All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Add support for ES* algorithms (`ES256`, `ES384`, `ES512`) for EC keys in `JWK`, `JWKS`, and `AsymmetricJWTValidator`.
- Fix flaky test `test_jwt_validator_fetches_tokens_again_for_unknown_kid` that failed on slower hardware (e.g. Raspberry Pi / aarch64) due to a timing-sensitive `refresh_time` threshold; replaced real-time sleeps with mocked time for deterministic behaviour. Reported by @wrobell in #18.
- Add a `guardpost.protection` namespace with classes offering a strategy for brute-force protection against authentication attempts, and to log all failed authentication attempts consistently.
- Add an `InvalidCredentialsError` exception. `AuthenticationHandler` implementations can raise `InvalidCredentialsError` when invalid credentials are provided, to enable automatic logging and, if enabled, brute-force protection.
- Add `RateLimiter` class that can block authentication attempts after a configurable threshold is exceeded. By default stores failed attempts in-memory.
- Integrate `RateLimiter` into `AuthenticationStrategy` with automatic tracking of failed authentication attempts and support for blocking excessive requests.
- Add Python `3.14` and remove `3.9` from the build matrix.
- Drop support for Python `3.9` (it reached EOL in October 2025).
- Add an optional dependency on `essentials`, to use its `Secret` class to handle secrets for JWT validation with symmetric encryption. This is useful to support rotating secrets by updating env variables.
- Improve exceptions raised for invalid `JWTs` to include the source exception (`exc.__cause__`).
- Add a `roles` property to the `Identity` object.
- Add a `RolesRequirement` class to authorize by sufficient roles (any one is enough).
- Add support for validating JWTs signed using symmetric encryption (`SymmetricJWTValidator` and `AsymmetricJWTValidator`).
- Add support to call the `authorize` method with an optional set of roles, treated as sufficient roles to succeed authorization.
- Add Python `3.12` and `3.13` to the build matrix.
- Remove Python `3.8` from the build matrix.
- Improve `pyproject.toml`.
- Workflow maintenance.
- Raises a more specific exception `ForbiddenError` when the user of an operation is authenticated properly, but authorization fails. This enables better handling of authorization errors, differentiating when the user context is missing or invalid, and when the context is valid but the user has no rights to do a certain operation. See #371.
- Improves the automatic rotation of `JWKS`: when validating `JWTs`, `JWKS` are refreshed automatically if an unknown `kid` is encountered, and `JWKS` were last fetched more than `refresh_time` seconds ago (by default 120 seconds).
- Corrects an inconsistency in how `claims` are read in the `User` class.
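The JWKS rotation rule above (refresh on an unknown `kid` only when the last fetch is more than `refresh_time` seconds old) together with the mocked-time testing approach from the flaky-test fix, as an added example that is not guardpost's own code; `JWKSCache`, `FakeClock` and the key strings are constructed placeholders.

```python
import time
from typing import Callable, Dict, Optional


class JWKSCache:
    """Cache of JWKS keys by kid (hypothetical helper, not guardpost's own code).

    Keys are re-fetched only when a token carries an unknown kid AND the last
    fetch is more than refresh_time seconds old, so a flood of tokens with
    bogus kids cannot turn the validator into a request amplifier against
    the JWKS endpoint."""

    def __init__(
        self,
        fetch: Callable[[], Dict[str, str]],
        refresh_time: float = 120.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._fetch = fetch              # returns {kid: key material}
        self._refresh_time = refresh_time
        self._clock = clock              # injectable so tests need no sleeps
        self._keys: Dict[str, str] = {}
        self._last_fetch: Optional[float] = None
        self.fetch_count = 0             # how often the endpoint was hit

    def _refresh(self) -> None:
        self._keys = dict(self._fetch())
        self._last_fetch = self._clock()
        self.fetch_count += 1

    def get_key(self, kid: str) -> Optional[str]:
        """Return the key for kid, refreshing under the rule above, else None."""
        if self._last_fetch is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is not None:
            return key
        if self._clock() - self._last_fetch > self._refresh_time:
            self._refresh()
            return self._keys.get(kid)
        return None


class FakeClock:
    """Mocked time source: advance() replaces real sleeps in tests."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Because the clock is injected, the threshold can be tested exactly at the boundary instead of depending on host speed.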
- Adds built-in support for dependency injection, using the new `ContainerProtocol` in `rodi` v2.
- Removes the synchronous code API, maintaining only the asynchronous code API for `AuthenticationStrategy.authenticate` and `AuthorizationStrategy.authorize`.
- Replaces `setup.py` with `pyproject.toml`.
- Reduces import verbosity.
- Improves the `identity_getter` code API.
- Corrects `Identity.__getitem__` to raise `KeyError` if a claim is missing.
- Workflow maintenance.
- Adds `sub`, `access_token`, and `refresh_token` properties to the `Identity` class.
- Adds `py.typed` file.
- Adds classes to handle JWT validation, but only for `RSA` keys.
- Fixes issue (wrong arrangement in test) #5.
- Includes `Python 3.10` in the CI/CD matrix.
- Enforces `black` and `isort` in the CI pipeline.
- Corrects a bug in the `Policy` class (#2).
- Changes the type annotation of `Identity` claims (#3).
- Completely migrates to GitHub Workflows.
- Improves build to test Python 3.6 and 3.9.
- Adds a changelog.
- Improves badges.
- Improves code quality using `flake8` and `black`.