l.s.o.e.macaroon : module documentation

Part of lp.services.openid.extensions

Support for issuing discharge macaroons via the OpenID request.

RPs may need to use SSO authority to authorise macaroons issued by other services. The simplest way to do this securely as part of a browser workflow is to piggyback on the OpenID interaction: this makes it straightforward to request login information if necessary and gives us CSRF-safe data exchange.

As part of an OpenID authentication request, the RP includes the following fields:


An OpenID 2.0 namespace URI for the extension. It is not strictly required for 1.1 requests, but including it is good for forward compatibility.

It must be set to: http://ns.login.ubuntu.com/2016/openid-macaroon

The SSO third-party caveat ID from the root macaroon that the RP wants to discharge.

As part of the positive assertion OpenID response, the following fields will be provided:

(as above)
A serialised discharge macaroon for the provided root macaroon.

Function get_macaroon_ns: Extract the macaroon namespace URI from the given OpenID message.
Class MacaroonNamespaceError: The macaroon namespace was not found and could not be created using
Class MacaroonRequest: An object to hold the state of a discharge macaroon request.
Class MacaroonResponse: Represents the data returned in a discharge macaroon response inside

def get_macaroon_ns(message):
Extract the macaroon namespace URI from the given OpenID message.

@param message: The OpenID message from which to parse the macaroon.
    This may be a request or response message.
@type message: C{L{openid.message.Message}}

@returns: the macaroon namespace URI for the supplied message. The
    message may be modified to define a macaroon namespace.
@rtype: C{str}

@raise ValueError: when using OpenID 1 if the message defines the
    'macaroon' alias to be something other than a macaroon type.
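
The namespace lookup described in the docstring above, modelled on a plain dict of OpenID arguments. This is an added example, not Launchpad's code and not python-openid's Message class. The names macaroon_alias and macaroon_fields and the field name caveat_id are assumptions (the page does not show field names), and the sketch rejects a conflicting alias regardless of OpenID version.

```python
# Added illustration: a plain dict stands in for openid.message.Message.
MACAROON_NS = "http://ns.login.ubuntu.com/2016/openid-macaroon"  # from the page
DEFAULT_ALIAS = "macaroon"  # alias named in the docstring above
NS_PREFIX = "openid.ns."


def macaroon_alias(args):
    """Return the alias bound to MACAROON_NS, declaring it if absent.

    Raises ValueError if the default alias is already bound to another URI,
    so fields under that alias are never mistaken for macaroon fields.
    """
    for key, value in args.items():
        if key.startswith(NS_PREFIX) and value == MACAROON_NS:
            return key[len(NS_PREFIX):]
    key = NS_PREFIX + DEFAULT_ALIAS
    if key in args:
        raise ValueError(
            "alias %r already bound to %r" % (DEFAULT_ALIAS, args[key]))
    args[key] = MACAROON_NS  # the message is modified, as the docstring notes
    return DEFAULT_ALIAS


def macaroon_fields(args):
    """Return the extension's fields, keyed by name without the alias."""
    field_prefix = "openid.%s." % macaroon_alias(args)
    return {k[len(field_prefix):]: v
            for k, v in args.items() if k.startswith(field_prefix)}


if __name__ == "__main__":
    # Constructed messages; "caveat_id" is an assumed field name.
    aliased = {"openid.ns.mac": MACAROON_NS,
               "openid.mac.caveat_id": "constructed-caveat-id"}
    print(macaroon_fields(aliased))
    clash = {"openid.ns.macaroon": "http://example.com/other-extension",
             "openid.macaroon.caveat_id": "constructed-caveat-id"}
    try:
        macaroon_fields(clash)
    except ValueError as exc:
        print("rejected:", exc)
```

Resolving fields through the namespace URI rather than a hard-coded alias is what keeps a field under a reused alias from being read as a caveat ID.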
API Documentation for Launchpad, generated by pydoctor at 2020-02-26 00:00:44.