Authentication and authorization¶
Helpers are provided for OAuth and Open ID Connect flows:
Other flows are left for the application to implement. Sample code is
included for reference. These can be used with or without deriving from
OAuthClient
Authentication and Authorization.
Includes helpers for authenticating with Open ID Connect and OAuth and authorization providers for 10Duke API calls.
BearerTokenAuth
¶
Bases: AuthBase
Bearer Token Auth hook - used with OAuth client to connect applications.
Source code in tenduke_core/auth/auth_provider.py
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | |
__call__(r)
¶
Mutate outgoing request (adding authorization header).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
r
|
PreparedRequest
|
Outgoing request. |
required |
Source code in tenduke_core/auth/auth_provider.py
28 29 30 31 32 33 34 35 | |
__eq__(other)
¶
Return True if instances are equal; otherwise False.
Equality is tested by retrieving the bearer token for each instance and comparing them.
Source code in tenduke_core/auth/auth_provider.py
37 38 39 40 41 42 | |
__init__(token_callable)
¶
Construct an IdTokenAuth provider (hook).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
token_callable
|
Callable[[], str]
|
A callable that returns the latest id_token. |
required |
Source code in tenduke_core/auth/auth_provider.py
18 19 20 21 22 23 24 25 26 | |
__ne__(other)
¶
Return True if instances are not equal; otherwise False.
Equality is tested by retrieving the id_token for each instance and comparing them.
Source code in tenduke_core/auth/auth_provider.py
44 45 46 47 48 49 | |
DeviceAuthorizationResponse
dataclass
¶
Data from Device Authorization Response.
Callers should use this data to initiate the user interaction phase of the Device Authorization Grant flow, before or simultaneously with starting polling for the token.
See https://www.rfc-editor.org/rfc/rfc8628#section-3.2.
Attributes:
| Name | Type | Description |
|---|---|---|
user_code |
str
|
The end-user verification code. |
uri |
str
|
The end-user verification URI on the authorization server. The URI should be short and easy to remember as end users will be asked to manually type it into their user agent. |
uri_complete |
str | None
|
A verification URI that includes the "user_code" (or other information with the same function as the "user_code"), which is designed for non-textual transmission. |
Source code in tenduke_core/auth/device_auth_response.py
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | |
DeviceFlowClient
¶
Bases: OAuthClient
Helper class to perform OAuth device flow.
Source code in tenduke_core/auth/device_flow_client.py
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 | |
VerificationUri
¶
Verification URI/URL handling.
As some implementations of device flow use URI and some use URL in the parameter name, we need to check for both. The logic in making the requests is that we should use the '_complete' variant of the URI if it is present/populated and use the incomplete version if it is not.
Source code in tenduke_core/auth/device_flow_client.py
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 | |
__init__()
¶
Construct a VerificationUri instance.
Source code in tenduke_core/auth/device_flow_client.py
54 55 56 57 58 59 | |
read_from_dict(data)
¶
Read the verification uri details from a dictionary.
RFC8628 specifies verification_uri. At least one identity provider in the wild sends verification_url. Outside of this class, we don't need to worry about verification_url, this class will read whichever is present.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
data
|
dict[str, str]
|
The contents of the Device Authorization Response. |
required |
Source code in tenduke_core/auth/device_flow_client.py
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 | |
uri()
¶
Return the token poll uri.
Source code in tenduke_core/auth/device_flow_client.py
77 78 79 | |
uri_complete()
¶
Return the token poll complete uri.
Source code in tenduke_core/auth/device_flow_client.py
81 82 83 84 85 86 87 88 | |
__init__(config, session_factory)
¶
Construct an instance of the DeviceFlowClient.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
config
|
TendukeConfig
|
Configuration parameters for interacting with the OAuth / Open ID Authorization Server. |
required |
session_factory
|
SessionFactory
|
Used to create requests Session configured with the settings from config and with the configured User-Agent header value. |
required |
Source code in tenduke_core/auth/device_flow_client.py
90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 | |
authorize()
¶
Make the authorization request and return the details to display to the user.
Returns:
| Type | Description |
|---|---|
DeviceAuthorizationResponse
|
A DeviceAuthorizationResponse object containing the code and uri needed to fetch a |
DeviceAuthorizationResponse
|
token. |
Raises:
| Type | Description |
|---|---|
ValueError
|
Required configuration item idp_oauth_device_code_url was missing. |
OAuth2Error
|
Device Authorization Request was unsuccessful. |
Source code in tenduke_core/auth/device_flow_client.py
108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 | |
poll_for_token()
¶
Poll for an OAuth device flow token.
The method waits for the specified interval between attempts. This method is synchronous (blocking).
Raises:
| Type | Description |
|---|---|
OAuth2Error
|
Device Access Token Request was unsuccessful. |
Source code in tenduke_core/auth/device_flow_client.py
168 169 170 171 172 173 174 175 176 177 | |
poll_for_token_async()
async
¶
Poll for an OAuth device flow token.
The method waits for the specified interval between attempts. This method is asynchronous (non-blocking).
Raises:
| Type | Description |
|---|---|
OAuth2Error
|
Device Access Token Request was unsuccessful. |
Source code in tenduke_core/auth/device_flow_client.py
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 | |
IdTokenAuth
¶
Bases: AuthBase
ID Token Auth hook - used with Open ID Connect in public applications.
Source code in tenduke_core/auth/auth_provider.py
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 | |
__call__(r)
¶
Mutate outgoing request (adding authorization header).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
r
|
PreparedRequest
|
Outgoing request. |
required |
Source code in tenduke_core/auth/auth_provider.py
65 66 67 68 69 70 71 72 | |
__eq__(other)
¶
Return True if instances are equal; otherwise False.
Equality is tested by retrieving the id_token for each instance and comparing them.
Source code in tenduke_core/auth/auth_provider.py
74 75 76 77 78 79 | |
__init__(id_token_callable)
¶
Construct an IdTokenAuth provider (hook).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
id_token_callable
|
Callable[[], str]
|
A callable that returns the latest id_token. |
required |
Source code in tenduke_core/auth/auth_provider.py
55 56 57 58 59 60 61 62 63 | |
__ne__(other)
¶
Return True if instances are not equal; otherwise False.
Equality is tested by retrieving the id_token for each instance and comparing them.
Source code in tenduke_core/auth/auth_provider.py
81 82 83 84 85 86 | |
OAuthClient
¶
OAuth / Open ID Connect client.
Source code in tenduke_core/auth/oauth_client.py
83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 | |
id_token
property
¶
The current identity token (if any).
token
property
writable
¶
The current token response.
__init__(config, session_factory)
¶
Construct an instance of the OAuth Client.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
config
|
TendukeConfig
|
Configuration parameters for interacting with the OAuth / Open ID Authorization Server. |
required |
session_factory
|
SessionFactory
|
Used to create requests Session configured with the settings from config and with the configured User-Agent header value. |
required |
Source code in tenduke_core/auth/oauth_client.py
86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 | |
auth()
¶
Get an authorization implementation based on the current identity.
Returns:
| Type | Description |
|---|---|
IdTokenAuth
|
An authorization provider hook that sets the authorization header of HTTP requests |
IdTokenAuth
|
using the current id_token. |
Source code in tenduke_core/auth/oauth_client.py
152 153 154 155 156 157 158 159 160 161 162 | |
get_user_info()
¶
Retrieve the details of the user from the userinfo endpoint.
Returns:
| Type | Description |
|---|---|
UserInfo
|
The information for the authenticated user. |
Raises:
| Type | Description |
|---|---|
ValueError
|
User info URL missing from configuration. |
OAuth2Error
|
The user info request was unsuccessful. |
Source code in tenduke_core/auth/oauth_client.py
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 | |
PkceFlowClient
¶
Bases: OAuthClient
Client for Proof Key for Code Exchange (PKCE) flow.
Source code in tenduke_core/auth/pkce_flow_client.py
45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 | |
RedirectHandler
¶
Bases: BaseHTTPRequestHandler
Handler class for redirect with code.
Source code in tenduke_core/auth/pkce_flow_client.py
66 67 68 69 70 71 72 73 | |
do_GET()
¶
Handle OAuth redirect.
Source code in tenduke_core/auth/pkce_flow_client.py
69 70 71 72 73 | |
RedirectHttpServer
¶
Bases: HTTPServer
HTTP Server to handle redirect with code.
Source code in tenduke_core/auth/pkce_flow_client.py
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | |
__init__(*args, success_http=AUTH_SUCCESS_MESSAGE, **kwargs)
¶
Construct an instance of the HTTP Server.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
success_http
|
str | None
|
HTTP message to send once redirect request is received. |
AUTH_SUCCESS_MESSAGE
|
Source code in tenduke_core/auth/pkce_flow_client.py
51 52 53 54 55 56 57 58 59 60 61 62 63 64 | |
__init__(config, session_factory, *args, **kwargs)
¶
Construct an instance of the PkceFlowClient.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
config
|
TendukeConfig
|
Configuration parameters for interacting with the OAuth / Open ID Authorization Server. |
required |
session_factory
|
SessionFactory
|
Used to create requests Session configured with the settings from config and with the configured User-Agent header value. |
required |
Source code in tenduke_core/auth/pkce_flow_client.py
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | |
create_authorization_url(port=None)
¶
Generate and return authorization url.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
port
|
int | None
|
The port number to use in the redirect URI |
None
|
Returns:
| Type | Description |
|---|---|
str
|
URL for authorization request. |
Source code in tenduke_core/auth/pkce_flow_client.py
118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 | |
fetch_token(authorization_response, port=None)
¶
Fetch token based on authorization response.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
authorization_response
|
str | None
|
Redirect URL request with authorization code to exchange for token. |
required |
Returns:
| Type | Description |
|---|---|
TokenResponse
|
TokenResponse object for the authorization code in the authorization_reponse parameter. |
Source code in tenduke_core/auth/pkce_flow_client.py
143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 | |
login_with_default_browser()
¶
Launch system default browser for user to log in.
Returns:
| Type | Description |
|---|---|
TokenResponse
|
TokenResponse object with token for the authenticated user. |
Raises:
| Type | Description |
|---|---|
OAuth2Error
|
Authentication failed. |
Source code in tenduke_core/auth/pkce_flow_client.py
174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 | |
TokenResponse
dataclass
¶
Bases: Model
Token response data model.
https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2
Attributes:
| Name | Type | Description |
|---|---|---|
access_token |
str
|
The access token issued by the authorization server. |
token_type |
str
|
The type of the token issued. |
expires_in |
int
|
The lifetime in seconds of the access token. |
expires_at |
datetime
|
The datetime when the token will expire Derived from expires_in and the current system time when the token was received. |
refresh_token |
str | None
|
The refresh token, which can be used to obtain new access tokens. |
id_token |
str | None
|
ID Token value associated with the authenticated session. |
Source code in tenduke_core/auth/token_response.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | |
__post_init__()
¶
Initialize expires_at based on expires_in and current time.
Source code in tenduke_core/auth/token_response.py
39 40 41 | |
UserInfo
dataclass
¶
Bases: Model
User info response data model.
Attributes:
| Name | Type | Description |
|---|---|---|
sub |
str
|
Subject identitfier. A locally unique and never reassigned identifier within the issuer for the End-User. |
name |
str | None
|
End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. |
given_name |
str | None
|
Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. |
family_name |
str | None
|
Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. |
email |
str | None
|
End-User's preferred e-mail address. |
formatted_name |
str | None
|
Combination of names for display purposes. Shall contain a value if any identifier is populated. |
Source code in tenduke_core/auth/user_info.py
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | |
__post_init__()
¶
Initialize formatted name based on other values.
Source code in tenduke_core/auth/user_info.py
40 41 42 43 44 45 | |