swh.auth.keycloak module#

class swh.auth.keycloak.KeycloakOpenIDConnect(server_url: str, realm_name: str, client_id: str, realm_public_key: str = '')[source]#

Bases: object

Wrapper class around python-keycloak to ease the interaction with Keycloak for managing authentication and user permissions with OpenID Connect.

Parameters:

server_url – URL of the Keycloak server
realm_name – The realm name
client_id – The OpenID Connect client identifier
realm_public_key – The realm public key (will be dynamically retrieved if not provided)

property realm_name#

property client_id#

well_known() → Dict[str, Any][source]#

Retrieve the OpenID Connect Well-Known URI registry from Keycloak.

Returns:: A dictionary filled with OpenID Connect URIS.

authorization_url(redirect_uri: str, **extra_params: str) → str[source]#

Get OpenID Connect authorization URL to authenticate users.

Parameters:

redirect_uri – URI to redirect to once a user is authenticated
extra_params – Extra query parameters to add to the authorization URL

authorization_code(code: str, redirect_uri: str, **extra_params: str) → Dict[str, Any][source]#

Get OpenID Connect authentication tokens using Authorization Code flow.

Raises:

KeycloakError in case of authentication failures –

Parameters:

code – Authorization code provided by Keycloak
redirect_uri – URI to redirect to once a user is authenticated (must be the same as the one provided to authorization_url):
extra_params – Extra parameters to add in the authorization request payload.

login(username: str, password: str, scope: str = 'openid', **extra_params: str) → Dict[str, Any][source]#

Get OpenID Connect authentication tokens using Direct Access Grant flow.

Raises:

KeycloakError in case of authentication failures –

Parameters:

username – an existing username in the realm
password – password associated to username
extra_params – Extra parameters to add in the authorization request payload.

refresh_token(refresh_token: str) → Dict[str, Any][source]#

Request a new access token from Keycloak using a refresh token.

Parameters:: refresh_token – A refresh token provided by Keycloak
Returns:: A dictionary filled with tokens info

decode_token(token: str, options: Dict[str, Any] | None = None) → Dict[str, Any][source]#

Try to decode a JWT token.

Parameters:

token – A JWT token to decode
options – Options for jose.jwt.decode

Returns:

A dictionary filled with decoded token content

logout(refresh_token: str) → None[source]#

Logout a user by closing its authenticated session.

Parameters:: refresh_token – A refresh token provided by Keycloak

userinfo(access_token: str) → Dict[str, Any][source]#

Return user information from its access token.

Parameters:: access_token – An access token provided by Keycloak
Returns:: A dictionary fillled with user information

classmethod from_config(**kwargs: Any) → KeycloakOpenIDConnect[source]#

Instantiate a KeycloakOpenIDConnect class from a configuration dict.

Parameters:: kwargs – configuration dict for the instance, with one keycloak key, whose value is a Dict with the following keys: - server_url: URL of the Keycloak server - realm_name: The realm name - client_id: The OpenID Connect client identifier
Returns:: the KeycloakOpenIDConnect instance

classmethod from_configfile(**kwargs: Any) → KeycloakOpenIDConnect[source]#

Instantiate a KeycloakOpenIDConnect class from the configuration loaded from the SWH_CONFIG_FILENAME envvar, with potential extra keyword arguments if their value is not None.

Parameters:: kwargs – kwargs passed to instantiation call
Returns:: the KeycloakOpenIDConnect instance

swh.auth.keycloak.keycloak_error_message(keycloak_error: KeycloakError) → str[source]#: Transform a keycloak exception into an error message.