Harmonized Python script for DestinE authentication.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

destinepyauth

A Python library for authenticating against DESP (Destination Earth Service Platform) services.

Installation

pip install destinepyauth

Usage

The main entry point is the get_token() function:

from destinepyauth import get_token

# Authenticate (prompts for credentials if not in environment)
result = get_token("highway")

# Access the token
token = result.access_token

Using with requests

from destinepyauth import get_token
import requests

result = get_token("eden")
headers = {"Authorization": f"Bearer {result.access_token}"}
response = requests.get("https://api.example.com/data", headers=headers)

Using with zarr/xarray (netrc support)

For services like CacheB that work with zarr, you can write credentials to ~/.netrc:

from destinepyauth import get_token
import xarray as xr

# Authenticate and write to ~/.netrc
get_token("cacheb", write_netrc=True)

# Now zarr/xarray will use credentials automatically
ds = xr.open_dataset(
    "reference://",
    engine="zarr",
    backend_kwargs={
        "consolidated": False,
        "storage_options": {
            "fo": "https://cacheb.dcms.destine.eu/path/to/data.json",
            "remote_protocol": "https",
            "remote_options": {"client_kwargs": {"trust_env": True}},
        },
    },
)

Available Services

  • cacheb - CacheB data service
  • dea - DEA service
  • eden - Eden broker
  • hda - Harmonized Data Access (includes token exchange)
  • highway - Highway service (includes token exchange)
  • insula - Insula service
  • streamer - Streaming service

Configuration

Service configurations are stored in YAML files in the destinepyauth/configs/ directory. Each service has its own configuration file (e.g., highway.yaml, cacheb.yaml) that defines default values for authentication parameters.

Configuration Priority

The library uses Conflator to merge configurations from multiple sources, with the following priority (highest to lowest):

  1. Command-line arguments (e.g., --iam-client my-client)
  2. Environment variables (e.g., DESPAUTH_IAM_CLIENT=my-client)
  3. User config files (e.g., ~/.despauth.yaml)
  4. Service defaults (from destinepyauth/configs/{service}.yaml)

This allows you to override any service default without modifying the package.

Example: Override IAM Client

# Via environment variable
export DESPAUTH_IAM_CLIENT=my-custom-client
python -c "from destinepyauth import get_token; get_token('highway')"

# Via user config file
echo "iam_client: my-custom-client" > ~/.despauth.yaml
python -c "from destinepyauth import get_token; get_token('highway')"

Credential Handling

When you call get_token(), the library will prompt for your credentials with masked input for both username and password - nothing you type will be visible on screen:

from destinepyauth import get_token
result = get_token("highway")
# Username:   (hidden input)
# Password:   (hidden input)

This ensures credentials cannot be accidentally exposed in terminal logs, screen recordings, or shell history.

Two Factor Authentication

If you have 2FA enabled, you will also be prompted to enter an OTP from your authenticator app.

You can enable/disable 2FA in your DestinE platform account settings.

Adding a new service

To integrate a new DestinE service, create a YAML configuration file in destinepyauth/configs/{service_name}.yaml:

# Example: myservice.yaml
scope: openid offline_access
iam_client: myservice-public
iam_redirect_uri: https://myservice.destine.eu/

# Optional: Token exchange configuration (only if needed)
exchange_config:
  token_url: https://identity.example.com/token
  audience: myservice-public
  subject_issuer: desp-oidc
  client_id: myservice-public

The service will be automatically discovered and available via get_token("myservice").

Service Configuration Fields

  • scope: OAuth2 scopes (e.g., "openid", "openid offline_access")
  • iam_client: Client ID registered with the IAM
  • iam_redirect_uri: OAuth redirect URI for the service
  • iam_url (optional): IAM server URL (defaults to https://auth.destine.eu)
  • iam_realm (optional): IAM realm (defaults to desp)

Token Exchange

Some services (like Highway and HDA) require token exchange because they validate tokens against a different issuer than the initial login. For these services, add an exchange_config section:

  • token_url: Token exchange endpoint
  • audience: Target audience for the exchanged token
  • subject_issuer: Subject issuer identifier
  • client_id: Client ID for the exchange request

The library automatically handles token exchange using RFC 8693 when exchange_config is present.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.3.1

1.3.0

1.2.1

1.2.0

1.1.1

This version

1.1.0

1.0.0

0.2.3

0.2.2

0.2.1

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

destinepyauth-1.1.0.tar.gz (25.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

destinepyauth-1.1.0-py3-none-any.whl (19.7 kB view details)

Uploaded Python 3

File details

Details for the file destinepyauth-1.1.0.tar.gz.

File metadata

  • Download URL: destinepyauth-1.1.0.tar.gz
  • Upload date:
  • Size: 25.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.1.0.tar.gz
Algorithm Hash digest
SHA256 5dbc49c4280d3f559e2d1f44cf605fce2bf7f30dc4f3fc7fcc3837fc13ed139b
MD5 fcac9e2e0ec9bdbd387fc8f9bd4473e7
BLAKE2b-256 311b1907ca5c3d1a80fd8405f5686b5202c10f71b668abe2b8e0c0b89e751021

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.1.0.tar.gz:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file destinepyauth-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: destinepyauth-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 19.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cbc07514754151862c9d7818aa41dd26bc04933307227aae732101e8a40b24ee
MD5 264da4e17f7abfa407b307662bbbc75b
BLAKE2b-256 0e6b2d78ed21ff65e909049bb924a35d68d352cc2e4721c70dc2a93fc84142ae

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.1.0-py3-none-any.whl:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page