"""
Contains implementations for authentication and authorization against an
OpenID Connect (OIDC) Identity Provider (IdP).
This package follows "authorization code flow" authentication protocol to authenticate
Galaxy users against third-party identity providers.
Additionally, this package implements functionalist's to request temporary access
credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).
"""
[docs]class IdentityProvider:
"""
OpenID Connect Identity Provider abstract interface.
"""
[docs] def __init__(self, provider, config, backend_config):
"""
Initialize the identity provider using the provided configuration,
and raise a ParseError (or any more related specific exception) in
case the configuration is malformed.
:type provider: string
:param provider: is the name of the identity provider (e.g., Google).
:type config: lxml.etree.ElementTree._Element
:param config: Is the configuration element of the provider
from the configuration file (e.g., oidc_config.xml).
This element contains the all the provider-specific
configuration elements.
:type backend_config: lxml.etree.ElementTree._Element
:param backend_config:
Is the configuration element of the backend of
the provider from the configuration file (e.g.,
oidc_backends_config.xml). This element contains all the
backend-specific configuration elements.
"""
raise NotImplementedError()
[docs] def refresh(self, trans, token):
raise NotImplementedError()
[docs] def authenticate(self, provider, trans):
"""Runs for authentication process. Checks the database if a
valid identity exists in the database; if yes, then the user
is authenticated, if not, it generates a provider-specific
authentication flow and returns redirect URI to the controller.
:type trans: GalaxyWebTransaction
:param trans: Galaxy web transaction.
:returns: a redirect URI to the provider's authentication endpoint
"""
raise NotImplementedError()
[docs] def callback(self, state_token: str, authz_code: str, trans, login_redirect_url):
"""Handles authentication call-backs from identity providers.
This process maps `state-token` to a user.
:param state_token: is an anti-forgery token which identifies
a Galaxy user to whom the given authorization code belongs to.
:param authz_code: a very short-lived, single-use token to
request a refresh token.
:type trans: GalaxyWebTransaction
:param trans: Galaxy web transaction.
:rtype: tuple
:returns: a tuple of redirect_url and user.
"""
raise NotImplementedError()
[docs] def disconnect(self, provider, trans, disconnect_redirect_url=None):
raise NotImplementedError()
[docs] def logout(self, trans, post_user_logout_href=None):
"""
Return a URL that will log the user out of the IDP. In OIDC this is
called the 'end_session_endpoint'.
:type trans: GalaxyWebTransaction
:param trans: Galaxy web transaction.
:type post_user_logout_href: string
:param post_user_logout_href: Optional URL to redirect to after logging out of IDP.
"""
raise NotImplementedError()
[docs] def decode_user_access_token(self, sa_session, access_token):
"""
Verifies and decodes an access token against this provider, returning the user and
a dict containing the decoded token data.
:type sa_session: sqlalchemy.orm.scoping.scoped_session
:param sa_session: SQLAlchemy database handle.
:type access_token: string
:param access_token: An OIDC access token
:return: A tuple containing the user and decoded jwt data
:rtype: Tuple[User, dict]
"""
raise NotImplementedError()