keystoneauth1.identity.v3.oidc module¶
- class keystoneauth1.identity.v3.oidc.OidcAccessToken(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBase
Implementation for OpenID Connect access token reuse.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect access token reuse.'
- __init__(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Connect plugin based on the Access Token.
It expects the following:
- Parameters:
auth_url (string) – URL of the Identity Service
identity_provider (string) – Name of the Identity Provider the client will authenticate against
protocol (string) – Protocol name as configured in keystone
access_token (string) – OpenID Connect Access token
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _discovery_cache: ty.Dict[str, discover.Discover]
- auth_ref: ty.Optional[access.AccessInfo]
- auth_url: str
- get_unscoped_auth_ref(session: Session, **kwargs: Any) AccessInfoV3
Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a token data representation
- Return type:
keystoneauth1.access.AccessInfoV3
- grant_type: ty.ClassVar[str]
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
Bases:
_OidcBase
Implementation for OpenID Connect Authorization Code.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Authorization Code.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
The OpenID Authorization Code plugin expects the following.
- Parameters:
redirect_uri (string) – OpenID Connect Client Redirect URL
code (string) – OAuth 2.0 Authorization Code
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _discovery_cache: ty.Dict[str, discover.Discover]
- auth_ref: ty.Optional[access.AccessInfo]
- auth_url: str
- get_payload(session: Session) Dict[str, str | None]
Get an authorization grant for the “authorization_code” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type: ty.ClassVar[str] = 'authorization_code'
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcClientCredentials(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBase
Implementation for OpenID Connect Client Credentials.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Client Credentials.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Client Credentials expects the following.
- Parameters:
client_id – Client ID used to authenticate
client_secret – Client Secret used to authenticate
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _discovery_cache: ty.Dict[str, discover.Discover]
- auth_ref: ty.Optional[access.AccessInfo]
- auth_url: str
- get_payload(session: Session) Dict[str, str | None]
Get an authorization grant for the client credentials grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type: ty.ClassVar[str] = 'client_credentials'
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcDeviceAuthorization(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBase
Implementation for OAuth 2.0 Device Authorization Grant.
- HEADER_X_FORM = {'Content-Type': 'application/x-www-form-urlencoded'}
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OAuth 2.0 Device Authorization Grant.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OAuth 2.0 Device Authorization plugin expects the following.
- Parameters:
device_authorization_endpoint (string) – OAuth 2.0 Device Authorization Endpoint, for example: https://localhost:8020/oidc/authorize/device Note that if a discovery document is provided this value will override the discovered one.
code_challenge_method (string) – PKCE Challenge Method (RFC 7636).
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _generate_pkce_verifier() str
Generate PKCE verifier string as defined in RFC 7636.
- _get_access_token(session: Session, payload: Dict[str, str | None]) str
Poll token endpoint for an access token.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
payload (dict) –
a dict containing various OpenID Connect values, for example:
{ 'grant_type': 'urn:ietf:params:oauth:grant-type:device_code', 'device_code': self.device_code, }
- _get_device_authorization_endpoint(session: Session) str | None
Get the endpoint for the OAuth 2.0 Device Authorization flow.
This method will return the correct device authorization endpoint to be used. If the user has explicitly passed an device_authorization_endpoint to the constructor that will be returned. If there is no explicit endpoint and a discovery url is provided, it will try to get it from the discovery document. If nothing is found, an exception will be raised.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
the endpoint to use
- Return type:
string or None if no endpoint is found
- get_payload(session: Session) Dict[str, str | None]
Get an authorization grant for the “device_code” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type: ty.ClassVar[str] = 'urn:ietf:params:oauth:grant-type:device_code'
- class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Resource Owner Password Credential.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Password plugin expects the following.
- Parameters:
username (string) – Username used to authenticate
password (string) – Password used to authenticate
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _discovery_cache: ty.Dict[str, discover.Discover]
- auth_ref: ty.Optional[access.AccessInfo]
- auth_url: str
- get_payload(session: Session) Dict[str, str | None]
Get an authorization grant for the “password” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type: ty.ClassVar[str] = 'password'
- manage_otp_from_session_or_request_to_the_user(payload: Dict[str, str | None], session: Session) None
Get the OTP code from the session or else request to the user.
When the OS_IDP_OTP_KEY environment variable is set, this method will verify if there is an OTP value in the current session, if it exists, we use it (the OTP from session) to send to the Identity Provider when retrieving the access token. If there is no OTP in the current session, we ask the user to enter it (the OTP), and we add it to the session to execute the authentication flow.
The OTP is being stored in the session because in some flows, the CLI is doing the authentication process two times, so saving the OTP in the session, allow us to use the same OTP in a short time interval, avoiding to request it to the user twice in a row.
- Parameters:
payload
session
- Returns:
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc._OidcBase(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None, system_scope: str | None, domain_id: str | None, domain_name: str | None, project_id: str | None, project_name: str | None, project_domain_id: str | None, project_domain_name: str | None, reauthenticate: bool, include_catalog: bool)
Bases:
FederationBaseAuth
Base class for different OpenID Connect based flows.
The OpenID Connect specification can be found at::
http://openid.net/specs/openid-connect-core-1_0.html
- __abstractmethods__ = frozenset({'get_payload'})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': typing.ClassVar[str], 'reauthenticate': 'bool'}
- __doc__ = 'Base class for different OpenID Connect based flows.\n\n The OpenID Connect specification can be found at::\n ``http://openid.net/specs/openid-connect-core-1_0.html``\n '
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None, system_scope: str | None, domain_id: str | None, domain_name: str | None, project_id: str | None, project_name: str | None, project_domain_id: str | None, project_domain_name: str | None, reauthenticate: bool, include_catalog: bool)
The OpenID Connect plugin expects the following.
- Parameters:
auth_url (string) – URL of the Identity Service
identity_provider (string) – Name of the Identity Provider the client will authenticate against
protocol (string) – Protocol name as configured in keystone
client_id (string) – OAuth 2.0 Client ID
client_secret (string) – OAuth 2.0 Client Secret
access_token_type (string) – OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
access_token_endpoint (string) – OpenID Connect Provider Token Endpoint, for example: https://localhost:8020/oidc/OP/token Note that if a discovery document is provided this value will override the discovered one.
discovery_endpoint – OpenID Connect Discovery Document URL, for example: https://localhost:8020/oidc/.well-known/openid-configuration
scope (string) – OpenID Connect scope that is requested from OP, for example: “openid profile email”, defaults to “openid profile”. Note that OpenID Connect specification states that “openid” must be always specified.
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _get_access_token(session: Session, payload: Dict[str, str | None]) str
Exchange a variety of user supplied values for an access token.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
payload (dict) –
a dict containing various OpenID Connect values, for example:
{ 'grant_type': 'password', 'username': self.username, 'password': self.password, 'scope': self.scope, }
- _get_access_token_endpoint(session: Session) str
Get the “token_endpoint” for the OpenID Connect flow.
This method will return the correct access token endpoint to be used. If the user has explicitly passed an access_token_endpoint to the constructor that will be returned. If there is no explicit endpoint and a discovery url is provided, it will try to get it from the discovery document. If nothing is found, an exception will be raised.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
the endpoint to use
- Return type:
string
- _get_discovery_document(session: Session) Dict[str, object]
Get the contents of the OpenID Connect Discovery Document.
This method grabs the contents of the OpenID Connect Discovery Document if a discovery_endpoint was passed to the constructor and returns it as a dict, otherwise returns an empty dict. Note that it will fetch the discovery document only once, so subsequent calls to this method will return the cached result, if any.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the discovery document if any, otherwise it will return an empty dict.
- Return type:
- _get_keystone_token(session: Session, access_token: str) Response
Exchange an access token for a keystone token.
By Sending the access token in an Authorization: Bearer header, to an OpenID Connect protected endpoint (Federated Token URL). The OpenID Connect server will use the access token to look up information about the authenticated user (this technique is called instrospection). The output of the instrospection will be an OpenID Connect Claim, that will be used against the mapping engine. Should the mapping engine succeed, a Keystone token will be presented to the user.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
access_token (str) – The OpenID Connect access token.
- abstract get_payload(session: Session) Dict[str, str | None]
Get the plugin specific payload for obtainin an access token.
OpenID Connect supports different grant types. This method should prepare the payload that needs to be exchanged with the server in order to get an access token for the particular grant type that the plugin is implementing.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- get_unscoped_auth_ref(session: Session, **kwargs: Any) AccessInfoV3
Authenticate with OpenID Connect and get back claims.
This is a multi-step process:
- 1.- An access token must be retrieved from the server. In order to do
so, we need to exchange an authorization grant or refresh token with the token endpoint in order to obtain an access token. The authorization grant varies from plugin to plugin.
- 2.- We then exchange the access token upon accessing the protected
Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a token data representation
- Return type:
keystoneauth1.access.AccessInfoV3