keystone.oauth1 package

Submodules

keystone.oauth1.controllers module

Extensions supporting OAuth1.

class keystone.oauth1.controllers.AccessTokenCrudV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'access_tokens'
delete_access_token(request, *args, **kwargs)[source]
get_access_token(request, *args, **kwargs)[source]
list_access_tokens(request, *args, **kwargs)[source]
member_name = 'access_token'
class keystone.oauth1.controllers.AccessTokenRolesV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'roles'
get_access_token_role(request, *args, **kwargs)[source]
list_access_token_roles(request, *args, **kwargs)[source]
member_name = 'role'
class keystone.oauth1.controllers.ConsumerCrudV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

classmethod base_url(context, path=None)[source]

Construct a path and pass it to V3Controller.base_url method.

collection_name = 'consumers'
create_consumer(request, *args, **kwargs)[source]
delete_consumer(request, *args, **kwargs)[source]
get_consumer(request, *args, **kwargs)[source]
list_consumers(request, *args, **kwargs)[source]
member_name = 'consumer'
update_consumer(request, *args, **kwargs)[source]
class keystone.oauth1.controllers.OAuthControllerV3(*args, **kwargs)[source]

Bases: keystone.common.controller.V3Controller

authorize_request_token(request, *args, **kwargs)[source]

An authenticated user is going to authorize a request token.

As a security precaution, the requested roles must match those in the request token. Because this is in a CLI-only world at the moment, there is not another easy way to make sure the user knows which roles are being requested before authorizing.

collection_name = 'not_used'
create_access_token(request)[source]
create_request_token(request)[source]
member_name = 'not_used'

keystone.oauth1.core module

Main entry point into the OAuth1 service.

class keystone.oauth1.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the OAuth1 backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_access_token(*args, **kwargs)[source]
create_consumer(*args, **kwargs)[source]
create_request_token(*args, **kwargs)[source]
delete_access_token(*args, **kwargs)[source]
delete_consumer(*args, **kwargs)[source]
driver_namespace = 'keystone.oauth1'
update_consumer(*args, **kwargs)[source]
class keystone.oauth1.core.Oauth1DriverV8(*args, **kwargs)[source]

Bases: keystone.oauth1.backends.base.Oauth1DriverV8

class keystone.oauth1.core.Token(key, secret)[source]

Bases: object

set_verifier(verifier)[source]
keystone.oauth1.core.extract_non_oauth_params(query_string)[source]
keystone.oauth1.core.get_oauth_headers(headers)[source]
keystone.oauth1.core.token_generator(*args, **kwargs)[source]

keystone.oauth1.routers module

class keystone.oauth1.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the OAuth1 extension.

The goal of this extension is to allow third-party service providers to acquire tokens with a limited subset of a user’s roles for acting on behalf of that user. This is done using an oauth-similar flow and api.

The API looks like:

# Basic admin-only consumer crud
POST /OS-OAUTH1/consumers
GET /OS-OAUTH1/consumers
PATCH /OS-OAUTH1/consumers/{consumer_id}
GET /OS-OAUTH1/consumers/{consumer_id}
DELETE /OS-OAUTH1/consumers/{consumer_id}

# User access token crud
GET /users/{user_id}/OS-OAUTH1/access_tokens
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
GET /users/{user_id}/OS-OAUTH1/access_tokens
    /{access_token_id}/roles/{role_id}
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

# OAuth interfaces
POST /OS-OAUTH1/request_token  # create a request token
PUT /OS-OAUTH1/authorize  # authorize a request token
POST /OS-OAUTH1/access_token  # create an access token
append_v3_routers(mapper, routers)[source]

keystone.oauth1.schema module

keystone.oauth1.validator module

oAuthlib request validator.

class keystone.oauth1.validator.OAuthValidator(*args, **kwargs)[source]

Bases: oauthlib.oauth1.rfc5849.request_validator.RequestValidator

check_access_token(access_token)[source]
check_client_key(client_key)[source]
check_nonce(nonce)[source]
check_request_token(request_token)[source]
check_verifier(verifier)[source]
enforce_ssl[source]
get_access_token_secret(client_key, token, request)[source]
get_client_secret(client_key, request)[source]
get_default_realms(client_key, request)[source]
get_realms(token, request)[source]
get_redirect_uri(token, request)[source]
get_request_token_secret(client_key, token, request)[source]
get_rsa_key(client_key, request)[source]
invalidate_request_token(client_key, request_token, request)[source]
safe_characters[source]
save_access_token(token, request)[source]
save_request_token(token, request)[source]
save_verifier(token, verifier, request)[source]
validate_access_token(client_key, token, request)[source]
validate_client_key(client_key, request)[source]
validate_realms(client_key, token, request, uri=None, realms=None)[source]
validate_redirect_uri(client_key, redirect_uri, request)[source]
validate_request_token(client_key, token, request)[source]
validate_requested_realms(client_key, realms, request)[source]
validate_timestamp_and_nonce(client_key, timestamp, nonce, request, request_token=None, access_token=None)[source]
validate_verifier(client_key, token, verifier, request)[source]
verify_realms(token, realms, request)[source]
verify_request_token(token, request)[source]

Module contents