The TSG authentication library for use with the CERN SSO (OIDC based) service

Project description

tsgauth

A collection of CERN SSO based authentication and authorisation tools used by the CMS TSG Group

modules

flaskoidc

This adds OpenID Connect based authorisation for flask servers. It currently has a single function, "accept_token", which decorates any routes you wish to require authorisation for.

The function expects the following variables to be added to the flask application

It will add the decoded claims of the token to flask.g.oidc_token_info if the token can be validated. If require_token is true, it will only allow access to the endpoint if there is a validated token; otherwise it will return a 401 and a Little Britain reference.

oidcauth

These are a collection of clients which request and manage an SSO token for a given application. Each client is for a different authentication mechanism. We currently have the following ways of authenticating:

ClientAuth: pass in a client id and secret and request a token for a given audience. This is used by applications to access other applications. Basically any script where you don't easily have a user to log in with.

KerbAuth: uses Kerberos to log in as a user (or service account) and request a token for a given audience.

AuthGetSSOTokenAuth: uses the auth-get-sso-token command line tool to request a token for a given audience. Basically wraps the CERN authz CLI tool in a library. Note you must install this tool yourself; see the CERN authsvc tools for more details.

DeviceAuth: used to log in as a user who uses 2FA or cannot get a Kerberos ticket for some reason. It will print a URL that needs to be copied into the user's browser, where the user then authenticates the request. By default it caches the token in a file in the user's home directory (~/.sso_token), which is used for subsequent requests for the next 10 hrs.

The interface of the classes is:

  • token() : returns the access token for a given application, requesting/renewing it first if necessary
  • headers() : returns the headers necessary to pass the token to the target API, e.g. requests.get(url,headers=auth.headers())
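Because DeviceAuth leaves a bearer token on disk, it is worth checking who can read that file. The following is an added example, not part of tsgauth: it audits a token cache file on a POSIX system for loose permissions, wrong ownership, symlinks and age. The function names and finding labels are hypothetical, the sample files are constructed, and it assumes the file's mtime approximates when the token was cached.

```python
import os
import stat
import tempfile
import time

CACHE_PATH = os.path.expanduser("~/.sso_token")  # default cache path named above
CACHE_LIFETIME_S = 10 * 3600                     # cache is reused for 10 hrs

def audit_token_cache(path=CACHE_PATH, now=None):
    """Return a list of findings for a cached token file (empty list = clean)."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(path)  # lstat: inspect the path itself, never follow symlinks
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # a token cache should not redirect elsewhere
    if not stat.S_ISREG(st.st_mode):
        return ["not-regular-file"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append("not-owned-by-current-user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")  # should be 0600
    # Assumption: mtime approximates when the token was cached.
    if now - st.st_mtime > CACHE_LIFETIME_S:
        findings.append("stale")
    return findings

def demo():
    """Audit constructed sample files in a temp dir; returns {case: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sso_token")
        with open(path, "w") as f:
            f.write("constructed-placeholder-token")  # not a real token
        os.chmod(path, 0o644)
        results["world_readable"] = audit_token_cache(path)
        os.chmod(path, 0o600)
        results["owner_only"] = audit_token_cache(path)
        results["expired"] = audit_token_cache(path, now=time.time() + 11 * 3600)
        os.symlink(path, path + ".lnk")
        results["symlink"] = audit_token_cache(path + ".lnk")
        results["missing"] = audit_token_cache(os.path.join(d, "absent"))
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "ok")
```

Calling audit_token_cache() with no arguments checks the default ~/.sso_token path for the current user.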

Download files

Source Distribution

tsgauth-0.9.1.tar.gz (12.5 kB)

Uploaded Source

Built Distribution

tsgauth-0.9.1-py3-none-any.whl (10.5 kB)

Uploaded Python 3