user.auth.provider
Attributes
Classes
Base class for protocol classes. |
|
A final answer of |
|
Indicates a sucessful authentication. |
|
Indicates a corrupt JWT |
|
Indicates a failed authentication. |
|
Holds provider-specific metadata. |
|
Base class and registry for third party authentication providers. |
|
Base class for separate authentication providers. |
|
Base class for integrated authentication providers. |
|
Takes a role mapping and provides access to it. |
|
Holds the LDAP server-specific attributes. |
|
Generic LDAP Provider that includes authentication via LDAP. |
|
Combines LDAP with Kerberos. LDAP handles authorisation, Kerberos |
|
General Prototype class for an Oath Provider with typical OAuth flow. |
|
Authenticates and authorizes a user in AzureAD for a specific AzureAD |
|
Authenticates and authorizes a user on SAML2 IDP |
Functions
|
Takes an LDAP configuration as found in the YAML and spawns an LDAP |
|
Creates the given user if it doesn't already exist. Ensures the |
Module Contents
- class user.auth.provider.HasName[source]
Bases:
Protocol
Base class for protocol classes.
Protocol classes are defined as:
class Proto(Protocol): def meth(self) -> int: ...
Such classes are primarily used with static type checkers that recognize structural subtyping (static duck-typing).
For example:
class C: def meth(self) -> int: return 0 def func(x: Proto) -> int: return x.meth() func(C()) # Passes static type check
See PEP 544 for details. Protocol classes decorated with @typing.runtime_checkable act as simple-minded runtime protocols that check only the presence of given attributes, ignoring their type signatures. Protocol classes can be generic, they are defined as:
class GenProto(Protocol[T]): def meth(self) -> T: ...
- class user.auth.provider.Conclusion[source]
A final answer of
AuthenticationProvider()
.
- class user.auth.provider.Success[source]
Bases:
Conclusion
Indicates a sucessful authentication.
- class user.auth.provider.Failure[source]
Bases:
Conclusion
Indicates a corrupt JWT
- class user.auth.provider.AuthenticationProvider[source]
Base class and registry for third party authentication providers.
- classmethod configure(name: str, **kwargs: Any) Self | None [source]
- Abstractmethod:
This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values.
The return value is either a provider instance, or none if the provider is not available.
- class user.auth.provider.SeparateAuthenticationProvider[source]
Bases:
AuthenticationProvider
Base class for separate authentication providers.
Seperate providers render a button which the user can click to do a completely separate request/response handling that eventually should lead to an authenticated user.
- abstract authenticate_request(request: onegov.core.request.CoreRequest) Success | Failure | webob.Response | None [source]
Authenticates the given request in one or many steps.
Providers are expected to return one of the following values:
A conclusion (if the authentication was either successful or failed)
None (if the authentication failed)
A webob response (to perform handshakes)
This function is called whenever the authentication is initiated by the user. If the provider returns a webob response, it is returned as is by the calling view.
Therefore, authenticate_request must take care to return responses in a way that eventually end up fulfilling the authentication. At the very least, providers should ensure that all parameters of the original request are kept when asking external services to call back.
- abstract button_text(request: onegov.core.request.CoreRequest) str [source]
Returns the translatable button text for the given request.
It is okay to return a static text, if the button remains the same for all requests.
The translatable text is parsed as markdown, to add weight to the central element of the text. For example:
Login with **Windows**
- class user.auth.provider.IntegratedAuthenticationProvider[source]
Bases:
AuthenticationProvider
Base class for integrated authentication providers.
Integrated providers use the username/password entered in the normal login form and perform authentication that way (with fallback to the default login mechanism).
- user.auth.provider.spawn_ldap_client(ldap_url: str | None = None, ldap_username: str | None = None, ldap_password: str | None = None, **cfg: Any) onegov.user.auth.clients.LDAPClient [source]
Takes an LDAP configuration as found in the YAML and spawns an LDAP client that is connected. If the connection fails, an exception is raised.
- user.auth.provider.ensure_user(source: str | None, source_id: str | None, session: sqlalchemy.orm.Session, username: str, role: str, force_role: bool = True, realname: str | None = None, force_active: bool = False) onegov.user.User [source]
Creates the given user if it doesn’t already exist. Ensures the role is set to the given role in all cases.
- class user.auth.provider.RolesMapping[source]
Takes a role mapping and provides access to it.
A role mapping maps a onegov-cloud role to an LDAP role. For example:
admins -> ACC_OneGovCloud_User
The mapping comes in multiple levels. For example:
“__default__” Fallback for all applications
“onegov_org” Namespace specific config
“onegov_org/govikon” Application specific config
Each level contains a group name for admins, editors and members. See onegov.yml.example for an illustrated example.
- class user.auth.provider.LDAPProvider[source]
Bases:
IntegratedAuthenticationProvider
Generic LDAP Provider that includes authentication via LDAP.
- attributes: LDAPAttributes[source]
- roles: RolesMapping[source]
- classmethod configure(name: str, **cfg: Any) Self | None [source]
This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values.
The return value is either a provider instance, or none if the provider is not available.
- hint(request: onegov.core.request.CoreRequest) str [source]
Returns the translatable hint shown above the login mask for the integrated provider.
It is okay to return a static text, if the hint remains the same for all requests.
The translatable text is parsed as markdown.
- class user.auth.provider.LDAPKerberosProvider[source]
Bases:
SeparateAuthenticationProvider
Combines LDAP with Kerberos. LDAP handles authorisation, Kerberos handles authentication.
- attributes: LDAPAttributes[source]
- roles: RolesMapping[source]
- classmethod configure(name: str, **cfg: Any) Self | None [source]
This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values.
The return value is either a provider instance, or none if the provider is not available.
- button_text(request: onegov.core.request.CoreRequest) str [source]
Returns the request tailored to each OS (users won’t understand LDAP/Kerberos, but for them it’s basically their local OS login).
- authenticate_request(request: onegov.core.request.CoreRequest) webob.Response | Success | Failure [source]
Authenticates the given request in one or many steps.
Providers are expected to return one of the following values:
A conclusion (if the authentication was either successful or failed)
None (if the authentication failed)
A webob response (to perform handshakes)
This function is called whenever the authentication is initiated by the user. If the provider returns a webob response, it is returned as is by the calling view.
Therefore, authenticate_request must take care to return responses in a way that eventually end up fulfilling the authentication. At the very least, providers should ensure that all parameters of the original request are kept when asking external services to call back.
- class user.auth.provider.OauthProvider[source]
Bases:
SeparateAuthenticationProvider
General Prototype class for an Oath Provider with typical OAuth flow.
- abstract do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) webob.Response | None [source]
May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider.
If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session.
- abstract request_authorisation(request: onegov.core.request.CoreRequest) Success | Failure | webob.Response [source]
Takes the request from the redirect_uri view sent from the users browser. The redirect view expects either: * a Conclusion, either Success or Failure * a webob response, e.g. to redirect to the logout page
The redirect view, where this function is used, will eventually fulfill the login process whereas
self.authenticate_request()
is purely to redirect the user to the auth provider.
- class user.auth.provider.AzureADProvider[source]
Bases:
OauthProvider
Authenticates and authorizes a user in AzureAD for a specific AzureAD tenant_id and client_id in an OpenID Connect flow.
For this to work, we need
Client ID
Client Secret
Tenant ID
We have to give the AzureAD manager following Urls, that should not change:
Additionally, weh AzureAD Manager should set additional token claims for the authorisation to work:
email claim
groups claim for role mapping
optional: family_name and given_name for User.realname
The claims preferred_username or upn could also be used for User.realname.
- roles: RolesMapping[source]
- classmethod configure(name: str, **cfg: Any) Self | None [source]
This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values.
The return value is either a provider instance, or none if the provider is not available.
- button_text(request: onegov.core.request.CoreRequest) str [source]
Returns the translatable button text for the given request.
It is okay to return a static text, if the button remains the same for all requests.
The translatable text is parsed as markdown, to add weight to the central element of the text. For example:
Login with **Windows**
- do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) None [source]
May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider.
If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session.
- authenticate_request(request: onegov.core.request.CoreRequest) webob.Response | Failure [source]
Returns a redirect response or a Conclusion
Parameters of the original request are kept for when external services call back.
- validate_id_token(request: onegov.core.request.CoreRequest, token: dict[str, Any]) Failure | Literal[True] [source]
Makes sure the id token is validated correctly according to https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
- request_authorisation(request: onegov.core.request.CoreRequest) Success | Failure [source]
If “Stay Logged In” on the Microsoft Login page is chosen, AzureAD behaves like an auto-login provider, redirecting the user back immediately to the redirect view without prompting a password or even showing any Microsoft page. Microsoft set their own cookies to make this possible.
Return a webob Response or a Conclusion.
- class user.auth.provider.SAML2Provider[source]
Bases:
OauthProvider
Authenticates and authorizes a user on SAML2 IDP
- roles: RolesMapping[source]
- classmethod configure(name: str, **cfg: Any) Self | None [source]
This function gets called with the per-provider configuration defined in onegov.yml. Authentication providers may optionally access these values.
The return value is either a provider instance, or none if the provider is not available.
- button_text(request: onegov.core.request.CoreRequest) str [source]
Returns the translatable button text for the given request.
It is okay to return a static text, if the button remains the same for all requests.
The translatable text is parsed as markdown, to add weight to the central element of the text. For example:
Login with **Windows**
- do_logout(request: onegov.core.request.CoreRequest, user: onegov.user.User, to: str) webob.Response | None [source]
May return a webob response that gets used instead of the default logout response, to perform e.g. a redirect to the external provider.
If no special response is necessary because the external logout is skipped/unecessary or performed through a back-channel, this will just return None and fall through to the default logout response which will terminate the local user session.
- authenticate_request(request: onegov.core.request.CoreRequest) webob.Response | Failure [source]
Returns a redirect response or a Conclusion
Parameters of the original request are kept for when external services call back.
- request_authorisation(request: onegov.core.request.CoreRequest) Success | Failure [source]
Returns a webob Response or a Conclusion.