KeycloakOIDCPasswordAuth

class eodag.plugins.authentication.keycloak.KeycloakOIDCPasswordAuth(provider, config)

Authentication plugin using Keycloak and OpenID Connect.

This plugin requests a token which is added to a query-string or a header for authentication.

Parameters:
  • provider (str) – provider name

  • config (PluginConfig) –

    Authentication plugin configuration:

    • type (str) (mandatory): KeycloakOIDCPasswordAuth

    • oidc_config_url (str) (mandatory): The URL from which the OIDC provider’s endpoints are retrieved

    • client_id (str) (mandatory): Keycloak client id

    • client_secret (str) (mandatory): Keycloak client secret, set to null if no secret is used

    • token_provision (str) (mandatory): whether the token should be added to the query string (qs) or to the header (header)

    • token_qs_key (str): (mandatory if token_provision=qs) key of the param added to the query string

    • allowed_audiences (list[str]) (mandatory): The allowed audiences that have to be present in the user token.

    • auth_error_code (int): which error code is returned in case of an authentication error

    • ssl_verify (bool): Whether the SSL certificates should be verified in the token request; default: True

    • token_expiration_margin (int): The margin of time (in seconds) before a token is considered expired. Default: 60 seconds

Using HTTPDownload, a download link http://example.com?foo=bar will become http://example.com?foo=bar&my-token=obtained-token when associated with the following configuration:

provider:
    ...
    auth:
        plugin: KeycloakOIDCPasswordAuth
        oidc_config_url: 'https://somewhere/auth/realms/realm/.well-known/openid-configuration'
        client_id: 'SOME_ID'
        client_secret: '01234-56789'
        token_provision: qs
        token_qs_key: 'my-token'
        ...
    ...

If configured to send the token through the header, the download request header will be updated with Authorization: "Bearer obtained-token" when associated with the following configuration:

provider:
    ...
    auth:
        plugin: KeycloakOIDCPasswordAuth
        oidc_config_url: 'https://somewhere/auth/realms/realm/.well-known/openid-configuration'
        client_id: 'SOME_ID'
        client_secret: '01234-56789'
        token_provision: header
        ...
    ...
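
The sketch below is an added example, not eodag's own code: it shows how token_provision, token_qs_key, allowed_audiences and token_expiration_margin could be applied to a request. The function names are hypothetical, the claims are assumed to come from a token whose signature has already been verified, and accepting a token on a single matching audience is an assumption about the matching rule.

```python
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def token_is_usable(claims, allowed_audiences, margin=60, now=None):
    """Check claims of an already signature-verified token (assumed input)."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    # RFC 7519 allows "aud" to be a single string or a list of strings.
    audiences = {aud} if isinstance(aud, str) else set(aud)
    # Assumption: one matching audience is enough to accept the token.
    if not audiences & set(allowed_audiences):
        return False
    exp = claims.get("exp")
    # Expire `margin` seconds early so the token cannot lapse mid-request.
    return exp is not None and now < exp - margin


def apply_token(url, headers, token, token_provision, token_qs_key=None):
    """Return (url, headers) with the token attached as configured."""
    if token_provision == "header":
        return url, {**headers, "Authorization": f"Bearer {token}"}
    if token_provision == "qs":
        if not token_qs_key:
            raise ValueError("token_qs_key is mandatory when token_provision=qs")
        parts = urlsplit(url)
        # Append to the existing parameters instead of overwriting them.
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append((token_qs_key, token))
        return urlunsplit(parts._replace(query=urlencode(query))), dict(headers)
    raise ValueError(f"unknown token_provision: {token_provision!r}")


if __name__ == "__main__":
    # Constructed sample claims and token, not real Keycloak output.
    claims = {"aud": ["account", "SOME_ID"], "exp": 1_700_000_600}
    print(token_is_usable(claims, ["SOME_ID"], margin=60, now=1_700_000_000))
    print(apply_token("http://example.com?foo=bar", {}, "obtained-token", "qs", "my-token"))
    print(apply_token("http://example.com?foo=bar", {}, "obtained-token", "header"))
```

With qs the token becomes part of the URL and can be recorded wherever URLs are logged; header keeps it out of the URL.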

__init__(provider, config)
Parameters:

Methods

__init__(provider, config)

authenticate()

Makes authentication request

authenticate_objects(bucket_names_and_prefixes)

Authenticates with S3 and retrieves the available objects

decode_jwt_token(token)

Decode JWT token.

validate_config_credentials()

Validate configured credentials

Attributes

GRANT_TYPE

REQUIRED_PARAMS

plugins

jwks_client

access_token

access_token_expiration

refresh_token

refresh_token_expiration

token_endpoint

authorization_endpoint