keystone.auth.plugins.base module
- class keystone.auth.plugins.base.AuthHandlerResponse(status, response_body, response_data)
Bases: tuple
- response_body
Alias for field number 1
- response_data
Alias for field number 2
- status
Alias for field number 0
- class keystone.auth.plugins.base.AuthMethodHandler
Bases: ProviderAPIMixin
Abstract base class for an authentication plugin.
- abstract authenticate(auth_payload)
Authenticate user and return an authentication context.
- Parameters:
auth_payload (dict) – the payload content of the authentication request for a given method
If successful, plugin must set user_id in response_data. method_name is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, plugin must append the previous method names into method_names; NOTE: This behavior is exclusive to the re-scope type action. Here’s an example of response_data on successful authentication:

    {
        "methods": [
            "password",
            "token"
        ],
        "user_id": "abc123"
    }

Plugins are invoked in the order in which they are specified in the methods attribute of the identity object. For example, custom-plugin is invoked before password, which is invoked before token in the following authentication request:

    {
        "auth": {
            "identity": {
                "custom-plugin": {
                    "custom-data": "sdfdfsfsfsdfsf"
                },
                "methods": [
                    "custom-plugin",
                    "password",
                    "token"
                ],
                "password": {
                    "user": {
                        "id": "s23sfad1",
                        "password": "secret"
                    }
                },
                "token": {
                    "id": "sdfafasdfsfasfasdfds"
                }
            }
        }
    }

- Returns:
AuthHandlerResponse with status set to True if auth was successful. If status is False and this is a multi-step auth, the response_body can be in a form of a dict for the next step in authentication.
- Raises:
keystone.exception.Unauthorized – for authentication failure
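
The authenticate() contract described above, sketched as an added example that is not keystone's own code. The namedtuple and Unauthorized stand-ins replace the keystone imports so it runs without keystone installed; the handler classes, the USERS store and the run_methods dispatcher are hypothetical.

```python
import hmac
from collections import namedtuple

# Stand-ins so this runs without keystone; a real plugin subclasses
# keystone.auth.plugins.base.AuthMethodHandler and raises keystone.exception.Unauthorized.
AuthHandlerResponse = namedtuple("AuthHandlerResponse", "status response_body response_data")
class Unauthorized(Exception):
    pass

USERS = {"s23sfad1": "secret"}  # constructed sample; real stores hold password hashes

class PasswordHandler:
    def authenticate(self, auth_payload):
        user = auth_payload.get("user", {})
        expected = USERS.get(user.get("id"))
        supplied = str(user.get("password", "")).encode()
        # One generic failure for unknown user and wrong password.
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            raise Unauthorized("authentication failed")
        return AuthHandlerResponse(True, None, {"user_id": user["id"]})

class ChallengeHandler:
    """Hypothetical two-step method: the first call returns a challenge."""
    def authenticate(self, auth_payload):
        if "answer" not in auth_payload:
            # status False plus a dict body: the next step of a multi-step auth
            return AuthHandlerResponse(False, {"challenge": "send answer"}, None)
        if auth_payload["answer"] != "constructed-answer":
            raise Unauthorized("authentication failed")
        return AuthHandlerResponse(True, None, {"user_id": "s23sfad1"})

def run_methods(identity, handlers):
    """Hypothetical dispatcher: call plugins in the order of identity['methods']."""
    user_id = None
    for name in identity.get("methods", []):
        if name not in handlers or name not in identity:
            raise Unauthorized("unsupported method or missing payload")
        resp = handlers[name].authenticate(identity[name])
        if not resp.status:
            return resp
        uid = (resp.response_data or {}).get("user_id")
        # Assumed policy: every successful plugin must name the same user.
        if uid is None or (user_id is not None and uid != user_id):
            raise Unauthorized("plugin did not set a consistent user_id")
        user_id = uid
    if user_id is None:
        raise Unauthorized("no method authenticated a user")
    return AuthHandlerResponse(True, None, {"user_id": user_id})
```

A plugin that returns status True without a user_id in response_data is treated here as a failure rather than as an anonymous success.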