keystone.token.token_formatters module

keystone.token.token_formatters module

class keystone.token.token_formatters.ApplicationCredentialScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 9
class keystone.token.token_formatters.BasePayload[source]

Bases: object

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod attempt_convert_uuid_hex_to_bytes(value)[source]

Attempt to convert value to bytes or return value.

Parameters:value – value to attempt to convert to bytes
Returns:tuple containing boolean indicating whether user_id was stored as bytes and uuid value as bytes or the original value
classmethod base64_encode(s)[source]

Encode a URL-safe string.

Return type:six.text_type
classmethod convert_uuid_bytes_to_hex(uuid_byte_string)[source]

Generate uuid.hex format based on byte string.

Parameters:uuid_byte_string – uuid string to generate from
Returns:uuid hex formatted string
classmethod convert_uuid_hex_to_bytes(uuid_string)[source]

Compress UUID formatted strings to bytes.

Parameters:uuid_string – uuid string to compress to bytes
Returns:a byte representation of the uuid
classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
classmethod random_urlsafe_str_to_bytes(s)[source]

Convert a string from random_urlsafe_str() to six.binary_type.

Return type:six.binary_type
version = None
class keystone.token.token_formatters.DomainScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 1
class keystone.token.token_formatters.FederatedDomainScopedPayload[source]

Bases: keystone.token.token_formatters.FederatedScopedPayload

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
version = 6
class keystone.token.token_formatters.FederatedProjectScopedPayload[source]

Bases: keystone.token.token_formatters.FederatedScopedPayload

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
version = 5
class keystone.token.token_formatters.FederatedScopedPayload[source]

Bases: keystone.token.token_formatters.FederatedUnscopedPayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = None
class keystone.token.token_formatters.FederatedUnscopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
classmethod pack_group_id(group_dict)[source]
classmethod unpack_group_id(group_id_in_bytes)[source]
version = 4
class keystone.token.token_formatters.OauthScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 7
class keystone.token.token_formatters.ProjectScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 2
class keystone.token.token_formatters.SystemScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 8
class keystone.token.token_formatters.TokenFormatter[source]

Bases: object

Packs and unpacks payloads into tokens for transport.

create_token(user_id, expires_at, audit_ids, methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, access_token_id=None, app_cred_id=None)[source]

Given a set of payload attributes, generate a Fernet token.

classmethod creation_time(fernet_token)[source]

Return the creation time of a valid Fernet token.

crypto

Return a cryptography instance.

You can extend this class with a custom crypto @property to provide your own token encoding / decoding. For example, using a different cryptography library (e.g. python-keyczar) or to meet arbitrary security requirements.

This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext).

pack(payload)[source]

Pack a payload for transport as a token.

Return type:six.text_type
classmethod restore_padding(token)[source]

Restore padding based on token size.

Parameters:token (six.text_type) – token to restore padding on
Returns:token with correct padding
unpack(token)[source]

Unpack a token, and validate the payload.

Return type:six.binary_type
validate_token(token)[source]

Validate a Fernet token and returns the payload attributes.

class keystone.token.token_formatters.TrustScopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 3
class keystone.token.token_formatters.UnscopedPayload[source]

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)[source]

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request
  • methods – list of authentication methods used
  • system – a string including system scope information
  • project_id – ID of the project to scope to
  • domain_id – ID of the domain to scope to
  • expires_at – datetime of the token’s expiration
  • audit_ids – list of the token’s audit IDs
  • trust_id – ID of the trust in effect
  • federated_group_ids – list of group IDs from SAML assertion
  • identity_provider_id – ID of the user’s identity provider
  • protocol_id – federated protocol used for authentication
  • access_token_id – ID of the secret in OAuth1 authentication
  • app_cred_id – ID of the application credential in effect
Returns:

the payload of a token

classmethod create_arguments_apply(**kwargs)[source]

Check the arguments to see if they apply to this payload variant.

Returns:True if the arguments indicate that this payload class is needed for the token otherwise returns False.
Return type:bool
classmethod disassemble(payload)[source]

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:payload – this variant of payload
Returns:a tuple of the payloads component data
version = 0
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.