keystone.auth.plugins.base module

class keystone.auth.plugins.base.AuthHandlerResponse(status, response_body, response_data)

Bases: tuple

response_body

Alias for field number 1

response_data

Alias for field number 2

status

Alias for field number 0

class keystone.auth.plugins.base.AuthMethodHandler[source]

Bases: ProviderAPIMixin

Abstract base class for an authentication plugin.

abstract authenticate(auth_payload)[source]

Authenticate user and return an authentication context.

Parameters:

auth_payload (dict) – the payload content of the authentication request for a given method

If successful, the plugin must set user_id in response_data. method_name is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, the plugin must append the previous method names into method_names. NOTE: This behavior is exclusive to the re-scope type action. Here’s an example of response_data on successful authentication:

{"methods": ["password", "token"], "user_id": "abc123"}

Plugins are invoked in the order in which they are specified in the methods attribute of the identity object. For example, custom-plugin is invoked before password, which is invoked before token in the following authentication request:

{
    "auth": {
        "identity": {
            "custom-plugin": {"custom-data": "sdfdfsfsfsdfsf"},
            "methods": ["custom-plugin", "password", "token"],
            "password": {
                "user": {"id": "s23sfad1", "password": "secret"}
            },
            "token": {"id": "sdfafasdfsfasfasdfds"}
        }
    }
}

Returns:

AuthHandlerResponse with status set to True if auth was successful. If status is False and this is a multi-step auth, the response_body can be in the form of a dict for the next step in authentication.

Raises:

keystone.exception.Unauthorized – for authentication failure
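
The contract above, exercised end to end in an added sketch that is not Keystone's own code. AuthHandlerResponse and Unauthorized are local stand-ins so it runs without Keystone installed; OneTimeCodePlugin, run_methods, the "next" key and the sample codes are hypothetical, and rejecting methods that disagree on user_id is this sketch's own choice.

```python
import hmac
from collections import namedtuple

# Local stand-ins (assumptions) so the sketch runs without Keystone installed.
AuthHandlerResponse = namedtuple(
    "AuthHandlerResponse", "status, response_body, response_data")

class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized."""

class OneTimeCodePlugin:
    """Hypothetical two-step method following the authenticate() contract."""

    def __init__(self, codes):
        self._codes = codes  # constructed sample data: user_id -> expected code

    def authenticate(self, auth_payload):
        user_id = auth_payload.get("user_id")
        expected = self._codes.get(user_id) if isinstance(user_id, str) else None
        if expected is None:
            raise Unauthorized("unknown user")
        code = auth_payload.get("code")
        if code is None:
            # Multi-step: status False, response_body describes the next step.
            return AuthHandlerResponse(False, {"next": "submit code"}, None)
        # Constant-time comparison of the submitted and expected codes.
        if not hmac.compare_digest(str(code).encode(), expected.encode()):
            raise Unauthorized("invalid code")
        return AuthHandlerResponse(True, None, {"user_id": user_id})

def run_methods(identity, handlers):
    """Call each handler in the order given by identity["methods"]."""
    context = {"methods": []}
    for name in identity["methods"]:
        if name not in handlers or name not in identity:
            raise Unauthorized("method %r has no handler or payload" % name)
        resp = handlers[name].authenticate(identity[name])
        if not resp.status:
            return resp  # stop here; the client continues with response_body
        user_id = (resp.response_data or {}).get("user_id")
        if not user_id:
            raise Unauthorized("%s succeeded without setting user_id" % name)
        # Sketch's own choice: fail closed if two methods name different users.
        if context.setdefault("user_id", user_id) != user_id:
            raise Unauthorized("methods disagree on user_id")
        context["methods"].append(name)
    return AuthHandlerResponse(True, None, context)
```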