OIDCAuthorizationCodeFlowAuth

class eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth(provider, config)

Implements the authorization code flow of the OpenID Connect specification.

The OpenID Connect specification adds an authentication layer on top of OAuth 2.0. This plugin implements the authorization code flow option of this specification.

The particularity of this plugin is that it performs a headless interaction (not involving the user) with the OpenID provider, if necessary, to authenticate a registered user with their username and password on the server and then grant eodag the necessary rights. It does so using the client ID of the eodag provider that uses it. If the client secret of that eodag provider is known, it is used together with the client ID for HTTP Basic authentication during the token exchange request. The headless interaction is fully configurable and relies on XPath expressions to retrieve all the necessary information.

Parameters:
  • provider (str) – provider name

  • config (PluginConfig) –

    Authentication plugin configuration:

    • type (str) (mandatory): OIDCAuthorizationCodeFlowAuth

    • redirect_uri (str) (mandatory): The callback url that will handle the code given by the OIDC provider

    • oidc_config_url (str) (mandatory): The url to get the OIDC Provider’s endpoints

    • client_id (str) (mandatory): The OIDC provider’s client ID of the eodag provider

    • user_consent_needed (bool) (mandatory): Whether a user consent is needed during the authentication

    • token_exchange_post_data_method (str) (mandatory): One of: json, data or params. This is the way to pass the data to the POST request that is made to the token server. They correspond to the recognised keyword arguments of the Python requests library

    • token_key (str): The key pointing to the token in the json response to the POST request to the token server

    • token_provision (str) (mandatory): One of qs or header. This is how the token obtained will be used to authenticate the user on protected requests. If qs is chosen, then token_qs_key is mandatory

    • login_form_xpath (str) (mandatory): The xpath to the HTML form element representing the user login form

    • authentication_uri_source (str) (mandatory): Where to look for the authentication_uri. One of config (in the configuration) or login-form (use the ‘action’ URL found in the login form retrieved with login_form_xpath). If the value is config, authentication_uri config param is mandatory

    • authentication_uri (str): (mandatory if authentication_uri_source=config) The URL of the authentication backend of the OIDC provider

    • user_consent_form_xpath (str): The xpath to the user consent form. The form is searched in the content of the response to the authorization request

    • user_consent_form_data (dict[str, str]): The data that will be passed with the POST request on the form ‘action’ URL. The data are given as key value pairs, the keys representing the data key and the value being either a ‘constant’ string value, or a string of the form ‘xpath(<path-to-a-value-to-be-retrieved>)’ and representing a value to be retrieved in the user consent form. The xpath must resolve directly to a string value, not to an HTML element. Example: xpath(//input[@name="sessionDataKeyConsent"]/@value)

    • additional_login_form_data (dict[str, str]): A mapping giving additional data to be passed to the login POST request. The value follows the same rules as with user_consent_form_data

    • exchange_url_error_pattern (dict[str, str]): Key/value pairs of patterns/messages. If exchange_url contains the given pattern, the associated message will be sent in an AuthenticationError

    • client_secret (str): The OIDC provider’s client secret of the eodag provider

    • token_exchange_params (dict[str, str]): mandatory keys for the dict: redirect_uri, client_id; A mapping between OIDC url query string and token handler query string params (only necessary if they are not the same as for OIDC). This is eodag provider dependent

    • token_qs_key (str): (mandatory when token_provision=qs) Refers to the name of the query param to be used in the query request

    • refresh_token_key (str): The key pointing to the refresh_token in the json response to the POST request to the token server

    • token_expiration_margin (int): The margin of time (in seconds) before a token is considered expired. Default: 60 seconds.
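The configuration keys above each control one step of the flow. The following Python example is added here to show those steps in working code; it is not eodag's own code, and the function names (compute_state, extract_code, build_token_request, authenticated_request), the AuthenticationError class and the CONFIG values are constructed for illustration. It assumes the token is sent as a Bearer token when token_provision is header, and that the exchange URL is the callback URL that carries the code.

```python
"""Added illustration (not eodag's own code) of what the plugin's configuration
keys control: the anti-CSRF ``state`` value, validation of the callback URL
(exchange_url_error_pattern), the token exchange request
(token_exchange_post_data_method, token_exchange_params, client_secret) and how
the token is attached to protected requests (token_provision, token_qs_key).
Function names are hypothetical stand-ins."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthenticationError(Exception):
    """Raised when the authorization callback cannot be trusted or used."""


def compute_state() -> str:
    # A fresh, unguessable value per authorization request; the callback must
    # echo it back, otherwise a code obtained elsewhere could be injected.
    return secrets.token_urlsafe(32)


def extract_code(authorized_url: str, expected_state: str, config: dict) -> str:
    """Validate the callback URL delivered after login and return the code."""
    # exchange_url_error_pattern: a substring of the callback URL is mapped to
    # the message to report (for example a denied consent error page).
    for pattern, message in config.get("exchange_url_error_pattern", {}).items():
        if pattern in authorized_url:
            raise AuthenticationError(message)
    query = parse_qs(urlparse(authorized_url).query)
    state = query.get("state", [""])[0]
    # Constant-time comparison so a mismatch does not leak timing information.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise AuthenticationError("state mismatch in authorization callback")
    code = query.get("code", [""])[0]
    if not code:
        raise AuthenticationError("no authorization code in callback")
    return code


def build_token_request(code: str, config: dict) -> dict:
    """Build keyword arguments for requests.post() to the token endpoint."""
    # token_exchange_params renames the standard OIDC parameter names for
    # providers whose token endpoint expects different ones; identity otherwise.
    rename = config.get("token_exchange_params", {})
    payload = {
        rename.get("redirect_uri", "redirect_uri"): config["redirect_uri"],
        rename.get("client_id", "client_id"): config["client_id"],
        rename.get("code", "code"): code,
        rename.get("grant_type", "grant_type"): "authorization_code",
    }
    # token_exchange_post_data_method is the requests keyword (json, data or
    # params) through which the payload is passed.
    kwargs = {config["token_exchange_post_data_method"]: payload}
    # A known client_secret is sent with the client ID as HTTP Basic auth.
    if config.get("client_secret"):
        kwargs["auth"] = (config["client_id"], config["client_secret"])
    return kwargs


def authenticated_request(url: str, token: str, config: dict) -> dict:
    """Return the URL and headers to use for a protected request."""
    # token_provision "header": Bearer token in Authorization (assumed scheme).
    # token_provision "qs": token appended as the query parameter token_qs_key.
    if config["token_provision"] == "header":
        return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}
    if config["token_provision"] == "qs":
        sep = "&" if urlparse(url).query else "?"
        return {"url": url + sep + urlencode({config["token_qs_key"]: token}), "headers": {}}
    raise ValueError("token_provision must be 'qs' or 'header'")


# Constructed configuration mirroring the documented keys (placeholder values).
CONFIG = {
    "redirect_uri": "https://example.invalid/callback",
    "client_id": "eodag-client",
    "client_secret": "example-secret",
    "token_exchange_post_data_method": "data",
    "token_provision": "qs",
    "token_qs_key": "access_token",
    "exchange_url_error_pattern": {"error=access_denied": "consent was denied"},
}

if __name__ == "__main__":
    st = compute_state()
    code = extract_code(f"https://example.invalid/callback?code=abc123&state={st}", st, CONFIG)
    print(build_token_request(code, CONFIG))
    print(authenticated_request("https://example.invalid/search?q=x", "tok", CONFIG))
```

With token_provision set to qs the token travels in the URL, where it is more likely to end up in server logs and referrers than an Authorization header; prefer header where the provider supports it.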

__init__(provider, config)
Methods

  • __init__(provider, config)

  • authenticate(): Authenticate

  • authenticate_objects(bucket_names_and_prefixes): Authenticates with S3 and retrieves the available objects

  • authenticate_user(state): Authenticate user

  • compute_state(): Compute state

  • decode_jwt_token(token): Decode JWT token

  • exchange_code_for_token(authorized_url, state): Get exchange code for token

  • grant_user_consent(authentication_response): Grant user consent

  • validate_config_credentials(): Validate configured credentials
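The decode_jwt_token method and the access_token_expiration attribute, together with the token_expiration_margin parameter, concern what a client may trust in a token and when it should stop using it. The Python example below is added to illustrate that check; it is not eodag's code. The plugin's jwks_client fetches the provider's published keys, whereas here an HS256 shared secret stands in (an assumption made only so the example runs offline), and make_hs256_token, decode_jwt_token and is_expired are hypothetical names.

```python
"""Added illustration (not eodag's own code): verify a JWT before trusting its
claims, then apply token_expiration_margin to its ``exp``. HS256 with a shared
secret replaces the provider's JWKS keys so that the example is self-contained."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a signed token (constructed test data, not a real provider token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_jwt_token(token: str, secret: bytes) -> dict:
    """Verify the signature and return the claims; unverified claims are never returned."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm instead of honouring whatever the token declares.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def is_expired(expiration: float, margin: int = 60, now: Optional[float] = None) -> bool:
    """token_expiration_margin: treat the token as expired `margin` seconds before
    its real expiry, so a request issued just before then is not rejected server-side."""
    now = time.time() if now is None else now
    return now >= expiration - margin


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    token = make_hs256_token({"sub": "user", "exp": int(time.time()) + 300}, secret)
    claims = decode_jwt_token(token, secret)
    print("expires at", claims["exp"], "expired with margin:", is_expired(claims["exp"]))
```

The order matters: the expiry is read from the claims only after the signature check succeeds, so a forged or modified token cannot extend its own lifetime.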

Attributes

  • CONFIG_XPATH_REGEX

  • RESPONSE_TYPE

  • SCOPE

  • plugins

  • jwks_client

  • access_token

  • access_token_expiration

  • refresh_token

  • refresh_token_expiration

  • token_endpoint

  • authorization_endpoint