API reference
- pydantic model AuthContext[source]
Show JSON schema
{ "title": "AuthContext", "type": "object", "properties": { "user_id": { "description": "An opaque (UUID) account identifier associated with a request. This value is stable for one account and can be used as a database key.This may represent a human user or an automated app-user", "title": "User Id", "type": "string" }, "principals": { "description": "A set of security principals associated with this request. This set includes one or more account IDs and zero or more group IDs. Use this field to help make authorization judgements. ", "items": { "type": "string" }, "title": "Principals", "type": "array", "uniqueItems": true }, "groups": { "description": "An opaque set of group UUIDs of which the user is a member. Typically you would use `principals` unless you are specifically interested in group membership.", "items": { "type": "string" }, "title": "Groups", "type": "array", "uniqueItems": true }, "scopes": { "description": "A set of OAuth2 scopes associated with the request, showing the user has granted these permissions to this client. Use this field to help make authorization judgements.", "items": { "type": "string" }, "title": "Scopes", "type": "array", "uniqueItems": true }, "roles": { "description": "A set of Roles granted to this user account by the system administrators. Use this field to help make authorization judgements.", "items": { "$ref": "#/$defs/Role" }, "title": "Roles", "type": "array", "uniqueItems": true }, "audience": { "description": "Identifier by which the authorization server knows this service. Consumers should check this to verify this request has been sent to the right place. 
This should always be 'us'.", "title": "Audience", "type": "string" }, "token_claims": { "additionalProperties": { "$ref": "#/$defs/JsonValue" }, "description": "All the claims provided in the access token by the Authorsation Provider.", "title": "Token Claims", "type": "object" }, "access_token": { "description": "The original access token as sent by the client.May be used to revalidate for extra assurance.", "title": "Access Token", "type": "string" }, "trace": { "description": "Used to reconcile together log entries spanning a single user action.", "title": "Trace", "type": "string" } }, "$defs": { "JsonValue": {}, "Role": { "description": "Enum containing the IDs of special role-granting Groups\ndefined in MS Entra ID.", "enum": [ "ANY", "APP2APP", "2d650a1e-dc34-4452-ab3b-15175d59e5d0", "69d67c05-f536-481e-98b2-35c7f2254592", "47a4523e-6fbe-441d-914c-14c6ca01922e", "405e6fd0-a361-447f-bb5e-9f6d03b2b474", "bdc4b862-882c-461a-a2a4-6f0ac89910c4", "ce3627de-8ec2-4a35-ab1e-300eec6a0a50", "05883c37-b723-4b63-9216-0a789a61cb07", "4c45b2ea-1b56-4b2d-b209-8d970b4e39dc" ], "title": "Role", "type": "string" } }, "additionalProperties": false, "required": [ "user_id", "principals", "groups", "scopes", "roles", "audience", "token_claims", "access_token" ] }
- field user_id: str [Required]
An opaque (UUID) account identifier associated with a request. This value is stable for one account and can be used as a database key. This may represent a human user or an automated app-user.
- field principals: frozenset[str] [Required]
A set of security principals associated with this request. This set includes one or more account IDs and zero or more group IDs. Use this field to help make authorization judgements.
- field groups: frozenset[str] [Required]
An opaque set of group UUIDs of which the user is a member. Typically you would use principals unless you are specifically interested in group membership.
- field scopes: frozenset[str] [Required]
A set of OAuth2 scopes associated with the request, showing the user has granted these permissions to this client. Use this field to help make authorization judgements.
- field roles: frozenset[Role] [Required]
A set of Roles granted to this user account by the system administrators. Use this field to help make authorization judgements.
- field audience: str [Required]
Identifier by which the authorization server knows this service. Consumers should check this to verify this request has been sent to the right place. This should always be ‘us’.
- field token_claims: dict[str, JsonValue] [Required]
All the claims provided in the access token by the Authorisation Provider.
- field access_token: str [Required]
The original access token as sent by the client. May be used to revalidate for extra assurance.
- field trace: str [Optional]
Used to reconcile together log entries spanning a single user action.
- class TokenScheme(*, audience: str, roles: frozenset[Role], scopes: frozenset[str], app_ids: frozenset[str], issuers: Iterable[str], keys: OctKey | RSAKey | ECKey | OKPKey | KeySet | Callable[[GuestProtocol], OctKey | RSAKey | ECKey | OKPKey | KeySet] | KeysetFetcher)[source]
Security scheme that generates an AuthContext from a bearer token and enforces basic authorisation rules.
- class Role(value)[source]
Enum containing the IDs of special role-granting Groups defined in MS Entra ID.
- ANY = 'ANY'
Generic role automatically granted to all requests in addition to any specific roles derived from the access token.
- APP2APP = 'APP2APP'
Role for apps using the OAuth2 client credentials grant to make automated requests, rather than acting on behalf of the user.
- LOW_TELESCOPE_OPERATOR = '47a4523e-6fbe-441d-914c-14c6ca01922e'
Schedules and executes an observing session on SKA-Low and ensures the correctness of science experiment data by controlling and monitoring telescope subsystems.
- MID_TELESCOPE_OPERATOR = '405e6fd0-a361-447f-bb5e-9f6d03b2b474'
Schedules and executes an observing session on SKA-Mid and ensures the correctness of science experiment data by controlling and monitoring telescope subsystems.
- OPERATIONS_SCIENTIST = 'bdc4b862-882c-461a-a2a4-6f0ac89910c4'
Oversees the creation of the Project and SBDefinitions to achieve the Science aim.
- OPS_PROPOSAL_ADMIN = 'ce3627de-8ec2-4a35-ab1e-300eec6a0a50'
Individual who is able to perform all activities associated with proposals.
- OPS_REVIEWER_SCIENCE = '05883c37-b723-4b63-9216-0a789a61cb07'
Individual who is able to provide a review of the science behind a proposal.
- OPS_REVIEWER_TECHNICAL = '4c45b2ea-1b56-4b2d-b209-8d970b4e39dc'
Individual who is able to validate the feasibility of the technical aspects required for a proposal.
- PROD_SW_ENGINEER = '69d67c05-f536-481e-98b2-35c7f2254592'
Responsible for debugging issues live in a production environment.
- SW_ENGINEER = '2d650a1e-dc34-4452-ab3b-15175d59e5d0'
Develops, maintains, and debugs software applications within SKAO. Member of any of the software development teams.
- class SecurityRequires(dependency: Callable[[...], Any] | None, *, scopes: Iterable[str], roles: Iterable[Role], app_ids: Iterable[str], use_cache: bool = True)[source]
Factory function for a lifespan event manager that guarantees all of your app’s routes have defined authorisation requirements before starting the app.
Usage: app = FastAPI(lifespan=watchdog())
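How the AuthContext fields documented above combine into one authorisation decision, as an added example that is not code from this library. The `AuthContext` here is a stdlib dataclass standing in for the pydantic model, and `authorize`, `EXPECTED_AUDIENCE`, the account and group UUIDs and the scope name are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Role(str, Enum):  # subset of the Role values listed on this page
    ANY = "ANY"
    SW_ENGINEER = "2d650a1e-dc34-4452-ab3b-15175d59e5d0"
    OPS_PROPOSAL_ADMIN = "ce3627de-8ec2-4a35-ab1e-300eec6a0a50"

@dataclass(frozen=True)
class AuthContext:  # stand-in with a subset of the documented fields
    user_id: str
    principals: frozenset
    groups: frozenset
    scopes: frozenset
    roles: frozenset
    audience: str

EXPECTED_AUDIENCE = "api://example-service"  # constructed placeholder
ALICE = "11111111-1111-4111-8111-111111111111"  # constructed account ID
TEAM = "22222222-2222-4222-8222-222222222222"  # constructed group ID

def authorize(auth, *, need_scopes, need_roles, resource_acl):
    """Return (allowed, reason); every check must pass (fail closed)."""
    if auth.audience != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    missing = frozenset(need_scopes) - auth.scopes
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))
    # An empty need_roles denies; pass {Role.ANY} to admit any valid caller.
    if not frozenset(need_roles) & auth.roles:
        return False, "no required role"
    # principals = account ID + group IDs: one test covers user and group grants.
    if not frozenset(resource_acl) & auth.principals:
        return False, "not on resource ACL"
    return True, "ok"

alice = AuthContext(
    user_id=ALICE,
    principals=frozenset({ALICE, TEAM}),
    groups=frozenset({TEAM}),
    scopes=frozenset({"proposal:read"}),  # constructed scope name
    roles=frozenset({Role.ANY, Role.SW_ENGINEER}),
    audience=EXPECTED_AUDIENCE,
)

if __name__ == "__main__":
    rule = dict(need_scopes={"proposal:read"}, need_roles={Role.SW_ENGINEER})
    print(authorize(alice, resource_acl={TEAM}, **rule))
    print(authorize(alice, resource_acl={"someone-else"}, **rule))
```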