Split auth deps with extra subpackages

.github/workflows/ci.yaml

@@ -41,7 +41,7 @@ jobs:
 
       - name: Install application
         run: |
-          pip install src/core "src/authentication[oidc]" src/build src/log src/permissions src/settings src/web
+          pip install src/core "src/authentication[all]" src/build src/log src/permissions src/settings src/web
 
       - name: Run tests
         run: pytest --import-mode=importlib

CHANGELOG.md

@@ -14,6 +14,15 @@ and this project adheres to
 - settings: Support optional section-level documentation via `_doc` in settings
   definition (#80).
 - auth: Add `OIDCClient` for OpenID Connect Authorization Code flow (#76).
+- auth: Add `[all]` extra on `RFL.authentication` to install all authentication
+  backends (jwt, ldap, oidc) (#84).
+
+### Changed
+- auth: Move PyJWT and python-ldap from core dependencies to optional `[jwt]` and
+  `[ldap]` extras on `RFL.authentication`; add `[all]` extra for the full stack
+  (#84).
+- web: Depend on `RFL.authentication[jwt]` so web no longer pulls LDAP
+  transitively (#84).
 
 ## [1.7.0] - 2026-05-08
 

src/authentication/README.md

@@ -1,3 +1,26 @@
 # RFL: authentication package
 
-Generate and validate JWT tokens.
+User identity types, JWT token management, LDAP authentication, and OpenID
+Connect (OIDC) client support.
+
+## Installation
+
+The core package installs only `RFL.core`. Optional backends are installed via
+pip extras:
+
+| Extra | Dependencies | Use |
+|-------|----------------|-----|
+| `jwt` | PyJWT | `rfl.authentication.jwt` |
+| `ldap` | python-ldap | `rfl.authentication.ldap` |
+| `oidc` | Authlib, Flask, requests | `rfl.authentication.oidc` |
+| `all` | All of the above | Full authentication stack |
+
+Examples:
+
+```bash
+pip install RFL.authentication          # user types and errors only
+pip install "RFL.authentication[jwt]"   # JWT support
+pip install "RFL.authentication[ldap]"  # LDAP support
+pip install "RFL.authentication[oidc]"  # OIDC support
+pip install "RFL.authentication[all]"   # all backends
+```

src/authentication/pyproject.toml

@@ -14,8 +14,6 @@ authors = [
 ]
 dependencies = [
     "RFL.core",
-    "PyJWT",
-    "python-ldap",
 ]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
@@ -27,7 +25,16 @@ classifiers = [
 readme = "README.md"
 
 [project.optional-dependencies]
+jwt = ["PyJWT"]
+ldap = ["python-ldap"]
 oidc = ["Authlib", "Flask", "requests"]
+all = [
+    "PyJWT",
+    "python-ldap",
+    "Authlib",
+    "Flask",
+    "requests",
+]
 
 [project.urls]
 "Homepage" = "https://github.com/rackslab/RFL"

src/authentication/rfl/authentication/jwt.py

@@ -10,7 +10,10 @@
 import logging
 from pathlib import Path
 
-import jwt
+try:
+    import jwt
+except ImportError as err:
+    raise ImportError("PyJWT is required for RFL JWT Authentication") from err
 
 from .user import AuthenticatedUser
 from .errors import (

src/authentication/rfl/authentication/ldap.py

@@ -8,8 +8,11 @@
 from pathlib import Path
 import logging
 
-import ldap
-import ldap.filter
+try:
+    import ldap
+    import ldap.filter
+except ImportError as err:
+    raise ImportError("python-ldap is required for RFL LDAP Authentication") from err
 
 from .user import AuthenticatedUser
 from .errors import LDAPAuthenticationError

src/web/pyproject.toml

@@ -15,7 +15,7 @@ authors = [
 dependencies = [
     "Flask",
     "RFL.permissions",
-    "RFL.authentication"
+    "RFL.authentication[jwt]"
 ]
 classifiers = [
     "Development Status :: 5 - Production/Stable",