Authentication

BearerTokenAuthenticator

This authenticator takes a token and sends it in an Authorization: Bearer header with the execute request.

import cwt
from cwt import auth

bearer = auth.BearerTokenAuthenticator(token="abcd")

# Pass the authenticator instance, not the auth module
client = cwt.WPSClient("https://wps.io/wps", auth=bearer)

client.execute(...)

LLNLKeyCloakAuthenticator

To use the LLNLKeyCloakAuthenticator you will need the following information:

  • Base URL for the WPS compute node.
  • URL to the Keycloak instance.
  • Realm name being used.

Authorization Code with PKCE

This authentication flow requires a Keycloak public client to be configured for the OAuth2 Authorization Code flow with PKCE. Once execute is called, the user is presented with a link. Opening the link in a browser redirects them to authenticate with Keycloak. Once successfully authenticated, they are redirected to a local URL and the job executes.

WARNING This authentication method only works on a host system where the redirect port (8888 by default) is open. This port can be changed.

Note The client id is required.

from cwt import llnl_client

auth = llnl_client.LLNLKeyCloakAuthenticator(
    base_url="https://compute.node",
    keycloak_url="https://compute.node/auth",
    realm="compute-cluster",
    client_id="wps",
    pkce=True
)

client = llnl_client.LLNLClient("https://aims2.llnl.gov/wps", auth=auth)

client.execute(...)

Alternative port

auth = llnl_client.LLNLKeyCloakAuthenticator(..., pkce=True, redirect_port=8000)
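
The example below is added here and is not code from the cwt project. It shows, with the Python standard library only, what the PKCE part of this flow contributes: the verifier/challenge pair from RFC 7636, the link the user opens, and the checks made on the local redirect. The function names, the `127.0.0.1` redirect URI and the `openid` scope are assumptions; the endpoint path is Keycloak's standard OpenID Connect authorization endpoint, and the library may build its URL differently.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair():
    """Fresh per-login secret: 32 random bytes give a 43-character verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)


def build_auth_url(keycloak_url, realm, client_id, challenge, state, redirect_port=8888):
    """Link the user opens; only the challenge, never the verifier, is in it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        # Assumed loopback redirect; the page only says "a local URL" on this port.
        "redirect_uri": f"http://127.0.0.1:{redirect_port}",
        "scope": "openid",  # assumed scope
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    base = f"{keycloak_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{base}?{urlencode(params)}"


def callback_code(callback_url, expected_state):
    """Read the code from the local redirect, rejecting a mismatched state."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def server_accepts(verifier, stored_challenge):
    """Token-endpoint check: the verifier must hash to the challenge sent earlier."""
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)
```
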

Client Credentials

This authentication flow requires a Keycloak confidential client to be configured for the OAuth2 Client Credentials flow. Once execute is called, the user is presented with a link. Opening this link in a browser redirects them to authenticate with Keycloak. Once successfully authenticated, they are issued a Client ID and Client Secret; these are to be kept secret. The user is prompted for both items, and once they are entered the job executes.

from cwt import llnl_client

auth = llnl_client.LLNLKeyCloakAuthenticator(
    base_url="https://compute.node",
    keycloak_url="https://compute.node/auth",
    realm="compute-cluster",
)

client = llnl_client.LLNLClient("https://aims2.llnl.gov/wps", auth=auth)

client.execute(...)

CustomAuthenticator

A custom authenticator can be implemented by subclassing Authenticator and implementing the _pre_prepare(self, headers, query, store) method. In this method you can mutate headers and query, whose contents are added to the HTTP request headers and query parameters. The authenticator can store information for later calls using the store variable.

from cwt import auth

class CustomAuthenticator(auth.Authenticator):
  def __init__(self, secret):
    self.secret = secret

    super(CustomAuthenticator, self).__init__()

  def use_secret(self):
    ...

  def _pre_prepare(self, headers, query, store):
    # Get the previously stored code, or derive it from the secret on first use
    code = store.get("code")
    if code is None:
      code = self.use_secret()

    # Mutate the HTTP headers
    headers["TOKEN"] = code

    # Store the code for later
    store["code"] = code

    return store