keystoneclient.contrib.auth.v3 package¶
Submodules¶
keystoneclient.contrib.auth.v3.oidc module¶
- class keystoneclient.contrib.auth.v3.oidc.OidcPassword(auth_url, identity_provider, protocol, username, password, client_id, client_secret, access_token_endpoint, scope='profile', grant_type='password')¶
Bases:
FederatedBaseAuth
Implement authentication plugin for OpenID Connect protocol.
OIDC or OpenID Connect is a protocol for federated authentication.
The OpenID Connect specification can be found at::
http://openid.net/specs/openid-connect-core-1_0.html
- classmethod get_options()¶
Return the list of parameters associated with the auth plugin.
This list may be used to generate CLI or config arguments.
- Returns:
A list of Param objects describing available plugin parameters.
- Return type:
List
- get_unscoped_auth_ref(session)¶
Authenticate with OpenID Connect and get back claims.
This is a multi-step process. First an access token must be retrieved, to do this, the username and password, the OpenID Connect client ID and secret, and the access token endpoint must be known.
Secondly, we then exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- Parameters:
session (keystoneclient.session.Session) – a session object to send out HTTP requests.
- Returns:
a token data representation
- Return type:
- property password¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
- property username¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
keystoneclient.contrib.auth.v3.saml2 module¶
- class keystoneclient.contrib.auth.v3.saml2.ADFSUnscopedToken(auth_url, identity_provider, identity_provider_url, service_provider_endpoint, username, password, **kwargs)¶
Bases:
_BaseSAMLPlugin
Authentication plugin for Microsoft ADFS2.0 IdPs.
- Parameters:
auth_url (string) – URL of the Identity Service
identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter will be used to build a dynamic URL used to obtain unscoped OpenStack token.
identity_provider_url (string) – An Identity Provider URL, where the SAML2 authentication request will be sent.
service_provider_endpoint (string) – Endpoint where an assertion is being sent, for instance:
https://host.domain/Shibboleth.sso/ADFS
username (string) – User’s login
password (string) – User’s password
- ADFS_ASSERTION_XPATH = '/s:Envelope/s:Body/t:RequestSecurityTokenResponseCollection/t:RequestSecurityTokenResponse'¶
- ADFS_TOKEN_NAMESPACES = {'s': 'http://www.w3.org/2003/05/soap-envelope', 't': 'http://docs.oasis-open.org/ws-sx/ws-trust/200512'}¶
- DEFAULT_ADFS_TOKEN_EXPIRATION = 120¶
- HEADER_SOAP = {'Content-Type': 'application/soap+xml; charset=utf-8'}¶
- HEADER_X_FORM = {'Content-Type': 'application/x-www-form-urlencoded'}¶
- NAMESPACES = {'a': 'http://www.w3.org/2005/08/addressing', 's': 'http://www.w3.org/2003/05/soap-envelope', 'u': 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'}¶
- get_auth_ref(session, **kwargs)¶
Obtain a token from an OpenStack Identity Service.
This method is overridden by the various token version plugins.
This method should not be called independently and is expected to be invoked via the do_authenticate() method.
This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access().
- Parameters:
session (keystoneclient.session.Session) – A session object that can be used for communication.
- Raises:
keystoneclient.exceptions.InvalidResponse – The response returned wasn’t appropriate.
keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.
- Returns:
Token access information.
- Return type:
- classmethod get_options()¶
Return the list of parameters associated with the auth plugin.
This list may be used to generate CLI or config arguments.
- Returns:
A list of Param objects describing available plugin parameters.
- Return type:
List
- property password¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
- property username¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
- class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedToken(auth_url, token, **kwargs)¶
Bases:
Token
Class for scoping unscoped saml2 token.
- class keystoneclient.contrib.auth.v3.saml2.Saml2ScopedTokenMethod(**kwargs)¶
Bases:
TokenMethod
- get_auth_data(session, auth, headers, **kwargs)¶
Build and return request body for token scoping step.
- class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedToken(auth_url, identity_provider, identity_provider_url, username, password, **kwargs)¶
Bases:
_BaseSAMLPlugin
Implement authentication plugin for SAML2 protocol.
ECP stands for Enhanced Client or Proxy and is a SAML2 extension for federated authentication where a transportation layer consists of HTTP protocol and XML SOAP messages.
Read for more information on ECP.
Reference the SAML2 ECP specification.
Currently only HTTPBasicAuth mechanism is available for the IdP authenication.
- Parameters:
auth_url (string) – URL of the Identity Service
identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter will be used to build a dynamic URL used to obtain unscoped OpenStack token.
identity_provider_url (string) – An Identity Provider URL, where the SAML2 authn request will be sent.
username (string) – User’s login
password (string) – User’s password
- ECP_IDP_CONSUMER_URL = '/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL'¶
- ECP_RELAY_STATE = '//ecp:RelayState'¶
- ECP_SAML2_NAMESPACES = {'S': 'http://schemas.xmlsoap.org/soap/envelope/', 'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp', 'paos': 'urn:liberty:paos:2003-08'}¶
- ECP_SERVICE_PROVIDER_CONSUMER_URL = '/S:Envelope/S:Header/paos:Request/@responseConsumerURL'¶
- ECP_SP_EMPTY_REQUEST_HEADERS = {'Accept': 'text/html, application/vnd.paos+xml', 'PAOS': 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}¶
- ECP_SP_SAML2_REQUEST_HEADERS = {'Content-Type': 'application/vnd.paos+xml'}¶
- SAML2_HEADER_INDEX = 0¶
- SOAP_FAULT = '\n <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">\n <S:Body>\n <S:Fault>\n <faultcode>S:Server</faultcode>\n <faultstring>responseConsumerURL from SP and\n assertionConsumerServiceURL from IdP do not match\n </faultstring>\n </S:Fault>\n </S:Body>\n </S:Envelope>\n '¶
- get_auth_ref(session, **kwargs)¶
Authenticate via SAML2 protocol and retrieve unscoped token.
This is a multi-step process where a client does federated authn receives an unscoped token.
Federated authentication utilizing SAML2 Enhanced Client or Proxy extension. See
Saml2UnscopedToken_get_unscoped_token()
for more information on that step. Upon successful authentication and assertion mapping an unscoped token is returned and stored within the plugin object for further use.:param session : a session object to send out HTTP requests. :type session: keystoneclient.session.Session
- Returns:
an object with scoped token’s id and unscoped token json included.
- Return type:
- property password¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
- property username¶
Deprecated as of the 1.7.0 release.
It may be removed in the 2.0.0 release.
- class keystoneclient.contrib.auth.v3.saml2.Saml2UnscopedTokenAuthMethod(**kwargs)¶
Bases:
AuthMethod
- get_auth_data(session, auth, headers, **kwargs)¶
Return the authentication section of an auth plugin.
- Parameters:
session (keystoneclient.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns:
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type: