keystoneclient.contrib.auth.v3.oidc.
OidcPassword
(auth_url, identity_provider, protocol, username, password, client_id, client_secret, access_token_endpoint, scope='profile', grant_type='password')¶Bases: keystoneclient.auth.identity.v3.federated.FederatedBaseAuth
Implement authentication plugin for OpenID Connect protocol.
OIDC or OpenID Connect is a protocol for federated authentication.
The OpenID Connect specification can be found at::
http://openid.net/specs/openid-connect-core-1_0.html
get_options
()¶get_unscoped_auth_ref
(session)¶Authenticate with OpenID Connect and get back claims.
This is a multi-step process. First an access token must be retrieved, to do this, the username and password, the OpenID Connect client ID and secret, and the access token endpoint must be known.
Secondly, we then exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
Parameters: | session (keystoneclient.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a token data representation |
Return type: | keystoneclient.access.AccessInfo |
password
¶username
¶keystoneclient.contrib.auth.v3.saml2.
ADFSUnscopedToken
(auth_url, identity_provider, identity_provider_url, service_provider_endpoint, username, password, **kwargs)¶Bases: keystoneclient.contrib.auth.v3.saml2._BaseSAMLPlugin
Authentication plugin for Microsoft ADFS2.0 IdPs.
Parameters: |
|
---|
ADFS_ASSERTION_XPATH
= '/s:Envelope/s:Body/t:RequestSecurityTokenResponseCollection/t:RequestSecurityTokenResponse'¶ADFS_TOKEN_NAMESPACES
= {'t': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512', 's': 'http://www.w3.org/2003/05/soap-envelope'}¶DEFAULT_ADFS_TOKEN_EXPIRATION
= 120¶HEADER_SOAP
= {'Content-Type': 'application/soap+xml; charset=utf-8'}¶HEADER_X_FORM
= {'Content-Type': 'application/x-www-form-urlencoded'}¶NAMESPACES
= {'u': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd', 'a': 'http://www.w3.org/2005/08/addressing', 's': 'http://www.w3.org/2003/05/soap-envelope'}¶get_auth_ref
(session, **kwargs)¶get_options
()¶password
¶username
¶keystoneclient.contrib.auth.v3.saml2.
Saml2ScopedToken
(auth_url, token, **kwargs)¶Bases: keystoneclient.auth.identity.v3.token.Token
Class for scoping unscoped saml2 token.
keystoneclient.contrib.auth.v3.saml2.
Saml2ScopedTokenMethod
(**kwargs)¶Bases: keystoneclient.auth.identity.v3.token.TokenMethod
get_auth_data
(session, auth, headers, **kwargs)¶Build and return request body for token scoping step.
keystoneclient.contrib.auth.v3.saml2.
Saml2UnscopedToken
(auth_url, identity_provider, identity_provider_url, username, password, **kwargs)¶Bases: keystoneclient.contrib.auth.v3.saml2._BaseSAMLPlugin
Implement authentication plugin for SAML2 protocol.
ECP stands for Enhanced Client or Proxy and is a SAML2 extension for federated authentication where a transportation layer consists of HTTP protocol and XML SOAP messages.
Read for more information on ECP.
Reference the SAML2 ECP specification.
Currently only HTTPBasicAuth mechanism is available for the IdP authenication.
Parameters: |
|
---|
ECP_IDP_CONSUMER_URL
= '/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL'¶ECP_RELAY_STATE
= '//ecp:RelayState'¶ECP_SAML2_NAMESPACES
= {'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp', 'paos': 'urn:liberty:paos:2003-08', 'S': 'http://schemas.xmlsoap.org/soap/envelope/'}¶ECP_SERVICE_PROVIDER_CONSUMER_URL
= '/S:Envelope/S:Header/paos:Request/@responseConsumerURL'¶ECP_SP_EMPTY_REQUEST_HEADERS
= {'Accept': 'text/html, application/vnd.paos+xml', 'PAOS': 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}¶ECP_SP_SAML2_REQUEST_HEADERS
= {'Content-Type': 'application/vnd.paos+xml'}¶SAML2_HEADER_INDEX
= 0¶SOAP_FAULT
= '\n <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">\n <S:Body>\n <S:Fault>\n <faultcode>S:Server</faultcode>\n <faultstring>responseConsumerURL from SP and\n assertionConsumerServiceURL from IdP do not match\n </faultstring>\n </S:Fault>\n </S:Body>\n </S:Envelope>\n '¶get_auth_ref
(session, **kwargs)¶Authenticate via SAML2 protocol and retrieve unscoped token.
This is a multi-step process where a client does federated authn receives an unscoped token.
Federated authentication utilizing SAML2 Enhanced Client or Proxy
extension. See Saml2UnscopedToken_get_unscoped_token()
for more information on that step.
Upon successful authentication and assertion mapping an
unscoped token is returned and stored within the plugin object for
further use.
:param session : a session object to send out HTTP requests. :type session: keystoneclient.session.Session
Returns: | an object with scoped token’s id and unscoped token json included. |
---|---|
Return type: | keystoneclient.access.AccessInfoV3 |
password
¶username
¶keystoneclient.contrib.auth.v3.saml2.
Saml2UnscopedTokenAuthMethod
(**kwargs)¶Bases: keystoneclient.auth.identity.v3.base.AuthMethod
get_auth_data
(session, auth, headers, **kwargs)¶Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.