Ligare.web.middleware.sso

Ligare.web’s IAM controls and integration with Ligare.identity.

Functions

_delete_username_cookie(response, log)

apikey_auth(token, required_scopes)

This is used by Connexion to authorize requests.

get_username(log)

idp_initiated(idp_name, saml2_client, ...)

login_required([roles, auth_check_override])

Require a valid Flask session before calling the decorated function.

logout(log)

make_session_permanent(config)

remove_username_cookie_without_session(...)

sp_initiated(idp_name, saml2_client, config, log)

user(log)

Classes

LoginManager(user_loader, app, log[, ...])

SAML2MiddlewareModule()

Username

_LoginUserMixin()

Used strictly for typecasting.

_SessionValueNames()

protocol Ligare.web.middleware.sso.AuthCheckOverrideCallable

Bases: typing.Protocol

Classes that implement this protocol must have the following methods / attributes:

__call__(user, *args, **kwargs)

Call self as a function.

Return type: bool

protocol Ligare.web.middleware.sso.AuthCheckUser

Bases: typing.Protocol

Classes that implement this protocol must have the following methods / attributes:

id: UserId

roles: Sequence[Role]

class Ligare.web.middleware.sso.LoginManager(user_loader, app, log, add_context_processor=True)

__init__(user_loader, app, log, add_context_processor=True)

unauthorized()

Raises an Unauthorized exception.

class Ligare.web.middleware.sso.SAML2MiddlewareModule

class SAML2Middleware(app)

__init__(app)

configure(binder)

Override to configure bindings.

Return type: None

static get_config_type()

Return type: type[AbstractConfig]

register_middleware(app)

class Ligare.web.middleware.sso.Username

username: NotRequired[str]
Ligare.web.middleware.sso.apikey_auth(token, required_scopes)

This is used by Connexion to authorize requests. It is specified in API-v1.yaml. token is the value Connexion passes in, taken either from the session cookie Connexion ingests or from the value set manually in the Swagger UI. The session cookie is available after authenticating.

Ligare.web.middleware.sso.get_username(log)

Return type: Username

Ligare.web.middleware.sso.idp_initiated(idp_name, saml2_client, user_loader, config, sso_config, log)

Ligare.web.middleware.sso.login_required(roles=None, auth_check_override=None, /)

Require a valid Flask session before calling the decorated function.

This method uses the list of roles to determine whether the current session user has any of the roles listed. Alternatively, auth_check_override can be used to bypass the role check. If the auth_check_override method returns True, the user is considered to have access to the decorated API endpoint. If the auth_check_override method returns False, login_required falls back to checking roles.

If roles is a list, the user must have been assigned one of the roles specified. If roles is None, or if the decorator is not explicitly called, this will only require a valid Flask session regardless of the user’s roles.

If both auth_check_override and roles are None, this returns flask_login.login_required. Call this directly, rather than as a decorator. See https://flask-login.readthedocs.io/en/latest/#flask_login.login_required for more information.

If roles is a callable and auth_check_override is None, this executes flask_login.login_required in its usual way. This is the same as using flask_login.login_required as a decorator. See https://flask-login.readthedocs.io/en/latest/#flask_login.login_required for more information.

If roles is a list of User Roles and the current session user’s roles intersect with roles, this returns True. If the current session user’s roles do not intersect with roles, this returns False.

If auth_check_override is a callable, it will be called with the following parameters:

  • user is the current session user

  • *args will be any arguments passed without argument keywords. When using login_required as a decorator, this will be an empty tuple.

  • **kwargs will be any parameters specified with keywords. When using login_required as a decorator, this will be the parameters passed into the decorated method. In the case of a Flask API endpoint, for example, this will be all of the endpoint method parameters.

Return type: Union[Callable[[Callable[[ParamSpec(P)], TypeVar(R)]], Callable[[ParamSpec(P)], TypeVar(R)]], Callable[[ParamSpec(P)], TypeVar(R)], Callable[..., Any]]
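The check order described above (valid session first, then auth_check_override, then the role intersection), as an added stand-alone model that is not Ligare's own implementation: the Flask session is stood in for by a constructed _SESSION dict, AuthUser is a constructed class carrying the id and roles that AuthCheckUser requires, and Unauthorized, owner_or_admin, get_profile and try_access are assumed names. The override receives the endpoint's keyword parameters, and a False result falls through to the role check exactly as the docstring states.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable, Optional, Sequence

_SESSION: dict = {"user": None}  # constructed stand-in for the Flask session; None = no session

@dataclass
class AuthUser:
    """Shape the AuthCheckUser protocol asks for: an id and a roles sequence."""
    id: int
    roles: Sequence[str] = ()

class Unauthorized(Exception):
    pass

def login_required(roles: Optional[Sequence[str]] = None,
                   auth_check_override: Optional[Callable[..., bool]] = None, /):
    """Apply the documented checks in order: session, then override, then roles (model only)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(*args: Any, **kwargs: Any):
            user = _SESSION["user"]
            if user is None:  # no valid session: nothing else is consulted
                raise Unauthorized("no session")
            # The override is called as (user, *args, **kwargs); True grants access.
            if auth_check_override is not None and auth_check_override(user, *args, **kwargs):
                return fn(*args, **kwargs)
            # Override absent or False: fall back to the role intersection check.
            if roles is not None and not set(user.roles) & set(roles):
                raise Unauthorized("role check failed")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

def owner_or_admin(user: AuthUser, **kwargs: Any) -> bool:
    """Override callable: kwargs are the endpoint parameters, here the route's user_id."""
    return kwargs.get("user_id") == user.id

@login_required(["admin"], owner_or_admin)
def get_profile(user_id: int) -> str:
    return f"profile:{user_id}"

def try_access(user: Optional[AuthUser], user_id: int) -> str:
    """Call get_profile as `user` and return the result or the denial reason."""
    _SESSION["user"] = user
    try:
        return get_profile(user_id=user_id)
    except Unauthorized as exc:
        return f"denied:{exc}"
```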

Ligare.web.middleware.sso.logout(log)

Ligare.web.middleware.sso.make_session_permanent(config)

Ligare.web.middleware.sso.sp_initiated(idp_name, saml2_client, config, log)

Ligare.web.middleware.sso.user(log)