keystone.oauth1 package¶

Subpackages¶

Submodules¶

keystone.oauth1.controllers module¶

Extensions supporting OAuth1.

class keystone.oauth1.controllers.AccessTokenCrudV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = ‘access_tokens’¶

delete_access_token(request, *args, **kwargs)[source]¶

get_access_token(request, *args, **kwargs)[source]¶

list_access_tokens(request, *args, **kwargs)[source]¶

member_name = ‘access_token’¶

class keystone.oauth1.controllers.AccessTokenRolesV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = ‘roles’¶

get_access_token_role(request, *args, **kwargs)[source]¶

list_access_token_roles(request, *args, **kwargs)[source]¶

member_name = ‘role’¶

class keystone.oauth1.controllers.ConsumerCrudV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

classmethod base_url(context, path=None)[source]¶

Construct a path and pass it to V3Controller.base_url method.

collection_name = ‘consumers’¶

create_consumer(request, *args, **kwargs)[source]¶

delete_consumer(request, *args, **kwargs)[source]¶

get_consumer(request, *args, **kwargs)[source]¶

list_consumers(request, *args, **kwargs)[source]¶

member_name = ‘consumer’¶

update_consumer(request, *args, **kwargs)[source]¶

class keystone.oauth1.controllers.OAuthControllerV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

authorize_request_token(request, *args, **kwargs)[source]¶

An authenticated user is going to authorize a request token.

As a security precaution, the requested roles must match those in the request token. Because this is in a CLI-only world at the moment, there is not another easy way to make sure the user knows which roles are being requested before authorizing.

collection_name = ‘not_used’¶

create_access_token(request)[source]¶

create_request_token(request)[source]¶

member_name = ‘not_used’¶

keystone.oauth1.core module¶

Main entry point into the OAuth1 service.

class keystone.oauth1.core.Manager(*args, **kwargs)[source]¶

Bases: keystone.common.manager.Manager

Default pivot point for the OAuth1 backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_access_token(*args, **kwargs)[source]¶

create_consumer(*args, **kwargs)[source]¶

create_request_token(*args, **kwargs)[source]¶

delete_access_token(*args, **kwargs)[source]¶

delete_consumer(*args, **kwargs)[source]¶

driver_namespace = ‘keystone.oauth1’¶

update_consumer(*args, **kwargs)[source]¶

class keystone.oauth1.core.Token(key, secret)[source]¶

Bases: object

set_verifier(verifier)[source]¶

keystone.oauth1.core.get_oauth_headers(headers)[source]¶

keystone.oauth1.core.token_generator(*args, **kwargs)[source]¶

keystone.oauth1.core.validate_oauth_params(query_string)[source]¶

keystone.oauth1.routers module¶

class keystone.oauth1.routers.Routers[source]¶

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the OAuth1 extension.

The goal of this extension is to allow third-party service providers to acquire tokens with a limited subset of a user’s roles for acting on behalf of that user. This is done using an oauth-similar flow and api.

The API looks like:

# Basic admin-only consumer crud
POST /OS-OAUTH1/consumers
GET /OS-OAUTH1/consumers
PATCH /OS-OAUTH1/consumers/{consumer_id}
GET /OS-OAUTH1/consumers/{consumer_id}
DELETE /OS-OAUTH1/consumers/{consumer_id}

# User access token crud
GET /users/{user_id}/OS-OAUTH1/access_tokens
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
GET /users/{user_id}/OS-OAUTH1/access_tokens
    /{access_token_id}/roles/{role_id}
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

# OAuth interfaces
POST /OS-OAUTH1/request_token  # create a request token
PUT /OS-OAUTH1/authorize  # authorize a request token
POST /OS-OAUTH1/access_token  # create an access token

append_v3_routers(mapper, routers)[source]¶

keystone.oauth1.schema module¶

keystone.oauth1.validator module¶

oAuthlib request validator.

class keystone.oauth1.validator.OAuthValidator(*args, **kwargs)[source]¶

Bases: oauthlib.oauth1.rfc5849.request_validator.RequestValidator

check_access_token(access_token)[source]¶

check_client_key(client_key)[source]¶

check_nonce(nonce)[source]¶

check_request_token(request_token)[source]¶

check_verifier(verifier)[source]¶

enforce_ssl¶

get_access_token_secret(client_key, token, request)[source]¶

get_client_secret(client_key, request)[source]¶

get_default_realms(client_key, request)[source]¶

get_realms(token, request)[source]¶

get_redirect_uri(token, request)[source]¶

get_request_token_secret(client_key, token, request)[source]¶

get_rsa_key(client_key, request)[source]¶

invalidate_request_token(client_key, request_token, request)[source]¶

safe_characters¶

save_access_token(token, request)[source]¶

save_request_token(token, request)[source]¶

save_verifier(token, verifier, request)[source]¶

validate_access_token(client_key, token, request)[source]¶

validate_client_key(client_key, request)[source]¶

validate_realms(client_key, token, request, uri=None, realms=None)[source]¶

validate_redirect_uri(client_key, redirect_uri, request)[source]¶

validate_request_token(client_key, token, request)[source]¶

validate_requested_realms(client_key, realms, request)[source]¶

validate_timestamp_and_nonce(client_key, timestamp, nonce, request, request_token=None, access_token=None)[source]¶

validate_verifier(client_key, token, verifier, request)[source]¶

verify_realms(token, realms, request)[source]¶

verify_request_token(token, request)[source]¶

Module contents¶