Part of lp.services.openid.extensions
Support for issuing discharge macaroons via the OpenID request.
RPs may need to use SSO authority to authorise macaroons issued by other services. The simplest way to do this securely as part of a browser workflow is to piggyback on the OpenID interaction: this makes it straightforward to request login information if necessary and gives us CSRF-safe data exchange.
As part of an OpenID authentication request, the RP includes the following fields:
- openid.ns.macaroon:
  An OpenID 2.0 namespace URI for the extension. It is not strictly required for 1.1 requests, but including it is good for forward compatibility.
  It must be set to: http://ns.login.ubuntu.com/2016/openid-macaroon
- openid.macaroon.caveat_id:
  The SSO third-party caveat ID from the root macaroon that the RP wants to discharge.
As part of the positive assertion OpenID response, the following fields will be provided:
- openid.ns.macaroon:
  (as above)
- openid.macaroon.discharge:
  A serialised discharge macaroon for the provided root macaroon.
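The request/response exchange described above, as a worked example added here (it is not code from the Launchpad module). It models an OpenID message as a plain dict of `openid.*` query fields rather than using `openid.message.Message`, so it runs without the python-openid library; the field names and namespace URI are the ones listed above, while the helper names, the sample caveat ID and the sample discharge string are constructed for the example. On the RP side it resolves the namespace alias instead of assuming it is literally `macaroon`, and it only accepts a discharge from a positive assertion whose `openid.signed` list covers both the namespace declaration and the discharge field, so an unsigned extension field cannot be slipped into an otherwise valid response.

```python
"""Worked example of the openid-macaroon extension exchange (added
example, not the Launchpad module's own code).  Messages are plain
dicts of 'openid.*' fields; openid.message.Message is not used."""

# Namespace URI from the extension description above.
MACAROON_NS_URI = "http://ns.login.ubuntu.com/2016/openid-macaroon"
OPENID2_NS = "http://specs.openid.net/auth/2.0"


def macaroon_alias(message):
    """Return the alias bound to the macaroon namespace URI, or None.

    OpenID 2.0 lets the sender choose any alias, so the receiver must
    look for the openid.ns.<alias> entry whose value is the macaroon URI
    rather than assuming the alias is 'macaroon'.
    """
    for key, value in message.items():
        if key.startswith("openid.ns.") and value == MACAROON_NS_URI:
            return key[len("openid.ns."):]
    return None


def build_request(base_request, caveat_id):
    """RP side: add the two request fields to an authentication request."""
    request = dict(base_request)
    request["openid.ns.macaroon"] = MACAROON_NS_URI
    request["openid.macaroon.caveat_id"] = caveat_id
    return request


def parse_request(message):
    """Provider side: return the caveat ID the RP asked to have discharged,
    or None if the request does not carry the extension."""
    alias = macaroon_alias(message)
    if alias is None:
        return None
    return message.get("openid.%s.caveat_id" % alias)


def build_response(base_response, discharge, alias="macaroon"):
    """Provider side: attach the serialised discharge to a positive
    assertion and add both extension fields to the signed-field list."""
    response = dict(base_response)
    response["openid.ns.%s" % alias] = MACAROON_NS_URI
    response["openid.%s.discharge" % alias] = discharge
    signed = set(response.get("openid.signed", "").split(",")) - {""}
    signed |= {"ns.%s" % alias, "%s.discharge" % alias}
    response["openid.signed"] = ",".join(sorted(signed))
    return response


def extract_discharge(response):
    """RP side: return the discharge from a positive assertion, or None.

    Requires mode 'id_res', a declared macaroon namespace, and a signature
    that covers both the namespace declaration and the discharge field.
    Verifying the signature itself is the OpenID library's job and is
    assumed to have already succeeded before this is called.
    """
    if response.get("openid.mode") != "id_res":
        return None
    alias = macaroon_alias(response)
    if alias is None:
        return None
    signed = set(response.get("openid.signed", "").split(","))
    if not {"ns.%s" % alias, "%s.discharge" % alias} <= signed:
        return None
    return response.get("openid.%s.discharge" % alias)


def demo():
    """Run one round trip on constructed sample values."""
    caveat_id = "example-third-party-caveat-id"   # constructed sample
    discharge = "serialised-discharge-placeholder"  # constructed sample
    request = build_request(
        {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup"}, caveat_id)
    assert parse_request(request) == caveat_id
    response = build_response(
        {"openid.ns": OPENID2_NS, "openid.mode": "id_res",
         "openid.signed": "op_endpoint,claimed_id"}, discharge)
    return extract_discharge(response)


if __name__ == "__main__":
    print(demo())
```

The rejection path matters as much as the happy path: a response that carries `openid.macaroon.discharge` but omits `macaroon.discharge` from `openid.signed` yields `None`, which is the behaviour the real consumer should have as well (python-openid's `SuccessResponse.extensionResponse` takes a `require_signed` flag for exactly this purpose).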
Kind     | Name                   | Description
Function | get_macaroon_ns        | Extract the macaroon namespace URI from the given OpenID message.
Class    | MacaroonNamespaceError | The macaroon namespace was not found and could not be created using
Class    | MacaroonRequest        | An object to hold the state of a discharge macaroon request.
Class    | MacaroonResponse       | Represents the data returned in a discharge macaroon response inside
get_macaroon_ns(message)

Extract the macaroon namespace URI from the given OpenID message.

@param message: The OpenID message from which to parse the macaroon. This may be a request or response message.
@type message: C{L{openid.message.Message}}
@returns: the macaroon namespace URI for the supplied message. The message may be modified to define a macaroon namespace.
@rtype: C{str}
@raise ValueError: when using OpenID 1 if the message defines the 'macaroon' alias to be something other than a macaroon type.