keystoneauth1.identity.v3.oidc module¶
- class keystoneauth1.identity.v3.oidc.OidcAccessToken(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBaseImplementation for OpenID Connect access token reuse.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect access token reuse.'
- __init__(auth_url: str, identity_provider: str, protocol: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, access_token: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Connect plugin based on the Access Token.
It expects the following
- 参数:
auth_url (string) – 身份服务 URL
identity_provider (string) – Name of the Identity Provider the client will authenticate against
protocol (string) – Protocol name as configured in keystone
access_token (string) – OpenID Connect Access token
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- auth_ref: access.AccessInfo | None
- auth_url: str
- get_unscoped_auth_ref(session: Session) AccessInfoV3
使用 OpenID Connect 进行身份验证并获取声明。
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
令牌数据表示形式
- 返回类型:
keystoneauth1.access.AccessInfoV3
- grant_type: ty.ClassVar[str]
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
Bases:
_OidcBaseImplementation for OpenID Connect Authorization Code.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Authorization Code.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, code: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True, redirect_uri: str | None = None)
The OpenID Authorization Code plugin expects the following.
- 参数:
redirect_uri (string) – OpenID Connect Client Redirect URL
code (string) – OAuth 2.0 Authorization Code
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- auth_ref: access.AccessInfo | None
- auth_url: str
- get_payload(session: Session) dict[str, str | None]
Get an authorization grant for the “authorization_code” grant type.
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
a python dictionary containing the payload to be exchanged
- 返回类型:
- grant_type: ty.ClassVar[str] = 'authorization_code'
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcClientCredentials(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBaseImplementation for OpenID Connect Client Credentials.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Client Credentials.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
The OpenID Client Credentials expects the following.
- 参数:
client_id – Client ID used to authenticate
client_secret – Client Secret used to authenticate
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- auth_ref: access.AccessInfo | None
- auth_url: str
- get_payload(session: Session) dict[str, str | None]
Get an authorization grant for the client credentials grant type.
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
a python dictionary containing the payload to be exchanged
- 返回类型:
- grant_type: ty.ClassVar[str] = 'client_credentials'
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc.OidcDeviceAuthorization(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None = None, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBaseOAuth 2.0 设备授权许可的实现。
- HEADER_X_FORM = {'Content-Type': 'application/x-www-form-urlencoded'}
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OAuth 2.0 Device Authorization Grant.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None = None, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, device_authorization_endpoint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
OAuth 2.0 设备授权插件需要以下参数。
- 参数:
device_authorization_endpoint (string) – OAuth 2.0 设备授权端点,例如:https://:8020/oidc/authorize/device 请注意,如果提供了发现文档,此值将覆盖发现文档中的值。
code_challenge_method (string) – PKCE 挑战方法 (RFC 7636)。
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _generate_pkce_verifier() str
生成 RFC 7636 中定义的 PKCE 验证器字符串。
- _get_access_token(session: Session, payload: dict[str, str | None]) str
轮询令牌端点以获取访问令牌。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
payload (dict) –
包含各种 OpenID Connect 值的一个字典,例如
{ 'grant_type': 'urn:ietf:params:oauth:grant-type:device_code', 'device_code': self.device_code, }
- _get_device_authorization_endpoint(session: Session) str | None
获取 OAuth 2.0 设备授权流的端点。
此方法将返回要使用的正确设备授权端点。如果用户已向构造函数显式传递了 device_authorization_endpoint,则将返回该值。如果没有显式端点且提供了发现 URL,它将尝试从发现文档中获取。如果找不到任何内容,将引发异常。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
要使用的端点
- 返回类型:
string 或 None(如果未找到端点)
- get_payload(session: Session) dict[str, str | None]
获取“device_code”授权类型的授权许可。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
a python dictionary containing the payload to be exchanged
- 返回类型:
- grant_type: ty.ClassVar[str] = 'urn:ietf:params:oauth:grant-type:device_code'
- class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases:
_OidcBaseOpenID Connect 资源所有者密码凭证的实现。
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': 'ty.ClassVar[str]', 'reauthenticate': 'bool'}
- __doc__ = 'Implementation for OpenID Connect Resource Owner Password Credential.'
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str, access_token_type: str = 'access_token', scope: str = 'openid profile', access_token_endpoint: str | None = None, discovery_endpoint: str | None = None, username: str | None = None, password: str | None = None, idp_otp_key: str | None = None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
OpenID 密码插件需要以下参数。
- 参数:
username (string) – 用于身份验证的用户名
password (string) – 用于身份验证的密码
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- auth_ref: access.AccessInfo | None
- auth_url: str
- get_payload(session: Session) dict[str, str | None]
获取“password”授权类型的授权许可。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
a python dictionary containing the payload to be exchanged
- 返回类型:
- grant_type: ty.ClassVar[str] = 'password'
- manage_otp_from_session_or_request_to_the_user(payload: dict[str, str | None], session: Session) None
从会话中获取 OTP 代码,否则向用户请求。
当设置了 OS_IDP_OTP_KEY 环境变量时,此方法将验证当前会话中是否存在 OTP 值。如果存在,我们使用会话中的 OTP 向身份提供者发送请求以检索访问令牌。如果当前会话中没有 OTP,我们会要求用户输入 OTP,并将其添加到会话中以执行身份验证流程。
OTP 被存储在会话中是因为在某些流程中,CLI 会执行两次身份验证过程,因此将 OTP 保存到会话中,使我们能够在短时间内使用相同的 OTP,避免连续两次向用户请求。
- 参数:
payload
session
- 返回值:
- reauthenticate: bool
- class keystoneauth1.identity.v3.oidc._OidcBase(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool, include_catalog: bool)
基类:
FederationBaseAuth不同基于 OpenID Connect 流程的基类。
OpenID Connect 规范可在以下位置找到::
http://openid.net/specs/openid-connect-core-1_0.html- __abstractmethods__ = frozenset({'get_payload'})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', '_discovery_document': 'dict[str, object]', 'auth_ref': 'access.AccessInfo | None', 'auth_url': 'str', 'grant_type': typing.ClassVar[str], 'reauthenticate': 'bool'}
- __doc__ = 'Base class for different OpenID Connect based flows.\n\n The OpenID Connect specification can be found at::\n ``http://openid.net/specs/openid-connect-core-1_0.html``\n '
- __init__(auth_url: str, identity_provider: str, protocol: str, client_id: str, client_secret: str | None, access_token_type: str, scope: str, access_token_endpoint: str | None, discovery_endpoint: str | None, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool, include_catalog: bool)
OpenID Connect 插件需要以下参数。
- 参数:
auth_url (string) – 身份服务 URL
identity_provider (string) – Name of the Identity Provider the client will authenticate against
protocol (string) – Protocol name as configured in keystone
client_id (string) – OAuth 2.0 客户端 ID
client_secret (string) – OAuth 2.0 客户端密钥
access_token_type (string) – OAuth 2.0 授权服务器自省令牌类型,用于决定处理令牌自省时使用哪种类型的令牌。有效值为:“access_token”或“id_token”
access_token_endpoint (string) – OpenID Connect 提供者令牌端点,例如:https://:8020/oidc/OP/token 请注意,如果提供了发现文档,此值将覆盖发现文档中的值。
discovery_endpoint – OpenID Connect 发现文档 URL,例如:https://:8020/oidc/.well-known/openid-configuration
scope (string) – 从 OP 请求的 OpenID Connect 范围,例如:“openid profile email”,默认为“openid profile”。请注意,OpenID Connect 规范规定必须始终指定“openid”。
- __module__ = 'keystoneauth1.identity.v3.oidc'
- _abc_impl = <_abc._abc_data object>
- _get_access_token(session: Session, payload: dict[str, str | None]) str
将各种用户提供的值换取访问令牌。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
payload (dict) –
包含各种 OpenID Connect 值的一个字典,例如
{ 'grant_type': 'password', 'username': self.username, 'password': self.password, 'scope': self.scope, }
- _get_access_token_endpoint(session: Session) str
获取 OpenID Connect 流程的“token_endpoint”。
此方法将返回要使用的正确访问令牌端点。如果用户已向构造函数显式传递了 access_token_endpoint,则将返回该值。如果没有显式端点且提供了发现 URL,它将尝试从发现文档中获取。如果找不到任何内容,将引发异常。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
要使用的端点
- 返回类型:
字符串
- _get_discovery_document(session: Session) dict[str, object]
获取 OpenID Connect 发现文档的内容。
如果 discovery_endpoint 在构造函数中被传入,此方法将获取 OpenID Connect 发现文档的内容并将其作为字典返回,否则返回一个空字典。请注意,它只会获取发现文档一次,因此后续对此方法的调用将返回缓存的结果(如果有)。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
包含发现文档的 Python 字典(如果有),否则返回一个空字典。
- 返回类型:
- _get_keystone_token(session: Session, access_token: str) Response
将访问令牌换取 Keystone 令牌。
通过向 OpenID Connect 保护的端点(联邦令牌 URL)发送带有 Authorization: Bearer 头的访问令牌。OpenID Connect 服务器将使用访问令牌查找经过身份验证的用户信息(此技术称为自省)。自省的输出将是一个 OpenID Connect Claim,它将用于映射引擎。如果映射引擎成功,则会向用户提供一个 Keystone 令牌。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
access_token (str) – OpenID Connect 访问令牌。
- abstract get_payload(session: Session) dict[str, str | None]
获取用于获取访问令牌的特定于插件的有效载荷。
OpenID Connect 支持不同的授权类型。此方法应准备好需要与服务器交换的有效载荷,以便为插件正在实现的特定授权类型获取访问令牌。
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
a python dictionary containing the payload to be exchanged
- 返回类型:
- get_unscoped_auth_ref(session: Session) AccessInfoV3
使用 OpenID Connect 进行身份验证并获取声明。
这是一个多步骤过程
- 1.- 必须从服务器检索访问令牌。为了做到这一点,我们需要与令牌端点交换授权授予或刷新令牌,以获取访问令牌。授权授予因插件而异。
so, we need to exchange an authorization grant or refresh token with the token endpoint in order to obtain an access token. The authorization grant varies from plugin to plugin.
- 2.- 然后,我们在访问受保护的 Keystone 端点(联邦身份验证 URL)时交换访问令牌。这将触发 OpenID Connect Provider 执行用户自省,并以 OpenID Connect Claim 的形式检索有关用户的信息(在范围内指定)。这些声明将以环境变量的形式发送给 Keystone。
Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- 参数:
session (keystoneauth1.session.Session) – 用于发送 HTTP 请求的会话对象。
- 返回值:
令牌数据表示形式
- 返回类型:
keystoneauth1.access.AccessInfoV3
