keystoneauth1.identity.v3.oidc module¶
- class keystoneauth1.identity.v3.oidc.OidcAccessToken(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases: _OidcBase
Implementation for OpenID Connect access token reuse.
- __init__(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Connect plugin based on an Access Token that was obtained out of band. The plugin performs no grant exchange itself, so no client credentials are needed; the token is handed straight to Keystone.
It expects the following:
- Parameters:
auth_url (string) – URL of the Identity Service
identity_provider (string) – Name of the Identity Provider the client will authenticate against
protocol (string) – Protocol name as configured in keystone
access_token (string) – OpenID Connect Access token
- get_payload(session: Session) dict[str, str | None]
OidcAccessToken does not require a payload.
- get_unscoped_auth_ref(session: Session) AccessInfoV3
Authenticate with OpenID Connect and get back claims.
The access token is presented as a bearer token to the protected Keystone federation endpoint (the federated auth URL). The OpenID Connect module protecting that endpoint validates the token with the Provider (token introspection) and retrieves the user information permitted by the scope in the form of OpenID Connect claims. Those claims are passed to Keystone as environment variables, which the federation mapping rules consume to issue an unscoped token.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a token data representation
- Return type:
keystoneauth1.access.AccessInfoV3
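Choosing one of the four plugin classes in this module (OidcAccessToken, OidcAuthorizationCode, OidcClientCredentials, OidcPassword), building its constructor arguments, and authenticating through a Session, as an added example that is not code from keystoneauth1. The helper functions need only the standard library; the __main__ section assumes keystoneauth1 is installed and a Keystone with OIDC federation is reachable. The OS_* variable names follow the openstackclient convention but are an assumption of this example, as is the mapping of flow names to plugin classes.

```python
"""Selecting and configuring one of the keystoneauth1 OIDC plugins.

Added example, not code from keystoneauth1. The OS_* names and the
flow-name -> class table are assumptions of this example.
"""
import os
from urllib.parse import urlsplit

# flow name -> (plugin class in keystoneauth1.identity.v3.oidc,
#               flow-specific constructor arguments, read from OS_<ARG>)
FLOWS = {
    "access_token": ("OidcAccessToken", ("access_token",)),
    "client_credentials": ("OidcClientCredentials", ("client_id", "client_secret")),
    "authorization_code": (
        "OidcAuthorizationCode",
        ("client_id", "client_secret", "code", "redirect_uri"),
    ),
    "password": ("OidcPassword", ("client_id", "client_secret", "username", "password")),
}

# Optional endpoint arguments accepted by every plugin.
ENDPOINT_ARGS = (
    ("OS_DISCOVERY_ENDPOINT", "discovery_endpoint"),
    ("OS_ACCESS_TOKEN_ENDPOINT", "access_token_endpoint"),
)


def require_https(name, url):
    """Refuse plaintext endpoints: the access token, client secret and user
    password are all sent to these URLs, so http:// would leak them."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name} must be an https:// URL, got {url!r}")
    return url


def _need(env, name):
    value = env.get(name)
    if not value:
        raise ValueError(f"{name} is required for this flow")
    return value


def plugin_config(flow, env):
    """Return (class_name, kwargs) for the plugin implementing ``flow``.

    ``env`` is any mapping such as os.environ. Secrets are read from it
    rather than from argv so they do not show up in process listings.
    """
    try:
        cls_name, extra_args = FLOWS[flow]
    except KeyError:
        raise ValueError(f"unknown flow {flow!r}; expected one of {sorted(FLOWS)}") from None

    kwargs = {
        "auth_url": require_https("OS_AUTH_URL", _need(env, "OS_AUTH_URL")),
        "identity_provider": _need(env, "OS_IDENTITY_PROVIDER"),
        "protocol": _need(env, "OS_PROTOCOL"),
    }
    for var, key in ENDPOINT_ARGS:
        if env.get(var):
            kwargs[key] = require_https(var, env[var])
    if env.get("OS_OPENID_SCOPE"):
        kwargs["scope"] = env["OS_OPENID_SCOPE"]

    # Every flow except access-token reuse sends a token request to the
    # provider, so it needs an explicit token endpoint or a discovery
    # document to look it up in; without either the plugin cannot proceed.
    if flow != "access_token" and not any(k in kwargs for _, k in ENDPOINT_ARGS):
        raise ValueError("set OS_DISCOVERY_ENDPOINT or OS_ACCESS_TOKEN_ENDPOINT")

    for key in extra_args:
        kwargs[key] = _need(env, "OS_" + key.upper())

    # Ask Keystone for a token scoped to a project rather than an unscoped one.
    if env.get("OS_PROJECT_NAME"):
        kwargs["project_name"] = env["OS_PROJECT_NAME"]
        kwargs["project_domain_name"] = env.get("OS_PROJECT_DOMAIN_NAME", "Default")
    return cls_name, kwargs


if __name__ == "__main__":
    from keystoneauth1 import session
    from keystoneauth1.identity.v3 import oidc

    cls_name, kwargs = plugin_config(os.environ.get("OIDC_FLOW", "access_token"), os.environ)
    auth = getattr(oidc, cls_name)(**kwargs)
    # verify=True is already the default; it is spelled out because turning
    # it off would let an interceptor harvest the bearer token.
    sess = session.Session(auth=auth, verify=True)
    access = auth.get_access(sess)
    print(f"{cls_name}: Keystone token for user {access.user_id}, "
          f"project {access.project_id}, expires {access.expires}")
```

Prefer OidcAccessToken or OidcAuthorizationCode for interactive users and OidcClientCredentials for service accounts; the password grant hands the user's password to the client and bypasses whatever phishing-resistant or multi-factor login the Identity Provider enforces at its own login page, so reserve it for providers that offer nothing else.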
- class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
Bases: _OidcBase
Implementation for OpenID Connect Authorization Code.
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
The OpenID Authorization Code plugin expects the following.
- Parameters:
client_id (string) – Client ID used to authenticate against the token endpoint
client_secret (string) – Client Secret used to authenticate against the token endpoint
redirect_uri (string) – OpenID Connect Client Redirect URI; it must be one registered for the client and match the URI used in the authorization request
code (string) – OAuth 2.0 Authorization Code returned to that redirect URI
- get_payload(session: Session) dict[str, str | None]
Get an authorization grant for the “authorization_code” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
dict
- grant_type: ClassVar[str] = 'authorization_code'
- class keystoneauth1.identity.v3.oidc.OidcClientCredentials(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases: _OidcBase
Implementation for OpenID Connect Client Credentials.
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Client Credentials plugin expects the following.
- Parameters:
client_id (string) – Client ID used to authenticate
client_secret (string) – Client Secret used to authenticate
- get_payload(session: Session) dict[str, str | None]
Get an authorization grant for the client credentials grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
dict
- grant_type: ClassVar[str] = 'client_credentials'
- class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases: _OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Password plugin expects the following.
- Parameters:
username (string) – Username used to authenticate
password (string) – Password used to authenticate
idp_otp_key (string) – Name of the payload field in which the user's one-time password is sent to the Identity Provider; when set, the user is prompted for an OTP (see manage_otp_from_session_or_request_to_the_user)
- get_payload(session: Session) dict[str, str | None]
Get an authorization grant for the “password” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
dict
- grant_type: ClassVar[str] = 'password'
- manage_otp_from_session_or_request_to_the_user(payload: dict[str, str | None], session: Session) None
Get the OTP code from the session, or else prompt the user for it.
When the OS_IDP_OTP_KEY environment variable is set, this method checks whether an OTP value is already stored in the current session. If it is, that OTP is sent to the Identity Provider when retrieving the access token. If it is not, the user is asked to enter the OTP, and the value is stored in the session before the authentication flow continues.
The OTP is stored in the session because in some flows the CLI runs the authentication process twice. Keeping the OTP in the session lets the same OTP be reused within a short time interval instead of prompting the user twice in a row.
- Parameters:
payload (dict) – the token-request payload to which the OTP value is added
session (keystoneauth1.session.Session) – the session in which the OTP is cached
- Returns:
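The OTP-in-session pattern described above, as an added stand-alone reconstruction that is not keystoneauth1's code: the session attribute name `_otp`, the reuse window, the injected prompt and the sample payload are assumptions of this example. It shows the two-authentications-in-a-row case the docstring motivates, and the expiry of the cached value that the description leaves implicit.

```python
"""OTP cached on the session and reused for a short interval.

Added example, not keystoneauth1's code. Attribute name, reuse window and
prompt are assumptions.
"""
import time

# How long a prompted OTP is reused before asking again. The page only says
# "a short time interval"; 30 s keeps it inside a typical TOTP step (assumed).
OTP_REUSE_WINDOW = 30.0


class FakeSession:
    """Stand-in for keystoneauth1.session.Session; only used as a place to
    hang the cached OTP so the example runs offline."""


def add_otp(payload, session, idp_otp_key, ask_user, now=time.monotonic):
    """Add the user's one-time password to the token-request payload.

    idp_otp_key is the field name the Identity Provider expects (what the
    plugin's idp_otp_key / OS_IDP_OTP_KEY setting carries). A cached OTP on
    the session is reused while it is fresh; otherwise ask_user() is called
    and its answer cached, so a flow that authenticates twice in quick
    succession prompts only once.
    """
    if not idp_otp_key:
        return payload  # OTP not configured for this provider: nothing to add
    cached = getattr(session, "_otp", None)
    if cached is not None and now() - cached[1] < OTP_REUSE_WINDOW:
        otp = cached[0]
    else:
        otp = ask_user().strip()
        if not otp:
            raise ValueError("an OTP is required by this Identity Provider")
        session._otp = (otp, now())
    payload[idp_otp_key] = otp
    return payload


def forget_otp(session):
    """Drop the cached OTP, e.g. after the provider rejected it, so the next
    attempt prompts for a fresh code instead of replaying a stale one."""
    if hasattr(session, "_otp"):
        del session._otp


def demo():
    """Run the two-authentications-in-a-row scenario with a fake clock and a
    counting prompt. Returns (number of prompts, first, second, third payload).
    """
    prompts = []
    clock = [1000.0]

    def ask_user():
        prompts.append(1)
        return "123456"  # constructed OTP

    # Constructed password-grant payload; in the library get_payload() builds it.
    base = {"grant_type": "password", "username": "alice",
            "password": "hunter2", "scope": "openid profile"}
    sess = FakeSession()
    first = add_otp(dict(base), sess, "totp", ask_user, now=lambda: clock[0])
    clock[0] += 5                  # second authentication a few seconds later
    second = add_otp(dict(base), sess, "totp", ask_user, now=lambda: clock[0])
    clock[0] += OTP_REUSE_WINDOW   # window elapsed: the user is asked again
    third = add_otp(dict(base), sess, "totp", ask_user, now=lambda: clock[0])
    return len(prompts), first, second, third
```

Clearing the cache on a rejected OTP matters: a time-based code that the provider has already refused will not become valid by being replayed, and replaying it only burns the provider's failure budget for the account.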