keystone.oauth1 package

Subpackages

• keystone.oauth1.backends package
  • Submodules
  • keystone.oauth1.backends.sql module
  • Module contents

Submodules

keystone.oauth1.controllers module

Extensions supporting OAuth1.

class keystone.oauth1.controllers.AccessTokenCrudV3(*args, **kwargs)

Bases: keystone.common.controller.V3Controller

collection_name = 'access_tokens'

delete_access_token(context, *args, **kwargs)

get_access_token(context, *args, **kwargs)

list_access_tokens(context, *args, **kwargs)

member_name = 'access_token'

class keystone.oauth1.controllers.AccessTokenRolesV3(*args, **kwargs)

Bases: keystone.common.controller.V3Controller

collection_name = 'roles'

get_access_token_role(context, *args, **kwargs)

list_access_token_roles(context, *args, **kwargs)

member_name = 'role'

class keystone.oauth1.controllers.ConsumerCrudV3(*args, **kwargs)

Bases: keystone.common.controller.V3Controller

classmethod base_url(context, path=None)

Construct a path and pass it to V3Controller.base_url method.

collection_name = 'consumers'

create_consumer(context, *args, **kwargs)

delete_consumer(context, *args, **kwargs)

get_consumer(context, *args, **kwargs)

list_consumers(context, *args, **kwargs)

member_name = 'consumer'

update_consumer(context, *args, **kwargs)

class keystone.oauth1.controllers.OAuthControllerV3(*args, **kwargs)

Bases: keystone.common.controller.V3Controller

authorize_request_token(context, *args, **kwargs)

An authenticated user is going to authorize a request token.

As a security precaution, the requested roles must match those in the request token. Because this is in a CLI-only world at the moment, there is not another easy way to make sure the user knows which roles are being requested before authorizing.

collection_name = 'not_used'

create_access_token(context)

create_request_token(context)

member_name = 'not_used'

keystone.oauth1.core module

Main entry point into the OAuth1 service.

class keystone.oauth1.core.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the OAuth1 backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_access_token(*args, **kwargs)

create_consumer(*args, **kwargs)

create_request_token(*args, **kwargs)

delete_access_token(*args, **kwargs)

delete_consumer(*args, **kwargs)

driver_namespace = 'keystone.oauth1'

update_consumer(*args, **kwargs)

class keystone.oauth1.core.Oauth1DriverV8

Bases: object

Interface description for an OAuth1 driver.

authorize_request_token(request_token_id, user_id, role_ids)

Authorize request token.

Parameters:

• request_token_id (string) – the id of the request token, to be authorized
• user_id (string) – the id of the authorizing user
• role_ids (list) – list of role ids to authorize

Returns:

verifier

create_access_token(request_id, access_token_duration)

Create access token.

Parameters:

• request_id (string) – the id of the request token, to be deleted
• access_token_duration (string) – duration of an access token

Returns:

access_token_ref

create_consumer(consumer_ref)

Create consumer.

Parameters:consumer_ref (dict) – consumer ref with consumer name Returns:consumer_ref

create_request_token(consumer_id, requested_project, request_token_duration)

Create request token.

Parameters:

• consumer_id (string) – the id of the consumer
• requested_project_id (string) – requested project id
• request_token_duration (string) – duration of request token

Returns:

request_token_ref

delete_access_token(user_id, access_token_id)

Delete access token.

Parameters:

• user_id (string) – authorizing user id
• access_token_id (string) – access token to delete

Returns:

None

delete_consumer(consumer_id)

Delete consumer.

Parameters:consumer_id (string) – id of consumer to get Returns:None.

get_access_token(access_token_id)

Get access token.

Parameters:access_token_id (string) – the id of the access token Returns:access_token_ref

get_consumer(consumer_id)

Get consumer, returns the consumer id (key) and description.

Parameters:consumer_id (string) – id of consumer to get Returns:consumer_ref

get_consumer_with_secret(consumer_id)

Like get_consumer(), but also returns consumer secret.

Returned dictionary consumer_ref includes consumer secret. Secrets should only be shared upon consumer creation; the consumer secret is required to verify incoming OAuth requests.

Parameters:consumer_id (string) – id of consumer to get Returns:consumer_ref containing consumer secret

get_request_token(request_token_id)

Get request token.

Parameters:request_token_id (string) – the id of the request token Returns:request_token_ref

list_access_tokens(user_id)

List access tokens.

Parameters:user_id (string) – search for access tokens authorized by given user id Returns:list of access tokens the user has authorized

list_consumers()

List consumers.

Returns:list of consumers

update_consumer(consumer_id, consumer_ref)

Update consumer.

Parameters:

• consumer_id (string) – id of consumer to update
• consumer_ref (dict) – new consumer ref with consumer name

Returns:

consumer_ref

class keystone.oauth1.core.Token(key, secret)

Bases: object

set_verifier(verifier)

keystone.oauth1.core.extract_non_oauth_params(query_string)

keystone.oauth1.core.filter_consumer(consumer_ref)

Filter out private items in a consumer dict.

‘secret’ is never returned.

Returns:consumer_ref

keystone.oauth1.core.filter_token(access_token_ref)

Filter out private items in an access token dict.

‘access_secret’ is never returned.

Returns:access_token_ref

keystone.oauth1.core.get_oauth_headers(headers)

keystone.oauth1.core.token_generator(*args, **kwargs)

keystone.oauth1.routers module

class keystone.oauth1.routers.Routers

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the OAuth1 extension.

The goal of this extension is to allow third-party service providers to acquire tokens with a limited subset of a user’s roles for acting on behalf of that user. This is done using an oauth-similar flow and api.

The API looks like:

# Basic admin-only consumer crud
POST /OS-OAUTH1/consumers
GET /OS-OAUTH1/consumers
PATCH /OS-OAUTH1/consumers/{consumer_id}
GET /OS-OAUTH1/consumers/{consumer_id}
DELETE /OS-OAUTH1/consumers/{consumer_id}

# User access token crud
GET /users/{user_id}/OS-OAUTH1/access_tokens
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
GET /users/{user_id}/OS-OAUTH1/access_tokens
    /{access_token_id}/roles/{role_id}
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

# OAuth interfaces
POST /OS-OAUTH1/request_token  # create a request token
PUT /OS-OAUTH1/authorize  # authorize a request token
POST /OS-OAUTH1/access_token  # create an access token

append_v3_routers(mapper, routers)

keystone.oauth1.schema module

keystone.oauth1.validator module

oAuthlib request validator.

class keystone.oauth1.validator.OAuthValidator(*args, **kwargs)

Bases: oauthlib.oauth1.rfc5849.request_validator.RequestValidator

check_access_token(access_token)

check_client_key(client_key)

check_nonce(nonce)

check_request_token(request_token)

check_verifier(verifier)

enforce_ssl

get_access_token_secret(client_key, token, request)

get_client_secret(client_key, request)

get_default_realms(client_key, request)

get_realms(token, request)

get_redirect_uri(token, request)

get_request_token_secret(client_key, token, request)

get_rsa_key(client_key, request)

invalidate_request_token(client_key, request_token, request)

safe_characters

save_access_token(token, request)

save_request_token(token, request)

save_verifier(token, verifier, request)

validate_access_token(client_key, token, request)

validate_client_key(client_key, request)

validate_realms(client_key, token, request, uri=None, realms=None)

validate_redirect_uri(client_key, redirect_uri, request)

validate_request_token(client_key, token, request)

validate_requested_realms(client_key, realms, request)

validate_timestamp_and_nonce(client_key, timestamp, nonce, request, request_token=None, access_token=None)

validate_verifier(client_key, token, verifier, request)

verify_realms(token, realms, request)

verify_request_token(token, request)

Module contents