swh.auth.keycloak module

class swh.auth.keycloak.KeycloakOpenIDConnect(server_url: str, realm_name: str, client_id: str, realm_public_key: str = '')

Bases: object

Wrapper class around python-keycloak to ease the interaction with Keycloak for managing authentication and user permissions with OpenID Connect.

Parameters
  • server_url – URL of the Keycloak server

  • realm_name – The realm name

  • client_id – The OpenID Connect client identifier

  • realm_public_key – The realm public key (will be dynamically retrieved if not provided)

property realm_name
property client_id
well_known() → Dict[str, Any]

Retrieve the OpenID Connect Well-Known URI registry from Keycloak.

Returns

A dictionary filled with OpenID Connect URIs.

authorization_url(redirect_uri: str, **extra_params: str) → str

Get OpenID Connect authorization URL to authenticate users.

Parameters
  • redirect_uri – URI to redirect to once a user is authenticated

  • extra_params – Extra query parameters to add to the authorization URL

authorization_code(code: str, redirect_uri: str, **extra_params: str) → Dict[str, Any]

Get OpenID Connect authentication tokens using Authorization Code flow.

Raises

KeycloakError in case of authentication failures

Parameters
  • code – Authorization code provided by Keycloak

  • redirect_uri – URI to redirect to once a user is authenticated (must be the same as the one provided to authorization_url)

  • extra_params – Extra parameters to add in the authorization request payload.
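
An added example, not part of swh.auth: one way to pair authorization_url and authorization_code in a web login callback, binding the two calls with a state value and PKCE (RFC 7636) passed through extra_params. The helper names, the pending dict and the choice of extra parameters are assumptions; oidc_client is any object exposing the two methods documented above, and the realm client is assumed to accept PKCE.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Any, Dict, Tuple


def start_login(oidc_client: Any, redirect_uri: str) -> Tuple[str, Dict[str, str]]:
    """Return the authorization URL and the values to keep in the server-side session."""
    state = secrets.token_urlsafe(32)  # anti-CSRF value, echoed back on the callback
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, 86 characters
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    # state and the PKCE challenge travel as extra query parameters.
    url = oidc_client.authorization_url(
        redirect_uri,
        state=state,
        code_challenge=code_challenge,
        code_challenge_method="S256",
    )
    pending = {"state": state, "code_verifier": code_verifier, "redirect_uri": redirect_uri}
    return url, pending


def finish_login(
    oidc_client: Any, pending: Dict[str, str], callback_params: Dict[str, str]
) -> Dict[str, Any]:
    """Validate the callback, then exchange the authorization code for tokens."""
    returned_state = callback_params.get("state", "")
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: callback does not match this login request")
    code = callback_params.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    # Reuse the stored redirect_uri so it is identical to the one sent earlier;
    # code_verifier lets Keycloak check it against the earlier code_challenge.
    return oidc_client.authorization_code(
        code, pending["redirect_uri"], code_verifier=pending["code_verifier"]
    )
```

Keep pending in the server-side session only, and discard it once finish_login has returned or raised so a callback cannot be replayed against it.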

login(username: str, password: str, scope: str = 'openid', **extra_params: str) → Dict[str, Any]

Get OpenID Connect authentication tokens using Direct Access Grant flow.

Raises

KeycloakError in case of authentication failures

Parameters
  • username – an existing username in the realm

  • password – password associated with username

  • extra_params – Extra parameters to add in the authorization request payload.

refresh_token(refresh_token: str) → Dict[str, Any]

Request a new access token from Keycloak using a refresh token.

Parameters

refresh_token – A refresh token provided by Keycloak

Returns

A dictionary filled with tokens info

decode_token(token: str, options: Optional[Dict[str, Any]] = None) → Dict[str, Any]

Try to decode a JWT token.

Parameters
  • token – A JWT token to decode

  • options – Options for jose.jwt.decode

Returns

A dictionary filled with decoded token content

logout(refresh_token: str) → None

Log out a user by closing their authenticated session.

Parameters

refresh_token – A refresh token provided by Keycloak

userinfo(access_token: str) → Dict[str, Any]

Return information about a user from their access token.

Parameters

access_token – An access token provided by Keycloak

Returns

A dictionary filled with user information

classmethod from_config(**kwargs: Any) → swh.auth.keycloak.KeycloakOpenIDConnect

Instantiate a KeycloakOpenIDConnect class from a configuration dict.

Parameters

kwargs – configuration dict for the instance, with one keycloak key, whose value is a Dict with the following keys:
  • server_url: URL of the Keycloak server
  • realm_name: The realm name
  • client_id: The OpenID Connect client identifier

Returns

the KeycloakOpenIDConnect instance

classmethod from_configfile(**kwargs: Any) → swh.auth.keycloak.KeycloakOpenIDConnect

Instantiate a KeycloakOpenIDConnect class from the configuration loaded from the SWH_CONFIG_FILENAME envvar, with potential extra keyword arguments if their value is not None.

Parameters

kwargs – kwargs passed to instantiation call

Returns

the KeycloakOpenIDConnect instance

swh.auth.keycloak.keycloak_error_message(keycloak_error: keycloak.exceptions.KeycloakError) → str

Transform a keycloak exception into an error message.