SciToken

class scitokens.SciToken(key=None, algorithm=None, key_id=None, claims=None)[source]

Bases: object

An object representing the contents of a SciToken.

Methods Summary

`claims`()	Return an iterator of (key, value) pairs of claims.
`deserialize`(serialized_token[, audience, ...])	Given a serialized SciToken, load it into a SciTokens object.
`discover`([audience, require_key, insecure, ...])	Create a SciToken by looking for a token with WLCG Bearer Token Discovery protocol
`get`(claim[, default, verified_only])	Return the value associated with a claim, returning the default if the claim is not present.
`serialize`([include_key, issuer, lifetime])	Serialize the existing SciToken.
`update_claims`(claims)	Add new claims to the token.
`verify`()	Verify the claims of the in-memory token.

Methods Documentation

claims()[source]: Return an iterator of (key, value) pairs of claims.

static deserialize(serialized_token, audience=None, require_key=False, insecure=False, public_key=None)[source]

Given a serialized SciToken, load it into a SciTokens object.

Verifies the claims pass the current set of validation scripts.

Parameters:

serialized_token (str) – The serialized token.
audience (str) – (Legacy, not checked) The audience URI that this principle is claiming. Default: None. Audience is not checked no matter the value.
require_key (bool) – When True, require the key
insecure (bool) – When True, allow insecure methods to verify the issuer, including allowing “localhost” issuer (useful in testing). Default=False
public_key (str) – A PEM formatted public key string to be used to validate the token

static discover(audience=None, require_key=False, insecure=False, public_key=None)[source]

Create a SciToken by looking for a token with WLCG Bearer Token Discovery protocol

https://github.com/WLCG-AuthZ-WG/bearer-token-discovery/blob/master/specification.md

The serialized token is read in and passed to the deserialize() method to load it into a SciTokens object. Raises IOError is a token cannot be found or the errors of SciTokens.deserialize() if there is an error reading the discovered token.

Parameters:

audience (str) – The audience URI that this principle is claiming. Default: None
require_key (bool) – When True, require the key
insecure (bool) – When True, allow insecure methods to verify the issuer, including allowing “localhost” issuer (useful in testing). Default=False
public_key (str) – A PEM formatted public key string to be used to validate the token

get(claim, default=None, verified_only=False)[source]: Return the value associated with a claim, returning the default if the claim is not present. If verified_only is True, then a claim is returned only if it is in the verified claims

serialize(include_key=False, issuer=None, lifetime=600)[source]

Serialize the existing SciToken.

Parameters:

include_key (bool) – When true, include the public key to the serialized token. Default=False
issuer (str) – A string indicating the issuer for the token. It should be an HTTPS address, as specified in https://tools.ietf.org/html/draft-ietf-oauth-discovery-07
lifetime (int) – Number of seconds that the token should be valid

Return bytes:

base64 encoded token

update_claims(claims)[source]

Add new claims to the token.

Parameters:: claims – Dictionary of claims to add to the token

verify()[source]

Verify the claims of the in-memory token.

Automatically called by deserialize.