keystone.token.token_formatters module

class keystone.token.token_formatters.ApplicationCredentialScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 9

class keystone.token.token_formatters.BasePayload

Bases: object

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod attempt_convert_uuid_hex_to_bytes(value)

Attempt to convert value to bytes or return value.

Parameters:

value – value to attempt to convert to bytes

Returns:

a tuple containing a boolean indicating whether user_id was stored as bytes, and either the UUID value as bytes or the original value

classmethod base64_encode(s)

Encode a URL-safe string.

Return type:

str

classmethod convert_uuid_bytes_to_hex(uuid_byte_string)

Generate uuid.hex format based on byte string.

Parameters:

uuid_byte_string – uuid string to generate from

Returns:

uuid hex formatted string

classmethod convert_uuid_hex_to_bytes(uuid_string)

Compress UUID formatted strings to bytes.

Parameters:

uuid_string – uuid string to compress to bytes

Returns:

a byte representation of the uuid

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

classmethod random_urlsafe_str_to_bytes(s)

Convert string from random_urlsafe_str() to bytes.

Return type:

bytes

version = None

class keystone.token.token_formatters.DomainScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 1

class keystone.token.token_formatters.FederatedDomainScopedPayload

Bases: FederatedScopedPayload

version = 6

class keystone.token.token_formatters.FederatedProjectScopedPayload

Bases: FederatedScopedPayload

version = 5

class keystone.token.token_formatters.FederatedScopedPayload

Bases: FederatedUnscopedPayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = None

class keystone.token.token_formatters.FederatedUnscopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

classmethod pack_group_id(group_dict)

classmethod unpack_group_id(group_id_in_bytes)

version = 4

class keystone.token.token_formatters.Oauth2CredentialsScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 10

class keystone.token.token_formatters.OauthScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 7

class keystone.token.token_formatters.ProjectScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 2

class keystone.token.token_formatters.SystemScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 8

class keystone.token.token_formatters.TokenFormatter

Bases: object

Packs and unpacks payloads into tokens for transport.

create_token(user_id, expires_at, audit_ids, payload_class, methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, access_token_id=None, app_cred_id=None, thumbprint=None)

Given a set of payload attributes, generate a Fernet token.

classmethod creation_time(fernet_token)

Return the creation time of a valid Fernet token.

property crypto

Return a cryptography instance.

You can extend this class with a custom crypto @property to provide your own token encoding / decoding, for example to use a different cryptography library (e.g. python-keyczar) or to meet arbitrary security requirements.

This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext).

pack(payload)

Pack a payload for transport as a token.

Return type:

str

classmethod restore_padding(token)

Restore padding based on token size.

Parameters:

token (str) – token to restore padding on

Returns:

token with correct padding

unpack(token)

Unpack a token, and validate the payload.

Return type:

bytes

validate_token(token)

Validate a Fernet token and return the payload attributes.
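The UUID compression helpers on BasePayload and the restore_padding and creation_time helpers on TokenFormatter can be illustrated with the standard library alone. This is an added example, not keystone's own code: the function names are illustrative stand-ins, the sample token is constructed, and the header layout (a 0x80 version byte followed by an 8-byte big-endian timestamp) is the one defined by the Fernet specification.

```python
import base64
import struct
import uuid
from datetime import datetime, timezone


def attempt_uuid_hex_to_bytes(value):
    """Return (True, 16 raw bytes) for a UUID hex string, else (False, value)."""
    try:
        return True, uuid.UUID(hex=value).bytes
    except (ValueError, TypeError, AttributeError):
        # Not a UUID (for example a federated or LDAP-style ID): keep it unchanged.
        return False, value


def uuid_bytes_to_hex(raw):
    """Inverse of the compression step: 16 bytes back to 32 hex characters."""
    return uuid.UUID(bytes=raw).hex


def strip_padding(token):
    """Drop base64 '=' padding so the token is shorter and URL-friendly."""
    return token.rstrip("=")


def restore_padding(token):
    """Re-add the '=' padding implied by the token length."""
    if len(token) % 4 == 1:
        raise ValueError("length is impossible for base64 data")
    return token + "=" * (-len(token) % 4)


def creation_time(token):
    """Read the timestamp from a Fernet header: 0x80 || 8-byte big-endian seconds.

    The header is not encrypted, so this value is only trustworthy once the
    token's HMAC has been verified with the key.
    """
    raw = base64.urlsafe_b64decode(restore_padding(token))
    if len(raw) < 9 or raw[0] != 0x80:
        raise ValueError("not a Fernet token header")
    (seconds,) = struct.unpack(">Q", raw[1:9])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_sample_token(seconds=1700000000):
    """Constructed sample with Fernet's layout; IV, ciphertext and HMAC are zeros."""
    raw = b"\x80" + struct.pack(">Q", seconds) + bytes(16) + bytes(16) + bytes(32)
    return strip_padding(base64.urlsafe_b64encode(raw).decode("ascii"))


if __name__ == "__main__":
    for candidate in ("0123456789abcdef0123456789abcdef", "alice@example.org"):
        print(candidate, "->", attempt_uuid_hex_to_bytes(candidate))
    token = build_sample_token()
    print(len(token), len(restore_padding(token)), creation_time(token).isoformat())
```

A hyphenated UUID string is also compressed, and it comes back from uuid_bytes_to_hex as plain 32-character hex, so callers should compare IDs in that normalized form.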

class keystone.token.token_formatters.TrustScopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 3

class keystone.token.token_formatters.UnscopedPayload

Bases: BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)

Assemble the payload of a token.

Parameters:
  • user_id – identifier of the user in the token request

  • methods – list of authentication methods used

  • system – a string including system scope information

  • project_id – ID of the project to scope to

  • domain_id – ID of the domain to scope to

  • expires_at – datetime of the token’s expiration

  • audit_ids – list of the token’s audit IDs

  • trust_id – ID of the trust in effect

  • federated_group_ids – list of group IDs from SAML assertion

  • identity_provider_id – ID of the user’s identity provider

  • protocol_id – federated protocol used for authentication

  • access_token_id – ID of the secret in OAuth1 authentication

  • app_cred_id – ID of the application credential in effect

  • thumbprint – thumbprint of the certificate in OAuth2 mTLS

Returns:

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id, access_token_id, app_cred_id)
  • methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters:

payload – this variant of payload

Returns:

a tuple of the payload’s component data

version = 0