Token-based Authentication Middleware.
This WSGI component:
Verifies that incoming client requests have valid tokens by validating tokens with the auth service.
Rejects unauthenticated requests unless the auth_token middleware is in
delay_auth_decisionmode, which means the final decision is delegated to the downstream WSGI component (usually the OpenStack service).
Collects and forwards identity information based on a valid token such as user name, domain, project, etc.
Refer to: https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html
The auth_token middleware uses headers sent in by the client on the request and sets headers and environment variables for the downstream WSGI component.
Coming in from initial call from client or customer¶
The client token being passed in.
A service token being passed in.
Used for communication between components¶
HTTP header returned to a user indicating which endpoint to use to retrieve a new token.
What auth_token adds to the request for use by the OpenStack service¶
When using composite authentication (a user and service token are
present) additional service headers relating to the service user
will be added. They take the same form as the standard headers but add
_SERVICE_. These headers will not exist in the environment if no
service token is present.
- HTTP_X_IDENTITY_STATUS, HTTP_X_SERVICE_IDENTITY_STATUS
Will be set to either
The underlying service will only see a value of ‘Invalid’ if the middleware is configured to run in
delay_auth_decisionmode. As with all such headers,
HTTP_X_SERVICE_IDENTITY_STATUSwill only exist in the environment if a service token is presented. This is different than
HTTP_X_IDENTITY_STATUSwhich is always set even if no user token is presented. This allows the underlying service to determine if a denial should use
A string relaying system information about the token’s scope. This attribute is only present if the token is system-scoped. The string
allmeans the token is scoped to the entire deployment system.
- HTTP_X_DOMAIN_ID, HTTP_X_SERVICE_DOMAIN_ID
Identity service managed unique identifier, string. Only present if this is a domain-scoped token.
- HTTP_X_DOMAIN_NAME, HTTP_X_SERVICE_DOMAIN_NAME
Unique domain name, string. Only present if this is a domain-scoped token.
- HTTP_X_PROJECT_ID, HTTP_X_SERVICE_PROJECT_ID
Identity service managed unique identifier, string. Only present if this is a project-scoped token.
- HTTP_X_PROJECT_NAME, HTTP_X_SERVICE_PROJECT_NAME
Project name, unique within owning domain, string. Only present if this is a project-scoped token.
- HTTP_X_PROJECT_DOMAIN_ID, HTTP_X_SERVICE_PROJECT_DOMAIN_ID
Identity service managed unique identifier of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
- HTTP_X_PROJECT_DOMAIN_NAME, HTTP_X_SERVICE_PROJECT_DOMAIN_NAME
Name of owning domain of project, string. Only present if this is a project-scoped v3 token. If this variable is set, this indicates that the PROJECT_NAME can only be assumed to be unique within this domain.
- HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID
Identity-service managed unique identifier, string.
- HTTP_X_USER_NAME, HTTP_X_SERVICE_USER_NAME
User identifier, unique within owning domain, string.
- HTTP_X_USER_DOMAIN_ID, HTTP_X_SERVICE_USER_DOMAIN_ID
Identity service managed unique identifier of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
- HTTP_X_USER_DOMAIN_NAME, HTTP_X_SERVICE_USER_DOMAIN_NAME
Name of owning domain of user, string. If this variable is set, this indicates that the USER_NAME can only be assumed to be unique within this domain.
- HTTP_X_ROLES, HTTP_X_SERVICE_ROLES
Comma delimited list of case-sensitive role names.
The string value ‘True’ or ‘False’ representing whether the user’s token is scoped to the admin project. As historically there was no admin project this will default to True for tokens without this information to be backwards with existing policy files.
service catalog (optional, JSON string).
For compatibility reasons this catalog will always be in the V2 catalog format even if it is a v3 token.
This is an exception in that it contains ‘SERVICE’ but relates to a user token, not a service token. The existing user’s catalog can be very large; it was decided not to present a catalog relating to the service token to avoid using more HTTP header space.
Deprecated in favor of HTTP_X_PROJECT_ID.
Identity service managed unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
Deprecated in favor of HTTP_X_PROJECT_NAME.
Project identifier, unique within owning domain, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_NAME.
Deprecated in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME.
Identity server-assigned unique identifier, string. For v3 tokens, this will be set to the same value as HTTP_X_PROJECT_ID.
Deprecated in favor of HTTP_X_USER_ID and HTTP_X_USER_NAME.
User name, unique within owning domain, string.
Deprecated in favor of HTTP_X_ROLES.
Will contain the same values as HTTP_X_ROLES.
These variables are set in the request environment for use by the downstream WSGI component.
Information about the token discovered in the process of validation. This may include extended information returned by the token validation call, as well as basic information about the project and user.
A keystoneauth1 auth plugin that may be used with a
keystoneauth1.session.Session. This plugin will load the authentication data provided to auth_token middleware.
auth_token middleware configuration can be in the main application’s
configuration file, e.g. in
auth_plugin = password
auth_url = http://keystone:5000/
username = nova
user_domain_id = default
password = whyarewestillusingpasswords
project_name = service
project_domain_id = default
Configuration can also be in the
api-paste.ini file with the same options,
but this is discouraged.
When deploy auth_token middleware with Swift, user may elect to use Swift
memcache instead of the local auth_token memcache. Swift memcache is passed in
from the request environment and it’s identified by the
However it could be different, depending on deployment. To use Swift memcache,
you must set the
cache option to the environment key where the Swift cache
object is stored.
- class keystonemiddleware.auth_token.AuthProtocol(app, conf)¶
Middleware that handles authenticating client calls.
- fetch_token(token, allow_expired=False)¶
Retrieve a token from either a PKI bundle or the identity server.
token (str) – token id
exc.InvalidToken – if token is rejected
Evaluate the headers in a request and attempt to authenticate the request. If authenticated then additional headers are added to the request for use by applications. If not authenticated the request will be rejected or marked unauthenticated depending on configuration.
WWW-Authenticateheaders to requests that failed with
401 Unauthenticatedso users know where to authenticate for future requests.
- class keystonemiddleware.auth_token.BaseAuthProtocol(app, log=<KeywordArgumentAdapter keystonemiddleware.auth_token (WARNING)>, enforce_token_bind='permissive', service_token_roles=None, service_token_roles_required=False, service_type=None)¶
A base class for AuthProtocol token checking implementations.
app (Callable) – The next application to call after middleware.
log (logging.Logger) – The logging object to use for output. By default it will use a logger in the keystonemiddleware.auth_token namespace.
enforce_token_bind (str) – The style of token binding enforcement to perform.
- fetch_token(token, **kwargs)¶
Fetch the token data based on the value in the header.
Retrieve the data associated with the token value that was in the header. This can be from PKI, contacting the identity server or whatever is required.
token (str) – The token present in the request header.
kwargs (dict) – Additional keyword arguments may be passed through here to support new features. If an implementation is not aware of how to use these arguments it should ignore them.
exc.InvalidToken – if token is invalid.
The token data
- Return type:
If this method returns a value then that value will be used as the response. The next application down the stack will not be executed and process_response will not be called.
Otherwise, the next application down the stack will be executed and process_response will be called with the generated response.
By default this method does not return a value.
request (_request.AuthTokenRequest) – Incoming request
Do whatever you’d like to the response.
By default the response is returned unmodified.
response (._request._AuthTokenResponse) – Response object
- validate_allowed_request(request, token)¶
- keystonemiddleware.auth_token.app_factory(global_conf, **local_conf)¶
- keystonemiddleware.auth_token.filter_factory(global_conf, **local_conf)¶
Return a WSGI filter app for use with paste.deploy.
Return a list of oslo_config options available in auth_token middleware.
The returned list includes all oslo_config options which may be registered at runtime by the project.
Each element of the list is a tuple. The first element is the name of the group under which the list of elements in the second element will be registered. A group name of None corresponds to the [DEFAULT] group in config files.
NOTE: This function is no longer used for oslo_config sample generation. Some services rely on this function for listing ALL (including deprecated) options and registering them into their own config objects which we do not want for sample config files.
keystonemiddleware.auth_token._opts.list_opts()for sample config files.
a list of (group_name, opts) tuples