Harmonized Python script for DestinE authentication.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

destinepyauth

A Python library for authenticating against DESP (Destination Earth Service Platform) services.

Installation

pip install destinepyauth

Usage

The main entry point is the get_token() function:

from destinepyauth import get_token

# Authenticate (prompts for credentials if not in environment)
result = get_token("highway")

# Access the token
token = result.access_token

Using with requests

from destinepyauth import get_token
import requests

result = get_token("eden")
headers = {"Authorization": f"Bearer {result.access_token}"}
response = requests.get("https://api.example.com/data", headers=headers)

Using with zarr/xarray (netrc support)

For services like CacheB that work with zarr, you can write credentials to ~/.netrc:

from destinepyauth import get_token
import xarray as xr

# Authenticate and write to ~/.netrc
get_token("cacheb", write_netrc=True)

# Now zarr/xarray will use credentials automatically
ds = xr.open_dataset(
    "reference://",
    engine="zarr",
    backend_kwargs={
        "consolidated": False,
        "storage_options": {
            "fo": "https://cacheb.dcms.destine.eu/path/to/data.json",
            "remote_protocol": "https",
            "remote_options": {"client_kwargs": {"trust_env": True}},
        },
    },
)

Available Services

  • cacheb - CacheB data service
  • dea - DEA service
  • eden - Eden broker
  • hda - Harmonized Data Access (includes token exchange)
  • highway - Highway service (includes token exchange)
  • insula - Insula service
  • polytope - Data access service
  • streamer - Streaming service

Configuration

Service configurations are stored in YAML files in the destinepyauth/configs/ directory. Each service has its own configuration file (e.g., highway.yaml, cacheb.yaml) that defines default values for authentication parameters.

Configuration Priority

The library uses Conflator to merge configurations from multiple sources, with the following priority (highest to lowest):

  1. Command-line arguments (e.g., --iam-client my-client)
  2. Environment variables (e.g., DESPAUTH_IAM_CLIENT=my-client)
  3. User config files (e.g., ~/.despauth.yaml)
  4. Service defaults (from destinepyauth/configs/{service}.yaml)

This allows you to override any service default without modifying the package.

Example: Override IAM Client

# Via environment variable
export DESPAUTH_IAM_CLIENT=my-custom-client
python -c "from destinepyauth import get_token; get_token('highway')"

# Via user config file
echo "iam_client: my-custom-client" > ~/.despauth.yaml
python -c "from destinepyauth import get_token; get_token('highway')"

Credential Handling

When you call get_token(), the library will prompt for your credentials. The password uses masked input - nothing you type will be visible on screen:

from destinepyauth import get_token
result = get_token("highway")
# Username: myuser
# Password:   (hidden input)

This ensures the password cannot be accidentally exposed in terminal logs, screen recordings, or shell history.

Two Factor Authentication

If you have 2FA enabled, you will also be prompted to enter an OTP from your authenticator app.

You can enable/disable 2FA in your DestinE platform account settings.

Adding a new service

To integrate a new DestinE service, create a YAML configuration file in destinepyauth/configs/{service_name}.yaml:

# Example: myservice.yaml
scope: openid offline_access
iam_client: myservice-public
iam_redirect_uri: https://myservice.destine.eu/

# Optional: Token exchange configuration (only if needed)
exchange_config:
  token_url: https://identity.example.com/token
  audience: myservice-public
  subject_issuer: desp-oidc
  client_id: myservice-public

The service will be automatically discovered and available via get_token("myservice").

Service Configuration Fields

  • scope: OAuth2 scopes (e.g., "openid", "openid offline_access")
  • iam_client: Client ID registered with the IAM
  • iam_redirect_uri: OAuth redirect URI for the service
  • iam_url (optional): IAM server URL (defaults to https://auth.destine.eu)
  • iam_realm (optional): IAM realm (defaults to desp)

Token Exchange

Some services (like Highway and HDA) require token exchange because they validate tokens against a different issuer than the initial login. For these services, add an exchange_config section:

  • token_url: Token exchange endpoint
  • audience: Target audience for the exchanged token
  • subject_issuer: Subject issuer identifier
  • client_id: Client ID for the exchange request

The library automatically handles token exchange using RFC 8693 when exchange_config is present.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.3.1

1.3.0

1.2.1

1.2.0

This version

1.1.1

1.1.0

1.0.0

0.2.3

0.2.2

0.2.1

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

destinepyauth-1.1.1.tar.gz (28.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

destinepyauth-1.1.1-py3-none-any.whl (19.7 kB view details)

Uploaded Python 3

File details

Details for the file destinepyauth-1.1.1.tar.gz.

File metadata

  • Download URL: destinepyauth-1.1.1.tar.gz
  • Upload date:
  • Size: 28.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.1.1.tar.gz
Algorithm Hash digest
SHA256 38d9430873014f5e5ec5eadc09e16ab0722e1f96c7f01a175eacf01f101c2bc1
MD5 4c3c7e10ac922a7a5870b6f6f335bd95
BLAKE2b-256 48f9f0c67fbb3cce0861d13c1aaeae36bb03659c1e5785f2527a91c7e02d9947

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.1.1.tar.gz:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file destinepyauth-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: destinepyauth-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 19.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b4d656e117180ae9f4c8bd956dc7f2ba2c83815b52ffc594e1ea0a6e6f8f1448
MD5 36c63470897347534a4ff888dd24f512
BLAKE2b-256 2a292e96a9d72130ea76d8b7356647df911e69e9c77201eeae868bfde7568773

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.1.1-py3-none-any.whl:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page