
UMA 2.0 session and client support for requests-oauthlib

Project description

UMA 2.0 Session Support for Requests-OAuthlib

Provides OAuth2 Sessions that support UMA 2.0 flows.

The UMA2Session class extends requests_oauthlib.OAuth2Session, so any OAuth2 client that requests-oauthlib supports can be used for the initial authentication. Once authenticated, if a Resource Server answers a request with a UMA challenge, the session automatically obtains a Requesting Party Token (RPT) carrying the permissions the Resource Server asked for and then retries the request.

See User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization for more information.

NOTE: This project is not affiliated with Requests-OAuthlib or any of its dependent libraries.

Install

pip install requests-oauthlib-uma

Example

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib_uma import UMA2Session

# This example uses the Legacy (resource owner password credentials) flow for the
# initial authentication, but any OAuth2 client can be used. The password grant
# hands the user's credentials to the client, so prefer an authorization-code
# client wherever the Authorization Server supports one.
client_id = "your_client_id"
client_secret = "your_client_secret"
username = "your_username"
password = "your_password"
session = UMA2Session(client=LegacyApplicationClient(client_id=client_id))
token = session.fetch_token(
    token_url="https://somesite.com/oauth2/token",
    username=username,
    password=password,
    client_id=client_id,
    client_secret=client_secret,
)
print(token)  # the initial OAuth2 token; do not log tokens outside of a demo

# Attempt to access a UMA-protected resource:
response = session.get("https://somesite.com/secure/resource")

# If the resource answered with a UMA challenge, the session has obtained an RPT,
# retried the request, and now uses the RPT as its auth token going forward
print(session.token)

If the Resource Server returns a 401 Unauthorized response whose WWW-Authenticate header carries a UMA challenge (scheme UMA, with as_uri and ticket parameters), the Session will automatically:

  1. Determine the Authorization Server from the as_uri parameter of the challenge
  2. Obtain the token endpoint URL from the Authorization Server's UMA 2.0 Well-Known Configuration document (/.well-known/uma2-configuration)
  3. Present the permission ticket from the challenge to that endpoint using the UMA grant (grant_type urn:ietf:params:oauth:grant-type:uma-ticket) to obtain an RPT with the requested permissions
  4. Retry the original request with the RPT as the bearer token

Subsequent requests continue to use the issued RPT as the Session token.

If a later request is challenged for permissions the RPT does not yet carry, the Session repeats the flow and passes the last-issued RPT along with the new ticket, so the Authorization Server can upgrade the RPT with the additional permissions instead of issuing one that drops the earlier ones. Clients therefore accumulate permissions incrementally, as they are needed.

Because the Authorization Server is taken from the challenge, any Resource Server the session talks to can name an as_uri of its choosing and the session will send its token request there. Only point the session at Resource Servers you trust, or check the as_uri against the Authorization Servers you expect before relying on the automatic flow.

Refreshing Tokens

UMA2Session refreshes expired tokens through the same mechanism as OAuth2Session; see requests-oauthlib's documentation on refreshing tokens for details. Once an RPT has been issued, automatic refresh uses the refresh_token from the last-issued RPT, if the Authorization Server provided one.

Extra RPT Endpoint Parameters

If the Authorization Server accepts additional parameters on the token request (Keycloak, for example, accepts audience), they can be configured when initializing the UMA2Session and are sent with every RPT request:

session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    fetch_rpt_kwargs={"audience": "other-client"},
)

Handling Sequential Flows

By default, UMA2Session attempts a UMA flow at most once per request. If a Resource requires several UMA flows in sequence before it grants access, you can raise the maximum number of attempts permitted per request. If the Resource is still issuing a UMA challenge after that limit is reached, requests_oauthlib_uma.exceptions.MaxUMAFlowsReachedError is raised.

from requests_oauthlib_uma.exceptions import MaxUMAFlowsReachedError

session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    max_flows_per_request=2,
)

try:
    response = session.get("https://somesite.com/secure/resource")
except MaxUMAFlowsReachedError as err:
    print(f"Giving up after {err.last_attempt.attempt_number} UMA authorization attempts.")

    # Get the last response before the session gave up
    last_response = err.last_attempt.result()
    print(f"Last response was {last_response.status_code} - {last_response.text}")
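The whole sequence described in the sections above (parsing the UMA challenge, requesting an RPT with the UMA grant, upgrading the RPT incrementally, passing fetch_rpt_kwargs extras, and giving up once the per-request flow limit is hit), as an added example that is not code from requests-oauthlib-uma or any of its dependencies. Everything runs in-process so it works offline: FakeAuthorizationServer, FakeResourceServer, UmaClient, MaxUMAFlowsReached, and the resource paths and scope names are constructed for this example. Step 2 of the flow (fetching /.well-known/uma2-configuration to find the token endpoint) is replaced by a dictionary lookup keyed on as_uri.

```python
"""Offline simulation of the UMA 2.0 grant flow described above. Added example, not
code from requests-oauthlib-uma; the fake servers keep state in dicts instead of JWTs."""
import re
import secrets

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_uma_challenge(www_authenticate):
    """Step 1: as_uri and ticket from a `WWW-Authenticate: UMA ...` header, else None."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "uma":
        return None                                  # Bearer/Basic challenges are not ours
    fields = dict(_PARAM_RE.findall(params))
    return fields if {"as_uri", "ticket"} <= set(fields) else None

def build_rpt_request(ticket, rpt=None, extra=None):
    """Step 3: UMA grant body; `rpt` asks for an upgrade, `extra` is fetch_rpt_kwargs."""
    body = {"grant_type": UMA_GRANT, "ticket": ticket}
    if rpt:
        body["rpt"] = rpt
    body.update(extra or {})
    return body

class FakeAuthorizationServer:
    def __init__(self, issuer):
        self.issuer, self._tickets, self._rpts = issuer, {}, {}  # ticket->scopes, rpt->scopes

    def permission(self, scopes):                    # RS registers a permission, gets a ticket
        ticket = secrets.token_urlsafe(8)
        self._tickets[ticket] = frozenset(scopes)
        return ticket

    def token(self, body):                           # token endpoint, UMA grant only
        if body.get("grant_type") != UMA_GRANT:
            raise ValueError("unsupported_grant_type")
        scopes = self._tickets.pop(body["ticket"])   # tickets are single use
        if body.get("rpt") in self._rpts:
            scopes |= self._rpts.pop(body["rpt"])    # upgrade keeps the earlier permissions
        rpt = "rpt-" + secrets.token_urlsafe(8)
        self._rpts[rpt] = scopes
        return {"access_token": rpt, "token_type": "Bearer"}

    def scopes_of(self, rpt):                        # stands in for token introspection
        return self._rpts.get(rpt, frozenset())

class FakeResourceServer:
    """Each resource is a list of permission stages; the first unmet stage yields a
    fresh ticket, so a two-stage resource needs two sequential UMA flows."""
    def __init__(self, auth_server, resources):
        self.auth_server, self.resources = auth_server, resources

    def get(self, path, rpt=None):
        granted = self.auth_server.scopes_of(rpt)
        for stage in self.resources[path]:
            if not stage <= granted:
                ticket = self.auth_server.permission(stage)
                hdr = f'UMA realm="demo", as_uri="{self.auth_server.issuer}", ticket="{ticket}"'
                return 401, None, {"WWW-Authenticate": hdr}
        return 200, f"contents of {path}", {}

class MaxUMAFlowsReached(Exception):
    def __init__(self, attempts):
        super().__init__(f"still challenged after {attempts} UMA flow(s)")
        self.attempts = attempts

class UmaClient:
    """Retry/upgrade loop. `auth_servers` maps the as_uri values we trust to their
    servers; a challenge naming an unexpected AS raises KeyError instead of being followed."""
    def __init__(self, resource_server, auth_servers, max_flows_per_request=1, fetch_rpt_kwargs=None):
        self.rs, self.auth_servers = resource_server, auth_servers
        self.max_flows, self.extra, self.rpt = max_flows_per_request, fetch_rpt_kwargs, None

    def get(self, path):
        flows = 0
        status, body, headers = self.rs.get(path, self.rpt)
        while status == 401:
            challenge = parse_uma_challenge(headers.get("WWW-Authenticate", ""))
            if challenge is None:                    # not a UMA challenge: return the 401 as-is
                break
            if flows == self.max_flows:
                raise MaxUMAFlowsReached(flows)
            flows += 1
            auth_server = self.auth_servers[challenge["as_uri"]]  # step 2 stubbed by lookup
            token = auth_server.token(build_rpt_request(challenge["ticket"], self.rpt, self.extra))
            self.rpt = token["access_token"]                      # RPT becomes the session token
            status, body, headers = self.rs.get(path, self.rpt)   # step 4: retry
        return status, body

def demo():
    """Two single-stage resources (incremental upgrade), then a two-stage one."""
    as_ = FakeAuthorizationServer("https://as.example")
    rs = FakeResourceServer(as_, {"/doc": [{"doc:read"}], "/photo": [{"photo:read"}],
                                  "/audit": [{"audit:list"}, {"audit:export"}]})
    client = UmaClient(rs, {as_.issuer: as_})
    statuses = [client.get("/doc")[0], client.get("/photo")[0]]
    granted = set(as_.scopes_of(client.rpt))         # both permissions now on one RPT
    try:
        client.get("/audit")                         # default limit of one flow is not enough
        limited = None
    except MaxUMAFlowsReached as err:
        limited = err.attempts
    client.max_flows = 2
    statuses.append(client.get("/audit")[0])
    return statuses, granted, limited
```

demo() returns three successful statuses, an RPT that carries both doc:read and photo:read after two separate challenges, and the flow count (1) at which the two-stage resource was abandoned under the default limit. The auth_servers dictionary doubles as the allowlist mentioned earlier: because the Resource Server controls as_uri, the client only follows challenges that name an Authorization Server it already knows.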

Default Headers

You can also configure the Session with a set of default headers that are sent with every request:

session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    headers={"Content-Type": "application/json"},
)

Contributing

This package uses Poetry for dependency management and pre-commit to run code formatting and style checks automatically on each commit.

git clone https://github.com/alpha-layer/requests-oauthlib-uma.git requests-oauthlib-uma
cd requests-oauthlib-uma
pip install poetry
poetry install
poetry run pre-commit install
poetry run pre-commit autoupdate

Download files


Source Distribution

requests_oauthlib_uma-0.1.2.tar.gz (6.9 kB view details)

Uploaded Source

Built Distribution


requests_oauthlib_uma-0.1.2-py3-none-any.whl (8.6 kB view details)

Uploaded Python 3

File details

Details for the file requests_oauthlib_uma-0.1.2.tar.gz.

File metadata

  • Download URL: requests_oauthlib_uma-0.1.2.tar.gz
  • Size: 6.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for requests_oauthlib_uma-0.1.2.tar.gz
Algorithm Hash digest
SHA256 28074aa25c7c8096d102c8e53403285c589bf401c1da122193ef56d431f8e560
MD5 ed48659e7edf497a76d9b8d1e39d3664
BLAKE2b-256 0755ae3346a4b7f0d193bcf6c2017d07b0ad31e49ac01982a4b1e994851cc92b


Provenance

The following attestation bundles were made for requests_oauthlib_uma-0.1.2.tar.gz:

Publisher: publish.yaml on Daveography/requests-oauthlib-uma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file requests_oauthlib_uma-0.1.2-py3-none-any.whl.

File hashes

Hashes for requests_oauthlib_uma-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 747988ec9579387654fdd53144f152fbc0ac04d8a5b6ebb929b8dd16009ebcb6
MD5 7f3ea206286a841edc81cef52c5499ae
BLAKE2b-256 bea1a08fd2131c95d63b828c8d0eceed97ee3ae85af4e95e2dcd287239ea2403


Provenance

The following attestation bundles were made for requests_oauthlib_uma-0.1.2-py3-none-any.whl:

Publisher: publish.yaml on Daveography/requests-oauthlib-uma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
