keystoneauth1.identity.v3.oidc module
- class keystoneauth1.identity.v3.oidc.OidcAccessToken(auth_url, identity_provider, protocol, access_token, **kwargs)
Bases: _OidcBase
Implementation for OpenID Connect access token reuse.
- get_payload(session)
OidcAccessToken does not require a payload.
- get_unscoped_auth_ref(session)
Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a token data representation
- Return type:
keystoneauth1.access.AccessInfoV3
- class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', redirect_uri=None, code=None, **kwargs)
Bases: _OidcBase
Implementation for OpenID Connect Authorization Code.
- get_payload(session)
Get an authorization grant for the “authorization_code” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type = 'authorization_code'
- class keystoneauth1.identity.v3.oidc.OidcClientCredentials(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', **kwargs)
Bases: _OidcBase
Implementation for OpenID Connect Client Credentials.
- get_payload(session)
Get an authorization grant for the client credentials grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type = 'client_credentials'
- class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', username=None, password=None, idp_otp_key=None, **kwargs)
Bases: _OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
- get_payload(session)
Get an authorization grant for the “password” grant type.
- Parameters:
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns:
a python dictionary containing the payload to be exchanged
- Return type:
- grant_type = 'password'
- manage_otp_from_session_or_request_to_the_user(payload, session)
Get the OTP code from the session or else request to the user.
When the OS_IDP_OTP_KEY environment variable is set, this method checks whether an OTP value is already present in the current session. If it is, that OTP is sent to the Identity Provider when retrieving the access token. If there is no OTP in the current session, the user is asked to enter one, and it is added to the session for the rest of the authentication flow.
The OTP is stored in the session because in some flows the CLI performs the authentication process twice; keeping the OTP in the session allows the same OTP to be reused within a short time interval instead of asking the user for it twice in a row.
- Parameters:
payload
session
- Returns:
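The session-cached OTP behaviour described above, as an added illustration that is not keystoneauth1's own code: a stand-in session object, an injected prompt function (so it runs without a TTY), and the assumption that the OTP is cached under a session attribute named `otp`; `idp_otp_key` plays the role of the value read from OS_IDP_OTP_KEY.

```python
import os
from typing import Callable, Optional


class FakeSession:
    """Stand-in for keystoneauth1.session.Session (constructed for this example).

    Only the attribute used for OTP caching matters here; no HTTP is sent.
    """

    def __init__(self) -> None:
        self.otp: Optional[str] = None


def attach_otp(payload: dict, session, idp_otp_key: Optional[str],
               prompt: Callable[[str], str]) -> dict:
    """Illustrative re-implementation of the OTP handling described above.

    idp_otp_key is the form field name the Identity Provider expects for the
    OTP (the plugin takes it from OS_IDP_OTP_KEY). If it is unset, the grant
    payload is returned untouched. Otherwise an OTP already cached on the
    session is reused; if there is none, the user is prompted once and the
    value is cached so a second authentication in the same session does not
    prompt again. The attribute name 'otp' is an assumption of this example.
    """
    if not idp_otp_key:
        return payload
    otp = getattr(session, "otp", None)
    if not otp:
        otp = prompt("Please enter the OTP code: ").strip()
        session.otp = otp  # cached in memory for this session only
    payload[idp_otp_key] = otp
    return payload


def run_two_authentications(idp_otp_key: Optional[str],
                            prompt: Callable[[str], str]):
    """Drive the flow twice against one session and count prompts issued."""
    session = FakeSession()
    calls = []

    def counting_prompt(msg: str) -> str:
        calls.append(msg)
        return prompt(msg)

    first = attach_otp({"grant_type": "password"}, session, idp_otp_key, counting_prompt)
    second = attach_otp({"grant_type": "password"}, session, idp_otp_key, counting_prompt)
    return first, second, len(calls)


if __name__ == "__main__":
    print(run_two_authentications(os.environ.get("OS_IDP_OTP_KEY"), input))
```

With OS_IDP_OTP_KEY set, the second authentication reuses the cached OTP and the user is prompted only once; with it unset, the payload is sent without any OTP field.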