galaxy.authnz package

Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).

This package follows the “authorization code flow” authentication protocol to authenticate Galaxy users against third-party identity providers.

Additionally, this package implements functionality to request temporary access credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).

class galaxy.authnz.IdentityProvider(provider, config, backend_config)[source]

Bases: object

OpenID Connect Identity Provider abstract interface.

__init__(provider, config, backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or a more specific related exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, token)[source]
authenticate(provider, trans)[source]

Runs the authentication process. Checks whether a valid identity for the user already exists in the database; if so, the user is authenticated. If not, it generates a provider-specific authentication flow and returns a redirect URI to the controller.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

a redirect URI to the provider’s authentication endpoint

callback(state_token: str, authz_code: str, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:
  • state_token – is an anti-forgery token which identifies the Galaxy user to whom the given authorization code belongs.

  • authz_code – a very short-lived, single-use token to request a refresh token.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.
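The following is an added example, not Galaxy's own code, showing one way the authenticate/callback contract above fits together: authenticate generates an unguessable state token, binds it to the pending login attempt and returns the redirect URI; callback consumes that token exactly once, rejects replays and stale attempts, and only then redeems the authorization code. FakeTrans stands in for GalaxyWebTransaction, exchange_code stands in for the IdP token endpoint, and the endpoint, client id and hostnames are constructed values; the real database-backed identity check in Galaxy is reduced to "does the transaction already carry a user".

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class FakeTrans:
    """Hypothetical stand-in for GalaxyWebTransaction with only what this example reads."""
    user: Optional[str] = None                       # Galaxy user already logged in, if any
    now: float = field(default_factory=time.time)    # injectable clock so expiry can be tested


class ExampleOIDCProvider:
    """Toy implementation of the authenticate/callback contract with an in-memory state store."""

    STATE_TTL = 600  # seconds a pending login may wait for the IdP to call back

    def __init__(self, provider: str, authorize_endpoint: str, client_id: str,
                 redirect_uri: str, exchange_code: Callable[[str], Dict[str, str]]):
        self.provider = provider
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Assumed hook for the IdP token endpoint: turns an authorization code into ID-token claims.
        self._exchange_code = exchange_code
        # state_token -> time the login attempt was started
        self._pending: Dict[str, float] = {}

    def authenticate(self, provider: str, trans: FakeTrans) -> Optional[str]:
        """Return the redirect URI for the IdP's authorization endpoint, or None if already logged in."""
        if trans.user is not None:
            return None
        state = secrets.token_urlsafe(32)           # unguessable anti-forgery token
        self._pending[state] = trans.now            # bind it to this login attempt
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": state,
        }
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def callback(self, state_token: str, authz_code: str, trans: FakeTrans,
                 login_redirect_url: str) -> Tuple[str, str]:
        """Validate the state token, redeem the code, and return (redirect_url, user)."""
        issued_at = self._pending.pop(state_token, None)   # pop: a state token is single-use
        if issued_at is None:
            raise PermissionError("unknown or already-used state token")
        if trans.now - issued_at > self.STATE_TTL:
            raise PermissionError("state token expired")
        claims = self._exchange_code(authz_code)           # code is redeemed server-side, never trusted as-is
        return login_redirect_url, claims["sub"]


def state_from_redirect(uri: str) -> str:
    """Extract the state parameter from a redirect URI (the value the IdP echoes back)."""
    return parse_qs(urlparse(uri).query)["state"][0]


def run_demo() -> Dict[str, object]:
    """Exercise the happy path plus the two failure modes (replayed and expired state)."""
    idp = ExampleOIDCProvider("Google", "https://idp.example/authorize", "galaxy-client",
                              "https://galaxy.example/authnz/Google/callback",
                              exchange_code=lambda code: {"sub": "user-for-" + code})  # simulated IdP
    uri = idp.authenticate("Google", FakeTrans(now=1000.0))
    state = state_from_redirect(uri)
    results: Dict[str, object] = {
        "redirect_ok": uri.startswith("https://idp.example/authorize?"),
        "login": idp.callback(state, "code123", FakeTrans(now=1010.0), "/"),
    }
    try:
        idp.callback(state, "code123", FakeTrans(now=1010.0), "/")   # same state a second time
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    stale = state_from_redirect(idp.authenticate("Google", FakeTrans(now=1000.0)))
    try:
        idp.callback(stale, "code456", FakeTrans(now=1000.0 + 601), "/")   # past STATE_TTL
        results["expiry_rejected"] = False
    except PermissionError:
        results["expiry_rejected"] = True
    results["skipped_when_logged_in"] = idp.authenticate("Google", FakeTrans(user="alice")) is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two properties worth keeping when adapting this to a real store are the ones the demo checks: the state token is popped, so a callback URL replayed by anyone who saw it cannot complete a second login, and a pending attempt has a bounded lifetime, so forgotten entries cannot be redeemed arbitrarily later.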

disconnect(provider, trans, disconnect_redirect_url=None)[source]
logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IdP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:
  • trans (GalaxyWebTransaction) – Galaxy web transaction.

  • post_user_logout_href (string) – Optional URL to redirect to after logging out of the IdP.

Submodules

galaxy.authnz.custos_authnz module

galaxy.authnz.managers module

galaxy.authnz.psa_authnz module