-
Notifications
You must be signed in to change notification settings - Fork 10
Home
This function creates the Security Context by validating the received access token against credentials put into the application's environment via the UAA service binding.
Usually, the received token must be intended for the current application. More clearly, the OAuth client id in the access token needs to be equal to the OAuth client id of the application (from the application's environment).
However, there are some use cases, when a "foreign" token could be accepted although it was not intended for the current application. If you want to enable other applications calling your application backend directly, you can specify in your xs-security.json file an access control list (ACL) entry and declare which OAuth client from which Identity Zone may call your backend.
-
access_token
- String containing the access token as received from UAA in the "authorization Bearer" HTTP header. -
uaa_service
- Dictionary containing the uaa service instance. Mandatory elements - url, clientid, clientsecret and verificationkey.
Returns the logon name. Not available for tokens of grant_type client_credentials
.
Returns the given name. Not available for tokens of grant_type client_credentials
.
Returns the family name. Not available for tokens of grant_type client_credentials
.
Returns the email. Not available for tokens of grant_type client_credentials
.
Returns the user origin. The origin is an alias that refers to a user store in which the user is persisted. For example, users that are authenticated by the UAA itself with a username/password combination have their origin set to the value uaa.
Checks a scope that is published by the current application in the xs-security.json file.
Returns True
if the scope is contained in the user's scopes, False
otherwise.
-
scope
- The scope whose existence is checked against the available scopes of the current user. Here, no prefix is required.
Checks a scope that is published by an application.
Returns True
if the scope is contained in the user's scopes, False
otherwise
-
scope
- The scope whose existence is checked against the available scopes of the current user. Here, the prefix is required, thus the scope string is "globally unique".
Returns a token that can be used e.g. for contacting the HANA database. If the token, that the security context has been instantiated with, is a foreign token (meaning that the OAuth client contained in the token and the OAuth client of the current application do not match), None
is returned instead of a token.
-
namespace
- Tokens can eventually be used in different contexts, e.g. to access the HANA database, to access another XS2-based service such as the Job Scheduler, or even to access other applications/containers. To differentiate between these use cases, thenamespace
is used. Inxssec.constants
we define supported namespaces (e.g.SYSTEM
). -
name
- The name is used to differentiate between tokens in a given namespace, e.g.HDB
for HANA database orJOBSCHEDULER
for the job scheduler. These names are also defined inxssec.constants
.
Returns a token that can be used for contacting the HANA database. If the token, that the security context has been instantiated with, is a foreign token (meaning that the OAuth client contained in the token and the OAuth client of the current application do not match), None
is returned instead of a token.
Returns a token with grant_type=user_token
from another client. Prerequisite is that the requesting client has grant_type=user_token
and that the current user token includes the scope uaa.user
.
-
service_credentials
- The credentials of the UAA service as a dictionary. The attributesclientid
,clientsecret
andurl
are mandatory. -
scopes
- String containing comma-separated list of requested scopes for the token, e.g.app.scope1,app.scope2
. If None, all scopes are granted. Note that $XSAPPNAME is not supported as part of the scope names.
This method does the same as request_token_for_client
, but with added support for asynchronous frameworks like django and fastAPI.
Returns True
if the token contains any xs user attributes, False
otherwise.
Not available for tokens of grant_type client_credentials
.
Returns the attribute exactly as it is contained in the access token. If no attribute with the given name is contained in the access token, None
is returned. If the token, that the security context has been instantiated with, is a foreign token (meaning that the OAuth client contained in the token and the OAuth client of the current application do not match), None
is returned regardless of whether the requested attribute is contained in the token or not.
Not available for tokens of grant_type client_credentials
.
-
name
- The name of the attribute that is requested.
Returns the additional authentication attribute exactly as it is contained in the access token. If no attribute with the given name is contained in the access token, None
is returned. Note that additional authentication attributes are also returned in foreign mode (in contrast to getAttribute).
-
name
- The name of the additional authentication attribute that is requested.
Returns True
if the token, that the security context has been instantiated with, is a foreign token that was not originally issued for the current application, False
otherwise.
Returns the subdomain that the access token has been issued for.
Returns the client id that the access token has been issued for.
Returns the identity zone that the access token has been issued for.
Returns the subaccount id that the access token has been issued for.
Returns the expiration date of the access token as datetime.datetime
object.
Returns the service instance id of the clone if the XSUAA broker plan is used.
Returns the grant type of the JWT token, e.g. authorization_code
, password
, client_credentials
or urn:ietf:params:oauth:grant-type:saml2-bearer
.