get_auth

gafaelfawr.handlers.auth.get_auth(request: aiohttp.web_request.Request) → aiohttp.web_response.Response

Authenticate and authorize a token.

Parameters: request (aiohttp.web.Request) – The incoming request, normally from NGINX's auth_request directive.
Returns: response – The response.
Return type: aiohttp.web.Response
Raises: aiohttp.web.HTTPException – Raised on authorization failures or malformed requests.

Notes

Expects the following query parameters to be set:

scope
One or more scopes to check (required, may be given multiple times).
satisfy (optional)
Require that all (the default) or any of the scopes requested via the scope parameter be satisfied.
auth_type (optional)
The authentication type to use in challenges. If given, must be either bearer or basic. Defaults to bearer.
audience (optional)
May be set to the internal audience to request token reissuance.

Expects the following headers to be set in the request:

Authorization
The JWT token. This must always be the full JWT token. The token should be in this header as type Bearer, but it may be type Basic if x-oauth-basic is the username or password. This may be omitted if the user has a valid session cookie instead.

The following headers may be set in the response:

X-Auth-Request-Client-Ip
The IP address of the client, as determined after parsing X-Forwarded-For headers.
X-Auth-Request-Email
If enabled and email is available, this will be set based on the email claim.
X-Auth-Request-User
If enabled and the field is available, this will be set from the token claim named by the JWT_USERNAME_KEY setting.
X-Auth-Request-Uid
If enabled and the field is available, this will be set from the token claim named by the JWT_UID_KEY setting.
X-Auth-Request-Groups
When a token has groups available in the isMemberOf claim, the names of the groups will be returned, comma-separated, in this header.
X-Auth-Request-Token
If enabled, the encoded token will be set.
X-Auth-Request-Token-Scopes
If the token has scopes in the scope claim or derived from groups in the isMemberOf claim, they will be returned in this header.
X-Auth-Request-Token-Scopes-Accepted
A space-separated list of token scopes the reliant resource accepts.
X-Auth-Request-Token-Scopes-Satisfy
Whether all requested scopes must be present, or just any one of them. Will be set to either any or all.
WWW-Authenticate
If the request is unauthenticated, this header will be set.
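The following is an added, stand-alone model of the decision logic this handler documents (the scope / satisfy / auth_type query parameters, scopes taken from the scope claim and derived from isMemberOf groups, and the X-Auth-Request-* and WWW-Authenticate response headers). It is example code written for this page, not gafaelfawr's own implementation: the group-to-scope mapping, the claim names for username and UID (standing in for JWT_USERNAME_KEY and JWT_UID_KEY), the space separator in X-Auth-Request-Token-Scopes, and the sample claims are all constructed assumptions, and no aiohttp request object is involved.

```python
"""Model of gafaelfawr-style auth_request scope checking (example, not project code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs

# Assumed mapping of group names to scopes (constructed for this example).
GROUP_SCOPES: Dict[str, Set[str]] = {
    "admin": {"exec:admin"},
    "readers": {"read:all"},
}
# Assumed claim names standing in for JWT_USERNAME_KEY / JWT_UID_KEY.
USERNAME_CLAIM = "uid"
UID_CLAIM = "uidNumber"


@dataclass
class AuthDecision:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def parse_auth_params(query_string: str) -> Tuple[Set[str], str, str]:
    """Validate the scope, satisfy and auth_type query parameters."""
    params = parse_qs(query_string)
    scopes = params.get("scope")
    if not scopes:
        raise ValueError("scope query parameter is required")
    satisfy = params.get("satisfy", ["all"])[0]
    if satisfy not in ("any", "all"):
        raise ValueError("satisfy must be 'any' or 'all'")
    auth_type = params.get("auth_type", ["bearer"])[0]
    if auth_type not in ("bearer", "basic"):
        raise ValueError("auth_type must be 'bearer' or 'basic'")
    return set(scopes), satisfy, auth_type


def token_scopes(claims: dict) -> Set[str]:
    """Scopes from the scope claim plus scopes derived from isMemberOf groups."""
    scopes = set((claims.get("scope") or "").split())
    for group in claims.get("isMemberOf", []):
        scopes |= GROUP_SCOPES.get(group.get("name", ""), set())
    return scopes


def authorize(query_string: str, claims: Optional[dict]) -> AuthDecision:
    """Decide as an auth_request endpoint would: 401, 403, or 200 plus headers."""
    requested, satisfy, auth_type = parse_auth_params(query_string)
    if claims is None:
        # Unauthenticated: challenge in the requested auth_type.
        challenge = "Bearer" if auth_type == "bearer" else "Basic"
        return AuthDecision(401, {"WWW-Authenticate": challenge})
    held = token_scopes(claims)
    if satisfy == "all":
        ok = requested <= held
    else:
        ok = bool(requested & held)
    if not ok:
        return AuthDecision(403)
    groups = [g["name"] for g in claims.get("isMemberOf", []) if "name" in g]
    headers = {
        "X-Auth-Request-User": str(claims.get(USERNAME_CLAIM, "")),
        "X-Auth-Request-Uid": str(claims.get(UID_CLAIM, "")),
        "X-Auth-Request-Groups": ",".join(groups),          # comma-separated
        "X-Auth-Request-Token-Scopes": " ".join(sorted(held)),  # assumed separator
        "X-Auth-Request-Token-Scopes-Accepted": " ".join(sorted(requested)),
        "X-Auth-Request-Token-Scopes-Satisfy": satisfy,
    }
    if "email" in claims:
        headers["X-Auth-Request-Email"] = claims["email"]
    return AuthDecision(200, headers)


# Constructed sample claims: one direct scope, one scope derived from a group.
SAMPLE_CLAIMS = {
    "uid": "alice",
    "uidNumber": 1001,
    "email": "alice@example.org",
    "scope": "read:all",
    "isMemberOf": [{"name": "admin"}],
}


def demo() -> Dict[str, int]:
    """Run the four documented cases and return their status codes."""
    return {
        "all_ok": authorize("scope=read:all&scope=exec:admin", SAMPLE_CLAIMS).status,
        "all_missing": authorize("scope=read:all&scope=write:all", SAMPLE_CLAIMS).status,
        "any_ok": authorize("scope=read:all&scope=write:all&satisfy=any", SAMPLE_CLAIMS).status,
        "unauthenticated": authorize("scope=read:all", None).status,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a 401 carries the WWW-Authenticate challenge while an authorized 200 carries the X-Auth-Request-* headers that NGINX's auth_request_set can copy into the upstream request; in this model a scope mismatch yields a bare 403 with no challenge, since the user is authenticated but not authorized.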