eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth

class eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth(provider, config)

Implement the authorization code flow of the OpenID Connect authorization specification.

The OpenID Connect specification adds an authentication layer on top of OAuth 2.0. This plugin implements the authorization code flow option of this specification. The particularity of this plugin is that it proceeds to a headless (not involving the user) interaction with the OpenID provider (if necessary) to authenticate a registered user with their username and password on the server and then grant eodag the necessary rights. It does that using the client ID of the eodag provider that uses it. If the client secret of the eodag provider using this plugin is known, it is used in conjunction with the client ID to do HTTP Basic auth during the token exchange request. The headless interaction is fully configurable, and relies on XPath to retrieve all the necessary information.

The configuration keys of this plugin are as follows (they have no defaults):

# (mandatory) The authorization url of the server (where to query for grants)
authorization_uri:

# (mandatory) The callback url that will handle the code given by the OIDC provider
redirect_uri:

# (mandatory) The url to query to exchange the authorization code obtained from the OIDC provider
# for an authorized token
token_uri:

# (mandatory) The OIDC provider's client ID of the eodag provider
client_id:

# (mandatory) Whether user consent is needed during the authentication
user_consent_needed:

# (mandatory) One of: json, data or params. This is the way to pass the data to the POST request
# that is made to the token server. They correspond to the recognised keyword arguments
# of the Python requests library (http://docs.python-requests.org/)
token_exchange_post_data_method:

# (mandatory) The key pointing to the token in the json response to the POST request to the token server
token_key:

# (mandatory) One of qs or header. This is how the token obtained will be used to authenticate the user
# on protected requests. If 'qs' is chosen, then 'token_qs_key' is mandatory
token_provision:

# (mandatory) The xpath to the HTML form element representing the user login form
login_form_xpath:

# (mandatory) Where to look for the authentication_uri. One of 'config' (in the configuration) or 'login-form'
# (use the 'action' URL found in the login form retrieved with login_form_xpath). If the value is 'config',
# authentication_uri config param is mandatory
authentication_uri_source:

# (optional) The URL of the authentication backend of the OIDC provider
authentication_uri:

# (optional) The xpath to the user consent form. The form is searched in the content of the response
# to the authorization request
user_consent_form_xpath:

# (optional) The data that will be passed with the POST request on the form 'action' URL. The data are
# given as a key value pairs, the keys representing the data key and the value being either
# a 'constant' string value, or a string of the form 'xpath(<path-to-a-value-to-be-retrieved>)'
# and representing a value to be retrieved in the user consent form. The xpath must resolve
# directly to a string value, not to an HTML element. Example:
# 'xpath(//input[@name="sessionDataKeyConsent"]/@value)'
user_consent_form_data:

# (optional) A mapping giving additional data to be passed to the login POST request. The value follows the
# same rules as with user_consent_form_data
additional_login_form_data:

# (optional) The OIDC provider's client secret of the eodag provider
client_secret:

# (optional) A mapping between OIDC url query string and token handler query string
# params (only necessary if they are not the same as for OIDC). This is eodag provider
# dependent
token_exchange_params:
  redirect_uri:
  client_id:

# (optional) Only necessary when 'token_provision' is 'qs'. Refers to the name of the query param to be
# used in the query request
token_qs_key:
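The following is an added example, not code from the eodag project, showing how the configuration rules documented above fit together in a headless authorization code flow: an unguessable state value and its constant-time verification, resolution of 'constant' versus 'xpath(...)' form-data values against a consent form, the token-exchange POST with the client secret sent as HTTP Basic auth and the data placed according to token_exchange_post_data_method, and the two token_provision modes. Everything here is constructed for the example: the CONFIG dict, the consent form HTML, the CONFIG_XPATH_REGEX pattern (the plugin's real attribute is not shown on this page), the Bearer scheme assumed for the header mode, and the interpretation of token_exchange_params as a rename map. XPath evaluation uses only the standard library, so it supports the documented '<element path>/@<attribute>' shape rather than full XPath.

```python
import base64
import hmac
import re
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Tuple
from urllib.parse import urlencode

# Mirrors the documented 'xpath(<path>)' value syntax. Assumption for this example:
# the plugin's own CONFIG_XPATH_REGEX attribute is not reproduced on this page.
CONFIG_XPATH_REGEX = re.compile(r"^xpath\((?P<xpath_value>.+)\)$")

# Constructed configuration using the keys documented above (no real provider).
CONFIG = {
    "redirect_uri": "https://eodag.example.invalid/callback",
    "client_id": "cid",
    "client_secret": "sec",
    "token_exchange_post_data_method": "data",
    "token_provision": "qs",
    "token_qs_key": "token",
    "token_exchange_params": {"redirect_uri": "redirect_url"},
}

# Constructed user-consent form, as an OIDC provider might return it (kept well-formed
# so the standard-library XML parser can read it).
CONSENT_FORM_HTML = """<form method="post" action="/oauth2/consent">
  <input type="hidden" name="sessionDataKeyConsent" value="abc-123"/>
  <input type="submit" name="consent" value="approve"/>
</form>"""


def compute_state() -> str:
    """Unguessable 'state' value to send with the authorization request."""
    return secrets.token_urlsafe(32)


def state_matches(expected: str, received: str) -> bool:
    """Constant-time check that the provider echoed our state back unchanged;
    a mismatch means the callback does not belong to the request we started."""
    return hmac.compare_digest(expected, received)


def _eval_form_xpath(form: ET.Element, xpath: str) -> str:
    """Evaluate the '<element path>/@<attr>' subset of XPath required by the docs
    (the expression must resolve to a string, not an element). ElementTree has no
    attribute axis, so the trailing '/@attr' is split off and read with .get()."""
    element_path, sep, attr = xpath.rpartition("/@")
    if not sep:
        raise ValueError("xpath must end in /@<attribute>: %s" % xpath)
    if element_path.startswith("//"):
        element_path = "." + element_path  # search from the form root
    node = form.find(element_path)
    if node is None or node.get(attr) is None:
        raise ValueError("xpath did not resolve to a value: %s" % xpath)
    return node.get(attr)


def resolve_form_data(config_data: Dict[str, str], form_html: str) -> Dict[str, str]:
    """Apply the documented rule: each value is either a constant string or an
    'xpath(...)' expression evaluated against the form found in the provider's response."""
    form = ET.fromstring(form_html)
    resolved = {}
    for key, value in config_data.items():
        match = CONFIG_XPATH_REGEX.match(value)
        resolved[key] = _eval_form_xpath(form, match.group("xpath_value")) if match else value
    return resolved


def build_token_request(config: dict, code: str, state: str) -> Tuple[Dict[str, str], dict]:
    """Build the token-exchange POST. Returns (headers, kwargs), kwargs being the single
    keyword (json=, data= or params=) to hand to requests.post(config['token_uri'], ...).
    A known client secret is sent as HTTP Basic auth, never placed in the body."""
    post_data = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_uri"],
        "state": state,
    }
    headers: Dict[str, str] = {}
    if config.get("client_secret"):
        creds = "%s:%s" % (config["client_id"], config["client_secret"])
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        post_data["client_id"] = config["client_id"]
    # token_exchange_params (assumed meaning): rename OIDC parameter names to the
    # provider-specific names the token handler expects.
    for oidc_name, provider_name in config.get("token_exchange_params", {}).items():
        if oidc_name in post_data:
            post_data[provider_name] = post_data.pop(oidc_name)
    method = config["token_exchange_post_data_method"]
    if method not in ("json", "data", "params"):
        raise ValueError("token_exchange_post_data_method must be json, data or params")
    return headers, {method: post_data}


def apply_token(config: dict, token: str, url: str) -> Tuple[str, Dict[str, str]]:
    """Attach the token to a protected request according to token_provision
    (Bearer scheme assumed for 'header')."""
    if config["token_provision"] == "header":
        return url, {"Authorization": "Bearer %s" % token}
    if config["token_provision"] == "qs":
        if "token_qs_key" not in config:
            raise ValueError("token_qs_key is mandatory when token_provision is 'qs'")
        sep = "&" if "?" in url else "?"
        return url + sep + urlencode({config["token_qs_key"]: token}), {}
    raise ValueError("token_provision must be 'qs' or 'header'")
```

The check in `state_matches` is the part most worth keeping when adapting this: the state value ties the callback carrying the authorization code to the request the plugin itself started, and a callback whose state does not match should be discarded rather than exchanged for a token. Prefer `token_provision: header` where the provider allows it; a token passed as a query string parameter ends up in proxy and server access logs.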

Methods

__init__(provider, config)

authenticate()

Authenticate

authenticate_user(state)

Authenticate user

compute_state()

Compute state

exchange_code_for_token(authorized_url, state)

Get exchange code for token

grant_user_consent(authentication_response)

Grant user consent

validate_config_credentials()

Validate configured credentials

Attributes

CONFIG_XPATH_REGEX

RESPONSE_TYPE

SCOPE
