swh.web.auth.keycloak module

class swh.web.auth.keycloak.KeycloakOpenIDConnect(server_url: str, realm_name: str, client_id: str, realm_public_key: str = '')

Bases: object

Wrapper class around python-keycloak to ease the interaction with Keycloak for managing authentication and user permissions with OpenID Connect.

well_known() → Dict[str, Any]

Retrieve the OpenID Connect Well-Known URI registry from Keycloak.

Returns

A dictionary filled with OpenID Connect URIs.

authorization_url(redirect_uri: str, **extra_params: str) → str

Get OpenID Connect authorization URL to authenticate users.

Parameters
  • redirect_uri – URI to redirect to once a user is authenticated

  • extra_params – Extra query parameters to add to the authorization URL

authorization_code(code: str, redirect_uri: str, **extra_params: str) → Dict[str, Any]

Get OpenID Connect authentication tokens using Authorization Code flow.

Parameters
  • code – Authorization code provided by Keycloak

  • redirect_uri – URI to redirect to once a user is authenticated (must be the same as the one provided to authorization_url).

  • extra_params – Extra parameters to add in the authorization request payload.

offline_token(username: str, password: str) → str

Generate an OpenID Connect offline refresh token.

Offline tokens are a special type of refresh token with a long lifetime. They make it possible to open a new authenticated session without having to log in again.

Parameters
  • username – username in the Keycloak realm

  • password – password associated with the username

Returns

An offline refresh token

refresh_token(refresh_token: str) → Dict[str, Any]

Request a new access token from Keycloak using a refresh token.

Parameters

refresh_token – A refresh token provided by Keycloak

Returns

A dictionary filled with tokens info

decode_token(token: str, options: Optional[Dict[str, Any]] = None) → Dict[str, Any]

Try to decode a JWT.

Parameters
  • token – A JWT token to decode

  • options – Options for jose.jwt.decode

Returns

A dictionary filled with decoded token content
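The authorization_url, authorization_code and decode_token methods above combined into a complete Authorization Code login with state and nonce checks. This is an added example, not swh.web code: StubOIDC is a constructed stand-in that only mirrors the documented signatures so the flow runs without a Keycloak server, and the keys in ID_TOKEN_OPTIONS are python-jose's jwt.decode option names.

```python
import secrets
from typing import Any, Dict, Mapping, MutableMapping

# Options forwarded to jose.jwt.decode by decode_token(); the wrapper takes no
# ``audience`` argument, so the aud claim is checked explicitly in finish_login().
ID_TOKEN_OPTIONS = {"verify_signature": True, "verify_exp": True, "verify_aud": False}

def start_login(oidc, session: MutableMapping[str, str], redirect_uri: str) -> str:
    """Bind the login to this session: state blocks login CSRF, nonce blocks
    ID token replay; both go through authorization_url()'s extra_params."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    return oidc.authorization_url(
        redirect_uri, state=session["oidc_state"], nonce=session["oidc_nonce"]
    )

def finish_login(oidc, session: MutableMapping[str, str], callback: Mapping[str, str],
                 redirect_uri: str, client_id: str) -> Dict[str, Any]:
    """Exchange the callback code for tokens and validate the ID token claims."""
    # state and nonce are single-use: pop them so a replayed callback fails
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    if not expected_state or callback.get("state") != expected_state:
        raise PermissionError("state mismatch: callback not bound to this session")
    tokens = oidc.authorization_code(callback["code"], redirect_uri)
    claims = oidc.decode_token(tokens["id_token"], options=ID_TOKEN_OPTIONS)
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("ID token audience does not match this client")
    if claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce mismatch: ID token not issued for this login")
    session["refresh_token"] = tokens["refresh_token"]  # kept for refresh/logout
    return claims

class StubOIDC:
    """Constructed stand-in with the KeycloakOpenIDConnect signatures used above."""
    def __init__(self, client_id: str) -> None:
        self.client_id, self.last_nonce = client_id, None

    def authorization_url(self, redirect_uri: str, **extra_params: str) -> str:
        self.last_nonce = extra_params["nonce"]  # a real IdP echoes it in the ID token
        query = "&".join(f"{k}={v}" for k, v in sorted(extra_params.items()))
        return f"https://keycloak.example/auth?redirect_uri={redirect_uri}&{query}"

    def authorization_code(self, code: str, redirect_uri: str, **extra: str) -> Dict[str, Any]:
        return {"id_token": "stub.id.token", "refresh_token": "stub-refresh"}

    def decode_token(self, token: str, options=None) -> Dict[str, Any]:
        return {"sub": "user-1", "aud": self.client_id, "nonce": self.last_nonce}
```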

logout(refresh_token: str) → None

Log out a user by closing their authenticated session.

Parameters

refresh_token – A refresh token provided by Keycloak

userinfo(access_token: str) → Dict[str, Any]

Return user information from the user's access token.

Parameters

access_token – An access token provided by Keycloak

Returns

A dictionary filled with user information

swh.web.auth.keycloak.get_keycloak_oidc_client(server_url: str, realm_name: str, client_id: str) → swh.web.auth.keycloak.KeycloakOpenIDConnect

Instantiate a KeycloakOpenIDConnect class for a given client in a given realm.

Parameters
  • server_url – Base URL of a Keycloak server

  • realm_name – Name of the realm in Keycloak

  • client_id – Client identifier in the realm

Returns

An object to ease the interaction with the Keycloak server