user.auth.provider ================== .. py:module:: user.auth.provider Attributes ---------- .. autoapisummary:: user.auth.provider.AUTHENTICATION_PROVIDERS Classes ------- .. autoapisummary:: user.auth.provider.HasName user.auth.provider.Conclusion user.auth.provider.Success user.auth.provider.Failure user.auth.provider.InvalidJWT user.auth.provider.ProviderMetadata user.auth.provider.AuthenticationProvider user.auth.provider.SeparateAuthenticationProvider user.auth.provider.IntegratedAuthenticationProvider user.auth.provider.RolesMapping user.auth.provider.LDAPAttributes user.auth.provider.LDAPProvider user.auth.provider.LDAPKerberosProvider user.auth.provider.OauthProvider user.auth.provider.AzureADProvider user.auth.provider.SAML2Provider user.auth.provider.OIDCProvider Functions --------- .. autoapisummary:: user.auth.provider.spawn_ldap_client user.auth.provider.ensure_user Module Contents --------------- .. py:class:: HasName Bases: :py:obj:`Protocol` Base class for protocol classes. Protocol classes are defined as:: class Proto(Protocol): def meth(self) -> int: ... Such classes are primarily used with static type checkers that recognize structural subtyping (static duck-typing). For example:: class C: def meth(self) -> int: return 0 def func(x: Proto) -> int: return x.meth() func(C()) # Passes static type check See PEP 544 for details. Protocol classes decorated with @typing.runtime_checkable act as simple-minded runtime protocols that check only the presence of given attributes, ignoring their type signatures. Protocol classes can be generic, they are defined as:: class GenProto(Protocol[T]): def meth(self) -> T: ... .. py:property:: name :type: str .. py:data:: AUTHENTICATION_PROVIDERS .. py:class:: Conclusion A final answer of :meth:`AuthenticationProvider`. .. py:class:: Success Bases: :py:obj:`Conclusion` Indicates a sucessful authentication. .. py:attribute:: user :type: onegov.user.User .. py:attribute:: note :type: translationstring.TranslationString .. py:method:: __bool__() -> Literal[True] .. py:class:: Failure Bases: :py:obj:`Conclusion` Indicates a corrupt JWT .. py:attribute:: note :type: translationstring.TranslationString .. py:method:: __bool__() -> Literal[False] .. py:class:: InvalidJWT Bases: :py:obj:`Failure` Indicates a failed authentication. .. py:attribute:: note :type: translationstring.TranslationString .. py:method:: __bool__() -> Literal[False] .. py:class:: ProviderMetadata Holds provider-specific metadata. .. py:attribute:: name :type: str .. py:attribute:: title :type: str .. py:class:: AuthenticationProvider Base class and registry for third party authentication providers. .. py:attribute:: to :type: str | None .. py:attribute:: primary :type: bool .. py:attribute:: name :type: str .. py:attribute:: metadata :type: ClassVar[HasName] .. py:method:: __init_subclass__(metadata: HasName | None = None, **kwargs: Any) :classmethod: .. py:method:: configure(name: str, **kwargs: Any) -> Self | None :classmethod: :abstractmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: is_primary(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is intended to be the primary provider for this app. .. py:method:: available(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is available for the current app. Since there are tenant specific connections, we want to tcheck, if for the tenant of the app, there is an available client. .. py:class:: SeparateAuthenticationProvider Bases: :py:obj:`AuthenticationProvider` Base class for separate authentication providers. Seperate providers render a button which the user can click to do a completely separate request/response handling that eventually should lead to an authenticated user. .. py:attribute:: kind :type: ClassVar[Literal['separate']] :value: 'separate' .. py:method:: authenticate_request(request: onegov.core.request.CoreRequest) -> Success | Failure | webob.Response | None :abstractmethod: Authenticates the given request in one or many steps. Providers are expected to return one of the following values: * A conclusion (if the authentication was either successful or failed) * None (if the authentication failed) * A webob response (to perform handshakes) This function is called whenever the authentication is initiated by the user. If the provider returns a webob response, it is returned as is by the calling view. Therefore, `authenticate_request` must take care to return responses in a way that eventually end up fulfilling the authentication. At the very least, providers should ensure that all parameters of the original request are kept when asking external services to call back. .. py:method:: button_text(request: onegov.core.request.CoreRequest) -> str :abstractmethod: Returns the translatable button text for the given request. It is okay to return a static text, if the button remains the same for all requests. The translatable text is parsed as markdown, to add weight to the central element of the text. For example:: Login with **Windows** .. py:class:: IntegratedAuthenticationProvider Bases: :py:obj:`AuthenticationProvider` Base class for integrated authentication providers. Integrated providers use the username/password entered in the normal login form and perform authentication that way (with fallback to the default login mechanism). .. py:attribute:: kind :type: ClassVar[Literal['integrated']] :value: 'integrated' .. py:method:: hint(request: onegov.core.request.CoreRequest) -> str :abstractmethod: Returns the translatable hint shown above the login mask for the integrated provider. It is okay to return a static text, if the hint remains the same for all requests. The translatable text is parsed as markdown. .. py:method:: authenticate_user(request: onegov.core.request.CoreRequest, username: str, password: str) -> onegov.user.User | None :abstractmethod: Authenticates the given username/password in a single step. The function is expected to return an existing user record or None. .. py:function:: spawn_ldap_client(ldap_url: str | None = None, ldap_username: str | None = None, ldap_password: str | None = None, **cfg: Any) -> onegov.user.auth.clients.LDAPClient Takes an LDAP configuration as found in the YAML and spawns an LDAP client that is connected. If the connection fails, an exception is raised. .. py:function:: ensure_user(source: str | None, source_id: str | None, session: sqlalchemy.orm.Session, username: str, role: str, force_role: bool = True, realname: str | None = None, force_active: bool = False) -> onegov.user.User Creates the given user if it doesn't already exist. Ensures the role is set to the given role in all cases. .. py:class:: RolesMapping Takes a role mapping and provides access to it. A role mapping maps a onegov-cloud role to an LDAP role. For example: admins -> ACC_OneGovCloud_User The mapping comes in multiple levels. For example: * "__default__" Fallback for all applications * "onegov_org" Namespace specific config * "onegov_org/govikon" Application specific config Each level contains a group name for admins, editors and members. See onegov.yml.example for an illustrated example. .. py:attribute:: roles :type: dict[str, dict[str, str]] .. py:method:: app_specific(app: HasApplicationIdAndNamespace) -> dict[str, str] | None .. py:method:: match(roles: collections.abc.Mapping[str, str], groups: collections.abc.Collection[str]) -> str | None Takes a role mapping (the fallback, namespace, or app specific one) and matches it against the given LDAP groups. Returns the matched group or None. .. py:class:: LDAPAttributes Holds the LDAP server-specific attributes. .. py:attribute:: name :type: str .. py:attribute:: mails :type: str .. py:attribute:: groups :type: str .. py:attribute:: password :type: str .. py:attribute:: uid :type: str .. py:method:: from_cfg(cfg: dict[str, Any]) -> Self :classmethod: .. py:class:: LDAPProvider Bases: :py:obj:`IntegratedAuthenticationProvider` Generic LDAP Provider that includes authentication via LDAP. .. py:attribute:: ldap :type: onegov.user.auth.clients.LDAPClient .. py:attribute:: auth_method :type: str .. py:attribute:: attributes :type: LDAPAttributes .. py:attribute:: roles :type: RolesMapping .. py:attribute:: custom_hint :type: str :value: '' .. py:method:: configure(name: str, **cfg: Any) -> Self | None :classmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: hint(request: onegov.core.request.CoreRequest) -> str Returns the translatable hint shown above the login mask for the integrated provider. It is okay to return a static text, if the hint remains the same for all requests. The translatable text is parsed as markdown. .. py:method:: authenticate_user(request: onegov.core.request.CoreRequest, username: str, password: str) -> onegov.user.User | None Authenticates the given username/password in a single step. The function is expected to return an existing user record or None. .. py:method:: authenticate_using_compare(request: onegov.core.request.CoreRequest, username: str, password: str) -> onegov.user.User | None .. py:class:: LDAPKerberosProvider Bases: :py:obj:`SeparateAuthenticationProvider` Combines LDAP with Kerberos. LDAP handles authorisation, Kerberos handles authentication. .. py:attribute:: ldap :type: onegov.user.auth.clients.LDAPClient .. py:attribute:: kerberos :type: onegov.user.auth.clients.KerberosClient .. py:attribute:: attributes :type: LDAPAttributes .. py:attribute:: roles :type: RolesMapping .. py:attribute:: suffix :type: str | None :value: None .. py:method:: configure(name: str, **cfg: Any) -> Self | None :classmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: button_text(request: onegov.core.request.CoreRequest) -> str Returns the request tailored to each OS (users won't understand LDAP/Kerberos, but for them it's basically their local OS login). .. py:method:: authenticate_request(request: onegov.core.request.CoreRequest) -> webob.Response | Success | Failure Authenticates the given request in one or many steps. Providers are expected to return one of the following values: * A conclusion (if the authentication was either successful or failed) * None (if the authentication failed) * A webob response (to perform handshakes) This function is called whenever the authentication is initiated by the user. If the provider returns a webob response, it is returned as is by the calling view. Therefore, `authenticate_request` must take care to return responses in a way that eventually end up fulfilling the authentication. At the very least, providers should ensure that all parameters of the original request are kept when asking external services to call back. .. py:method:: request_authorization(request: onegov.core.request.CoreRequest, username: str) -> onegov.user.User | None .. py:class:: OauthProvider Bases: :py:obj:`SeparateAuthenticationProvider` General Prototype class for an Oath Provider with typical OAuth flow. .. py:method:: do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) -> webob.Response | None :abstractmethod: May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider. If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session. .. py:method:: request_authorisation(request: onegov.core.request.CoreRequest) -> Success | Failure | webob.Response :abstractmethod: Takes the request from the redirect_uri view sent from the users browser. The redirect view expects either: * a Conclusion, either Success or Failure * a webob response, e.g. to redirect to the logout page The redirect view, where this function is used, will eventually fulfill the login process whereas :func:`self.authenticate_request` is purely to redirect the user to the auth provider. .. py:method:: logout_redirect_uri(request: onegov.core.request.CoreRequest) -> str This url usually has to be registered with the OAuth Provider. Should not contain any query parameters. .. py:method:: redirect_uri(request: onegov.core.request.CoreRequest) -> str Returns the redirect uri in a consistent manner without query parameters. .. py:class:: AzureADProvider Bases: :py:obj:`OauthProvider` Authenticates and authorizes a user in AzureAD for a specific AzureAD tenant_id and client_id in an OpenID Connect flow. For this to work, we need - Client ID - Client Secret - Tenant ID We have to give the AzureAD manager following Urls, that should not change: - Redirect uri (https:///auth_providers/msal/redirect) - Logout Redirect uri (https:///auth/logout) Additionally, weh AzureAD Manager should set additional token claims for the authorisation to work: - `email` claim - `groups` claim for role mapping - optional: `family_name` and `given_name` for User.realname The claims `preferred_username` or `upn` could also be used for User.realname. .. py:attribute:: tenants :type: onegov.user.auth.clients.msal.MSALConnections .. py:attribute:: roles :type: RolesMapping .. py:attribute:: custom_hint :type: str :value: '' .. py:method:: configure(name: str, **cfg: Any) -> Self | None :classmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: button_text(request: onegov.core.request.CoreRequest) -> str Returns the translatable button text for the given request. It is okay to return a static text, if the button remains the same for all requests. The translatable text is parsed as markdown, to add weight to the central element of the text. For example:: Login with **Windows** .. py:method:: do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) -> None May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider. If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session. .. py:method:: logout_url(request: onegov.core.request.CoreRequest) -> str .. py:method:: authenticate_request(request: onegov.core.request.CoreRequest) -> webob.Response | Failure Returns a redirect response or a Conclusion Parameters of the original request are kept for when external services call back. .. py:method:: validate_id_token(request: onegov.core.request.CoreRequest, token: dict[str, Any]) -> Failure | Literal[True] Makes sure the id token is validated correctly according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation .. py:method:: request_authorisation(request: onegov.core.request.CoreRequest) -> Success | Failure If "Stay Logged In" on the Microsoft Login page is chosen, AzureAD behaves like an auto-login provider, redirecting the user back immediately to the redirect view without prompting a password or even showing any Microsoft page. Microsoft set their own cookies to make this possible. Return a webob Response or a Conclusion. .. py:method:: is_primary(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is intended to be the primary provider for this app. .. py:method:: available(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is available for the current app. Since there are tenant specific connections, we want to tcheck, if for the tenant of the app, there is an available client. .. py:class:: SAML2Provider Bases: :py:obj:`OauthProvider` Authenticates and authorizes a user on SAML2 IDP .. py:attribute:: tenants :type: onegov.user.auth.clients.saml2.SAML2Connections .. py:attribute:: roles :type: RolesMapping .. py:attribute:: custom_hint :type: str :value: '' .. py:method:: configure(name: str, **cfg: Any) -> Self | None :classmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: button_text(request: onegov.core.request.CoreRequest) -> str Returns the translatable button text for the given request. It is okay to return a static text, if the button remains the same for all requests. The translatable text is parsed as markdown, to add weight to the central element of the text. For example:: Login with **Windows** .. py:method:: do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) -> webob.Response | None May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider. If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session. .. py:method:: authenticate_request(request: onegov.core.request.CoreRequest) -> webob.Response | Failure Returns a redirect response or a Conclusion Parameters of the original request are kept for when external services call back. .. py:method:: request_authorisation(request: onegov.core.request.CoreRequest) -> Success | Failure Returns a webob Response or a Conclusion. .. py:method:: is_primary(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is intended to be the primary provider for this app. .. py:method:: available(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is available for the current app. Since there are tenant specific connections, we want to tcheck, if for the tenant of the app, there is an available client. .. py:class:: OIDCProvider Bases: :py:obj:`OauthProvider` Authenticates and authorizes a user on SAML2 IDP .. py:attribute:: tenants :type: onegov.user.auth.clients.oidc.OIDCConnections .. py:attribute:: roles :type: RolesMapping .. py:attribute:: custom_hint :type: str :value: '' .. py:method:: configure(name: str, **cfg: Any) -> Self | None :classmethod: This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values. The return value is either a provider instance, or none if the provider is not available. .. py:method:: button_text(request: onegov.core.request.CoreRequest) -> str Returns the translatable button text for the given request. It is okay to return a static text, if the button remains the same for all requests. The translatable text is parsed as markdown, to add weight to the central element of the text. For example:: Login with **Windows** .. py:method:: do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) -> webob.Response | None May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider. If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session. .. py:method:: authenticate_request(request: onegov.core.request.CoreRequest) -> webob.Response | Failure Returns a redirect response or a Conclusion Parameters of the original request are kept for when external services call back. .. py:method:: request_authorisation(request: onegov.core.request.CoreRequest) -> Success | Failure Returns a webob Response or a Conclusion. .. py:method:: is_primary(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is intended to be the primary provider for this app. .. py:method:: available(app: onegov.user.UserApp) -> bool Returns whether the authentication provider is available for the current app. Since there are tenant specific connections, we want to tcheck, if for the tenant of the app, there is an available client.