IAMIdProvider

IdProvider based on OAuth2 protocol

class DIRAC.Resources.IdProvider.IAMIdProvider.IAMIdProvider(**kwargs)

Bases: OAuth2IdProvider

DEFAULT_METADATA = {}
EXTRA_AUTHORIZE_PARAMS = ('response_mode', 'nonce', 'prompt', 'login_hint')
JWKS_REFRESH_RATE = 86400
METADATA_REFRESH_RATE = 86400
SESSION_REQUEST_PARAMS = ('allow_redirects', 'timeout', 'cookies', 'files', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json')
__init__(**kwargs)

Initialization

auth

Default Authentication tuple or object to attach to Request.

cert

SSL client certificate default: if a string, the path to an SSL client cert file (.pem); if a tuple, a ('cert', 'key') pair.

client_auth(auth_method)
client_auth_class

alias of OAuth2ClientAuth

close()

Closes all adapters and as such the session

cookies

A CookieJar containing all currently outstanding cookies set on this session. By default it is a RequestsCookieJar, but may be any other cookielib.CookieJar compatible object.

create_authorization_url(url, state=None, code_verifier=None, **kwargs)

Generate an authorization URL and state.

Parameters:
  • url – Authorization endpoint url, must be HTTPS.

  • state – An optional state string for CSRF protection. If not given it will be generated for you.

  • code_verifier – An optional code_verifier for code challenge.

  • kwargs – Extra parameters to include.

Returns:

authorization_url, state

delete(url, **kwargs)

Sends a DELETE request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

deviceAuthorization(group=None)

Authorization through DeviceCode flow

ensure_active_token(token)
exchangeToken(accessToken, group=None, scope=None)

Get new tokens for group scope

Parameters:
  • accessToken (str) – access token

  • group (str) – requested group

  • scope (list) – requested scope

Returns:

dict – token

exchange_token(url, subject_token=None, subject_token_type=None, body='', auth=None, headers=None, **kwargs)

Exchange a new access token

Parameters:
  • url – Exchange Token endpoint, must be HTTPS.

  • subject_token (str) – subject_token

  • subject_token_type (str) – token type https://tools.ietf.org/html/rfc8693#section-3

  • body – Optional application/x-www-form-urlencoded body to include in the token request. Prefer kwargs over body.

  • refresh_token (str) – refresh token

  • access_token (str) – access token

  • auth – An auth tuple or method as accepted by requests.

  • headers – Dict to default request headers with.

Returns:

An OAuth2Token object (which is also a dict).

fetchJWKs(**kwargs)

Fetch JWKs

fetchToken(**kwargs)

Fetch token

Returns:

dict

fetch_access_token(url=None, **kwargs)

Alias for fetch_token.

fetch_metadata(**kwargs)

Fetch metadata

fetch_token(url=None, body='', method='POST', headers=None, auth=None, grant_type=None, state=None, **kwargs)

Generic method for fetching an access token from the token endpoint.

Parameters:
  • url – Access Token endpoint URL; if not given, the token is extracted from the fragment of authorization_response (implicit flow).

  • body – Optional application/x-www-form-urlencoded body to include in the token request. Prefer kwargs over body.

  • method – The HTTP method used to make the request. Defaults to POST, but may also be GET. Other methods should be added as needed.

  • headers – Dict to default request headers with.

  • auth – An auth tuple or method as accepted by requests.

  • grant_type – Use specified grant_type to fetch token

Returns:

An OAuth2Token object (which is also a dict).

get(url, **kwargs)

Sends a GET request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

getGroupScopes(group)

Get group scopes

Parameters:

group (str) – DIRAC group

Returns:

list

getJWKs()

Get JWKs

getScopeGroups(scope: str) → list[str]

Get DIRAC groups related to scope

getUserGroups(accessToken)

Get user groups

Parameters:
  • payload (str) – token payload

  • token (str) – access token

Returns:

S_OK(dict)/S_ERROR()

getUserProfile(accessToken)

Get user profile

Parameters:

accessToken (str) –

Returns:

S_OK()/S_ERROR()

get_adapter(url)

Returns the appropriate connection adapter for the given URL.

Return type:

requests.adapters.BaseAdapter

get_metadata(option=None)

Get metadata

Parameters:

option (str) – option

Returns:

option value

get_redirect_target(resp)

Receives a Response. Returns a redirect URI or None

head(url, **kwargs)

Sends a HEAD request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

headers

A case-insensitive dictionary of headers to be sent on each Request sent from this Session.

hooks

Event-handling hooks.

introspect_token(url, token=None, token_type_hint=None, body=None, auth=None, headers=None, **kwargs)

Implementation of OAuth 2.0 Token Introspection defined via RFC7662.

Parameters:
  • url – Introspection Endpoint, must be HTTPS.

  • token – The token to be introspected.

  • token_type_hint – The type of the token to be introspected. It can be “access_token” or “refresh_token”.

  • body – Optional application/x-www-form-urlencoded body to include in the introspection request. Prefer kwargs over body.

  • auth – An auth tuple or method as accepted by requests.

  • headers – Dict to default request headers with.

Returns:

Introspection Response

max_redirects

Maximum number of redirects allowed. If the request exceeds this limit, a TooManyRedirects exception is raised. This defaults to requests.models.DEFAULT_REDIRECT_LIMIT, which is 30.

merge_environment_settings(url, proxies, stream, verify, cert)

Check the environment and merge it with some settings.

Return type:

dict

mount(prefix, adapter)

Registers a connection adapter to a prefix.

Adapters are sorted in descending order by prefix length.

oauth_error_class

alias of OAuthError

options(url, **kwargs)

Sends an OPTIONS request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

params

Dictionary of querystring data to attach to each Request. The dictionary values may be lists for representing multivalued query parameters.

parseAuthResponse(response, session=None)

Make user info dict:

Parameters:
  • response (dict) – response on request to get user profile

  • session (object) – session

Returns:

S_OK((dict, dict))/S_ERROR()

parse_response_token(resp)
patch(url, data=None, **kwargs)

Sends a PATCH request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

post(url, data=None, json=None, **kwargs)

Sends a POST request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

  • json – (optional) json to send in the body of the Request.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

prepare_request(request)

Constructs a PreparedRequest for transmission and returns it. The PreparedRequest has settings merged from the Request instance and those of the Session.

Parameters:

request – Request instance to prepare with this session’s settings.

Return type:

requests.PreparedRequest

proxies

Dictionary mapping protocol or protocol and host to the URL of the proxy (e.g. {‘http’: ‘foo.bar:3128’, ‘http://host.name’: ‘foo.bar:4012’}) to be used on each Request.

put(url, data=None, **kwargs)

Sends a PUT request. Returns Response object.

Parameters:
  • url – URL for the new Request object.

  • data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

  • **kwargs – Optional arguments that request takes.

Return type:

requests.Response

rebuild_auth(prepared_request, response)

When being redirected we may want to strip authentication from the request to avoid leaking credentials. This method intelligently removes and reapplies authentication where possible to avoid credential loss.

rebuild_method(prepared_request, response)

When being redirected we may want to change the method of the request based on certain specs or browser behavior.

rebuild_proxies(prepared_request, proxies)

This method re-evaluates the proxy configuration by considering the environment variables. If we are redirected to a URL covered by NO_PROXY, we strip the proxy configuration. Otherwise, we set missing proxy keys for this URL (in case they were stripped by a previous redirect).

This method also replaces the Proxy-Authorization header where necessary.

Return type:

dict

refreshToken(**kwargs)

Refresh token

Parameters:
  • token (str) – refresh_token

  • group (str) – DIRAC group

Returns:

dict

refresh_token(url, refresh_token=None, body='', auth=None, headers=None, **kwargs)

Fetch a new access token using a refresh token.

Parameters:
  • url – Refresh Token endpoint, must be HTTPS.

  • refresh_token – The refresh_token to use.

  • body – Optional application/x-www-form-urlencoded body to include in the token request. Prefer kwargs over body.

  • auth – An auth tuple or method as accepted by requests.

  • headers – Dict to default request headers with.

Returns:

An OAuth2Token object (which is also a dict).

register_client_auth_method(auth)

Extend client authenticate for token endpoint.

Parameters:

auth – an instance to sign the request

register_compliance_hook(hook_type, hook)

Register a hook for request/response tweaking.

Available hooks are:

  • access_token_response: invoked before token parsing.

  • refresh_token_request: invoked before refreshing token.

  • refresh_token_response: invoked before refresh token parsing.

  • protected_request: invoked before making a request.

  • revoke_token_request: invoked before revoking a token.

  • introspect_token_request: invoked before introspecting a token.

request(method, url, withhold_token=False, auth=None, **kwargs)

Send request with auto refresh token feature (if available).

researchGroup(payload=None, token=None)

Deprecated: Use getUserProfile instead

resolve_redirects(resp, req, stream=False, timeout=None, verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs)

Receives a Response. Returns a generator of Responses or Requests.

revokeToken(token=None, tokenTypeHint='refresh_token')

Revoke token

Parameters:
  • token (str) – access or refresh token

  • tokenTypeHint (str) – token type

Returns:

S_OK()/S_ERROR()

revoke_token(url, token=None, token_type_hint=None, body=None, auth=None, headers=None, **kwargs)

Revoke token method defined via RFC7009.

Parameters:
  • url – Revoke Token endpoint, must be HTTPS.

  • token – The token to be revoked.

  • token_type_hint – The type of the token to be revoked. It can be “access_token” or “refresh_token”.

  • body – Optional application/x-www-form-urlencoded body to include in the revocation request. Prefer kwargs over body.

  • auth – An auth tuple or method as accepted by requests.

  • headers – Dict to default request headers with.

Returns:

Revocation Response

send(request, **kwargs)

Send a given PreparedRequest.

Return type:

requests.Response

setParameters(parameters: dict)

Set parameters

Parameters:

parameters (dict) – parameters of the identity Provider

should_strip_auth(old_url, new_url)

Decide whether Authorization header should be removed when redirecting
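The rule behind this decision matters because a bearer token or basic credential sent to one host must not follow a redirect to another host, or to a downgraded scheme. The following is an added, stand-alone illustration of that policy (modelled on the rule the requests library applies; it is not DIRAC's or requests' own code): credentials are kept only when the host is unchanged and the scheme/port change is either a plain-http-to-https upgrade on default ports or a cosmetic explicit-vs-implied default port.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Return True when a redirect from old_url to new_url must drop the Authorization header."""
    old, new = urlparse(old_url), urlparse(new_url)
    # Any host change: the new host must never see our credentials.
    if old.hostname != new.hostname:
        return True
    # An http -> https upgrade on the default ports is the one tolerated transition.
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False
    changed_port = old.port != new.port
    changed_scheme = old.scheme != new.scheme
    default_port = (DEFAULT_PORTS.get(old.scheme), None)
    # ":443" written out versus implied is not a real change for the same scheme.
    if not changed_scheme and old.port in default_port and new.port in default_port:
        return False
    # Otherwise a scheme downgrade (https -> http) or a port change strips credentials.
    return changed_port or changed_scheme


def headers_for_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Copy of the outgoing headers with Authorization removed when the redirect requires it."""
    out = dict(headers)
    if should_strip_auth(old_url, new_url):
        out.pop("Authorization", None)
    return out


if __name__ == "__main__":
    # Constructed URLs: an IAM token endpoint redirecting to a plain-http mirror.
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    print(headers_for_redirect(hdrs, "https://iam.example.org/token", "http://iam.example.org/token"))
```

Hostnames are compared case-insensitively by urlparse (it lowercases them), so `IAM.example.org` and `iam.example.org` count as the same host; a different port on the same host does strip, because a different listener on the same machine is a different trust boundary.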

stream

Stream response content default.

submitDeviceCodeAuthorizationFlow(group=None)

Submit authorization flow

Returns:

S_OK(dict)/S_ERROR() – dictionary with device code flow response

submitNewSession(pkce=True)

Submit new authorization session

Parameters:

pkce (bool) – use PKCE

Returns:

S_OK(str)/S_ERROR()

property token
token_auth_class

alias of OAuth2Auth

token_from_fragment(authorization_response, state=None)
trust_env

Trust environment settings for proxy configuration, default authentication and similar.

verify

SSL Verification default. Defaults to True, requiring requests to verify the TLS certificate at the remote end. If verify is set to False, requests will accept any TLS certificate presented by the server, and will ignore hostname mismatches and/or expired certificates, which will make your application vulnerable to man-in-the-middle (MitM) attacks. Only set this to False for testing.

verifyToken(accessToken)

Verify access token

Parameters:
  • accessToken (str) – access token

  • jwks (dict) – JWKs

Returns:

dict
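The checks a verifier has to make before trusting an access token (pinned algorithm, key selected by kid from the JWKS, signature compared in constant time, then exp/nbf/iss/aud) are easier to see in code. The block below is an added example, not DIRAC's verifyToken nor any library's code: to stay standard-library-only it uses a constructed JWKS holding a symmetric "oct" key and HS256, whereas a real IAM publishes RSA/EC keys at its jwks_uri and you would delegate to a JOSE library. The issuer, audience and key material are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS (RFC 7517 layout) with one symmetric key so the example runs offline.
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "oct",
            "kid": "constructed-kid-1",
            "alg": "HS256",
            "k": b64url_encode(b"constructed-demo-secret-not-for-production"),
        }
    ]
}
ISSUER = "https://iam.example.org/"  # assumed issuer URL
AUDIENCE = "dirac-client"            # assumed client id


def _key_for(jwks: dict, kid):
    """Select the raw key bytes for a kid; only 'oct' keys are understood here."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "oct":
            return b64url_decode(jwk["k"])
    return None


def sign_token(claims: dict, jwks: dict, kid: str) -> str:
    """Mint an HS256 JWT (test helper so the verifier has something to check)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(_key_for(jwks, kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, jwks: dict, issuer=ISSUER, audience=AUDIENCE, now=None) -> dict:
    """Return the claims when every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Never let the header choose the algorithm: pin to the one we implement.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = _key_for(jwks, header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Only after the signature holds do the claims mean anything.
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = sign_token({"sub": "alice", "iss": ISSUER, "aud": AUDIENCE, "exp": t0 + 600},
                     SAMPLE_JWKS, "constructed-kid-1")
    print(verify_token(tok, SAMPLE_JWKS, now=t0))
```

The order is deliberate: kid lookup and signature come before any claim is read, a missing exp is treated as invalid rather than as "never expires", and the algorithm is fixed by the verifier rather than read from the token.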

waitFinalStatusOfDeviceCodeAuthorizationFlow(deviceCode, interval=5, timeout=300)

Start a waiting loop that monitors the status of the current authorization session.

Parameters:
  • deviceCode (str) – received device code

  • interval (int) – waiting interval

  • timeout (int) – max time of waiting

Returns:

S_OK(dict)/S_ERROR() – dictionary containing the access/refresh token and some metadata
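The waiting loop for the device code flow (submitDeviceCodeAuthorizationFlow followed by waitFinalStatusOfDeviceCodeAuthorizationFlow) is the part that is easy to get wrong: the poller has to honour the server's interval, back off on `slow_down`, stop on a definitive error and give up at the timeout. The following is an added example, not DIRAC's implementation: a poller with the RFC 8628 error handling, taking the token-endpoint call, the clock and the sleep function as parameters so it can be exercised offline. The return shape mirrors DIRAC's S_OK/S_ERROR dictionaries; the scripted responses are constructed.

```python
import time

DEFINITIVE_ERRORS = ("access_denied", "expired_token")


def wait_device_flow(poll, device_code, interval=5, timeout=300,
                     sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint (RFC 8628 section 3.4/3.5) until a token or a final error.

    poll(device_code) must return the decoded JSON of the token endpoint response.
    """
    deadline = clock() + timeout
    while clock() < deadline:
        resp = poll(device_code)
        if "access_token" in resp:
            return {"OK": True, "Value": resp}
        err = resp.get("error")
        if err == "authorization_pending":
            pass  # user has not approved yet: wait one interval and retry
        elif err == "slow_down":
            interval += 5  # RFC 8628: increase the polling interval by 5 seconds
        elif err in DEFINITIVE_ERRORS:
            return {"OK": False, "Message": f"device flow ended: {err}"}
        else:
            return {"OK": False, "Message": f"unexpected token endpoint response: {resp}"}
        sleep(interval)
    return {"OK": False, "Message": "timeout waiting for user authorization"}


def run_scripted_flow(script, interval=5, timeout=300):
    """Drive wait_device_flow against scripted responses with a fake clock; returns (result, sleeps)."""
    sleeps = []
    state = {"t": 0.0}

    def clock():
        return state["t"]

    def sleep(seconds):
        sleeps.append(seconds)
        state["t"] += seconds

    responses = iter(script)

    def poll(device_code):
        # Once the script is exhausted the server keeps answering "pending".
        return next(responses, {"error": "authorization_pending"})

    result = wait_device_flow(poll, "constructed-device-code", interval, timeout,
                              sleep=sleep, clock=clock)
    return result, sleeps


if __name__ == "__main__":
    # Constructed exchange: pending, told to slow down, pending, then approved.
    script = [
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600},
    ]
    print(run_scripted_flow(script))
```

Separating the clock and sleep from the loop is what makes the back-off testable; in production the defaults (`time.monotonic`, `time.sleep`) are used and the `interval` argument should come from the device authorization response rather than a hard-coded 5.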