oauth2_service_token

OAuth2 service token framework for authenticating internal API clients.

This module defines a generic OAuth2ServiceToken base class for retrieving and caching OAuth2 access tokens using client credentials. It also includes an OAuth2ServiceTokenFactory to construct and manage tokens for specific services, such as the Site Capabilities API.

Caching, scope extension, and audience targeting are supported, allowing reuse and fine-grained access control of service tokens.

Module Contents

Classes

OAuth2ServiceToken

A base class for retrieving service tokens. This allows for different clients to be used & parameters to be

class oauth2_service_token.OAuth2ServiceToken(shortname, default_scopes, audience, client, iam_token_endpoint, try_use_cache=True, cache=None, cache_key_prefix='X', additional_scopes=None, logger=logging.getLogger('uvicorn'))

Bases: abc.ABC


A base class for retrieving service tokens. This allows different clients to be used and parameters to be easily modified and restricted, e.g. scope-locked storage.[read|write|modify]:/* tokens for download and upload.

async get(force_renew=False)

Retrieve an access token for the configured OAuth2 client.

If caching is enabled and a valid token exists in the cache, it will be returned. Otherwise, a new token will be requested from the IAM token endpoint using client credentials.
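The cache-then-fetch behaviour described for get(), as an added sketch that is not this module's implementation: it keys each cache entry on the audience and the exact scope set, and renews shortly before expiry. The names CachedServiceToken, FakeTokenEndpoint and expiry_margin, the `audience` form field and the sample scope values are assumptions made for illustration.

```python
import asyncio
import hashlib
import time


class CachedServiceToken:
    """Hypothetical sketch, not the module's OAuth2ServiceToken."""

    def __init__(self, shortname, scopes, audience, fetch, cache=None,
                 cache_key_prefix="X", expiry_margin=30, clock=time.time):
        self.scopes, self.audience = sorted(set(scopes)), audience
        self.fetch = fetch  # async callable standing in for the token endpoint
        self.cache = {} if cache is None else cache
        self.expiry_margin, self.clock = expiry_margin, clock
        # Bind the entry to audience + exact scope set so a token minted with
        # wider scopes is never served to a narrower consumer of the cache.
        digest = hashlib.sha256("\n".join([audience, *self.scopes]).encode())
        self.cache_key = f"{cache_key_prefix}:{shortname}:{digest.hexdigest()[:16]}"

    async def get(self, force_renew=False):
        entry = self.cache.get(self.cache_key)
        fresh = entry and entry["expires_at"] - self.expiry_margin > self.clock()
        if fresh and not force_renew:
            return entry["access_token"]
        # Client-credentials grant (RFC 6749 section 4.4); the `audience`
        # form field is an assumption, servers differ on how it is passed.
        resp = await self.fetch({"grant_type": "client_credentials",
                                 "scope": " ".join(self.scopes),
                                 "audience": self.audience})
        self.cache[self.cache_key] = {
            "access_token": resp["access_token"],
            "expires_at": self.clock() + int(resp["expires_in"])}
        return resp["access_token"]


class FakeTokenEndpoint:
    """Constructed stand-in endpoint: numbered opaque tokens, 60 s lifetime."""

    def __init__(self):
        self.calls = []

    async def __call__(self, form):
        self.calls.append(form)
        return {"access_token": f"tok-{len(self.calls)}", "expires_in": 60}


if __name__ == "__main__":
    ep = FakeTokenEndpoint()
    tok = CachedServiceToken("demo", ["storage.read:/"], "example-api", ep)
    print(asyncio.run(tok.get()), asyncio.run(tok.get()), len(ep.calls))
```

A cache shared between services should hold entries only as long as the token lifetime, and token values should stay out of log output.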