keystone.token.token_formatters module¶
- class keystone.token.token_formatters.ApplicationCredentialScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 9¶
- class keystone.token.token_formatters.BasePayload[source]¶
Bases:
object
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod attempt_convert_uuid_hex_to_bytes(value)[source]¶
Attempt to convert value to bytes or return value.
- Parameters:
value – value to attempt to convert to bytes
- Returns:
tuple containing boolean indicating whether user_id was stored as bytes and uuid value as bytes or the original value
- classmethod convert_uuid_bytes_to_hex(uuid_byte_string)[source]¶
Generate uuid.hex format based on byte string.
- Parameters:
uuid_byte_string – uuid string to generate from
- Returns:
uuid hex formatted string
- classmethod convert_uuid_hex_to_bytes(uuid_string)[source]¶
Compress UUID formatted strings to bytes.
- Parameters:
uuid_string – uuid string to compress to bytes
- Returns:
a byte representation of the uuid
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- classmethod random_urlsafe_str_to_bytes(s)[source]¶
Convert string from
random_urlsafe_str()
to bytes.- Return type:
bytes
- version: int¶
- class keystone.token.token_formatters.DomainScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 1¶
- class keystone.token.token_formatters.FederatedDomainScopedPayload[source]¶
Bases:
FederatedScopedPayload
- version: int = 6¶
- class keystone.token.token_formatters.FederatedProjectScopedPayload[source]¶
Bases:
FederatedScopedPayload
- version: int = 5¶
- class keystone.token.token_formatters.FederatedScopedPayload[source]¶
Bases:
FederatedUnscopedPayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- class keystone.token.token_formatters.FederatedUnscopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 4¶
- class keystone.token.token_formatters.Oauth2CredentialsScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 10¶
- class keystone.token.token_formatters.OauthScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 7¶
- class keystone.token.token_formatters.ProjectScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 2¶
- class keystone.token.token_formatters.SystemScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 8¶
- class keystone.token.token_formatters.TokenFormatter[source]¶
Bases:
object
Packs and unpacks payloads into tokens for transport.
- create_token(user_id, expires_at, audit_ids, payload_class, methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, access_token_id=None, app_cred_id=None, thumbprint=None)[source]¶
Given a set of payload attributes, generate a Fernet token.
- property crypto¶
Return a cryptography instance.
You can extend this class with a custom crypto @property to provide your own token encoding / decoding. For example, using a different cryptography library (e.g.
python-keyczar
) or to meet arbitrary security requirements.This @property just needs to return an object that implements
encrypt(plaintext)
anddecrypt(ciphertext)
.
- class keystone.token.token_formatters.TrustScopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 3¶
- class keystone.token.token_formatters.UnscopedPayload[source]¶
Bases:
BasePayload
- classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id, thumbprint)[source]¶
Assemble the payload of a token.
- Parameters:
user_id – identifier of the user in the token request
methods – list of authentication methods used
system – a string including system scope information
project_id – ID of the project to scope to
domain_id – ID of the domain to scope to
expires_at – datetime of the token’s expiration
audit_ids – list of the token’s audit IDs
trust_id – ID of the trust in effect
federated_group_ids – list of group IDs from SAML assertion
identity_provider_id – ID of the user’s identity provider
protocol_id – federated protocol used for authentication
access_token_id – ID of the secret in OAuth1 authentication
app_cred_id – ID of the application credential in effect
thumbprint – thumbprint of the certificate in OAuth2 mTLS
- Returns:
the payload of a token
- classmethod disassemble(payload)[source]¶
Disassemble an unscoped payload into the component data.
The tuple consists of:
(user_id, methods, system, project_id, domain_id, expires_at_str, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id,` access_token_id, app_cred_id)
methods
are the auth methods.
Fields will be set to None if they didn’t apply to this payload type.
- Parameters:
payload – this variant of payload
- Returns:
a tuple of the payloads component data
- version: int = 0¶