
UMA 2.0 session and client support for requests-oauthlib

Project description

UMA 2.0 Session Support for Requests-OAuthlib

Provides OAuth2 Sessions that support UMA 2.0 flows.

The UMA2Session class extends requests_oauthlib.OAuth2Session, and so supports any OAuth2 clients for initial authentication. Once authenticated, if a Resource Server requires UMA authorization, the session will automatically attempt to obtain the required Requesting Party Token (RPT) with the necessary permissions, then retry the request.

See User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization for more information.

NOTE: This project is not affiliated with Requests-OAuthlib or any of its dependent libraries.

Install

pip install requests-oauthlib-uma

Example

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib_uma import UMA2Session

# This example uses Legacy flow for initial authentication, but any OAuth2 Client can be used.
client_id = "your_client_id"
client_secret = "your_client_secret"
username = "your_username"
password = "your_password"
session = UMA2Session(client=LegacyApplicationClient(client_id=client_id))
token = session.fetch_token(
    token_url="https://somesite.com/oauth2/token",
    username=username,
    password=password,
    client_id=client_id,
    client_secret=client_secret,
)
print(token)

# Attempt to access a UMA-protected resource:
response = session.get("https://somesite.com/secure/resource")

# The session now uses the newly issued RPT as the auth token going forward
print(session.token)

If the resource returns a 401 Unauthorized response with a WWW-Authenticate challenge header for the UMA scheme, the Session will automatically:

  1. Determine the Authorization Server from the challenge header
  2. Obtain the RPT endpoint URL from the Authorization Server's UMA 2.0 Well-Known Configuration endpoint
  3. Request a token with the requested permission claims from the Authorization Server's RPT endpoint
  4. Attempt the request again with the RPT

Subsequent requests will continue to use the issued RPT as the Session token.

If a subsequent request requires additional UMA authorization permissions not yet available in the RPT claims, the Session will repeat the above flow and attempt to upgrade the last-issued RPT with the added permission claims. This allows clients to incrementally obtain permission claims as needed.

Refreshing Tokens

The UMA2Session supports refreshing expired tokens via the same mechanism as OAuth2Session; see Refreshing tokens for more details. Automatic token refresh always uses the refresh_token from the last-issued RPT if provided.

Extra RPT Endpoint Parameters

If the Authorization Server is known to accept additional parameters (e.g., Keycloak), they can be configured when initializing the UMA2Session:

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib_uma import UMA2Session

# fetch_rpt_kwargs are sent as extra form parameters on every RPT request
session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    fetch_rpt_kwargs={"audience": "other-client"},
)

Handling Sequential Flows

By default, UMA2Session attempts a UMA flow at most once per request. If a Resource requires multiple UMA flows before it grants authorization, you can raise the maximum number of attempts permitted per request. If the Resource is still requesting UMA authorization after this limit is reached, requests_oauthlib_uma.exceptions.MaxUMAFlowsReachedError is raised:

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib_uma import UMA2Session
from requests_oauthlib_uma.exceptions import MaxUMAFlowsReachedError

# Allow up to two UMA flows for a single request before giving up
session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    max_flows_per_request=2,
)

try:
    response = session.get("https://somesite.com/secure/resource")
except MaxUMAFlowsReachedError as err:
    print(f"Giving up after {err.last_attempt.attempt_number} UMA authorization attempts.")

    # Get the last response before the session gave up
    last_response = err.last_attempt.result()
    print(f"Last response was {last_response.status_code} - {last_response.text}")
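The four-step flow described above and the per-request flow cap from this section, worked through as an added example that is not code from requests-oauthlib-uma. The challenge parser, the RPT request builder, the bounded retry loop and the two stand-in servers (a Resource Server that demands "read" and then "write", and an Authorization Server that upgrades the RPT it already issued) are names and values constructed for this illustration; only the grant type and the well-known path come from the UMA 2.0 specification.

```python
"""Added example, not code from requests-oauthlib-uma: the four-step UMA 2.0
flow and the per-request flow cap, modelled with constructed stand-in servers.
parse_uma_challenge, build_rpt_request, run_uma_flow and demo_servers are
names invented here; the grant type and well-known path come from UMA 2.0."""
import re
from urllib.parse import urljoin

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
UMA2_WELL_KNOWN = ".well-known/uma2-configuration"

# key="quoted value" or key=bare-token pairs inside one challenge.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_uma_challenge(www_authenticate):
    """Step 1: pull as_uri and ticket out of a UMA challenge.  Returns None when
    there is no UMA scheme (e.g. only Bearer) or a required parameter is
    missing, so the caller never starts a flow it cannot complete."""
    # One header may carry several schemes: 'Bearer realm="x", UMA as_uri=...'.
    for chunk in re.split(r",\s*(?=[A-Za-z]+\s+\w+=)", www_authenticate):
        scheme, _, rest = chunk.strip().partition(" ")
        if scheme.lower() != "uma":
            continue
        params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM_RE.finditer(rest)}
        if "as_uri" in params and "ticket" in params:
            return params
        return None
    return None


def uma2_discovery_url(as_uri):
    """Step 2: where the Authorization Server publishes its token endpoint."""
    return urljoin(as_uri.rstrip("/") + "/", UMA2_WELL_KNOWN)


def build_rpt_request(ticket, current_rpt=None, extra=None):
    """Step 3: form body for the token endpoint.  Sending the current RPT asks
    the AS to upgrade it with the new permission instead of minting an
    unrelated one, which is how permissions accumulate incrementally."""
    body = {"grant_type": UMA_TICKET_GRANT, "ticket": ticket}
    if current_rpt:
        body["rpt"] = current_rpt
    body.update(extra or {})  # e.g. {"audience": "other-client"} on Keycloak
    return body


def run_uma_flow(send, fetch_rpt, max_flows=1):
    """Steps 1-4, capped at max_flows UMA flows for a single request.
    send(rpt) -> (status, headers, body); fetch_rpt(form) -> new RPT string.
    Returns (status, rpt, flows_used); raises RuntimeError when the cap is
    reached and the Resource Server still demands UMA authorization."""
    rpt, flows = None, 0
    status, headers, _ = send(rpt)
    while status == 401:
        challenge = parse_uma_challenge(headers.get("WWW-Authenticate", ""))
        if challenge is None:
            break  # a plain 401, not something a UMA flow can fix
        if flows >= max_flows:
            raise RuntimeError(f"gave up after {flows} UMA flow(s)")
        flows += 1
        rpt = fetch_rpt(build_rpt_request(challenge["ticket"], current_rpt=rpt))
        status, headers, _ = send(rpt)
    return status, rpt, flows


def demo_servers():
    """Constructed stand-ins: the Resource Server wants 'read' and then 'write'
    (one challenge each), and the Authorization Server mints an RPT carrying
    every permission granted so far (an upgrade whenever 'rpt' is sent)."""
    needed = ["read", "write"]

    def rs_send(rpt):
        have = set(rpt.split("|")[1:]) if rpt else set()
        missing = [s for s in needed if s not in have]
        if missing:
            hdr = (f'UMA realm="demo", as_uri="https://as.example.test", '
                   f'ticket="ticket-{missing[0]}"')
            return 401, {"WWW-Authenticate": hdr}, ""
        return 200, {}, "protected resource"

    def as_fetch(form):
        assert form["grant_type"] == UMA_TICKET_GRANT
        scopes = form.get("rpt", "rpt").split("|")[1:]
        scopes.append(form["ticket"].removeprefix("ticket-"))
        return "rpt|" + "|".join(scopes)

    return rs_send, as_fetch


if __name__ == "__main__":
    rs, auth = demo_servers()
    print(run_uma_flow(rs, auth, max_flows=2))  # (200, 'rpt|read|write', 2)
```

With max_flows=2 the loop completes both flows and the final RPT carries both permissions; with the library's default of one flow per request the same resource triggers the give-up path, which is the situation MaxUMAFlowsReachedError reports. Only a challenge that names both as_uri and ticket starts a flow, so a plain Bearer 401 is surfaced unchanged rather than turned into a token request.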

Default Headers

You can also configure the Session with a set of default headers that are sent with every request:

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib_uma import UMA2Session

# These headers are merged into every request the session makes
session = UMA2Session(
    client=LegacyApplicationClient(client_id=client_id),
    headers={"Content-Type": "application/json"},
)

Contributing

This package uses Poetry for dependency management and pre-commit to apply code formatting automatically and run code style checks.

git clone https://github.com/Daveography/requests-oauthlib-uma.git requests-oauthlib-uma
cd requests-oauthlib-uma
pip install poetry
poetry install
poetry run pre-commit install
poetry run pre-commit autoupdate

Download files


Source Distribution

requests_oauthlib_uma-0.1.3.tar.gz (6.9 kB)


Built Distribution


requests_oauthlib_uma-0.1.3-py3-none-any.whl (8.6 kB)


File details

Details for the file requests_oauthlib_uma-0.1.3.tar.gz.

File metadata

  • Download URL: requests_oauthlib_uma-0.1.3.tar.gz
  • Size: 6.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for requests_oauthlib_uma-0.1.3.tar.gz
SHA256: 91d2e62f3622aceef817d1085fbf260954fb712e493e8634ff69d1531c11bcb7
MD5: 8fa7eeaae9a2bbe029e14fb3efe381fa
BLAKE2b-256: f8abd89c1c233290b94056e1df1059c982187ab166a77a928b1790d742f5f747


Provenance

The following attestation bundles were made for requests_oauthlib_uma-0.1.3.tar.gz:

Publisher: publish.yaml on Daveography/requests-oauthlib-uma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file requests_oauthlib_uma-0.1.3-py3-none-any.whl.

File hashes

Hashes for requests_oauthlib_uma-0.1.3-py3-none-any.whl
SHA256: bbe281a181c014a1480b5d24dce0bf4d56d58d9e0afdcfecf704f3fd44947063
MD5: a92fff57d452bc56c460a292ba1d1be9
BLAKE2b-256: 662e1cc97c75827bd6a213ffa1bd6c4fe6e636e4208b8b91c703ccc1cf58281c


Provenance

The following attestation bundles were made for requests_oauthlib_uma-0.1.3-py3-none-any.whl:

Publisher: publish.yaml on Daveography/requests-oauthlib-uma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
