keystone.oauth1 package¶

Subpackages¶

keystone.oauth1.backends package

Submodules¶

keystone.oauth1.controllers module¶

Extensions supporting OAuth1.

class keystone.oauth1.controllers.AccessTokenCrudV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'access_tokens'¶

delete_access_token(context, *args, **kwargs)[source]¶

get_access_token(context, *args, **kwargs)[source]¶

list_access_tokens(context, *args, **kwargs)[source]¶

member_name = 'access_token'¶

class keystone.oauth1.controllers.AccessTokenRolesV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'roles'¶

get_access_token_role(context, *args, **kwargs)[source]¶

list_access_token_roles(context, *args, **kwargs)[source]¶

member_name = 'role'¶

class keystone.oauth1.controllers.ConsumerCrudV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

classmethod base_url(context, path=None)[source]¶: Construct a path and pass it to V3Controller.base_url method.

collection_name = 'consumers'¶

create_consumer(context, *args, **kwargs)[source]¶

delete_consumer(context, *args, **kwargs)[source]¶

get_consumer(context, *args, **kwargs)[source]¶

list_consumers(context, *args, **kwargs)[source]¶

member_name = 'consumer'¶

update_consumer(context, *args, **kwargs)[source]¶

class keystone.oauth1.controllers.OAuthControllerV3(*args, **kwargs)[source]¶

Bases: keystone.common.controller.V3Controller

authorize_request_token(context, *args, **kwargs)[source]¶

An authenticated user is going to authorize a request token.

As a security precaution, the requested roles must match those in the request token. Because this is in a CLI-only world at the moment, there is not another easy way to make sure the user knows which roles are being requested before authorizing.

collection_name = 'not_used'¶

create_access_token(context)[source]¶

create_request_token(context)[source]¶

member_name = 'not_used'¶

keystone.oauth1.core module¶

Main entry point into the OAuth1 service.

class keystone.oauth1.core.Manager(*args, **kwargs)[source]¶

Bases: keystone.common.manager.Manager

Default pivot point for the OAuth1 backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_access_token(*args, **kwargs)[source]¶

create_consumer(*args, **kwargs)[source]¶

create_request_token(*args, **kwargs)[source]¶

delete_access_token(*args, **kwargs)[source]¶

delete_consumer(*args, **kwargs)[source]¶

driver_namespace = 'keystone.oauth1'¶

update_consumer(*args, **kwargs)[source]¶

class keystone.oauth1.core.Oauth1DriverV8[source]¶

Bases: object

Interface description for an OAuth1 driver.

authorize_request_token(request_token_id, user_id, role_ids)[source]¶

Authorize request token.

Parameters:	request_token_id (string) – the id of the request token, to be authorized user_id (string) – the id of the authorizing user role_ids (list) – list of role ids to authorize
Returns:	verifier

create_access_token(request_id, access_token_duration)[source]¶

Create access token.

Parameters:	request_id (string) – the id of the request token, to be deleted access_token_duration (string) – duration of an access token
Returns:	access_token_ref

create_consumer(consumer_ref)[source]¶

Create consumer.

Parameters:	consumer_ref (dict) – consumer ref with consumer name
Returns:	consumer_ref

create_request_token(consumer_id, requested_project, request_token_duration)[source]¶

Create request token.

Parameters:	consumer_id (string) – the id of the consumer requested_project_id (string) – requested project id request_token_duration (string) – duration of request token
Returns:	request_token_ref

delete_access_token(user_id, access_token_id)[source]¶

Delete access token.

Parameters:	user_id (string) – authorizing user id access_token_id (string) – access token to delete
Returns:	None

delete_consumer(consumer_id)[source]¶

Delete consumer.

Parameters:	consumer_id (string) – id of consumer to get
Returns:	None.

get_access_token(access_token_id)[source]¶

Get access token.

Parameters:	access_token_id (string) – the id of the access token
Returns:	access_token_ref

get_consumer(consumer_id)[source]¶

Get consumer, returns the consumer id (key) and description.

Parameters:	consumer_id (string) – id of consumer to get
Returns:	consumer_ref

get_consumer_with_secret(consumer_id)[source]¶

Like get_consumer(), but also returns consumer secret.

Returned dictionary consumer_ref includes consumer secret. Secrets should only be shared upon consumer creation; the consumer secret is required to verify incoming OAuth requests.

Parameters:	consumer_id (string) – id of consumer to get
Returns:	consumer_ref containing consumer secret

get_request_token(request_token_id)[source]¶

Get request token.

Parameters:	request_token_id (string) – the id of the request token
Returns:	request_token_ref

list_access_tokens(user_id)[source]¶

List access tokens.

Parameters:	user_id (string) – search for access tokens authorized by given user id
Returns:	list of access tokens the user has authorized

list_consumers()[source]¶

List consumers.

Returns:	list of consumers

update_consumer(consumer_id, consumer_ref)[source]¶

Update consumer.

Parameters:	consumer_id (string) – id of consumer to update consumer_ref (dict) – new consumer ref with consumer name
Returns:	consumer_ref

class keystone.oauth1.core.Token(key, secret)[source]¶

Bases: object

set_verifier(verifier)[source]¶

keystone.oauth1.core.extract_non_oauth_params(query_string)[source]¶

keystone.oauth1.core.filter_consumer(consumer_ref)[source]¶

Filter out private items in a consumer dict.

‘secret’ is never returned.

Returns:	consumer_ref

keystone.oauth1.core.filter_token(access_token_ref)[source]¶

Filter out private items in an access token dict.

‘access_secret’ is never returned.

Returns:	access_token_ref

keystone.oauth1.core.get_oauth_headers(headers)[source]¶

keystone.oauth1.core.token_generator(*args, **kwargs)[source]¶

keystone.oauth1.routers module¶

class keystone.oauth1.routers.Routers[source]¶

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the OAuth1 extension.

The goal of this extension is to allow third-party service providers to acquire tokens with a limited subset of a user’s roles for acting on behalf of that user. This is done using an oauth-similar flow and api.

The API looks like:

# Basic admin-only consumer crud
POST /OS-OAUTH1/consumers
GET /OS-OAUTH1/consumers
PATCH /OS-OAUTH1/consumers/{consumer_id}
GET /OS-OAUTH1/consumers/{consumer_id}
DELETE /OS-OAUTH1/consumers/{consumer_id}

# User access token crud
GET /users/{user_id}/OS-OAUTH1/access_tokens
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
GET /users/{user_id}/OS-OAUTH1/access_tokens
    /{access_token_id}/roles/{role_id}
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

# OAuth interfaces
POST /OS-OAUTH1/request_token  # create a request token
PUT /OS-OAUTH1/authorize  # authorize a request token
POST /OS-OAUTH1/access_token  # create an access token

append_v3_routers(mapper, routers)[source]¶

keystone.oauth1.schema module¶

keystone.oauth1.validator module¶

oAuthlib request validator.

class keystone.oauth1.validator.OAuthValidator(*args, **kwargs)[source]¶

Bases: oauthlib.oauth1.rfc5849.request_validator.RequestValidator

check_access_token(access_token)[source]¶

check_client_key(client_key)[source]¶

check_nonce(nonce)[source]¶

check_request_token(request_token)[source]¶

check_verifier(verifier)[source]¶

enforce_ssl[source]¶

get_access_token_secret(client_key, token, request)[source]¶

get_client_secret(client_key, request)[source]¶

get_default_realms(client_key, request)[source]¶

get_realms(token, request)[source]¶

get_redirect_uri(token, request)[source]¶

get_request_token_secret(client_key, token, request)[source]¶

get_rsa_key(client_key, request)[source]¶

invalidate_request_token(client_key, request_token, request)[source]¶

safe_characters[source]¶

save_access_token(token, request)[source]¶

save_request_token(token, request)[source]¶

save_verifier(token, verifier, request)[source]¶

validate_access_token(client_key, token, request)[source]¶

validate_client_key(client_key, request)[source]¶

validate_realms(client_key, token, request, uri=None, realms=None)[source]¶

validate_redirect_uri(client_key, redirect_uri, request)[source]¶

validate_request_token(client_key, token, request)[source]¶

validate_requested_realms(client_key, realms, request)[source]¶

validate_timestamp_and_nonce(client_key, timestamp, nonce, request, request_token=None, access_token=None)[source]¶

validate_verifier(client_key, token, verifier, request)[source]¶

verify_realms(token, realms, request)[source]¶

verify_request_token(token, request)[source]¶

OpenStack

keystone.oauth1 package¶

Subpackages¶

Submodules¶

keystone.oauth1.controllers module¶

keystone.oauth1.core module¶

keystone.oauth1.routers module¶

keystone.oauth1.schema module¶

keystone.oauth1.validator module¶

Module contents¶

Table Of Contents

Previous topic

Next topic

Project Source

This Page

OpenStack

keystone.oauth1 package¶

Subpackages¶

Submodules¶

keystone.oauth1.controllers module¶

keystone.oauth1.core module¶

keystone.oauth1.routers module¶

keystone.oauth1.schema module¶

keystone.oauth1.validator module¶

Module contents¶

Table Of Contents

Previous topic

Next topic

Project Source

This Page

Quick search

Navigation