swh.auth.keycloak module

class swh.auth.keycloak.KeycloakOpenIDConnect(server_url: str, realm_name: str, client_id: str, realm_public_key: str = '')

Bases: object

Wrapper class around python-keycloak to ease the interaction with Keycloak for managing authentication and user permissions with OpenID Connect.

Parameters:
  • server_url – URL of the Keycloak server

  • realm_name – The realm name

  • client_id – The OpenID Connect client identifier

  • realm_public_key – The realm public key (will be dynamically retrieved if not provided)

property realm_name
property client_id
well_known() → Dict[str, Any]

Retrieve the OpenID Connect Well-Known URI registry from Keycloak.

Returns:

A dictionary filled with OpenID Connect URIs.

authorization_url(redirect_uri: str, **extra_params: str) → str

Get OpenID Connect authorization URL to authenticate users.

Parameters:
  • redirect_uri – URI to redirect to once a user is authenticated

  • extra_params – Extra query parameters to add to the authorization URL

authorization_code(code: str, redirect_uri: str, **extra_params: str) → Dict[str, Any]

Get OpenID Connect authentication tokens using Authorization Code flow.

Raises:

KeycloakError in case of authentication failures

Parameters:
  • code – Authorization code provided by Keycloak

  • redirect_uri – URI to redirect to once a user is authenticated (must be the same as the one provided to authorization_url)

  • extra_params – Extra parameters to add in the authorization request payload.
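
An added example (not code from swh.auth or this documentation) showing how authorization_url and authorization_code can carry a `state` value and a PKCE challenge through `extra_params`. It assumes `oidc_client` is a `KeycloakOpenIDConnect` instance that forwards the standard OAuth 2.0 parameters `state`, `code_challenge`, `code_challenge_method` and `code_verifier` unchanged; `session` and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Any, Dict, Tuple


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, within the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def begin_login(oidc_client: Any, redirect_uri: str, session: Dict[str, str]) -> str:
    """Build the authorization URL and remember what the callback must check.

    oidc_client is expected to be a KeycloakOpenIDConnect instance; session is
    a per-user server-side store (hypothetical, e.g. the web framework session).
    """
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)
    session.update(oidc_state=state, oidc_verifier=verifier,
                   oidc_redirect_uri=redirect_uri)
    # Assumption: extra_params are forwarded unchanged as query parameters.
    return oidc_client.authorization_url(
        redirect_uri, state=state,
        code_challenge=challenge, code_challenge_method="S256")


def finish_login(oidc_client: Any, session: Dict[str, str],
                 code: str, returned_state: str) -> Dict[str, Any]:
    """Validate the callback, then exchange the code for tokens."""
    expected = session.pop("oidc_state", "")
    verifier = session.pop("oidc_verifier", "")
    redirect_uri = session.pop("oidc_redirect_uri", "")
    # Reject callbacks that do not belong to a login this session started.
    if not expected or not hmac.compare_digest(
            expected.encode(), returned_state.encode()):
        raise ValueError("OIDC state mismatch")
    # Same redirect_uri as in begin_login; KeycloakError propagates on failure.
    return oidc_client.authorization_code(code, redirect_uri, code_verifier=verifier)
```

The stored values are popped before the comparison, so a callback can be used only once per login attempt.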

login(username: str, password: str, scope: str = 'openid', **extra_params: str) → Dict[str, Any]

Get OpenID Connect authentication tokens using Direct Access Grant flow.

Raises:

KeycloakError in case of authentication failures

Parameters:
  • username – an existing username in the realm

  • password – password associated with username

  • extra_params – Extra parameters to add in the authorization request payload.

refresh_token(refresh_token: str) → Dict[str, Any]

Request a new access token from Keycloak using a refresh token.

Parameters:

refresh_token – A refresh token provided by Keycloak

Returns:

A dictionary filled with tokens info

decode_token(token: str, options: Dict[str, Any] | None = None) → Dict[str, Any]

Try to decode a JWT token.

Parameters:
  • token – A JWT token to decode

  • options – Options for jose.jwt.decode

Returns:

A dictionary filled with decoded token content

logout(refresh_token: str) → None

Log out a user by closing their authenticated session.

Parameters:

refresh_token – A refresh token provided by Keycloak

userinfo(access_token: str) → Dict[str, Any]

Return user information from its access token.

Parameters:

access_token – An access token provided by Keycloak

Returns:

A dictionary filled with user information

classmethod from_config(**kwargs: Any) → KeycloakOpenIDConnect

Instantiate a KeycloakOpenIDConnect class from a configuration dict.

Parameters:

kwargs – configuration dict for the instance, with one keycloak key, whose value is a Dict with the following keys:

  • server_url – URL of the Keycloak server

  • realm_name – The realm name

  • client_id – The OpenID Connect client identifier

Returns:

the KeycloakOpenIDConnect instance

classmethod from_configfile(**kwargs: Any) → KeycloakOpenIDConnect

Instantiate a KeycloakOpenIDConnect class from the configuration loaded from the SWH_CONFIG_FILENAME envvar, with potential extra keyword arguments if their value is not None.

Parameters:

kwargs – kwargs passed to instantiation call

Returns:

the KeycloakOpenIDConnect instance

swh.auth.keycloak.keycloak_error_message(keycloak_error: KeycloakError) → str

Transform a keycloak exception into an error message.