The Utils Module

openstack_auth.utils.LOG = <Logger openstack_auth.utils (WARNING)>

We need the request object to get the user, so we’ll slightly modify the existing django.contrib.auth.get_user method. To do so we update the auth middleware to point to our overridden method.

Calling “patch_middleware_get_user” is done in our custom middleware at “openstack_auth.middleware” to monkeypatch the code in before it is needed.


Checks if users should be able to change their expired passwords.

openstack_auth.utils.build_absolute_uri(request, relative_url)

Ensure absolute URIs are relative to WEBROOT.


Clean up the auth url to extract the exact Keystone URL

openstack_auth.utils.default_services_region(service_catalog, request=None, ks_endpoint=None)

Return the default service region.

Order of precedence:

  1. ‘services_region’ cookie value
  2. Matching endpoint in DEFAULT_SERVICE_REGIONS
  3. ‘*’ key in DEFAULT_SERVICE_REGIONS
  4. First valid region from catalog

In each case the value must also be present in available_regions or we move to the next level of precedence.
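
The precedence order above, worked through as an added stand-alone sketch (not openstack_auth's own code). The function names, the sample data and the catalog layout (services carrying an 'endpoints' list of dicts keyed by 'region_id' or 'region') are assumptions made for illustration.

```python
# Added illustration, not openstack_auth's code. Function names and the
# catalog layout ('endpoints' lists of dicts) are assumptions.

def endpoint_region(endpoint):
    # Keystone V3 reports 'region_id'; V2 reported 'region'.
    return endpoint.get("region_id") or endpoint.get("region")


def catalog_regions(service_catalog):
    """Regions offered by the catalog, de-duplicated, in catalog order."""
    regions = []
    for service in service_catalog:
        for endpoint in service.get("endpoints", []):
            region = endpoint_region(endpoint)
            if region and region not in regions:
                regions.append(region)
    return regions


def pick_default_region(service_catalog, cookie_region=None,
                        ks_endpoint=None, default_service_regions=None):
    """Apply the four precedence levels; each must exist in the catalog."""
    available = catalog_regions(service_catalog)
    defaults = default_service_regions or {}
    candidates = (
        cookie_region,              # 1. 'services_region' cookie (client-supplied)
        defaults.get(ks_endpoint),  # 2. entry for the matching Keystone endpoint
        defaults.get("*"),          # 3. wildcard entry
    )
    for region in candidates:
        # A stale or tampered cookie value falls through to the next level.
        if region in available:
            return region
    return available[0] if available else None  # 4. first catalog region


# Constructed sample data.
KS = "https://keystone.example.test/identity/v3"
CATALOG = [
    {"type": "compute", "endpoints": [{"region_id": "RegionOne"},
                                      {"region_id": "RegionTwo"}]},
    {"type": "image", "endpoints": [{"region": "RegionThree"}]},
]
DEFAULTS = {KS: "RegionTwo", "*": "RegionThree"}
```

Because the cookie is supplied by the client, the membership check against the catalog is what keeps an arbitrary cookie value from being used as the region.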


Fix up the auth url if an invalid or no version prefix was given.

Fix the URL to say v3 in this case and add version if it is missing entirely. This should be smarter and use discovery. Until version discovery is implemented we need this method to get everything working.


Common function for getting the admin permissions from settings

This format is ‘openstack.roles.xxx’ and ‘xxx’ is a real role name.


Set object including all admin permissions. If there is no permission, this will return empty:



Common function for getting the admin roles from settings


Set object including all admin roles. If there is no role, this will return empty:

    {"foo", "bar", "admin"}


Return client ip address using SECURE_PROXY_ADDR_HEADER variable.

If not present or not defined on settings then REMOTE_ADDR is used.


request (django.http.HttpRequest) – Django http request object.


Possible client ip address

Return type



Common function for getting the region from endpoint.

In Keystone V3, region has been deprecated in favor of region_id.

This method provides a way to get region that works for both Keystone V2 and V3.


Common function for getting the permission from arg

This format is ‘openstack.roles.xxx’ and ‘xxx’ is a real role name.


String like “openstack.roles.admin” If role is None, this will return None.

openstack_auth.utils.get_websso_url(request, auth_url, websso_auth)

Return the keystone endpoint for initiating WebSSO.

Generate the keystone WebSSO endpoint that will redirect the user to the login page of the federated identity provider.

Based on the authentication type selected by the user in the login form, it will construct the keystone WebSSO endpoint.

  • request (django.http.HttpRequest) – Django http request object.

  • auth_url (string) – Keystone endpoint configured in the horizon setting. If WEBSSO_KEYSTONE_URL is defined, its value will be used. Otherwise, the value is derived from:

      - OPENSTACK_KEYSTONE_URL
      - AVAILABLE_REGIONS

  • websso_auth (string) – Authentication type selected by the user from the login form. The value is derived from the horizon setting WEBSSO_CHOICES.

Example of horizon WebSSO setting:

    WEBSSO_CHOICES = (
        ("credentials", "Keystone Credentials"),
        ("oidc", "OpenID Connect"),
        ("saml2", "Security Assertion Markup Language"),
        ("acme_oidc", "ACME - OpenID Connect"),
        ("acme_saml2", "ACME - SAML2")
    )

    WEBSSO_IDP_MAPPING = {
        "acme_oidc": ("acme", "oidc"),
        "acme_saml2": ("acme", "saml2")
    }

The value of websso_auth will be looked up in the WEBSSO_IDP_MAPPING dictionary. If a match is found, it will return an IdP-specific WebSSO endpoint using the values found in the mapping.

The value in WEBSSO_IDP_MAPPING is expected to be a tuple formatted as (<idp_id>, <protocol_id>). Using the values found, an IdP/protocol-specific URL will be constructed:


If no value is found from the WEBSSO_IDP_MAPPING dictionary, it will treat the value as the global WebSSO protocol <protocol_id> and construct the WebSSO URL by:


Keystone WebSSO endpoint.

Return type


openstack_auth.utils.has_in_url_path(url, subs)

Test if any of subs strings is present in the url path.

openstack_auth.utils.is_token_valid(token, margin=None)

Timezone-aware checking of the auth token’s expiration timestamp.

Returns True if the token has not yet expired, otherwise False.

  • token – The openstack_auth.user.Token instance to check

  • margin – A time margin in seconds to subtract from the token’s real validity. For example, a token can still be valid when the middleware runs but expire (time out) while a view is rendering, which causes authorization errors during the rendering. A default margin can be set with TOKEN_TIMEOUT_MARGIN in the Django settings.
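
The race that the margin closes, as an added stand-alone example (not openstack_auth's code). The names token_is_valid and request_outcome, the constructed timeline and the treatment of naive timestamps as UTC are assumptions made for illustration.

```python
import datetime

UTC = datetime.timezone.utc


def token_is_valid(expires, margin=0, now=None):
    """Timezone-aware expiry check; margin is in seconds."""
    if expires is None:
        # A missing or unparseable expiry must not become a "forever" token.
        return False
    if expires.tzinfo is None:
        # Assumption: naive timestamps are UTC.
        expires = expires.replace(tzinfo=UTC)
    now = now or datetime.datetime.now(UTC)
    return expires - datetime.timedelta(seconds=margin) > now


def request_outcome(expires, start, render_seconds, margin):
    """One request: middleware check at start, backend call at end of render."""
    if not token_is_valid(expires, margin, now=start):
        return "redirect to login"      # rejected before any work is done
    finish = start + datetime.timedelta(seconds=render_seconds)
    if not token_is_valid(expires, 0, now=finish):
        return "authorization error mid-render"
    return "rendered"


# Constructed timeline: the token expires 5 s after the request starts and
# the view takes 8 s to render.
START = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)
EXPIRES = START + datetime.timedelta(seconds=5)
```

With no margin the request passes the middleware and then fails during rendering; with a 10-second margin the same token is rejected up front and the user is sent to log in again.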


Checks if the websso default redirect is available.

As with websso, this is only supported in Keystone version 3.


Websso is supported in Keystone version 3.

Common function for setting the cookie in the response.

Provides a common policy of setting cookies for last used project and region, can be reused in other locations.

This method will set the cookie to expire in 365 days.

openstack_auth.utils.store_initial_k2k_session(auth_url, request, scoped_auth_ref, unscoped_auth_ref)

Stores session variables if there are k2k service providers

This stores variables related to Keystone2Keystone federation. This function gets skipped if there are no Keystone service providers. An unscoped token to the identity provider keystone gets stored so that it can be used to do federated login into the service providers when switching keystone providers. The settings file can be configured to set the display name of the local (identity provider) keystone by setting KEYSTONE_PROVIDER_IDP_NAME. The KEYSTONE_PROVIDER_IDP_ID settings variable is used for comparison against the service providers. It should not conflict with any of the service provider ids.

  • auth_url – base token auth url

  • request – Django http request object

  • scoped_auth_ref – Scoped Keystone access info object

  • unscoped_auth_ref – Unscoped Keystone access info object

openstack_auth.utils.url_path_replace(url, old, new, count=None)

Return a copy of url with replaced path.

Return a copy of url with all occurrences of old replaced by new in the url path. If the optional argument count is given, only the first count occurrences are replaced.
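
Why has_in_url_path and url_path_replace are scoped to the path, shown as an added example built on urllib.parse (a sketch of the documented behaviour, not the module's source). The sample URL is constructed and naive_replace is a hypothetical whole-string version included only for contrast.

```python
from urllib.parse import urlsplit, urlunsplit


def has_in_url_path(url, subs):
    """True if any of the substrings occurs in the path component only."""
    path = urlsplit(url).path
    return any(sub in path for sub in subs)


def url_path_replace(url, old, new, count=None):
    """Replace old with new in the path; host, query and fragment are kept."""
    parts = urlsplit(url)
    args = () if count is None else (count,)
    return urlunsplit(parts._replace(path=parts.path.replace(old, new, *args)))


def naive_replace(url, old, new):
    """Whole-string replacement, for contrast (hypothetical helper)."""
    return url.replace(old, new)


# Constructed URL whose host name and query string also contain "/v2.0".
URL = "https://v2.0.keystone.example.test:5000/v2.0/tokens?next=/v2.0"

PATH_ONLY = url_path_replace(URL, "/v2.0", "/v3")
# Only the path changed:
#   https://v2.0.keystone.example.test:5000/v3/tokens?next=/v2.0

NAIVE = naive_replace(URL, "/v2.0", "/v3")
# Host and query were rewritten too:
#   https://v3.keystone.example.test:5000/v3/tokens?next=/v3
```

Treating the URL as a plain string changes which host receives the authentication request, which is the reason to split the URL into components before editing it.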