Authentication Plugins¶

V2 Identity Plugins¶

Standard V2 identity plugins are defined in the module: keystoneauth1.identity.v2

They include:

• Password: Authenticate against a V2 identity service using a username and password.

• Token: Authenticate against a V2 identity service using an existing token.

V2 identity plugins must use an auth_url that points to the root of a V2 identity server URL, i.e.: http://hostname:5000/v2.0.

V3 Identity Plugins¶

Standard V3 identity plugins are defined in the module keystoneauth1.identity.v3.

V3 Identity plugins are slightly different from their V2 counterparts as a V3 authentication request can contain multiple authentication methods. To handle this V3 defines a number of different AuthMethod classes:

• PasswordMethod: Authenticate against a V3 identity service using a username and password.

• TokenMethod: Authenticate against a V3 identity service using an existing token.

• ReceiptMethod: Authenticate against a V3 identity service using an existing auth-receipt. This method has to be used in conjunction with at least one other method.

• TOTPMethod: Authenticate against a V3 identity service using Time-Based One-Time Password (TOTP).

• TokenlessAuth: Authenticate against a V3 identity service using tokenless authentication.

• ApplicationCredentialMethod: Authenticate against a V3 identity service using an application credential.

• KerberosMethod: Authenticate against a V3 identity service using Kerberos.

• OAuth2ClientCredentialMethod: Authenticate against a V3 identity service using an OAuth2.0 client credential.

• OAuth2mTlsClientCredential: Authenticate against a V3 identity service using an OAuth2.0 Mutual-TLS client credentials.

The AuthMethod objects are then passed to the Auth plugin:

>>> from keystoneauth1 import session
>>> from keystoneauth1.identity import v3
>>> password = v3.PasswordMethod(username='user',
...                              password='password',
...                              user_domain_name='default')
>>> auth = v3.Auth(auth_url='http://my.keystone.com:5000/v3',
...                auth_methods=[password],
...                project_id='projectid')
>>> sess = session.Session(auth=auth)

You can even add additional methods to an existing auth instance after it has been created:

>>> totp = v3.TOTPMethod(username='user',
...                      passcode='123456',
...                      user_domain_name='default')
>>> auth.add_method(totp)

Or use the MultiFactor helper plugin to do it all simply in one go, an example of whichs exists in the section below.

For the common cases where you will only want to use one AuthMethod there are also helper authentication plugins for the various AuthMethod which can be used more like the V2 plugins:

• Password: Authenticate using only a PasswordMethod.

• Token: Authenticate using only a TokenMethod.

• TOTP: Authenticate using only a TOTPMethod.

• Kerberos: Authenticate using only a KerberosMethod.

>>> auth = v3.Password(auth_url='http://my.keystone.com:5000/v3',
...                    username='username',
...                    password='password',
...                    project_id='projectid',
...                    user_domain_name='default')
>>> sess = session.Session(auth=auth)

This will have exactly the same effect as using the single PasswordMethod above.

V3 identity plugins must use an auth_url that points to the root of a V3 identity server URL, i.e.: http://hostname:5000/v3.

Multi-Factor with V3 Identity Plugins¶

The basic example of multi-factor authentication is when you supply all the needed auth methods up front.

This can be done by building an Auth class with method instances:

from keystoneauth1 import session
from keystoneauth1.identity import v3

auth = v3.Auth(
    auth_url='http://my.keystone.com:5000/v3',
    auth_methods=[
        v3.PasswordMethod(
            username='user',
            password='password',
            user_domain_id="default",
        ),
        v3.TOTPMethod(
            username='user',
            passcode='123456',
            user_domain_id="default",
        )
    ],
    project_id='projectid',
)
sess = session.Session(auth=auth)

Or by letting the helper plugin do it for you:

from keystoneauth1 import session
from keystoneauth1.identity import v3

auth = v3.MultiFactor(
    auth_url='http://my.keystone.com:5000/v3',
    auth_methods=['v3password', 'v3totp'],
    username='user',
    password='password',
    passcode='123456',
    user_domain_id="default",
    project_id='projectid',
)
sess = session.Session(auth=auth)

Note: The MultiFactor helper does not support auth receipts as an option in auth_methods, but one can be added with auth.add_method.

When you supply just one method when multiple are needed, a MissingAuthMethods error will be raised. This can be caught, and you can infer based on the error what the missing methods were, and from it extract the receipt to continue authentication:

auth = v3.Password(auth_url='http://my.keystone.com:5000/v3',
                   username='username',
                   password='password',
                   project_id='projectid',
                   user_domain_id='default')
sess = session.Session(auth=auth)
try:
   sess.get_token()
except exceptions.MissingAuthMethods as e:
    receipt = e.receipt
    methods = e.methods
    required_methods = e.required_auth_methods

Once you know what auth methods are needed to continue, you can extend the existing auth plugin with additional methods:

auth.add_method(
    v3.TOTPMethod(
        username='user',
        passcode='123456',
        user_domain_id='default',
    )
)
sess.get_token()

Or if you do not have the existing auth method, but have the receipt you can continue as well:

auth = v3.TOTP(
    auth_url='http://my.keystone.com:5000/v3',
    username='user',
    passcode='123456',
    user_domain_id='default',
    project_id='projectid',
)
auth.add_method(v3.ReceiptMethod(receipt=receipt))
sess = session.Session(auth=auth)
sess.get_token()

Standalone Plugins¶

Services can be deployed in a standalone environment where there is no integration with an identity service. The following plugins are provided to support standalone services:

• HTTPBasicAuth: HTTP Basic authentication

• NoAuth: No authentication

Standalone plugins must be given an endpoint that points to the URL of the one service being used, since there is no service catalog to look up endpoints:

from keystoneauth1 import session
from keystoneauth1 import noauth
auth = noauth.NoAuth(endpoint='http://hostname:6385/')
sess = session.Session(auth=auth)

HTTPBasicAuth also requres a username and password:

from keystoneauth1 import session
from keystoneauth1 import http_basic
auth = http_basic.HTTPBasicAuth(endpoint='http://hostname:6385/',
                                username='myUser',
                                password='myPassword')
sess = session.Session(auth=auth)

Version Independent Identity Plugins¶

Standard version independent identity plugins are defined in the module keystoneauth1.identity.generic.

For the cases of plugins that exist under both the identity V2 and V3 APIs there is an abstraction to allow the plugin to determine which of the V2 and V3 APIs are supported by the server and use the most appropriate API.

These plugins are:

• Password: Authenticate using a user/password against either v2 or v3 API.

• Token: Authenticate using an existing token against either v2 or v3 API.

These plugins work by first querying the identity server to determine available versions and so the auth_url used with the plugins should point to the base URL of the identity server to use. If the auth_url points to either a V2 or V3 endpoint it will restrict the plugin to only working with that version of the API.

Simple Plugins¶

In addition to the Identity plugins a simple plugin that will always use the same provided token and endpoint is available. This is useful for situations where you have a token and want to bypass authentication to obtain a new token for subsequent requests. Testing, proxies, and service-to-service authentication on behalf of a user are good examples use cases for this authentication plugin.

It can be found at keystoneauth1.token_endpoint.Token.

For example:

>>> from keystoneauth1 import token_endpoint
>>> from keystoneauth1 import session
>>> a = token_endpoint.Token('http://my.keystone.com:5000/v3',
...                          token=token)
>>> s = session.Session(auth=a)

V3 OAuth 1.0a Plugins¶

There also exists a plugin for OAuth 1.0a authentication. We provide a helper authentication plugin at: V3OAuth1. The plugin requires the OAuth consumer’s key and secret, as well as the OAuth access token’s key and secret. For example:

>>> from keystoneauth1.extras import oauth1
>>> from keystoneauth1 import session
>>> a = oauth1.V3OAuth1('http://my.keystone.com:5000/v3',
...                     consumer_key=consumer_id,
...                     consumer_secret=consumer_secret,
...                     access_key=access_token_key,
...                     access_secret=access_token_secret)
>>> s = session.Session(auth=a)

Creating an Identity Plugin¶

If you have implemented a new authentication mechanism into the Identity service then you will be able to reuse a lot of the infrastructure available for the existing Identity mechanisms. As the V2 identity API is essentially frozen, it is expected that new plugins are for the V3 API.

To implement a new V3 plugin that can be combined with others you should implement the base keystoneauth1.identity.v3.AuthMethod class and implement the get_auth_data() function. If your Plugin cannot be used in conjunction with existing keystoneauth1.identity.v3.AuthMethod then you should just override keystoneauth1.identity.v3.Auth directly.

The new AuthMethod should take all the required parameters via __init__() and return from get_auth_data() a tuple with the unique identifier of this plugin (e.g. password) and a dictionary containing the payload of values to send to the authentication server. The session, calling auth object and request headers are also passed to this function so that the plugin may use or manipulate them.

You should also provide a class that inherits from keystoneauth1.identity.v3.Auth with an instance of your new AuthMethod as the auth_methods parameter to keystoneauth1.identity.v3.Auth.

By convention (and like above) these are named PluginType and PluginTypeMethod (for example Password and PasswordMethod).

Creating a Custom Plugin¶

To implement an entirely new plugin you should implement the base class keystoneauth1.plugin.BaseAuthPlugin and provide the get_endpoint(), get_token() and invalidate() methods.

get_token() is called to retrieve the string token from a plugin. It is intended that a plugin will cache a received token and so if the token is still valid then it should be re-used rather than fetching a new one. A session object is provided with which the plugin can contact it’s server. (Note: use authenticated=False when making those requests or it will end up being called recursively). The return value should be the token as a string.

get_endpoint() is called to determine a base URL for a particular service’s requests. The keyword arguments provided to the function are those that are given by the endpoint_filter variable in keystoneauth1.session.Session.request(). A session object is also provided so that the plugin may contact an external source to determine the endpoint. Again this will be generally be called once per request and so it is up to the plugin to cache these responses if appropriate. The return value should be the base URL to communicate with.

invalidate() should also be implemented to clear the current user credentials so that on the next get_token() call a new token can be retrieved.

The most simple example of a plugin is the keystoneauth1.token_endpoint.Token plugin.