Harmonized Python script for DestinE authentication.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

destinepyauth

A Python library for authenticating against DESP (Destination Earth Service Platform) services.

Installation

pip install destinepyauth

Usage

The main entry point is the get_token() function:

from destinepyauth import get_token

# Authenticate (prompts for credentials if not in environment)
result = get_token("highway")

# Access the token
token = result.access_token

Using with requests

from destinepyauth import get_token
import requests

result = get_token("eden")
headers = {"Authorization": f"Bearer {result.access_token}"}
response = requests.get("https://api.example.com/data", headers=headers)

Using with zarr/xarray (netrc support)

For services like CacheB that work with zarr, you can write credentials to ~/.netrc:

from destinepyauth import get_token
import xarray as xr

# Authenticate and write to ~/.netrc
get_token("cacheb", write_netrc=True)

# Now zarr/xarray will use credentials automatically
ds = xr.open_dataset(
    "reference://",
    engine="zarr",
    backend_kwargs={
        "consolidated": False,
        "storage_options": {
            "fo": "https://cacheb.dcms.destine.eu/path/to/data.json",
            "remote_protocol": "https",
            "remote_options": {"client_kwargs": {"trust_env": True}},
        },
    },
)

Polytope compatibility (~/.polytopeapirc)

When authenticating with get_token("polytope"), the library automatically writes the refresh token to ~/.polytopeapirc as JSON ({"user_key": "..."}), matching the expected Polytope client format.

Available Services

  • cacheb - CacheB data service
  • dea - DEA service
  • eden - Eden broker
  • hda - Harmonized Data Access (includes token exchange)
  • highway - Highway service (includes token exchange)
  • insula - Insula service
  • polytope - Data access service
  • streamer - Streaming service

Configuration

Service configurations are stored in YAML files in the destinepyauth/configs/ directory. Each service has its own configuration file (e.g., highway.yaml, cacheb.yaml) that defines default values for authentication parameters.

Configuration Priority

The library uses Conflator to merge configurations from multiple sources, with the following priority (highest to lowest):

  1. Command-line arguments (e.g., --iam-client my-client)
  2. Environment variables (e.g., DESPAUTH_IAM_CLIENT=my-client)
  3. User config files (e.g., ~/.despauth.yaml)
  4. Service defaults (from destinepyauth/configs/{service}.yaml)

This allows you to override any service default without modifying the package.

Example: Override IAM Client

# Via environment variable
export DESPAUTH_IAM_CLIENT=my-custom-client
python -c "from destinepyauth import get_token; get_token('highway')"

# Via user config file
echo "iam_client: my-custom-client" > ~/.despauth.yaml
python -c "from destinepyauth import get_token; get_token('highway')"

Credential Handling

When you call get_token(), the library will prompt for your credentials. The password uses masked input - nothing you type will be visible on screen:

from destinepyauth import get_token
result = get_token("highway")
# Username: myuser
# Password:   (hidden input)

This ensures the password cannot be accidentally exposed in terminal logs, screen recordings, or shell history.

Two Factor Authentication

If you have 2FA enabled, you will also be prompted to enter an OTP from your authenticator app.

You can enable/disable 2FA in your DestinE platform account settings.

Adding a new service

To integrate a new DestinE service, create a YAML configuration file in destinepyauth/configs/{service_name}.yaml:

# Example: myservice.yaml
scope: openid offline_access
iam_client: myservice-public
iam_redirect_uri: https://myservice.destine.eu/

# Optional: Token exchange configuration (only if needed)
exchange_config:
  token_url: https://identity.example.com/token
  audience: myservice-public
  subject_issuer: desp-oidc
  client_id: myservice-public

The service will be automatically discovered and available via get_token("myservice").

Service Configuration Fields

  • scope: OAuth2 scopes (e.g., "openid", "openid offline_access")
  • iam_client: Client ID registered with the IAM
  • iam_redirect_uri: OAuth redirect URI for the service
  • iam_url (optional): IAM server URL (defaults to https://auth.destine.eu)
  • iam_realm (optional): IAM realm (defaults to desp)

Token Exchange

Some services (like Highway and HDA) require token exchange because they validate tokens against a different issuer than the initial login. For these services, add an exchange_config section:

  • token_url: Token exchange endpoint
  • audience: Target audience for the exchanged token
  • subject_issuer: Subject issuer identifier
  • client_id: Client ID for the exchange request

The library automatically handles token exchange using RFC 8693 when exchange_config is present.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for purnelldj from gravatar.com purnelldj

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache 2.0)
  • Author: David Purnell
  • Tags DestinE , authentication
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.3.1

1.3.0

This version

1.2.1

1.2.0

1.1.1

1.1.0

1.0.0

0.2.3

0.2.2

0.2.1

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

destinepyauth-1.2.1.tar.gz (29.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

destinepyauth-1.2.1-py3-none-any.whl (20.1 kB view details)

Uploaded Python 3

File details

Details for the file destinepyauth-1.2.1.tar.gz.

File metadata

  • Download URL: destinepyauth-1.2.1.tar.gz
  • Upload date:
  • Size: 29.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.2.1.tar.gz
Algorithm Hash digest
SHA256 13a55441c564991a848c79252cafa740e43897db6dc46e370ce74484dcf7a41b
MD5 3de5dbb212e3c0646719e9624b27a129
BLAKE2b-256 dc6b669a40b2dec90dfb72c66040d2bdd9ea0f3a3fd69e0a8dcd660cd34789d1

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.2.1.tar.gz:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file destinepyauth-1.2.1-py3-none-any.whl.

File metadata

  • Download URL: destinepyauth-1.2.1-py3-none-any.whl
  • Upload date:
  • Size: 20.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for destinepyauth-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5b4e491b2c117ccef6cffa6a5ca9fa1ee11f4fa8844bf6a42dce4fbd8ecf739f
MD5 ca0a41799043955435daaf8617280f1d
BLAKE2b-256 794b08f5e74b6d5174ec4e4a7c10c8dc5eb089042dbc6a8478663f999cb79fba

See more details on using hashes here.

Provenance

The following attestation bundles were made for destinepyauth-1.2.1-py3-none-any.whl:

Publisher: cd.yml on SercoSPA/DestinE-Platform-AuthN

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page