Merge branch 'main' into outbound-apps

Author: guyp-descope

.pre-commit-config.yaml

@@ -52,7 +52,7 @@ repos:
       - id: tox-ini-fmt
         args: ["-p", "type"]
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.27.2
+    rev: v8.28.0
     hooks:
       - id: gitleaks
   - repo: local

README.md

@@ -26,14 +26,23 @@ pip install descope[Flask]
 A Descope `Project ID` is required to initialize the SDK. Find it on the
 [project page in the Descope Console](https://app.descope.com/settings/project).
 
+**Note:** Authentication APIs public access can be disabled via the Descope console.
+If disabled, it's still possible to use the authentication API by providing a management key with
+the appropriate access (`Authentication` / `Full Access`).
+If not provided directly, this value is retrieved from the `DESCOPE_AUTH_MANAGEMENT_KEY` environment variable instead.
+If neither values are set then any disabled authentication methods API calls will fail.
+
 ```python
 from descope import DescopeClient
 
-# Initialized after setting the DESCOPE_PROJECT_ID env var
+# Initialized after setting the DESCOPE_PROJECT_ID and DESCOPE_AUTH_MANAGEMENT_KEY env vars
 descope_client = DescopeClient()
 
 # ** Or directly **
-descope_client = DescopeClient(project_id="<Project ID>")
+descope_client = DescopeClient(
+    project_id="<Project ID>"
+    auth_management_key="<Auth Managemet Key>
+)
 ```
 
 ## Authentication Functions

descope/auth.py

@@ -73,6 +73,7 @@ def __init__(
         management_key: str | None = None,
         timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS,
         jwt_validation_leeway: int = 5,
+        auth_management_key: str | None = None,
     ):
         self.lock_public_keys = Lock()
         # validate project id
@@ -95,6 +96,9 @@ def __init__(
             self.base_url = self.base_url_for_project_id(self.project_id)
         self.timeout_seconds = timeout_seconds
         self.management_key = management_key or os.getenv("DESCOPE_MANAGEMENT_KEY")
+        self.auth_management_key = auth_management_key or os.getenv(
+            "DESCOPE_AUTH_MANAGEMENT_KEY"
+        )
 
         public_key = public_key or os.getenv("DESCOPE_PUBLIC_KEY")
         with self.lock_public_keys:
@@ -498,7 +502,9 @@ def adjust_properties(self, jwt_response: dict, user_jwt: bool):
         ]  # support both url issuer and project ID issuer
 
         sub = (
-            jwt_response.get(SESSION_TOKEN_NAME, {}).get("sub", None)
+            jwt_response.get(SESSION_TOKEN_NAME, {}).get("dsub", None)
+            or jwt_response.get(SESSION_TOKEN_NAME, {}).get("sub", None)
+            or jwt_response.get(REFRESH_SESSION_TOKEN_NAME, {}).get("dsub", None)
             or jwt_response.get(REFRESH_SESSION_TOKEN_NAME, {}).get("sub", None)
             or jwt_response.get("sub", "")
         )
@@ -564,6 +570,8 @@ def _get_default_headers(self, pswd: str | None = None):
         bearer = self.project_id
         if pswd:
             bearer = f"{self.project_id}:{pswd}"
+        if self.auth_management_key:
+            bearer = f"{bearer}:{self.auth_management_key}"
         headers["Authorization"] = f"Bearer {bearer}"
         return headers
 

descope/descope_client.py

@@ -30,6 +30,7 @@ def __init__(
         management_key: str | None = None,
         timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS,
         jwt_validation_leeway: int = 5,
+        auth_management_key: str | None = None,
     ):
         auth = Auth(
             project_id,
@@ -38,6 +39,7 @@ def __init__(
             management_key,
             timeout_seconds,
             jwt_validation_leeway,
+            auth_management_key,
         )
         self._auth = auth
         self._mgmt = MGMT(auth)