Metadata-Version: 2.4
Name: authx-identity
Version: 0.1.0rc1
Summary: Standalone OIDC identity microservice and client library for DjangoPlay and Python applications.
Author: CodeFleet Labs
License-Expression: MIT
Project-URL: Homepage, https://github.com/codefleetx/authx
Project-URL: Repository, https://github.com/codefleetx/authx
Project-URL: Issues, https://github.com/codefleetx/authx/issues
Keywords: authx,oidc,oauth2,identity,authentication,jwt,fastapi,microservice,djangoplay
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Framework :: FastAPI
Classifier: Environment :: Web Environment
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: fastapi>=0.111.0
Requires-Dist: uvicorn[standard]>=0.29.0
Requires-Dist: sqlalchemy>=2.0.0
Requires-Dist: alembic>=1.13.0
Requires-Dist: asyncpg>=0.29.0
Requires-Dist: psycopg2-binary>=2.9.0
Requires-Dist: passlib[bcrypt]>=1.7.4
Requires-Dist: python-jose[cryptography]>=3.3.0
Requires-Dist: cryptography>=42.0.0
Requires-Dist: python-multipart>=0.0.9
Requires-Dist: pydantic>=2.7.0
Requires-Dist: pydantic-settings>=2.2.0
Requires-Dist: email-validator>=2.0.0
Requires-Dist: httpx>=0.27.0
Requires-Dist: python-dotenv>=1.0.0
Requires-Dist: structlog>=24.1.0
Provides-Extra: dev
Requires-Dist: pytest>=8.0.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.23.0; extra == "dev"
Requires-Dist: pytest-cov>=5.0.0; extra == "dev"
Requires-Dist: aiosqlite>=0.20.0; extra == "dev"
Requires-Dist: ruff>=0.4.0; extra == "dev"
Requires-Dist: build>=1.2.0; extra == "dev"
Requires-Dist: twine>=5.0.0; extra == "dev"
Dynamic: license-file

# AuthX
<p align="left">
  Maintained by 
  <img
    src="static/logo/dp/icon.svg"
    alt="DjangoPlay Icon"
    width="20"
    valign="middle"
  />
  <img
    src="static/logo/dp/name.svg"
    alt="DjangoPlay"
    width="72"
    valign="middle"
  />
</p>
<a href="https://djangoplay.org">https://djangoplay.org</a>

![Python](https://img.shields.io/pypi/pyversions/authx)
![License](https://img.shields.io/badge/license-MIT-green)

Standalone OIDC identity microservice for codefleetx applications.

## What it does

AuthX is a standards-compliant OpenID Connect (OIDC) identity provider built with FastAPI. It:

- Issues signed JWT access tokens and refresh tokens
- Exposes public OIDC endpoints (`/token`, `/userinfo`, `/jwks`, `/.well-known/openid-configuration`)
- Exposes an internal API (`/internal/identities`) for trusted services (e.g. DjangoPlay) to create and look up identities
- Supports email/password and SSO (Google, Apple) identity providers
- Is stateless and horizontally scalable

## Architecture

```
┌──────────────────────────────────────┐
│  Client (browser, mobile, CLI)       │
│  → POST /token (login)               │
│  → GET  /userinfo (who am I?)        │
└────────────────┬─────────────────────┘
                 │ JWT
     ┌───────────▼──────────────────┐
     │         AuthX                │
     │  FastAPI + PostgreSQL        │
     │  Issues & validates JWTs     │
     └───────────┬──────────────────┘
                 │ Internal API (service token)
     ┌───────────▼──────────────────┐
     │       DjangoPlay             │
     │  Trusts AuthX JWTs           │
     │  Owns EmploymentProfile      │
     │  Owns MemberProfile          │
     └──────────────────────────────┘
```

## Endpoints

### Public OIDC
| Method | Path | Description |
|--------|------|-------------|
| GET | `/.well-known/openid-configuration` | OIDC discovery document |
| GET | `/jwks` | Public keys for JWT verification |
| POST | `/token` | Issue access + refresh token |
| POST | `/token/refresh` | Refresh access token |
| GET | `/userinfo` | Get identity info from token |

### Internal (service token required)
| Method | Path | Description |
|--------|------|-------------|
| POST | `/internal/identities` | Create identity |
| GET | `/internal/identities/{id}` | Get identity by ID |
| GET | `/internal/identities/by-email/{email}` | Lookup by email |
| GET | `/internal/identities/by-sso` | Lookup by SSO provider + ID |
| PATCH | `/internal/identities/{id}` | Update identity fields |
| DELETE | `/internal/identities/{id}` | Soft delete identity |

## Running locally

```bash
cp .env.example .env
# fill in values

docker compose up
```

Migrations run automatically on startup.

## Running in production

```bash
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

## Environment variables

See `.env.example` for all required variables.

## JWT verification (for consumers)

Consumers (DjangoPlay, etc.) should:
1. Fetch public keys from `/jwks` on startup (cache them)
2. Verify JWT signatures locally — no AuthX call needed per request
3. Only call `/userinfo` for server-to-server lookups without a JWT in hand
