nextra_context.\n\n## Performance Tuning\n\nWith the [boto defaults](https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html), the AWS KMS client used in `KMSTokenValidator` may not be performant under higher loads, due to latency when communicating with AWS KMS. Try tuning these parameters below with the given starting points.\n\n```python\n...\nmax_pool_connections=100,\nconnect_timeout=1,\nread_timeout=1,\n...\n```\n\n## Reporting security vulnerabilities\n\nIf you've found a vulnerability or a potential vulnerability in kmsauth\nplease let us know at security@lyft.com. We'll send a confirmation email to\nacknowledge your report, and we'll send an additional email when we've\nidentified the issue positively or negatively.\n\n## Getting support or asking questions\n\nkmsauth is a component of Confidant, so discussion for it is through the same\nchannels as Confidant. We have a mailing list for discussion, and a low volume\nlist for announcements:\n\n* https://groups.google.com/forum/#!forum/confidant-users\n* https://groups.google.com/forum/#!forum/confidant-announce\n\nWe also have an IRC channel on freenode and a Gitter channel:\n\n* [#confidant](http://webchat.freenode.net/?channels=confidant)\n* [lyft/confidant on Gitter](https://gitter.im/lyft/confidant)\n\nFeel free to drop into either Gitter or the IRC channel for any reason, even\nif just to chat. It doesn't matter which one you join, the messages are sync'd\nbetween the two.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flyft%2Fpython-kmsauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flyft%2Fpython-kmsauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flyft%2Fpython-kmsauth/lists"}