keystone.token.token_formatters module¶

class keystone.token.token_formatters.ApplicationCredentialScopedPayload[source]¶

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 9¶

class keystone.token.token_formatters.BasePayload[source]¶

Bases: object

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod attempt_convert_uuid_hex_to_bytes(value)[source]¶

Attempt to convert value to bytes or return value.

Parameters:: value – value to attempt to convert to bytes
Returns:: tuple containing boolean indicating whether user_id was stored as bytes and uuid value as bytes or the original value

classmethod base64_encode(s)[source]¶

Encode a URL-safe string.

Return type:: str

classmethod convert_uuid_bytes_to_hex(uuid_byte_string)[source]¶

Generate uuid.hex format based on byte string.

Parameters:: uuid_byte_string – uuid string to generate from
Returns:: uuid hex formatted string

classmethod convert_uuid_hex_to_bytes(uuid_string)[source]¶

Compress UUID formatted strings to bytes.

Parameters:: uuid_string – uuid string to compress to bytes
Returns:: a byte representation of the uuid

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

classmethod random_urlsafe_str_to_bytes(s)[source]¶

Convert string from random_urlsafe_str() to bytes.

Return type:: bytes

version: int¶

class keystone.token.token_formatters.DomainScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 1¶

class keystone.token.token_formatters.FederatedDomainScopedPayload[source]¶

Bases: FederatedScopedPayload

version: int = 6¶

class keystone.token.token_formatters.FederatedProjectScopedPayload[source]¶

Bases: FederatedScopedPayload

version: int = 5¶

class keystone.token.token_formatters.FederatedScopedPayload[source]¶

Bases: FederatedUnscopedPayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

class keystone.token.token_formatters.FederatedUnscopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

classmethod pack_group_id(group_dict)[source]¶

classmethod unpack_group_id(group_id_in_bytes)[source]¶

version: int = 4¶

class keystone.token.token_formatters.Oauth2CredentialsScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 10¶

class keystone.token.token_formatters.OauthScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 7¶

class keystone.token.token_formatters.ProjectScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 2¶

class keystone.token.token_formatters.SystemScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 8¶

class keystone.token.token_formatters.TokenFormatter[source]¶

Bases: object

Packs and unpacks payloads into tokens for transport.

create_token(user_id, expires_at, audit_ids, payload_class, methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, access_token_id=None, app_cred_id=None, thumbprint=None)[source]¶: Given a set of payload attributes, generate a Fernet token.

classmethod creation_time(fernet_token)[source]¶

Return the creation time of a valid Fernet token.

property crypto¶

Return a cryptography instance.

You can extend this class with a custom crypto @property to provide your own token encoding / decoding. For example, using a different cryptography library (e.g. python-keyczar) or to meet arbitrary security requirements.

This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext).

pack(payload)[source]¶

Pack a payload for transport as a token.

Return type:: str

classmethod restore_padding(token)[source]¶

Restore padding based on token size.

Parameters:: token (str) – token to restore padding on
Returns:: token with correct padding

unpack(token)[source]¶

Unpack a token, and validate the payload.

Return type:: bytes

validate_token(token)[source]¶

Validate a Fernet token and returns the payload attributes.

class keystone.token.token_formatters.TrustScopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 3¶

class keystone.token.token_formatters.UnscopedPayload[source]¶

Bases: BasePayload

Assemble the payload of a token.

Parameters:

user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)[source]¶

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:: payload – this variant of payload
Returns:: a tuple of the payloads component data

version: int = 0¶

keystone.token.token_formatters module

keystone.token.token_formatters module¶

keystone 28.0.1.dev3

Page Contents