keystoneauth1.identity.v3.oidc module

class keystoneauth1.identity.v3.oidc.OidcAccessToken(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect access token reuse.

__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
__doc__ = 'Implementation for OpenID Connect access token reuse.'
__init__(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Connect plugin based on the Access Token.

It expects the following:

Parameters:
  • auth_url (string) – URL of the Identity Service

  • identity_provider (string) – Name of the Identity Provider the client will authenticate against

  • protocol (string) – Protocol name as configured in keystone

  • access_token (string) – OpenID Connect Access token

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_discovery_cache: ty.Dict[str, discover.Discover]
_discovery_document: ty.Dict[str, object]
auth_ref: ty.Optional[access.AccessInfo]
auth_url: str
get_payload(session: Session) Dict[str, str | None]

OidcAccessToken does not require a payload.

get_unscoped_auth_ref(session: Session, **kwargs: Any) AccessInfoV3

Authenticate with OpenID Connect and get back claims.

We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a token data representation

Return type:

keystoneauth1.access.AccessInfoV3

grant_type: ty.ClassVar[str]
reauthenticate: bool
class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)

Bases: _OidcBase

Implementation for OpenID Connect Authorization Code.

__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
__doc__ = 'Implementation for OpenID Connect Authorization Code.'
__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)

The OpenID Authorization Code plugin expects the following.

Parameters:
  • redirect_uri (string) – OpenID Connect Client Redirect URL

  • code (string) – OAuth 2.0 Authorization Code

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_discovery_cache: ty.Dict[str, discover.Discover]
_discovery_document: ty.Dict[str, object]
auth_ref: ty.Optional[access.AccessInfo]
auth_url: str
get_payload(session: Session) Dict[str, str | None]

Get an authorization grant for the “authorization_code” grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'authorization_code'
reauthenticate: bool
class keystoneauth1.identity.v3.oidc.OidcClientCredentials(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect Client Credentials.

__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
__doc__ = 'Implementation for OpenID Connect Client Credentials.'
__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Client Credentials expects the following.

Parameters:
  • client_id – Client ID used to authenticate

  • client_secret – Client Secret used to authenticate

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_discovery_cache: ty.Dict[str, discover.Discover]
_discovery_document: ty.Dict[str, object]
auth_ref: ty.Optional[access.AccessInfo]
auth_url: str
get_payload(session: Session) Dict[str, str | None]

Get an authorization grant for the client credentials grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'client_credentials'
reauthenticate: bool
class keystoneauth1.identity.v3.oidc.OidcDeviceAuthorization(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OAuth 2.0 Device Authorization Grant.

HEADER_X_FORM = {'Content-Type': 'application/x-www-form-urlencoded'}
__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
__doc__ = 'Implementation for OAuth 2.0 Device Authorization Grant.'
__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OAuth 2.0 Device Authorization plugin expects the following.

Parameters:
  • device_authorization_endpoint (string) – OAuth 2.0 Device Authorization Endpoint, for example: https://localhost:8020/oidc/authorize/device Note that if a discovery document is provided this value will override the discovered one.

  • code_challenge_method (string) – PKCE Challenge Method (RFC 7636).

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_generate_pkce_challenge() str | None

Generate PKCE challenge string as defined in RFC 7636.

_generate_pkce_verifier() str

Generate PKCE verifier string as defined in RFC 7636.

_get_access_token(session: Session, payload: Dict[str, str | None]) str

Poll token endpoint for an access token.

Parameters:
  • session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

  • payload (dict) –

    a dict containing various OpenID Connect values, for example:

    {
        'grant_type': 'urn:ietf:params:oauth:grant-type:device_code',
        'device_code': self.device_code,
    }
    

_get_device_authorization_endpoint(session: Session) str | None

Get the endpoint for the OAuth 2.0 Device Authorization flow.

This method will return the correct device authorization endpoint to be used. If the user has explicitly passed an device_authorization_endpoint to the constructor that will be returned. If there is no explicit endpoint and a discovery url is provided, it will try to get it from the discovery document. If nothing is found, an exception will be raised.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

the endpoint to use

Return type:

string or None if no endpoint is found

get_payload(session: Session) Dict[str, str | None]

Get an authorization grant for the “device_code” grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'urn:ietf:params:oauth:grant-type:device_code'
class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect Resource Owner Password Credential.

__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
__doc__ = 'Implementation for OpenID Connect Resource Owner Password Credential.'
__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Password plugin expects the following.

Parameters:
  • username (string) – Username used to authenticate

  • password (string) – Password used to authenticate

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_discovery_cache: ty.Dict[str, discover.Discover]
_discovery_document: ty.Dict[str, object]
auth_ref: ty.Optional[access.AccessInfo]
auth_url: str
get_payload(session: Session) Dict[str, str | None]

Get an authorization grant for the “password” grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'password'
manage_otp_from_session_or_request_to_the_user(payload: Dict[str, str | None], session: Session) None

Get the OTP code from the session or else request to the user.

When the OS_IDP_OTP_KEY environment variable is set, this method will verify if there is an OTP value in the current session, if it exists, we use it (the OTP from session) to send to the Identity Provider when retrieving the access token. If there is no OTP in the current session, we ask the user to enter it (the OTP), and we add it to the session to execute the authentication flow.

The OTP is being stored in the session because in some flows, the CLI is doing the authentication process two times, so saving the OTP in the session, allow us to use the same OTP in a short time interval, avoiding to request it to the user twice in a row.

Parameters:
  • payload

  • session

Returns:

reauthenticate: bool
class keystoneauth1.identity.v3.oidc._OidcBase(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None, system_scope: str | None, domain_id: str | None, domain_name: str | None, project_id: str | None, project_name: str | None, project_domain_id: str | None, project_domain_name: str | None, reauthenticate: bool, include_catalog: bool)

Bases: FederationBaseAuth

Base class for different OpenID Connect based flows.

The OpenID Connect specification can be found at:: http://openid.net/specs/openid-connect-core-1_0.html

__abstractmethods__ = frozenset({'get_payload'})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': typing.ClassVar[str], 'reauthenticate': 'bool'}
__doc__ = 'Base class for different OpenID Connect based flows.\n\n    The OpenID Connect specification can be found at::\n    ``http://openid.net/specs/openid-connect-core-1_0.html``\n    '
__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None, system_scope: str | None, domain_id: str | None, domain_name: str | None, project_id: str | None, project_name: str | None, project_domain_id: str | None, project_domain_name: str | None, reauthenticate: bool, include_catalog: bool)

The OpenID Connect plugin expects the following.

Parameters:
  • auth_url (string) – URL of the Identity Service

  • identity_provider (string) – Name of the Identity Provider the client will authenticate against

  • protocol (string) – Protocol name as configured in keystone

  • client_id (string) – OAuth 2.0 Client ID

  • client_secret (string) – OAuth 2.0 Client Secret

  • access_token_type (string) – OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

  • access_token_endpoint (string) – OpenID Connect Provider Token Endpoint, for example: https://localhost:8020/oidc/OP/token Note that if a discovery document is provided this value will override the discovered one.

  • discovery_endpoint – OpenID Connect Discovery Document URL, for example: https://localhost:8020/oidc/.well-known/openid-configuration

  • scope (string) – OpenID Connect scope that is requested from OP, for example: “openid profile email”, defaults to “openid profile”. Note that OpenID Connect specification states that “openid” must be always specified.

__module__ = 'keystoneauth1.identity.v3.oidc'
_abc_impl = <_abc._abc_data object>
_get_access_token(session: Session, payload: Dict[str, str | None]) str

Exchange a variety of user supplied values for an access token.

Parameters:
  • session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

  • payload (dict) –

    a dict containing various OpenID Connect values, for example:

    {
        'grant_type': 'password',
        'username': self.username,
        'password': self.password,
        'scope': self.scope,
    }
    

_get_access_token_endpoint(session: Session) str

Get the “token_endpoint” for the OpenID Connect flow.

This method will return the correct access token endpoint to be used. If the user has explicitly passed an access_token_endpoint to the constructor that will be returned. If there is no explicit endpoint and a discovery url is provided, it will try to get it from the discovery document. If nothing is found, an exception will be raised.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

the endpoint to use

Return type:

string

_get_discovery_document(session: Session) Dict[str, object]

Get the contents of the OpenID Connect Discovery Document.

This method grabs the contents of the OpenID Connect Discovery Document if a discovery_endpoint was passed to the constructor and returns it as a dict, otherwise returns an empty dict. Note that it will fetch the discovery document only once, so subsequent calls to this method will return the cached result, if any.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the discovery document if any, otherwise it will return an empty dict.

Return type:

dict

_get_keystone_token(session: Session, access_token: str) Response

Exchange an access token for a keystone token.

By Sending the access token in an Authorization: Bearer header, to an OpenID Connect protected endpoint (Federated Token URL). The OpenID Connect server will use the access token to look up information about the authenticated user (this technique is called instrospection). The output of the instrospection will be an OpenID Connect Claim, that will be used against the mapping engine. Should the mapping engine succeed, a Keystone token will be presented to the user.

Parameters:
  • session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

  • access_token (str) – The OpenID Connect access token.

_sanitize(data: Dict[str, str | None]) Dict[str, str | None]
abstract get_payload(session: Session) Dict[str, str | None]

Get the plugin specific payload for obtainin an access token.

OpenID Connect supports different grant types. This method should prepare the payload that needs to be exchanged with the server in order to get an access token for the particular grant type that the plugin is implementing.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

get_unscoped_auth_ref(session: Session, **kwargs: Any) AccessInfoV3

Authenticate with OpenID Connect and get back claims.

This is a multi-step process:

1.- An access token must be retrieved from the server. In order to do

so, we need to exchange an authorization grant or refresh token with the token endpoint in order to obtain an access token. The authorization grant varies from plugin to plugin.

2.- We then exchange the access token upon accessing the protected

Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a token data representation

Return type:

keystoneauth1.access.AccessInfoV3

grant_type: ClassVar[str]