{"id":51510296,"url":"https://github.com/man4ish/omnibioai-iam-client","last_synced_at":"2026-07-08T05:01:58.441Z","repository":{"id":364491929,"uuid":"1238075046","full_name":"man4ish/omnibioai-iam-client","owner":"man4ish","description":"Async IAM client SDK for the OmniBioAI distributed HPC ecosystem — Redis-cached JWT validation with zero-latency token verification on hot paths, async-native design for high-throughput service meshes, and automatic token refresh. Used by all services that need to verify identity without calling the auth service on every request.","archived":false,"fork":false,"pushed_at":"2026-06-13T07:13:37.000Z","size":36,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T09:12:44.341Z","etag":null,"topics":["authentication","bioinformatics","hpc","jwt","microservices","omnibioai","python","redis"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/man4ish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-13T19:39:54.000Z","updated_at":"2026-06-13T07:13:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/man4ish/omnibioai-iam-client","commit_stats":null,"previous_names":["man4ish/omnibioai-iam-client"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/man4ish/omnibioai-iam-client","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-iam-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-iam-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-iam-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-iam-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/man4ish","download_url":"https://codeload.github.com/man4ish/omnibioai-iam-client/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-iam-client/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35252324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","bioinformatics","hpc","jwt","microservices","omnibioai","python","redis"],"created_at":"2026-07-08T05:01:57.748Z","updated_at":"2026-07-08T05:01:58.417Z","avatar_url":"https://github.com/man4ish.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔐 OmniBioAI IAM Client\n\nA **high-performance, async Identity \u0026 Access Management (IAM) client SDK** for the OmniBioAI ecosystem.\n\nIt provides **zero-latency authentication**, combining:\n\n* Local JWT validation\n* Redis caching layer\n* Async fallback to central auth service\n\n---\n\n# 🚀 Overview\n\nThis SDK is designed to securely authenticate and authorize users across distributed OmniBioAI services:\n\n* TES (HPC workflow engine)\n* Workbench (Django platform)\n* Control Center (system observability)\n* Studio (Electron desktop client)\n* SDK integrations\n\nIt ensures **sub-millisecond identity checks for HPC-scale workloads**.\n\n---\n\n## Deployment Context\n\nThe IAM client is used as a **library**, not a standalone service.\nIt is embedded in services that need to validate JWT tokens:\n\n- `omnibioai-api-gateway` — validates every incoming request\n- `omnibioai-security-sdk` — wraps IAM client in middleware stack\n- `omnibioai-control-center` — validates internal service tokens\n\nInstall as a local package:\n\n```bash\npip install -e ~/Desktop/machine/omnibioai-iam-client\n```\n\n---\n\n# ⚡ Key Features\n\n## 🧠 Zero-latency authentication\n\n* Cache-first identity resolution\n* Local JWT decoding (no network required)\n\n## ⚡ Async + scalable\n\n* Built on `httpx.AsyncClient`\n* Non-blocking authentication flow\n\n## 🧩 Redis caching layer\n\n* Token → user context caching\n* Automatic TTL-based expiration\n* Cache eviction on invalid tokens\n\n## 🔐 Secure fallback model\n\n* Central auth service validation when cache misses\n* Revocation-aware token handling\n\n---\n\n# 🏗 Architecture\n\n```text\nClient Request\n      │\n      ▼\nRedis Cache (FAST PATH ⚡)\n      │ hit\n      ▼\nUser Context returned (0.5 ms)\n\n      │ miss\n      ▼\nLocal JWT decode (NO NETWORK)\n      │ success\n      ▼\nCache store\n\n      │ fallback\n      ▼\nAuth Service validation\n      │\n      ▼\nCache update / eviction\n```\n\n---\n\n## Testing\n\n```bash\ncd ~/Desktop/machine/omnibioai-iam-client\npytest tests/ -v --cov=.\n\n# 100% coverage\n# Covers: IAM client validate, cache hit/miss,\n#         token eviction, permission checks, models\n```\n\n---\n\n# 📦 Installation\n\n```bash\npip install httpx redis python-jose pydantic\n```\n\nOr install locally:\n\n```bash\npip install -e .\n```\n\n---\n\n# ⚙️ Usage\n\n## Initialize IAM Client\n\n```python\nfrom iam_client import AsyncIAMClient\n\niam = AsyncIAMClient(\n    base_url=\"http://auth-service:8001\",\n    redis_url=\"redis://localhost:6379\"\n)\n```\n\n---\n\n## Authenticate user (HPC-safe)\n\n```python\nuser = await iam.get_user(\n    token=ACCESS_TOKEN,\n    secret=\"JWT_SECRET\"\n)\n\nif not user:\n    raise Exception(\"Unauthorized\")\n```\n\n---\n\n## Access user context\n\n```python\nprint(user.user_id)\nprint(user.email)\nprint(user.roles)\n```\n\n---\n\n# ⚡ Performance Model\n\n| Layer                 | Latency   |\n| --------------------- | --------- |\n| Redis cache           | ~0.3–1 ms |\n| Local JWT decode      | ~0.2 ms   |\n| Auth service fallback | ~20–80 ms |\n\n👉 99% requests never hit network\n\n---\n\n# 🔐 Security Model\n\n## Token validation layers\n\n1. Cache validation (fast path)\n2. Local JWT validation (offline)\n3. Central auth validation (fallback)\n\n## Cache invalidation\n\n* Invalid tokens are immediately removed from Redis\n* Revoked tokens are not cached again\n\n---\n\n# 🧠 Design Principles\n\n* Zero-trust authentication\n* Fail-safe by default\n* HPC-first performance design\n* Stateless compute nodes\n* Centralized identity authority\n\n---\n\n# 🧬 Integration Targets\n\nThis SDK is used across:\n\n* omnibioai-tes\n* omnibioai\n* omnibioai-control-center\n* omnibioai-workbench\n\n---\n\n## Known Limitations\n\n- No automatic key rotation (JWT secret-based, rotation planned for v0.5)\n- No offline policy enforcement (OPA not integrated)\n\n\u003e **Note:** Redis pub/sub cache invalidation IS implemented —\n\u003e the api-gateway subscribes to `policy:invalidate` and evicts\n\u003e stale tokens on logout. This is handled at the gateway level,\n\u003e not the IAM client level.\n\n---\n\n## Roadmap\n\n| Feature | Status |\n|---------|--------|\n| Redis cache-first validation | ✓ Stable |\n| Async httpx client | ✓ Stable |\n| Local JWT decode (offline) | ✓ Stable |\n| Cache eviction on invalid tokens | ✓ Stable |\n| Redis pub/sub invalidation (gateway level) | ✓ Stable |\n| 100% test coverage | ✓ Stable |\n| RS256 public/private key JWT | Planned v0.5 |\n| Multi-tenant lab isolation | Planned v0.5 |\n| OPA policy integration | Planned |\n\n---\n\n## Related Services\n\n| Service | Role |\n|---------|------|\n| `omnibioai-auth` | Validates tokens on cache miss (POST /auth/validate) |\n| `omnibioai-api-gateway` | Primary consumer — uses IAM client for every request |\n| `omnibioai-security-sdk` | Wraps IAM client in reusable middleware |\n| `omnibioai-studio` | Provides REDIS_URL and IAM_URL via docker-compose env |\n\n## License\n\nApache 2.0\n\n---\n\n*Part of the [OmniBioAI](https://github.com/man4ish/omnibioai-studio) platform.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-iam-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fman4ish%2Fomnibioai-iam-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-iam-client/lists"}