- class eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth(provider, config)[source]#
Implement the authorization code flow of the OpenID Connect specification.
The OpenID Connect specification adds an authentication layer on top of OAuth 2.0. This plugin implements the authorization code flow option of that specification. Its particularity is that the interaction with the OpenID provider is headless (no user involved): when needed, the plugin itself submits the registered user's username and password to the provider's login form, grants eodag the requested rights, and so obtains the authorization code. It does so using the client ID of the eodag provider that uses it. If the client secret of that eodag provider is known, it is sent together with the client ID as HTTP Basic credentials on the token exchange request. Because the plugin replays a user's password to the provider without any interactive step, the username and password it is configured with must be protected like any other stored credential. The headless interaction is fully configurable and relies on XPath to locate the login and consent forms and the values to submit with them.
The configuration keys of this plugin are as follows (they have no defaults):
    # (mandatory) The authorization URL of the server (where to query for grants)
    authorization_uri:
    # (mandatory) The callback URL that will handle the code given by the OIDC provider
    redirect_uri:
    # (mandatory) The URL to query to exchange the authorization code obtained from the OIDC provider
    # for an authorized token
    token_uri:
    # (mandatory) The OIDC provider's client ID of the eodag provider
    client_id:
    # (mandatory) Whether a user consent is needed during the authentication
    user_consent_needed:
    # (mandatory) One of: json, data or params. This is the way to pass the data to the POST request
    # that is made to the token server. They correspond to the recognised keyword arguments
    # of the Python requests library (http://docs.python-requests.org/)
    token_exchange_post_data_method:
    # (mandatory) The key pointing to the token in the JSON response to the POST request to the token server
    token_key:
    # (mandatory) One of qs or header. This is how the obtained token will be used to authenticate the user
    # on protected requests. If 'qs' is chosen, then 'token_qs_key' is mandatory
    token_provision:
    # (mandatory) The XPath to the HTML form element representing the user login form
    login_form_xpath:
    # (mandatory) Where to look for the authentication_uri. One of 'config' (in the configuration) or 'login-form'
    # (use the 'action' URL found in the login form retrieved with login_form_xpath). If the value is 'config',
    # the authentication_uri config param is mandatory
    authentication_uri_source:
    # (optional) The URL of the authentication backend of the OIDC provider
    authentication_uri:
    # (optional) The XPath to the user consent form. The form is searched in the content of the response
    # to the authorization request
    user_consent_form_xpath:
    # (optional) The data that will be passed with the POST request on the form 'action' URL. The data are
    # given as key/value pairs, the keys representing the data key and the value being either
    # a 'constant' string value, or a string of the form 'xpath(<path-to-a-value-to-be-retrieved>)'
    # representing a value to be retrieved from the user consent form. The XPath must resolve
    # directly to a string value, not to an HTML element. Example:
    # 'xpath(//input[@name="sessionDataKeyConsent"]/@value)'
    user_consent_form_data:
    # (optional) A mapping giving additional data to be passed to the login POST request. The values follow the
    # same rules as for user_consent_form_data
    additional_login_form_data:
    # (optional) The OIDC provider's client secret of the eodag provider
    client_secret:
    # (optional) A mapping between OIDC URL query string and token handler query string
    # params (only necessary if they are not the same as for OIDC). This is eodag provider
    # dependent
    token_exchange_params:
      redirect_uri:
      client_id:
    # (optional) Only necessary when 'token_provision' is 'qs'. Refers to the name of the query param to be
    # used in the query request
    token_qs_key:
  - Exchange the authorization code for a token
  - Grant user consent
  - Validate configured credentials
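The following is an added example, not eodag's own code, showing how the configuration keys above drive each step of the flow: the conditional validity rules (token_qs_key with qs, authentication_uri with source config), resolution of 'constant' versus 'xpath(...)' form values, the token exchange POST with HTTP Basic client authentication and the token_exchange_params renaming, and attaching the token per token_provision. Assumptions, since the page does not state them: the token request carries the standard authorization_code grant fields (grant_type, code, redirect_uri, client_id), header provision uses the Bearer scheme, and only the documented 'xpath(//input[@name="X"]/@attr)' shape is resolved, with a tiny HTML scanner standing in for a real XPath engine. The configuration and consent page are constructed samples; nothing is sent over the network.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

MANDATORY = (
    "authorization_uri", "redirect_uri", "token_uri", "client_id",
    "user_consent_needed", "token_exchange_post_data_method", "token_key",
    "token_provision", "login_form_xpath", "authentication_uri_source",
)


def validate_config(cfg):
    """Return a list of problems (empty means usable), encoding the documented rules."""
    problems = [f"missing mandatory key '{k}'" for k in MANDATORY if k not in cfg]
    if cfg.get("token_exchange_post_data_method") not in ("json", "data", "params"):
        problems.append("token_exchange_post_data_method must be json, data or params")
    if cfg.get("token_provision") not in ("qs", "header"):
        problems.append("token_provision must be qs or header")
    if cfg.get("token_provision") == "qs" and not cfg.get("token_qs_key"):
        problems.append("token_qs_key is mandatory when token_provision is qs")
    if cfg.get("authentication_uri_source") == "config" and not cfg.get("authentication_uri"):
        problems.append("authentication_uri is mandatory when authentication_uri_source is config")
    return problems


class _InputCollector(HTMLParser):
    """Collect <input> attributes; stand-in for a real XPath engine (assumption)."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def resolve_form_value(spec, html):
    """Resolve one user_consent_form_data / additional_login_form_data value:
    constants pass through, 'xpath(//input[@name="X"]/@attr)' is read from the form."""
    m = re.fullmatch(r'xpath\(//input\[@name="([^"]+)"\]/@(\w+)\)', spec)
    if not m:
        return spec
    name, attr = m.groups()
    collector = _InputCollector()
    collector.feed(html)
    for attrs in collector.inputs:
        if attrs.get("name") == name:
            return attrs.get(attr, "")
    raise LookupError(f"no <input name={name!r}> in form")


def consent_form_payload(cfg, html):
    """Build the consent POST body from user_consent_form_data."""
    return {k: resolve_form_value(v, html) for k, v in cfg["user_consent_form_data"].items()}


def build_token_exchange_request(cfg, code):
    """Describe the POST to token_uri as (url, headers, requests-style kwargs).
    Field names follow the authorization_code grant (assumption); token_exchange_params renames them."""
    rename = cfg.get("token_exchange_params") or {}
    fields = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": cfg["redirect_uri"], "client_id": cfg["client_id"]}
    payload = {rename.get(k, k): v for k, v in fields.items()}
    headers = {}
    if cfg.get("client_secret"):
        # Client secret known: authenticate the client with HTTP Basic (client_id:client_secret)
        # instead of putting the secret in the form body.
        cred = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    return cfg["token_uri"], headers, {cfg["token_exchange_post_data_method"]: payload}


def extract_token(token_response, token_key):
    """Pick the token out of the token server's JSON response using token_key."""
    if token_key not in token_response:
        raise KeyError(f"token_key {token_key!r} absent from token response")
    return token_response[token_key]


def authorize_request(cfg, token, url, headers=None):
    """Attach the token as token_provision prescribes. 'qs' puts the token in the URL,
    where proxies and access logs will record it; prefer 'header' when the provider allows it."""
    headers = dict(headers or {})
    if cfg["token_provision"] == "header":
        headers["Authorization"] = f"Bearer {token}"  # Bearer scheme is an assumption
        return url, headers
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[cfg["token_qs_key"]] = token
    return urlunparse(parts._replace(query=urlencode(query))), headers


# Constructed sample configuration and consent page (not from any real provider).
SAMPLE_CONFIG = {
    "authorization_uri": "https://idp.example/oauth2/authorize",
    "redirect_uri": "https://app.example/callback",
    "token_uri": "https://idp.example/oauth2/token",
    "client_id": "eodag-client",
    "client_secret": "s3cr3t",
    "user_consent_needed": True,
    "token_exchange_post_data_method": "data",
    "token_key": "access_token",
    "token_provision": "header",
    "login_form_xpath": '//form[@id="loginForm"]',
    "authentication_uri_source": "login-form",
    "user_consent_form_xpath": '//form[@id="consentForm"]',
    "user_consent_form_data": {
        "consent": "approve",
        "sessionDataKeyConsent": 'xpath(//input[@name="sessionDataKeyConsent"]/@value)',
    },
    "token_exchange_params": {"redirect_uri": "redirectUri", "client_id": "clientId"},
}
SAMPLE_CONSENT_HTML = """<form id="consentForm" action="/consent" method="post">
<input type="hidden" name="sessionDataKeyConsent" value="abc-123">
<input type="submit" name="consent" value="approve"></form>"""
```

Running `validate_config` first mirrors the plugin's credential validation step: a config with `token_provision: qs` but no `token_qs_key`, or `authentication_uri_source: config` without `authentication_uri`, is rejected before any request is built.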