Skip to main content

A Python package to handle Cegal Keystone tokens

Project description

Introduction

A Python client to use with Cegal Keystone.

Usage

  1. (Optional) Configure logging
  2. Define an OidcOptions object
  3. Instantiate an OidcClient object passing in the previously created OidcOptions object
    • If you need to select another flow use the OidcFlow enum
  4. There is only one method required, use the OidcClient object to call get_access_token()
  5. Use the access token returned

You should always call .get_access_token() each time you need to use the token. This method takes care of expiration and renewal.

Basic Example (should cover most use cases)

import logging
import sys

# Import the OidcClient and OidcOptions
from cegal.keystone_auth import OidcClient, OidcOptions

# Configure logging
logging.getLogger()
logging.basicConfig(
    format="%(asctime)s %(levelname)s %(message)s",
    level=logging.DEBUG,
    stream=sys.stdout,
)

# Create OidcOptions
options = OidcOptions(
    "python_rp",
    OidcClient.KEYSTONE_URL,
    extra_scopes=["scope1"],
    audiences=["api1"],
)
# Instantiate an OidcClient
client = OidcClient(options)
# Each time you need to use the token call .get_access_token()
token = client.get_access_token()

Example using device flow

import logging
import sys
from time import sleep

from cegal.keystone_auth import OidcClient, OidcOptions, OidcFlow

logging.getLogger()
logging.basicConfig(
    format="%(asctime)s %(levelname)s %(message)s",
    level=logging.DEBUG,
    stream=sys.stdout,
)

options = OidcOptions(
    "python_rp",
    OidcClient.KEYSTONE_STG_URL,
    extra_scopes=["hub_connector_api", "keystone.portal_api.version_scope"],
    audiences=["hub_connector_api"],
    oidc_flow=OidcFlow.device_code,
    no_cache=True,
)

client = OidcClient(options)

token = client.get_access_token()
print(token)

Extra scopes and audience

If you are requesting access to APIs then you will need to include these as a list of strings in the extra_scopes OidcOptions arg.
In Keystone, API scopes are by default associated with an API Resource which will return an audience claim in the access token. You must therefore also supply the API Resource names as the audience when specifying extra_scopes.
An API Resource can have multiple API scopes and they are not necessarily named the same, so you will need to obtain this information from the person setting up the application in Keystone.

Customing the authentication landing browser page

When using interactive login, the library opens an authentication request page at the specified identity server. This server then requests the user's password (or skips this if the browser has the details) and redirects the browser page back to a local web server with the auth code specified in the URL. (This way, the auth-code is communicated to the local process without the local server needing any connection to the internet).

By default, the browser upon successful authentication displays a simple message. You can customize the behaviour by supplying a page_handler object in the OidcClient constructor.

The default page handler is in the cegal.keystone_auth.responses module. A more sophisticated example is TwoStagePageHandler which redirects back to a different page. This is designed currently to be used to PythonToolPro to display a 'welcome' page with version details. Since the page handler is supplied with the auth state (and therefore auth code) the handler can query Keystone for up-to-date version details.

N.b. This API feels very immature; it obviously wants to be a full-fledged http stack with routing, responses and templating etc.

Developer extras

If you are currently developing something and the client settings are changing often there is a helper method available within the client.
Call client.destroy_tokens_for_client() and this will clear your client_id's tokens from disk and memory.

Installing for development

Start a shell in the root of the repository working directory.

Create a venv:

python -m venv .venv

Activate it (varies according to OS and shell):

.venv\Scripts\activate.ps1

Upgrade pip and setuptools:

python -m pip install --upgrade pip
python install --setuptools
pip install -r requirements.txt

Install as live development package:

pip install -e .

Tests

Run pytest to run all the non-interactive tests. Those tests requiring user interaction (e.g. a browser, or device-flow login) can be run using pytest --interactive

Devcontainer

This repository includes a devcontainer which can be used within VSCode. pytest --interactive currently will not function correctly: the browser is launched outside of the container on the developer's machine and the redirect is not able to reach the local server. A future fix for this might be to include firefox in the devcontainer, set $BROWSER to be firefox, and require an X-server on the developer's machine.

License

Copyright (2022) Cegal, As. This library (the "Software") may not be used except in connection with the Licensees use of Cegal software pursuant to an Agreement (defined below) between Licensee (defined below) and Cegal, AS. ("Cegal"). This Software shall be deemed part of the "Subscription Services" under the Agreement. Licensees use of the Software must comply at all times with any restrictions applicable to the Subscription Services, generally, and must be used in accordance with any applicable documentation. If you have not agreed to an Agreement or otherwise do not agree to these terms, you may not use the Software. This license terminates automatically upon the termination of the Agreement or Licensees breach of these terms. Agreement: the agreement between Cegal and Licensee governing the use of the Cegal software, which shall be, with respect to Cegal, and the Cegal Terms of Service located at https://cegal.com/about/terms-and-conditions , in each case unless Licensee has entered into a separate written agreement with Cegal governing the use of the applicable Cegal Services. Licensee: the user of the Software, or, if the Software is being used on behalf of a company, the company.

Addendum

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

cegal_keystoneauth-1.0.dev32802-py3-none-any.whl (41.5 kB view details)

Uploaded Python 3

File details

Details for the file cegal_keystoneauth-1.0.dev32802-py3-none-any.whl.

File metadata

  • Download URL: cegal_keystoneauth-1.0.dev32802-py3-none-any.whl
  • Upload date:
  • Size: 41.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.22.0 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.0 keyring/18.0.1 rfc3986/2.0.0 colorama/0.4.3 CPython/3.8.10

File hashes

Hashes for cegal_keystoneauth-1.0.dev32802-py3-none-any.whl
Algorithm Hash digest
SHA256 5b63e0136e128d12e73743eebd4d3c0868d48b3f1e78d18b15fcdc296b2d7d1f
MD5 5a656f6c1e8a8139e55482b80201535a
BLAKE2b-256 cfc36dfc59be82cf1596a85cb76c4a9ab4c50635a28fbd19df986111dfe5ab10

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page