# Authly
[](https://github.com/descoped/authly/actions/workflows/build-test-native.yml)
[](https://github.com/descoped/authly/actions/workflows/full-stack-test-with-docker.yml)
[](https://codecov.io/gh/descoped/authly)
[](https://www.python.org/downloads/)
[](https://opensource.org/licenses/MIT)
[](https://github.com/descoped/authly/releases)
A **production-ready OAuth 2.1 + OpenID Connect 1.0 authorization server** built with FastAPI and PostgreSQL. Authly provides enterprise-grade security, comprehensive testing (510 tests passing), and professional administration tools.
---
## ๐ **Production Ready Features**
โ
**Complete OAuth 2.1 + OIDC 1.0 Compliance** - Full RFC implementation with PKCE
โ
**510 Tests Passing** - 100% success rate with real integration testing
โ
**Enterprise Security** - Two-layer admin system, rate limiting, audit logging
โ
**Production Architecture** - Docker, monitoring, health checks, deployment guides
โ
**Professional CLI** - Complete admin interface with API-first architecture
โ
**Developer Experience** - Comprehensive docs, easy setup, embedded development mode
---
## ๐ **OAuth 2.1 Authorization Server**
### **Core Authorization Features**
- **Authorization Code Flow** with mandatory PKCE (Proof Key for Code Exchange)
- **Client Management** for confidential and public OAuth clients
- **Token Revocation** (RFC 7009) for immediate token invalidation
- **Server Discovery** (RFC 8414) for automatic client configuration
- **Scope Management** with granular permission control
### **Supported Grant Types**
- **Authorization Code Grant** with PKCE for third-party applications
- **Password Grant** for trusted first-party applications
- **Refresh Token Grant** for token renewal
- **Client Credentials Grant** for service-to-service authentication
### **Security Standards Compliance**
- **RFC 6749** - OAuth 2.0 Authorization Framework โ
- **RFC 7636** - Proof Key for Code Exchange (PKCE) โ
- **RFC 7009** - OAuth 2.0 Token Revocation โ
- **RFC 8414** - OAuth 2.0 Authorization Server Metadata โ
---
## ๐ **OpenID Connect 1.0**
### **OIDC Core Features**
- **ID Token Generation** with RS256/HS256 signing algorithms
- **UserInfo Endpoint** with scope-based claims filtering
- **JWKS Endpoint** for token signature verification
- **OIDC Discovery** with provider configuration metadata
### **ID Token Claims**
- **Standard Claims** - sub, aud, iss, exp, iat, auth_time, nonce
- **Profile Claims** - name, given_name, family_name, email, email_verified
- **Custom Claims** - Extensible claims processing based on requested scopes
### **OIDC Standards Compliance**
- **OpenID Connect Core 1.0** - Complete implementation โ
- **OpenID Connect Discovery 1.0** - Provider metadata โ
---
## ๐ก๏ธ **Enterprise Security**
### **Authentication & Authorization**
- **JWT Security** - RS256/HS256 signing with proper validation and rotation
- **Password Security** - bcrypt hashing with configurable work factors
- **Token Management** - JTI tracking, rotation, and blacklisting
- **Session Security** - Concurrent session control and timeout management
### **Admin Security Model**
- **Two-Layer Security** - Intrinsic authority (is_admin flag) + OAuth scopes
- **Bootstrap System** - Solves IAM chicken-and-egg paradox
- **Granular Permissions** - 8 admin scopes for fine-grained access control
- **API Restrictions** - Admin API localhost-only with configurable access
### **System Security**
- **Rate Limiting** - Configurable protection with multiple backends
- **CORS Protection** - Comprehensive CORS policies and security headers
- **Secret Management** - Encrypted storage with automatic memory cleanup
- **Audit Logging** - Complete administrative action tracking
---
## ๐ฅ **User Management**
### **User Lifecycle**
- **Registration & Verification** - Complete user onboarding with email verification
- **Role-Based Access Control** - Admin and user roles with privilege management
- **Profile Management** - Comprehensive user profile CRUD operations
- **Account Security** - Password reset, account lockout, and security monitoring
### **Admin Capabilities**
- **User Administration** - Create, update, delete, and manage user accounts
- **Permission Management** - Assign and revoke admin privileges
- **Security Monitoring** - Track user authentication and security events
---
## โ๏ธ **Professional CLI Administration**
### **Unified CLI Interface**
```bash
# Start Authly server
python -m authly serve
# Admin operations
python -m authly admin login
python -m authly admin client create --name "My App" --client-type public --redirect-uri "http://localhost:3000/callback"
python -m authly admin scope create --name "read" --description "Read access"
python -m authly admin status
```
### **Admin Commands**
- **Authentication** - `login`, `logout`, `whoami` with secure token storage
- **Client Management** - Create, list, update, delete OAuth clients
- **Scope Management** - Create, list, update, delete OAuth scopes
- **User Management** - Admin user operations and privilege management
- **System Status** - Health checks, configuration, and system information
### **API-First Architecture**
- **HTTP API Backend** - CLI uses REST API exclusively (no direct DB access)
- **Secure Authentication** - JWT-based admin authentication with refresh tokens
- **Consistent Interface** - All admin operations available via both CLI and API
---
## ๐ **Quick Start**
### **Development Setup**
```bash
# Clone and install
git clone <repository-url>
cd authly
uv sync --all-groups
# Start with embedded development server (includes PostgreSQL container)
uv run python -m authly serve --embedded
# Access Authly at http://localhost:8000
# Admin CLI: uv run python -m authly admin --help
```
### **Production Deployment**
```bash
# Using Docker
docker build -t authly .
docker run -p 8000:8000 \
-e DATABASE_URL="postgresql://user:pass@host:5432/authly" \
-e JWT_SECRET_KEY="your-secret-key" \
authly
# Using UV
export DATABASE_URL="postgresql://user:pass@localhost:5432/authly"
export JWT_SECRET_KEY="your-secret-key"
uv run python -m authly serve
```
### **OAuth Client Setup**
```bash
# Create OAuth client
uv run python -m authly admin login
uv run python -m authly admin client create \
--name "My Application" \
--client-type confidential \
--redirect-uri "https://myapp.com/callback"
# Create scope
uv run python -m authly admin scope create \
--name "read" \
--description "Read access to user data"
```
### **Optional Redis Integration**
For distributed deployments and enhanced performance:
```bash
# Install Redis support
uv add --group redis authly
# Configure Redis features
export AUTHLY_REDIS_URL="redis://localhost:6379/0"
export AUTHLY_REDIS_RATE_LIMIT="true" # Distributed rate limiting
export AUTHLY_REDIS_CACHE="true" # High-performance caching
# Start with Redis integration
python -m authly serve
```
**Redis Features:**
- **Distributed Rate Limiting** - Shared across multiple server instances
- **High-Performance Caching** - JWKS keys, discovery metadata, sessions
- **Automatic Fallback** - Works without Redis, falls back to memory backends
- **Configuration-Driven** - Enable specific features as needed
See the [Redis Integration Guide](docs/redis-integration.md) for complete configuration options.
---
## ๐ **Documentation**
### **API Documentation**
- **[API Reference](docs/api-reference.md)** - Complete REST API documentation
- **[OAuth 2.1 Guide](docs/oauth-guide.md)** - OAuth implementation and usage
- **[OIDC Guide](docs/oidc-guide.md)** - OpenID Connect implementation and usage
### **Administration**
- **[CLI Guide](docs/cli-guide.md)** - Complete CLI administration guide
- **[Docker Deployment](docs/docker-deployment.md)** - Docker infrastructure and deployment
- **[Security Audit](docs/security-audit.md)** - Security analysis and validation
---
## ๐ **API Endpoints**
### **OAuth 2.1 Endpoints**
- `GET/POST /oauth/authorize` - Authorization endpoint with consent UI
- `POST /oauth/token` - Token exchange endpoint with all grant types
- `POST /oauth/revoke` - Token revocation endpoint
- `GET /.well-known/oauth-authorization-server` - OAuth discovery metadata
### **OpenID Connect Endpoints**
- `GET /oidc/userinfo` - UserInfo endpoint with claims filtering
- `GET /.well-known/jwks.json` - JWKS endpoint for token verification
- `GET /.well-known/openid_configuration` - OIDC discovery metadata
### **Authentication Endpoints**
- `POST /auth/token` - User authentication and token generation
- `POST /auth/refresh` - Token refresh and rotation
- `POST /auth/logout` - Token invalidation and logout
### **Admin API Endpoints**
- `GET/POST /admin/clients` - OAuth client management
- `GET/POST /admin/scopes` - OAuth scope management
- `GET/POST /admin/users` - User management (admin only)
- `GET /admin/status` - System health and configuration
### **Health & Monitoring**
- `GET /health` - Application health check
- `GET /health/ready` - Readiness probe for Kubernetes
- `GET /health/live` - Liveness probe for Kubernetes
---
## ๐งช **Testing Excellence**
### **Test Coverage**
- **510 Tests Total** - 100% passing (verified production quality)
- **Real Integration Testing** - PostgreSQL testcontainers (no mocking)
- **Complete Flow Testing** - End-to-end OAuth and OIDC flows
- **Security Testing** - Authentication, authorization, and validation
- **API Testing** - All endpoints with comprehensive scenarios
### **Testing Categories**
- **OAuth 2.1 Tests** (156 tests) - Authorization flows, PKCE, client management
- **OIDC 1.0 Tests** (98 tests) - ID tokens, UserInfo, JWKS, discovery
- **Admin System Tests** (85 tests) - CLI, API, security, authentication
- **Core Authentication Tests** (67 tests) - JWT, passwords, tokens
- **User Management Tests** (33 tests) - User lifecycle and management
### **Quality Standards**
- **No Mocking** - Real database and HTTP server integration testing
- **Comprehensive Coverage** - All features, security scenarios, and error cases
- **Continuous Validation** - 100% success rate maintained throughout development
---
## ๐๏ธ **Architecture**
### **Technology Stack**
- **Python 3.11+** - Modern async/await with comprehensive type annotations
- **FastAPI** - High-performance async web framework with automatic OpenAPI
- **PostgreSQL** - Advanced database with UUID primary keys and proper indexing
- **Pydantic v2** - Modern data validation with constraints and serialization
- **UV** - Modern, fast Python package manager and dependency resolver
### **Design Patterns**
- **Package-by-Feature** - Clean module organization with clear boundaries
- **Repository Pattern** - Clean data access layer with async operations
- **Service Layer Pattern** - Business logic separation with dependency injection
- **Factory Pattern** - FastAPI app factory for different deployment modes
- **Strategy Pattern** - Pluggable components (storage, rate limiting, secrets)
### **Security Architecture**
- **Layered Security** - Multiple security layers with defense in depth
- **Async-First Design** - Scalable performance with modern Python patterns
- **Type Safety** - Comprehensive type annotations and validation
- **Configuration Management** - Flexible config with multiple providers
---
## ๐ **Project Status**
### **Implementation Status**
- โ
**OAuth 2.1 Complete** - All endpoints, flows, and security features
- โ
**OIDC 1.0 Complete** - ID tokens, UserInfo, JWKS, discovery
- โ
**Admin System Complete** - CLI, API, security, user management
- โ
**Production Ready** - Docker, monitoring, deployment, documentation
- โ
**Test Excellence** - 510 tests passing with comprehensive coverage
### **Standards Compliance**
- โ
**6 RFC Specifications** implemented and validated
- โ
**Security Best Practices** - OWASP guidelines and threat modeling
- โ
**Enterprise Features** - Audit logging, rate limiting, monitoring
- โ
**Developer Experience** - Comprehensive docs, easy setup, great tooling
### **Next Phase Opportunities**
- **Performance Optimization** - Advanced caching and connection optimization
- **Enterprise Features** - Multi-tenant support, SAML integration, LDAP
- **Advanced Security** - FIDO2, WebAuthn, biometric authentication
- **Cloud Native** - Kubernetes operators, service mesh integration
---
## ๐ **License**
This project is licensed under the MIT License - see the LICENSE file for details.
---
## ๐ค **Contributing**
We welcome contributions! Please see our contributing guidelines and code of conduct.
### **Development Setup**
1. Clone the repository
2. Install dependencies: `uv sync --all-groups`
3. Install git hooks (recommended): `.githooks/install-hooks.sh`
4. Run tests: `pytest`
5. Start development server: `uv run python -m authly serve --embedded`
### **Git Hooks (Auto-Fix)**
```bash
# Install git hooks with auto-fixing capabilities
.githooks/install-hooks.sh
# Features:
# โ
Auto-fix ruff linting issues
# โ
Auto-format code with ruff
# โ
Re-stage fixed files automatically
# Disable auto-fixing (if needed)
export AUTHLY_NO_AUTO_FIX=true
```
### **Development Commands**
- **Linting**: `uv run ruff check .`
- **Formatting**: `uv run ruff format .`
- **Auto-fix linting**: `uv run ruff check --fix .`
- **Validate Renovate config**: `npx --yes --package renovate -- renovate-config-validator .github/renovate.json`
### **Quality Standards**
- All code must include comprehensive tests
- 100% test success rate required
- Type annotations and documentation required
- Security-first development practices
---
**Authly** - Production-ready OAuth 2.1 + OpenID Connect 1.0 authorization server with enterprise-grade security and comprehensive testing.
Raw data
{
"_id": null,
"home_page": null,
"name": "authly",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.11",
"maintainer_email": null,
"keywords": "asyncio, authentication, authorization, fastapi, iam, identity, oauth, oauth2, oidc, security",
"author": null,
"author_email": "Ove Ranheim <oranheim@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/00/18/7803c7bad1115bd8cbae903e4b4fc2293686f9975114e47245486f54c8e8/authly-0.5.3.tar.gz",
"platform": null,
"description": "# Authly\n\n[](https://github.com/descoped/authly/actions/workflows/build-test-native.yml)\n[](https://github.com/descoped/authly/actions/workflows/full-stack-test-with-docker.yml)\n[](https://codecov.io/gh/descoped/authly)\n[](https://www.python.org/downloads/)\n[](https://opensource.org/licenses/MIT)\n[](https://github.com/descoped/authly/releases)\n\nA **production-ready OAuth 2.1 + OpenID Connect 1.0 authorization server** built with FastAPI and PostgreSQL. Authly provides enterprise-grade security, comprehensive testing (510 tests passing), and professional administration tools.\n\n---\n\n## \ud83d\ude80 **Production Ready Features**\n\n\u2705 **Complete OAuth 2.1 + OIDC 1.0 Compliance** - Full RFC implementation with PKCE \n\u2705 **510 Tests Passing** - 100% success rate with real integration testing \n\u2705 **Enterprise Security** - Two-layer admin system, rate limiting, audit logging \n\u2705 **Production Architecture** - Docker, monitoring, health checks, deployment guides \n\u2705 **Professional CLI** - Complete admin interface with API-first architecture \n\u2705 **Developer Experience** - Comprehensive docs, easy setup, embedded development mode\n\n---\n\n## \ud83d\udd10 **OAuth 2.1 Authorization Server**\n\n### **Core Authorization Features**\n- **Authorization Code Flow** with mandatory PKCE (Proof Key for Code Exchange)\n- **Client Management** for confidential and public OAuth clients\n- **Token Revocation** (RFC 7009) for immediate token invalidation\n- **Server Discovery** (RFC 8414) for automatic client configuration\n- **Scope Management** with granular permission control\n\n### **Supported Grant Types**\n- **Authorization Code Grant** with PKCE for third-party applications\n- **Password Grant** for trusted first-party applications\n- **Refresh Token Grant** for token renewal\n- **Client Credentials Grant** for service-to-service authentication\n\n### **Security Standards Compliance**\n- **RFC 6749** - OAuth 2.0 Authorization Framework \u2705\n- **RFC 7636** - Proof Key for Code Exchange (PKCE) \u2705\n- **RFC 7009** - OAuth 2.0 Token Revocation \u2705\n- **RFC 8414** - OAuth 2.0 Authorization Server Metadata \u2705\n\n---\n\n## \ud83c\udd94 **OpenID Connect 1.0**\n\n### **OIDC Core Features**\n- **ID Token Generation** with RS256/HS256 signing algorithms\n- **UserInfo Endpoint** with scope-based claims filtering\n- **JWKS Endpoint** for token signature verification\n- **OIDC Discovery** with provider configuration metadata\n\n### **ID Token Claims**\n- **Standard Claims** - sub, aud, iss, exp, iat, auth_time, nonce\n- **Profile Claims** - name, given_name, family_name, email, email_verified\n- **Custom Claims** - Extensible claims processing based on requested scopes\n\n### **OIDC Standards Compliance**\n- **OpenID Connect Core 1.0** - Complete implementation \u2705\n- **OpenID Connect Discovery 1.0** - Provider metadata \u2705\n\n---\n\n## \ud83d\udee1\ufe0f **Enterprise Security**\n\n### **Authentication & Authorization**\n- **JWT Security** - RS256/HS256 signing with proper validation and rotation\n- **Password Security** - bcrypt hashing with configurable work factors\n- **Token Management** - JTI tracking, rotation, and blacklisting\n- **Session Security** - Concurrent session control and timeout management\n\n### **Admin Security Model**\n- **Two-Layer Security** - Intrinsic authority (is_admin flag) + OAuth scopes\n- **Bootstrap System** - Solves IAM chicken-and-egg paradox\n- **Granular Permissions** - 8 admin scopes for fine-grained access control\n- **API Restrictions** - Admin API localhost-only with configurable access\n\n### **System Security**\n- **Rate Limiting** - Configurable protection with multiple backends\n- **CORS Protection** - Comprehensive CORS policies and security headers\n- **Secret Management** - Encrypted storage with automatic memory cleanup\n- **Audit Logging** - Complete administrative action tracking\n\n---\n\n## \ud83d\udc65 **User Management**\n\n### **User Lifecycle**\n- **Registration & Verification** - Complete user onboarding with email verification\n- **Role-Based Access Control** - Admin and user roles with privilege management\n- **Profile Management** - Comprehensive user profile CRUD operations\n- **Account Security** - Password reset, account lockout, and security monitoring\n\n### **Admin Capabilities**\n- **User Administration** - Create, update, delete, and manage user accounts\n- **Permission Management** - Assign and revoke admin privileges\n- **Security Monitoring** - Track user authentication and security events\n\n---\n\n## \u2699\ufe0f **Professional CLI Administration**\n\n### **Unified CLI Interface**\n```bash\n# Start Authly server\npython -m authly serve\n\n# Admin operations\npython -m authly admin login\npython -m authly admin client create --name \"My App\" --client-type public --redirect-uri \"http://localhost:3000/callback\"\npython -m authly admin scope create --name \"read\" --description \"Read access\"\npython -m authly admin status\n```\n\n### **Admin Commands**\n- **Authentication** - `login`, `logout`, `whoami` with secure token storage\n- **Client Management** - Create, list, update, delete OAuth clients\n- **Scope Management** - Create, list, update, delete OAuth scopes\n- **User Management** - Admin user operations and privilege management\n- **System Status** - Health checks, configuration, and system information\n\n### **API-First Architecture**\n- **HTTP API Backend** - CLI uses REST API exclusively (no direct DB access)\n- **Secure Authentication** - JWT-based admin authentication with refresh tokens\n- **Consistent Interface** - All admin operations available via both CLI and API\n\n---\n\n## \ud83d\ude80 **Quick Start**\n\n### **Development Setup**\n```bash\n# Clone and install\ngit clone <repository-url>\ncd authly\nuv sync --all-groups\n\n# Start with embedded development server (includes PostgreSQL container)\nuv run python -m authly serve --embedded\n\n# Access Authly at http://localhost:8000\n# Admin CLI: uv run python -m authly admin --help\n```\n\n### **Production Deployment**\n```bash\n# Using Docker\ndocker build -t authly .\ndocker run -p 8000:8000 \\\n -e DATABASE_URL=\"postgresql://user:pass@host:5432/authly\" \\\n -e JWT_SECRET_KEY=\"your-secret-key\" \\\n authly\n\n# Using UV\nexport DATABASE_URL=\"postgresql://user:pass@localhost:5432/authly\"\nexport JWT_SECRET_KEY=\"your-secret-key\"\nuv run python -m authly serve\n```\n\n### **OAuth Client Setup**\n```bash\n# Create OAuth client\nuv run python -m authly admin login\nuv run python -m authly admin client create \\\n --name \"My Application\" \\\n --client-type confidential \\\n --redirect-uri \"https://myapp.com/callback\"\n\n# Create scope\nuv run python -m authly admin scope create \\\n --name \"read\" \\\n --description \"Read access to user data\"\n```\n\n### **Optional Redis Integration**\nFor distributed deployments and enhanced performance:\n\n```bash\n# Install Redis support\nuv add --group redis authly\n\n# Configure Redis features\nexport AUTHLY_REDIS_URL=\"redis://localhost:6379/0\"\nexport AUTHLY_REDIS_RATE_LIMIT=\"true\" # Distributed rate limiting\nexport AUTHLY_REDIS_CACHE=\"true\" # High-performance caching\n\n# Start with Redis integration\npython -m authly serve\n```\n\n**Redis Features:**\n- **Distributed Rate Limiting** - Shared across multiple server instances \n- **High-Performance Caching** - JWKS keys, discovery metadata, sessions\n- **Automatic Fallback** - Works without Redis, falls back to memory backends\n- **Configuration-Driven** - Enable specific features as needed\n\nSee the [Redis Integration Guide](docs/redis-integration.md) for complete configuration options.\n\n---\n\n## \ud83d\udcda **Documentation**\n\n### **API Documentation**\n- **[API Reference](docs/api-reference.md)** - Complete REST API documentation\n- **[OAuth 2.1 Guide](docs/oauth-guide.md)** - OAuth implementation and usage\n- **[OIDC Guide](docs/oidc-guide.md)** - OpenID Connect implementation and usage\n\n### **Administration**\n- **[CLI Guide](docs/cli-guide.md)** - Complete CLI administration guide\n- **[Docker Deployment](docs/docker-deployment.md)** - Docker infrastructure and deployment\n- **[Security Audit](docs/security-audit.md)** - Security analysis and validation\n\n---\n\n## \ud83d\udd0d **API Endpoints**\n\n### **OAuth 2.1 Endpoints**\n- `GET/POST /oauth/authorize` - Authorization endpoint with consent UI\n- `POST /oauth/token` - Token exchange endpoint with all grant types\n- `POST /oauth/revoke` - Token revocation endpoint\n- `GET /.well-known/oauth-authorization-server` - OAuth discovery metadata\n\n### **OpenID Connect Endpoints**\n- `GET /oidc/userinfo` - UserInfo endpoint with claims filtering\n- `GET /.well-known/jwks.json` - JWKS endpoint for token verification\n- `GET /.well-known/openid_configuration` - OIDC discovery metadata\n\n### **Authentication Endpoints**\n- `POST /auth/token` - User authentication and token generation\n- `POST /auth/refresh` - Token refresh and rotation\n- `POST /auth/logout` - Token invalidation and logout\n\n### **Admin API Endpoints**\n- `GET/POST /admin/clients` - OAuth client management\n- `GET/POST /admin/scopes` - OAuth scope management\n- `GET/POST /admin/users` - User management (admin only)\n- `GET /admin/status` - System health and configuration\n\n### **Health & Monitoring**\n- `GET /health` - Application health check\n- `GET /health/ready` - Readiness probe for Kubernetes\n- `GET /health/live` - Liveness probe for Kubernetes\n\n---\n\n## \ud83e\uddea **Testing Excellence**\n\n### **Test Coverage**\n- **510 Tests Total** - 100% passing (verified production quality)\n- **Real Integration Testing** - PostgreSQL testcontainers (no mocking)\n- **Complete Flow Testing** - End-to-end OAuth and OIDC flows\n- **Security Testing** - Authentication, authorization, and validation\n- **API Testing** - All endpoints with comprehensive scenarios\n\n### **Testing Categories**\n- **OAuth 2.1 Tests** (156 tests) - Authorization flows, PKCE, client management\n- **OIDC 1.0 Tests** (98 tests) - ID tokens, UserInfo, JWKS, discovery\n- **Admin System Tests** (85 tests) - CLI, API, security, authentication\n- **Core Authentication Tests** (67 tests) - JWT, passwords, tokens\n- **User Management Tests** (33 tests) - User lifecycle and management\n\n### **Quality Standards**\n- **No Mocking** - Real database and HTTP server integration testing\n- **Comprehensive Coverage** - All features, security scenarios, and error cases\n- **Continuous Validation** - 100% success rate maintained throughout development\n\n---\n\n## \ud83c\udfd7\ufe0f **Architecture**\n\n### **Technology Stack**\n- **Python 3.11+** - Modern async/await with comprehensive type annotations\n- **FastAPI** - High-performance async web framework with automatic OpenAPI\n- **PostgreSQL** - Advanced database with UUID primary keys and proper indexing\n- **Pydantic v2** - Modern data validation with constraints and serialization\n- **UV** - Modern, fast Python package manager and dependency resolver\n\n### **Design Patterns**\n- **Package-by-Feature** - Clean module organization with clear boundaries\n- **Repository Pattern** - Clean data access layer with async operations\n- **Service Layer Pattern** - Business logic separation with dependency injection\n- **Factory Pattern** - FastAPI app factory for different deployment modes\n- **Strategy Pattern** - Pluggable components (storage, rate limiting, secrets)\n\n### **Security Architecture**\n- **Layered Security** - Multiple security layers with defense in depth\n- **Async-First Design** - Scalable performance with modern Python patterns\n- **Type Safety** - Comprehensive type annotations and validation\n- **Configuration Management** - Flexible config with multiple providers\n\n---\n\n## \ud83d\udcca **Project Status**\n\n### **Implementation Status**\n- \u2705 **OAuth 2.1 Complete** - All endpoints, flows, and security features\n- \u2705 **OIDC 1.0 Complete** - ID tokens, UserInfo, JWKS, discovery\n- \u2705 **Admin System Complete** - CLI, API, security, user management\n- \u2705 **Production Ready** - Docker, monitoring, deployment, documentation\n- \u2705 **Test Excellence** - 510 tests passing with comprehensive coverage\n\n### **Standards Compliance**\n- \u2705 **6 RFC Specifications** implemented and validated\n- \u2705 **Security Best Practices** - OWASP guidelines and threat modeling\n- \u2705 **Enterprise Features** - Audit logging, rate limiting, monitoring\n- \u2705 **Developer Experience** - Comprehensive docs, easy setup, great tooling\n\n### **Next Phase Opportunities**\n- **Performance Optimization** - Advanced caching and connection optimization\n- **Enterprise Features** - Multi-tenant support, SAML integration, LDAP\n- **Advanced Security** - FIDO2, WebAuthn, biometric authentication\n- **Cloud Native** - Kubernetes operators, service mesh integration\n\n---\n\n## \ud83d\udcdd **License**\n\nThis project is licensed under the MIT License - see the LICENSE file for details.\n\n---\n\n## \ud83e\udd1d **Contributing**\n\nWe welcome contributions! Please see our contributing guidelines and code of conduct.\n\n### **Development Setup**\n1. Clone the repository\n2. Install dependencies: `uv sync --all-groups`\n3. Install git hooks (recommended): `.githooks/install-hooks.sh`\n4. Run tests: `pytest`\n5. Start development server: `uv run python -m authly serve --embedded`\n\n### **Git Hooks (Auto-Fix)**\n```bash\n# Install git hooks with auto-fixing capabilities\n.githooks/install-hooks.sh\n\n# Features:\n# \u2705 Auto-fix ruff linting issues\n# \u2705 Auto-format code with ruff\n# \u2705 Re-stage fixed files automatically\n\n# Disable auto-fixing (if needed)\nexport AUTHLY_NO_AUTO_FIX=true\n```\n\n### **Development Commands**\n- **Linting**: `uv run ruff check .`\n- **Formatting**: `uv run ruff format .`\n- **Auto-fix linting**: `uv run ruff check --fix .`\n- **Validate Renovate config**: `npx --yes --package renovate -- renovate-config-validator .github/renovate.json`\n\n### **Quality Standards**\n- All code must include comprehensive tests\n- 100% test success rate required\n- Type annotations and documentation required\n- Security-first development practices\n\n---\n\n**Authly** - Production-ready OAuth 2.1 + OpenID Connect 1.0 authorization server with enterprise-grade security and comprehensive testing.",
"bugtrack_url": null,
"license": null,
"summary": "Authorization & User Token Handling Layer for You",
"version": "0.5.3",
"project_urls": {
"Homepage": "https://github.com/descoped/authly",
"Issues": "https://github.com/descoped/authly/issues",
"Repository": "https://github.com/descoped/authly"
},
"split_keywords": [
"asyncio",
" authentication",
" authorization",
" fastapi",
" iam",
" identity",
" oauth",
" oauth2",
" oidc",
" security"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "3d3fae03a8829aa8ded63fab98352a75e1fbaf00d5bc19d6a2bedf8d215ef764",
"md5": "4f6669d88a301c71b591bbecb87689ee",
"sha256": "c245a15ca6b2cadbc26a7a7982e7a54d63747a409942aac9d5787b7052000233"
},
"downloads": -1,
"filename": "authly-0.5.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "4f6669d88a301c71b591bbecb87689ee",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11",
"size": 187939,
"upload_time": "2025-08-01T20:31:35",
"upload_time_iso_8601": "2025-08-01T20:31:35.261387Z",
"url": "https://files.pythonhosted.org/packages/3d/3f/ae03a8829aa8ded63fab98352a75e1fbaf00d5bc19d6a2bedf8d215ef764/authly-0.5.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "00187803c7bad1115bd8cbae903e4b4fc2293686f9975114e47245486f54c8e8",
"md5": "568bf0c850f5d834ccc61df4e186bd45",
"sha256": "a520a6d45a881181fc83d4f6edf7b33a705cfc0188957a15e650c8d4f9930119"
},
"downloads": -1,
"filename": "authly-0.5.3.tar.gz",
"has_sig": false,
"md5_digest": "568bf0c850f5d834ccc61df4e186bd45",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11",
"size": 600903,
"upload_time": "2025-08-01T20:31:36",
"upload_time_iso_8601": "2025-08-01T20:31:36.672499Z",
"url": "https://files.pythonhosted.org/packages/00/18/7803c7bad1115bd8cbae903e4b4fc2293686f9975114e47245486f54c8e8/authly-0.5.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-01 20:31:36",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "descoped",
"github_project": "authly",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"lcname": "authly"
}
JSON
