keystone.token.token_formatters module

class keystone.token.token_formatters.ApplicationCredentialScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 9

class keystone.token.token_formatters.BasePayload

Bases: object

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod attempt_convert_uuid_hex_to_bytes(value)

Attempt to convert value to bytes or return value.

Parameters

value – value to attempt to convert to bytes

Returns

tuple containing boolean indicating whether user_id was stored as bytes and uuid value as bytes or the original value

classmethod base64_encode(s)

Encode a URL-safe string.

Return type

str

classmethod convert_uuid_bytes_to_hex(uuid_byte_string)

Generate uuid.hex format based on byte string.

Parameters

uuid_byte_string – uuid string to generate from

Returns

uuid hex formatted string

classmethod convert_uuid_hex_to_bytes(uuid_string)

Compress UUID formatted strings to bytes.

Parameters

uuid_string – uuid string to compress to bytes

Returns

a byte representation of the uuid

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

classmethod random_urlsafe_str_to_bytes(s)

Convert string from random_urlsafe_str() to bytes.

Return type

bytes

version = None

class keystone.token.token_formatters.DomainScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 1

class keystone.token.token_formatters.FederatedDomainScopedPayload

Bases: keystone.token.token_formatters.FederatedScopedPayload

version = 6

class keystone.token.token_formatters.FederatedProjectScopedPayload

Bases: keystone.token.token_formatters.FederatedScopedPayload

version = 5

class keystone.token.token_formatters.FederatedScopedPayload

Bases: keystone.token.token_formatters.FederatedUnscopedPayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = None

class keystone.token.token_formatters.FederatedUnscopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

classmethod pack_group_id(group_dict)

classmethod unpack_group_id(group_id_in_bytes)

version = 4

class keystone.token.token_formatters.OauthScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 7

class keystone.token.token_formatters.ProjectScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 2

class keystone.token.token_formatters.SystemScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 8

class keystone.token.token_formatters.TokenFormatter

Bases: object

Packs and unpacks payloads into tokens for transport.

create_token(user_id, expires_at, audit_ids, payload_class, methods=None, system=None, domain_id=None, project_id=None, trust_id=None, federated_group_ids=None, identity_provider_id=None, protocol_id=None, access_token_id=None, app_cred_id=None)

Given a set of payload attributes, generate a Fernet token.

classmethod creation_time(fernet_token)

Return the creation time of a valid Fernet token.

property crypto

Return a cryptography instance.

You can extend this class with a custom crypto @property to provide your own token encoding / decoding. For example, using a different cryptography library (e.g. python-keyczar) or to meet arbitrary security requirements.

This @property just needs to return an object that implements encrypt(plaintext) and decrypt(ciphertext).

pack(payload)

Pack a payload for transport as a token.

Return type

str

classmethod restore_padding(token)

Restore padding based on token size.

Parameters

token (str) – token to restore padding on

Returns

token with correct padding

unpack(token)

Unpack a token, and validate the payload.

Return type

bytes

validate_token(token)

Validate a Fernet token and returns the payload attributes.

class keystone.token.token_formatters.TrustScopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 3

class keystone.token.token_formatters.UnscopedPayload

Bases: keystone.token.token_formatters.BasePayload

classmethod assemble(user_id, methods, system, project_id, domain_id, expires_at, audit_ids, trust_id, federated_group_ids, identity_provider_id, protocol_id, access_token_id, app_cred_id)

Assemble the payload of a token.

Parameters

• user_id – identifier of the user in the token request

• methods – list of authentication methods used

• system – a string including system scope information

• project_id – ID of the project to scope to

• domain_id – ID of the domain to scope to

• expires_at – datetime of the token’s expiration

• audit_ids – list of the token’s audit IDs

• trust_id – ID of the trust in effect

• federated_group_ids – list of group IDs from SAML assertion

• identity_provider_id – ID of the user’s identity provider

• protocol_id – federated protocol used for authentication

• access_token_id – ID of the secret in OAuth1 authentication

• app_cred_id – ID of the application credential in effect

Returns

the payload of a token

classmethod disassemble(payload)

Disassemble an unscoped payload into the component data.

The tuple consists of:

(user_id, methods, system, project_id, domain_id,
 expires_at_str, audit_ids, trust_id, federated_group_ids,
 identity_provider_id, protocol_id,` access_token_id, app_cred_id)

• methods are the auth methods.

Fields will be set to None if they didn’t apply to this payload type.

Parameters

payload – this variant of payload

Returns

a tuple of the payloads component data

version = 0