Warning
This document is for an in-development version of Galaxy. You can alternatively view this page in the latest release if it exists or view the top of the latest release's documentation.
galaxy.authnz package
Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).
This package follows “authorization code flow” authentication protocol to authenticate Galaxy users against third-party identity providers.
Additionally, this package implements functionalist’s to request temporary access credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).
- class galaxy.authnz.IdentityProvider(provider, config, backend_config)[source]
Bases:
object
OpenID Connect Identity Provider abstract interface.
- __init__(provider, config, backend_config)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
- authenticate(trans, idphint=None)[source]
Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.
- Parameters:
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Returns:
a redirect URI to the provider’s authentication endpoint
- callback(state_token: str, authz_code: str, trans, login_redirect_url)[source]
Handles authentication call-backs from identity providers.
This process maps state-token to a user.
- Parameters:
state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Return type:
- Returns:
a tuple of redirect_url and user.
- logout(trans, post_user_logout_href=None)[source]
Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.
- Parameters:
trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.
Submodules
galaxy.authnz.custos_authnz module
- class galaxy.authnz.custos_authnz.CustosAuthnzConfiguration(provider: str, verify_ssl: bool | NoneType, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | NoneType, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | NoneType, extra_scopes: List[str], authorization_endpoint: str | NoneType, token_endpoint: str | NoneType, end_session_endpoint: str | NoneType, well_known_oidc_config_uri: str | NoneType, iam_client_secret: str | NoneType, userinfo_endpoint: str | NoneType, credential_url: str | NoneType, issuer: str | NoneType, jwks_uri: str | NoneType)[source]
Bases:
object
- __init__(provider: str, verify_ssl: bool | None, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | None, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | None, extra_scopes: List[str], authorization_endpoint: str | None, token_endpoint: str | None, end_session_endpoint: str | None, well_known_oidc_config_uri: str | None, iam_client_secret: str | None, userinfo_endpoint: str | None, credential_url: str | None, issuer: str | None, jwks_uri: str | None) None
- class galaxy.authnz.custos_authnz.OIDCAuthnzBase(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Bases:
IdentityProvider
- __init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
- authenticate(trans, idphint=None)[source]
Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.
- Parameters:
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Returns:
a redirect URI to the provider’s authentication endpoint
- callback(state_token, authz_code, trans, login_redirect_url)[source]
Handles authentication call-backs from identity providers.
This process maps state-token to a user.
- Parameters:
state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Return type:
- Returns:
a tuple of redirect_url and user.
- logout(trans, post_user_logout_href=None)[source]
Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.
- Parameters:
trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.
- class galaxy.authnz.custos_authnz.OIDCAuthnzBaseKeycloak(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Bases:
OIDCAuthnzBase
- __init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
- class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCiLogon(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Bases:
OIDCAuthnzBase
- __init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
- class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCustos(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Bases:
OIDCAuthnzBase
- __init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
galaxy.authnz.managers module
- class galaxy.authnz.managers.AuthnzManager(app, oidc_config_file, oidc_backends_config_file)[source]
Bases:
object
- __init__(app, oidc_config_file, oidc_backends_config_file)[source]
- Parameters:
app (galaxy.app.UniverseApplication) –
config (string) – sets the path for OIDC configuration file (e.g., oidc_backends_config.xml).
- authenticate(provider, trans, idphint=None)[source]
- Parameters:
provider (string) – set the name of the identity provider to be used for authentication flow.
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Returns:
an identity provider specific authentication redirect URI.
- logout(provider, trans, post_user_logout_href=None)[source]
Log the user out of the identity provider.
- Parameters:
provider (string) – set the name of the identity provider.
trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – (Optional) URL for identity provider to redirect to after logging user out.
- Returns:
a tuple (success boolean, message, redirect URI)
galaxy.authnz.psa_authnz module
- class galaxy.authnz.psa_authnz.PSAAuthnz(provider, oidc_config, oidc_backend_config)[source]
Bases:
IdentityProvider
- __init__(provider, oidc_config, oidc_backend_config)[source]
Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.
- Parameters:
provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.
- authenticate(trans, idphint=None)[source]
Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.
- Parameters:
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Returns:
a redirect URI to the provider’s authentication endpoint
- callback(state_token, authz_code, trans, login_redirect_url)[source]
Handles authentication call-backs from identity providers.
This process maps state-token to a user.
- Parameters:
state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.
- Return type:
- Returns:
a tuple of redirect_url and user.
- class galaxy.authnz.psa_authnz.Strategy(request, session, storage, config, tpl=None)[source]
Bases:
BaseStrategy
- class galaxy.authnz.psa_authnz.Storage[source]
Bases:
object
- user
alias of
UserAuthnzToken
- association
alias of
PSAAssociation
- partial
alias of
PSAPartial
- galaxy.authnz.psa_authnz.contains_required_data(response=None, is_new=False, **kwargs)[source]
This function is called as part of authentication and authorization pipeline before user is authenticated or authorized (see AUTH_PIPELINE).
This function asserts if all the data required by Galaxy for a user is provided. It raises an exception if any of the required data is missing, and returns void if otherwise.
- Parameters:
response (dict) –
a dictionary containing decoded response from OIDC backend that contain the following keys among others:
id_token; see: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
access_token; see: https://tools.ietf.org/html/rfc6749#section-1.4
refresh_token; see: https://tools.ietf.org/html/rfc6749#section-1.5
token_type; see: https://tools.ietf.org/html/rfc6750#section-6.1.1
scope; see: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- expires_in; is the expiration time of the access and ID tokens in seconds since
the response was generated.
is_new (bool) – has the user been authenticated?
kwargs –
may contain the following keys among others:
uid: user ID
user: Galaxy user; if user is already authenticated
backend: the backend that is used for user authentication.
storage: an instance of Storage class.
strategy: an instance of the Strategy class.
state: the state code received from identity provider.
details: details about the user’s third-party identity as requested in scope.
- Return type:
void
- Returns:
Raises an exception if any of the required arguments is missing, and pass if all are given.
- galaxy.authnz.psa_authnz.allowed_to_disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]
Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. This function should raise an exception if disconnection is NOT permitted. Do NOT return any value (except an empty dictionary) if disconnect is allowed. Because, at least until PSA social_core v.1.5.0, any returned value (e.g., Boolean) will result in ignoring the rest of the disconnect pipeline. See the following condition in run_pipeline function: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/base.py#L114 :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: empty dict
- galaxy.authnz.psa_authnz.disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]
Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: void or empty dict. Any key-value pair inside the dictionary will be available inside PSA only, and will be passed to the next step in the disconnect pipeline. However, the key-value pair will not be returned as a result of calling the do_disconnect function. Additionally, returning any value except for a(n) (empty) dictionary, will break the disconnect pipeline, and that value will be returned as a result of calling the do_disconnect function.