keystoneauth1.identity.v3 package

Submodules

• keystoneauth1.identity.v3.application_credential module
• keystoneauth1.identity.v3.base module
• keystoneauth1.identity.v3.federation module
• keystoneauth1.identity.v3.k2k module
• keystoneauth1.identity.v3.multi_factor module
• keystoneauth1.identity.v3.oauth2_client_credential module
• keystoneauth1.identity.v3.oauth2_mtls_client_credential module
• keystoneauth1.identity.v3.oidc module
• keystoneauth1.identity.v3.password module
• keystoneauth1.identity.v3.receipt module
• keystoneauth1.identity.v3.token module
• keystoneauth1.identity.v3.tokenless_auth module
• keystoneauth1.identity.v3.totp module

Module contents

class keystoneauth1.identity.v3.ApplicationCredential(auth_url: str, *args: Any, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: AuthConstructor

A plugin for authenticating with an application credential.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• application_credential_secret (string) – Application credential secret.

• application_credential_id (string) – Application credential ID.

• application_credential_name (string) – Application credential name.

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': 'ty.Type[AuthMethod]', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "A plugin for authenticating with an application credential.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string application_credential_secret: Application credential secret.\n    :param string application_credential_id: Application credential ID.\n    :param string application_credential_name: Application credential name.\n    :param string username: Username for authentication.\n    :param string user_id: User ID for authentication.\n    :param string user_domain_id: User's domain ID for authentication.\n    :param string user_domain_name: User's domain name for authentication.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    "

__module__ = 'keystoneauth1.identity.v3.application_credential'

_abc_impl = <_abc._abc_data object>

_auth_method_class

alias of ApplicationCredentialMethod

class keystoneauth1.identity.v3.ApplicationCredentialMethod(**kwargs: object)

Bases: AuthMethod

Construct a User/Passcode based authentication method.

Parameters:

• application_credential_secret (string) – Application credential secret.

• application_credential_id (string) – Application credential id.

• application_credential_name (string) – The name of the application credential, if an ID is not provided.

• username (string) – Username for authentication, if an application credential ID is not provided.

• user_id (string) – User ID for authentication, if an application credential ID is not provided.

• user_domain_id (string) – User’s domain ID for authentication, if an application credential ID is not provided.

• user_domain_name (string) – User’s domain name for authentication, if an application credential ID is not provided.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'application_credential_id': <class 'str'>, 'application_credential_name': <class 'str'>, 'application_credential_secret': <class 'str'>, 'user_domain_id': <class 'str'>, 'user_domain_name': <class 'str'>, 'user_id': <class 'str'>, 'username': <class 'str'>}

__doc__ = "Construct a User/Passcode based authentication method.\n\n    :param string application_credential_secret: Application credential secret.\n    :param string application_credential_id: Application credential id.\n    :param string application_credential_name: The name of the application\n                                               credential, if an ID is not\n                                               provided.\n    :param string username: Username for authentication, if an application\n                            credential ID is not provided.\n    :param string user_id: User ID for authentication, if an application\n                           credential ID is not provided.\n    :param string user_domain_id: User's domain ID for authentication, if an\n                                  application credential ID is not provided.\n    :param string user_domain_name: User's domain name for authentication, if\n                                    an application credential ID is not\n                                    provided.\n    "

__module__ = 'keystoneauth1.identity.v3.application_credential'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['application_credential_secret', 'application_credential_id', 'application_credential_name', 'user_id', 'username', 'user_domain_id', 'user_domain_name']

application_credential_id: str

application_credential_name: str

application_credential_secret: str

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

user_domain_id: str

user_domain_name: str

user_id: str

username: str

class keystoneauth1.identity.v3.Auth(auth_url: str, auth_methods: List[AuthMethod], *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: BaseAuth

Identity V3 Authentication Plugin.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• auth_methods (list) – A collection of methods to authenticate with.

• trust_id (string) – Trust ID for trust scoping.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

• include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.

• unscoped (bool) – Force the return of an unscoped token. This will make the keystone server return an unscoped token even if a default_project_id is set for this user.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "Identity V3 Authentication Plugin.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param list auth_methods: A collection of methods to authenticate with.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    :param bool include_catalog: Include the service catalog in the returned\n                                 token. (optional) default True.\n    :param bool unscoped: Force the return of an unscoped token. This will make\n                          the keystone server return an unscoped token even if\n                          a default_project_id is set for this user.\n    "

__init__(auth_url: str, auth_methods: List[AuthMethod], *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.base'

_abc_impl = <_abc._abc_data object>

add_method(method: AuthMethod) → None

Add an additional initialized AuthMethod instance.

get_auth_ref(session: Session, **kwargs: Any) → AccessInfoV3

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This function should not be called independently and is expected to be invoked via the do_authenticate function.

This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.

Parameters:

session (keystoneauth1.session.Session) – A session object that can be used for communication.

Raises:

• keystoneauth1.exceptions.response.InvalidResponse – The response returned wasn’t appropriate.

• keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

Returns:

Token access information.

Return type:

keystoneauth1.access.AccessInfo

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth plugin that make it unique.

As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.

This should be overridden by plugins that wish to allow caching.

Returns:

The unique attributes and values of this plugin.

Return type:

A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.

class keystoneauth1.identity.v3.AuthConstructor(auth_url: str, *args: Any, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: Auth

Abstract base class for creating an Auth Plugin.

The Auth Plugin created contains only one authentication method. This is generally the required usage.

An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': typing.Type[keystoneauth1.identity.v3.base.AuthMethod], '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "Abstract base class for creating an Auth Plugin.\n\n    The Auth Plugin created contains only one authentication method. This\n    is generally the required usage.\n\n    An AuthConstructor creates an AuthMethod based on the method's\n    arguments and the auth_method_class defined by the plugin. It then\n    creates the auth plugin with only that authentication method.\n    "

__init__(auth_url: str, *args: Any, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

__module__ = 'keystoneauth1.identity.v3.base'

_abc_impl = <_abc._abc_data object>

_auth_method_class: Type[AuthMethod]

class keystoneauth1.identity.v3.AuthMethod(**kwargs: object)

Bases: object

One part of a V3 Authentication strategy.

V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.

Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.

__abstractmethods__ = frozenset({'get_auth_data'})

__annotations__ = {'_method_parameters': typing.List[str]}

__dict__ = mappingproxy({'__module__': 'keystoneauth1.identity.v3.base', '__annotations__': {'_method_parameters': typing.List[str]}, '__doc__': "One part of a V3 Authentication strategy.\n\n    V3 Tokens allow multiple methods to be presented when authentication\n    against the server. Each one of these methods is implemented by an\n    AuthMethod.\n\n    Note: When implementing an AuthMethod use the method_parameters\n    and do not use positional arguments. Otherwise they can't be picked up by\n    the factory method and don't work as well with AuthConstructors.\n    ", '_method_parameters': [], '__init__': <function AuthMethod.__init__>, '_extract_kwargs': <classmethod(<function AuthMethod._extract_kwargs>)>, 'get_auth_data': <function AuthMethod.get_auth_data>, 'get_cache_id_elements': <function AuthMethod.get_cache_id_elements>, '__dict__': <attribute '__dict__' of 'AuthMethod' objects>, '__weakref__': <attribute '__weakref__' of 'AuthMethod' objects>, '__abstractmethods__': frozenset({'get_auth_data'}), '_abc_impl': <_abc._abc_data object>})

__doc__ = "One part of a V3 Authentication strategy.\n\n    V3 Tokens allow multiple methods to be presented when authentication\n    against the server. Each one of these methods is implemented by an\n    AuthMethod.\n\n    Note: When implementing an AuthMethod use the method_parameters\n    and do not use positional arguments. Otherwise they can't be picked up by\n    the factory method and don't work as well with AuthConstructors.\n    "

__init__(**kwargs: object)

__module__ = 'keystoneauth1.identity.v3.base'

__weakref__

list of weak references to the object (if defined)

_abc_impl = <_abc._abc_data object>

classmethod _extract_kwargs(kwargs: Dict[str, object]) → Dict[str, object]

Remove parameters related to this method from other kwargs.

_method_parameters: List[str] = []

abstract get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

class keystoneauth1.identity.v3.BaseAuth(auth_url: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: BaseIdentityPlugin

Identity V3 Authentication Plugin.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• trust_id (string) – Trust ID for trust scoping.

• system_scope (string) – System information to scope to.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

• include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.

__abstractmethods__ = frozenset({'get_auth_ref'})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': <class 'str'>, 'reauthenticate': 'bool'}

__doc__ = "Identity V3 Authentication Plugin.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string system_scope: System information to scope to.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    :param bool include_catalog: Include the service catalog in the returned\n                                 token. (optional) default True.\n    "

__init__(auth_url: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.base'

_abc_impl = <_abc._abc_data object>

auth_url: str

property has_scope_parameters: bool

Return true if parameters can be used to create a scoped token.

property token_url: str

The full URL where we will send authentication data.

class keystoneauth1.identity.v3.FederationBaseAuth(auth_url: str, identity_provider: str, protocol: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _Rescoped

Federation authentication plugin.

Parameters:

• auth_url (string) – URL of the Identity Service

• identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter will be used to build a dynamic URL used to obtain unscoped OpenStack token.

• protocol (string) – name of the protocol the client will authenticate against.

__abstractmethods__ = frozenset({'get_unscoped_auth_ref'})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = 'Federation authentication plugin.\n\n    :param auth_url: URL of the Identity Service\n    :type auth_url: string\n    :param identity_provider: name of the Identity Provider the client\n                              will authenticate against. This parameter\n                              will be used to build a dynamic URL used to\n                              obtain unscoped OpenStack token.\n    :type identity_provider: string\n    :param protocol: name of the protocol the client will authenticate\n                     against.\n    :type protocol: string\n\n    '

__init__(auth_url: str, identity_provider: str, protocol: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.federation'

_abc_impl = <_abc._abc_data object>

property federated_token_url: str

Full URL where authorization data is sent.

class keystoneauth1.identity.v3.Keystone2Keystone(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _Rescoped

Plugin to execute the Keystone to Keyestone authentication flow.

In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).

Parameters:

• base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.

• service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()

HTTP_MOVED_TEMPORARILY = 302

HTTP_SEE_OTHER = 303

REQUEST_ECP_URL = '/auth/OS-FEDERATION/saml2/ecp'

Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = 'Plugin to execute the Keystone to Keyestone authentication flow.\n\n    In this plugin, an ECP wrapped SAML assertion provided by a keystone\n    Identity Provider (IdP) is used to request an OpenStack unscoped token\n    from a keystone Service Provider (SP).\n\n    :param base_plugin: Auth plugin already authenticated against the keystone\n                        IdP.\n    :type base_plugin: keystoneauth1.identity.v3.base.BaseAuth\n\n    :param service_provider: The Service Provider ID as returned by\n                             ServiceProviderManager.list()\n    :type service_provider: str\n\n    '

__init__(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.k2k'

_abc_impl = <_abc._abc_data object>

_get_ecp_assertion(session: Session) → str

classmethod _remote_auth_url(auth_url: str) → str

Return auth_url of the remote Keystone Service Provider.

Remote cloud’s auth_url is an endpoint for getting federated unscoped token, typically that would be https://remote.example.com:5000/v3/OS-FEDERATION/identity_providers/ <idp>/protocols/<protocol_id>/auth. However we need to generate a real auth_url, used for token scoping. This function assumes there are static values today in the remote auth_url stored in the Service Provider attribute and those can be used as a delimiter. If the sp_auth_url doesn’t comply with standard federation auth url the function will simply return whole string.

Parameters:

auth_url (str) – auth_url of the remote cloud

Returns:

auth_url of remote cloud where a token can be validated or scoped.

Return type:

str

_send_service_provider_ecp_authn_response(session: Session, sp_url: str, sp_auth_url: str) → Response

Present ECP wrapped SAML assertion to the keystone SP.

The assertion is issued by the keystone IdP and it is targeted to the keystone that will serve as Service Provider.

Parameters:

• session – a session object to send out HTTP requests.

• sp_url (str) – URL where the ECP wrapped SAML assertion will be presented to the keystone SP. Usually, something like: https://sp.com/Shibboleth.sso/SAML2/ECP

• sp_auth_url (str) – Federated authentication URL of the keystone SP. It is specified by IdP, for example: https://sp.com/v3/OS-FEDERATION/identity_providers/ idp_id/protocols/protocol_id/auth

get_unscoped_auth_ref(session: Session, **kwargs: Any) → AccessInfoV3

Fetch unscoped federated token.

class keystoneauth1.identity.v3.MultiFactor(auth_url: str, auth_methods: List[str], *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: Auth

A plugin for authenticating with multiple auth methods.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• auth_methods (string) – names of the methods to authenticate with.

• trust_id (string) – Trust ID for trust scoping.

• system_scope (string) – System information to scope to.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

Also accepts various keyword args based on which methods are specified.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "A plugin for authenticating with multiple auth methods.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string auth_methods: names of the methods to authenticate with.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string system_scope: System information to scope to.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n\n    Also accepts various keyword args based on which methods are specified.\n    "

__init__(auth_url: str, auth_methods: List[str], *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

__module__ = 'keystoneauth1.identity.v3.multi_factor'

_abc_impl = <_abc._abc_data object>

class keystoneauth1.identity.v3.OAuth2ClientCredential(auth_url: str, oauth2_endpoint: str, oauth2_client_id: str, oauth2_client_secret: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: AuthConstructor

A plugin for authenticating via an OAuth2.0 client credential.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• oauth2_endpoint (string) – OAuth2.0 endpoint.

• oauth2_client_id (string) – OAuth2.0 client credential id.

• oauth2_client_secret (string) – OAuth2.0 client credential secret.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': 'ty.Type[AuthMethod]', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = 'A plugin for authenticating via an OAuth2.0 client credential.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string oauth2_endpoint: OAuth2.0 endpoint.\n    :param string oauth2_client_id: OAuth2.0 client credential id.\n    :param string oauth2_client_secret: OAuth2.0 client credential secret.\n    '

__init__(auth_url: str, oauth2_endpoint: str, oauth2_client_id: str, oauth2_client_secret: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.oauth2_client_credential'

_abc_impl = <_abc._abc_data object>

_auth_method_class

alias of OAuth2ClientCredentialMethod

get_headers(session: Session, **kwargs: Any) → Dict[str, str] | None

Fetch authentication headers for message.

Parameters:

session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to.

Returns:

Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response.

Return type:

dict

class keystoneauth1.identity.v3.OAuth2ClientCredentialMethod(**kwargs: object)

Bases: AuthMethod

An auth method to fetch a token via an OAuth2.0 client credential.

Parameters:

• oauth2_endpoint (string) – OAuth2.0 endpoint.

• oauth2_client_id (string) – OAuth2.0 client credential id.

• oauth2_client_secret (string) – OAuth2.0 client credential secret.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'oauth2_client_id': <class 'str'>, 'oauth2_client_secret': <class 'str'>, 'oauth2_endpoint': <class 'str'>}

__doc__ = 'An auth method to fetch a token via an OAuth2.0 client credential.\n\n    :param string oauth2_endpoint: OAuth2.0 endpoint.\n    :param string oauth2_client_id: OAuth2.0 client credential id.\n    :param string oauth2_client_secret: OAuth2.0 client credential secret.\n    '

__module__ = 'keystoneauth1.identity.v3.oauth2_client_credential'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['oauth2_endpoint', 'oauth2_client_id', 'oauth2_client_secret']

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

oauth2_client_id: str

oauth2_client_secret: str

oauth2_endpoint: str

class keystoneauth1.identity.v3.OAuth2mTlsClientCredential(auth_url: str, oauth2_endpoint: str, oauth2_client_id: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: BaseAuth

A plugin for authenticating via an OAuth2.0 mTLS client credential.

Parameters:

• auth_url (string) – keystone authorization endpoint.

• oauth2_endpoint (string) – OAuth2.0 endpoint.

• oauth2_client_id (string) – OAuth2.0 client credential id.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = 'A plugin for authenticating via an OAuth2.0 mTLS client credential.\n\n    :param string auth_url: keystone authorization endpoint.\n    :param string oauth2_endpoint: OAuth2.0 endpoint.\n    :param string oauth2_client_id: OAuth2.0 client credential id.\n    '

__init__(auth_url: str, oauth2_endpoint: str, oauth2_client_id: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

__module__ = 'keystoneauth1.identity.v3.oauth2_mtls_client_credential'

_abc_impl = <_abc._abc_data object>

get_auth_ref(session: Session, **kwargs: Any) → AccessInfoV3

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This function should not be called independently and is expected to be invoked via the do_authenticate function.

This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.

Parameters:

session (keystoneauth1.session.Session) – A session object that can be used for communication.

Raises:

• keystoneauth1.exceptions.response.InvalidResponse – The response returned wasn’t appropriate.

• keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

• keystoneauth1.exceptions.ClientException – An error from getting OAuth2.0 access token.

Returns:

Token access information.

Return type:

keystoneauth1.access.AccessInfo

get_headers(session: Session, **kwargs: Any) → Dict[str, str] | None

Fetch authentication headers for message.

Parameters:

session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to.

Returns:

Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response.

Return type:

dict

class keystoneauth1.identity.v3.OidcAccessToken(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect access token reuse.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}

__doc__ = 'Implementation for OpenID Connect access token reuse.'

__init__(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Connect plugin based on the Access Token.

It expects the following:

Parameters:

• auth_url (string) – URL of the Identity Service

• identity_provider (string) – Name of the Identity Provider the client will authenticate against

• protocol (string) – Protocol name as configured in keystone

• access_token (string) – OpenID Connect Access token

__module__ = 'keystoneauth1.identity.v3.oidc'

_abc_impl = <_abc._abc_data object>

get_payload(session: Session) → Dict[str, str | None]

OidcAccessToken does not require a payload.

get_unscoped_auth_ref(session: Session, **kwargs: Any) → AccessInfoV3

Authenticate with OpenID Connect and get back claims.

We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a token data representation

Return type:

keystoneauth1.access.AccessInfoV3

class keystoneauth1.identity.v3.OidcAuthorizationCode(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)

Bases: _OidcBase

Implementation for OpenID Connect Authorization Code.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}

__doc__ = 'Implementation for OpenID Connect Authorization Code.'

__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)

The OpenID Authorization Code plugin expects the following.

Parameters:

• redirect_uri (string) – OpenID Connect Client Redirect URL

• code (string) – OAuth 2.0 Authorization Code

__module__ = 'keystoneauth1.identity.v3.oidc'

_abc_impl = <_abc._abc_data object>

get_payload(session: Session) → Dict[str, str | None]

Get an authorization grant for the “authorization_code” grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'authorization_code'

class keystoneauth1.identity.v3.OidcClientCredentials(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect Client Credentials.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}

__doc__ = 'Implementation for OpenID Connect Client Credentials.'

__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Client Credentials expects the following.

Parameters:

• client_id – Client ID used to authenticate

• client_secret – Client Secret used to authenticate

__module__ = 'keystoneauth1.identity.v3.oidc'

_abc_impl = <_abc._abc_data object>

get_payload(session: Session) → Dict[str, str | None]

Get an authorization grant for the client credentials grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'client_credentials'

class keystoneauth1.identity.v3.OidcPassword(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _OidcBase

Implementation for OpenID Connect Resource Owner Password Credential.

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', '_discovery_document': 'ty.Dict[str, object]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}

__doc__ = 'Implementation for OpenID Connect Resource Owner Password Credential.'

__init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

The OpenID Password plugin expects the following.

Parameters:

• username (string) – Username used to authenticate

• password (string) – Password used to authenticate

__module__ = 'keystoneauth1.identity.v3.oidc'

_abc_impl = <_abc._abc_data object>

get_payload(session: Session) → Dict[str, str | None]

Get an authorization grant for the “password” grant type.

Parameters:

session (keystoneauth1.session.Session) – a session object to send out HTTP requests.

Returns:

a python dictionary containing the payload to be exchanged

Return type:

dict

grant_type: ty.ClassVar[str] = 'password'

manage_otp_from_session_or_request_to_the_user(payload: Dict[str, str | None], session: Session) → None

Get the OTP code from the session or else request to the user.

When the OS_IDP_OTP_KEY environment variable is set, this method will verify if there is an OTP value in the current session, if it exists, we use it (the OTP from session) to send to the Identity Provider when retrieving the access token. If there is no OTP in the current session, we ask the user to enter it (the OTP), and we add it to the session to execute the authentication flow.

The OTP is being stored in the session because in some flows, the CLI is doing the authentication process two times, so saving the OTP in the session, allow us to use the same OTP in a short time interval, avoiding to request it to the user twice in a row.

Parameters:

• payload

• session

Returns:

class keystoneauth1.identity.v3.Password(auth_url: str, *args: Any, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: AuthConstructor

A plugin for authenticating with a username and password.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• password (string) – Password for authentication.

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

• trust_id (string) – Trust ID for trust scoping.

• system_scope (string) – System information to scope to.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': 'ty.Type[AuthMethod]', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "A plugin for authenticating with a username and password.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string password: Password for authentication.\n    :param string username: Username for authentication.\n    :param string user_id: User ID for authentication.\n    :param string user_domain_id: User's domain ID for authentication.\n    :param string user_domain_name: User's domain name for authentication.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string system_scope: System information to scope to.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    "

__module__ = 'keystoneauth1.identity.v3.password'

_abc_impl = <_abc._abc_data object>

_auth_method_class

alias of PasswordMethod

class keystoneauth1.identity.v3.PasswordMethod(**kwargs: object)

Bases: AuthMethod

Construct a User/Password based authentication method.

Parameters:

• password (string) – Password for authentication.

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'password': <class 'str'>, 'user_domain_id': <class 'str'>, 'user_domain_name': <class 'str'>, 'user_id': <class 'str'>, 'username': <class 'str'>}

__doc__ = "Construct a User/Password based authentication method.\n\n    :param string password: Password for authentication.\n    :param string username: Username for authentication.\n    :param string user_id: User ID for authentication.\n    :param string user_domain_id: User's domain ID for authentication.\n    :param string user_domain_name: User's domain name for authentication.\n    "

__module__ = 'keystoneauth1.identity.v3.password'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['user_id', 'username', 'user_domain_id', 'user_domain_name', 'password']

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

password: str

user_domain_id: str

user_domain_name: str

user_id: str

username: str

class keystoneauth1.identity.v3.ReceiptMethod(**kwargs: object)

Bases: AuthMethod

Construct an Auth plugin to continue authentication with a receipt.

Parameters:

receipt (string) – Receipt for authentication.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'receipt': <class 'str'>}

__doc__ = 'Construct an Auth plugin to continue authentication with a receipt.\n\n    :param string receipt: Receipt for authentication.\n    '

__module__ = 'keystoneauth1.identity.v3.receipt'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['receipt']

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Add the auth receipt to the headers.

We explicitly return None to avoid being added to the request methods, or body.

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

receipt: str

class keystoneauth1.identity.v3.TOTP(auth_url: str, *args: Any, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: AuthConstructor

A plugin for authenticating with a username and TOTP passcode.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• passcode (string) – TOTP passcode for authentication.

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

• trust_id (string) – Trust ID for trust scoping.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': 'ty.Type[AuthMethod]', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "A plugin for authenticating with a username and TOTP passcode.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string passcode: TOTP passcode for authentication.\n    :param string username: Username for authentication.\n    :param string user_id: User ID for authentication.\n    :param string user_domain_id: User's domain ID for authentication.\n    :param string user_domain_name: User's domain name for authentication.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    "

__module__ = 'keystoneauth1.identity.v3.totp'

_abc_impl = <_abc._abc_data object>

_auth_method_class

alias of TOTPMethod

class keystoneauth1.identity.v3.TOTPMethod(**kwargs: object)

Bases: AuthMethod

Construct a User/Passcode based authentication method.

Parameters:

• passcode (string) – TOTP passcode for authentication.

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'passcode': <class 'str'>, 'user_domain_id': <class 'str'>, 'user_domain_name': <class 'str'>, 'user_id': <class 'str'>, 'username': <class 'str'>}

__doc__ = "Construct a User/Passcode based authentication method.\n\n    :param string passcode: TOTP passcode for authentication.\n    :param string username: Username for authentication.\n    :param string user_id: User ID for authentication.\n    :param string user_domain_id: User's domain ID for authentication.\n    :param string user_domain_name: User's domain name for authentication.\n    "

__module__ = 'keystoneauth1.identity.v3.totp'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['user_id', 'username', 'user_domain_id', 'user_domain_name', 'passcode']

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

passcode: str

user_domain_id: str

user_domain_name: str

user_id: str

username: str

class keystoneauth1.identity.v3.Token(auth_url: str, token: str, *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

Bases: AuthConstructor

A plugin for authenticating with an existing Token.

Parameters:

• auth_url (string) – Identity service endpoint for authentication.

• token (string) – Token for authentication.

• trust_id (string) – Trust ID for trust scoping.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

__abstractmethods__ = frozenset({})

__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_auth_method_class': 'ty.Type[AuthMethod]', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}

__doc__ = "A plugin for authenticating with an existing Token.\n\n    :param string auth_url: Identity service endpoint for authentication.\n    :param string token: Token for authentication.\n    :param string trust_id: Trust ID for trust scoping.\n    :param string domain_id: Domain ID for domain scoping.\n    :param string domain_name: Domain name for domain scoping.\n    :param string project_id: Project ID for project scoping.\n    :param string project_name: Project name for project scoping.\n    :param string project_domain_id: Project's domain ID for project.\n    :param string project_domain_name: Project's domain name for project.\n    :param bool reauthenticate: Allow fetching a new token if the current one\n                                is going to expire. (optional) default True\n    "

__init__(auth_url: str, token: str, *, unscoped: bool = False, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, **kwargs: Any)

__module__ = 'keystoneauth1.identity.v3.token'

_abc_impl = <_abc._abc_data object>

_auth_method_class

alias of TokenMethod

class keystoneauth1.identity.v3.TokenMethod(**kwargs: object)

Bases: AuthMethod

Construct an Auth plugin to fetch a token from a token.

Parameters:

token (string) – Token for authentication.

__abstractmethods__ = frozenset({})

__annotations__ = {'_method_parameters': 'ty.List[str]', 'token': <class 'str'>}

__doc__ = 'Construct an Auth plugin to fetch a token from a token.\n\n    :param string token: Token for authentication.\n    '

__module__ = 'keystoneauth1.identity.v3.token'

_abc_impl = <_abc._abc_data object>

_method_parameters: List[str] = ['token']

get_auth_data(session: Session, auth: Auth, headers: Dict[str, str], request_kwargs: Dict[str, object], **kwargs: Any) → Tuple[None, None] | Tuple[str, Mapping[str, object]]

Return the authentication section of an auth plugin.

Parameters:

• session (keystoneauth1.session.Session) – The communication session.

• auth (base.Auth) – The auth plugin calling the method.

• headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns:

The identifier of this plugin and a dict of authentication data for the auth type.

Return type:

tuple(string, dict)

get_cache_id_elements() → Dict[str, str | None]

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

token: str

class keystoneauth1.identity.v3.TokenlessAuth(auth_url: str, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None)

Bases: BaseAuthPlugin

A plugin for authenticating with Tokenless Auth.

This is for Tokenless Authentication. Scoped information like domain name and project ID will be passed in the headers and token validation request will be authenticated based on the provided HTTPS certificate along with the scope information.

__abstractmethods__ = frozenset({})

__annotations__ = {'_discovery_cache': 'ty.Dict[str, discover.Discover]'}

__doc__ = 'A plugin for authenticating with Tokenless Auth.\n\n    This is for Tokenless Authentication. Scoped information\n    like domain name and project ID will be passed in the headers and\n    token validation request will be authenticated based on\n    the provided HTTPS certificate along with the scope information.\n    '

__init__(auth_url: str, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None)

A init method for TokenlessAuth.

Parameters:

• auth_url (string) – Identity service endpoint for authentication. The URL must include a version or any request will result in a 404 NotFound error.

• domain_id (string) – Domain ID for domain scoping.

• domain_name (string) – Domain name for domain scoping.

• project_id (string) – Project ID for project scoping.

• project_name (string) – Project name for project scoping.

• project_domain_id (string) – Project’s domain ID for project.

• project_domain_name (string) – Project’s domain name for project.

__module__ = 'keystoneauth1.identity.v3.tokenless_auth'

_abc_impl = <_abc._abc_data object>

get_endpoint(session: ks_session.Session, service_type: str | None = None, **kwargs: Any) → str | None

Return a valid endpoint for a service.

Parameters:

• session (keystoneauth1.session.Session) – A session object that can be used for communication.

• service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.

Returns:

A valid endpoint URL or None if not available.

Return type:

string or None

get_headers(session: ks_session.Session, **kwargs: Any) → Dict[str, str] | None

Fetch authentication headers for message.

This is to override the default get_headers method to provide tokenless auth scope headers if token is not provided in the session.

Parameters:

session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to.

Returns:

Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response.

Return type:

dict