Globus SDK TokenStorage

A Globus SDK contrib module providing simple token storage.

Basic Usage

Install with pip install globus-sdk-tokenstorage

You can then import helpers from globus_sdk_tokenstorage. For example:

import os
import globus_sdk
from globus_sdk_tokenstorage import SimpleJSONFileAdapter

my_file_adapter = SimpleJSONFileAdapter(
    os.path.expanduser('~/mytokens.json'),
    resource_server='transfer.api.globus.org')

if not my_file_adapter.file_exists():
    # ... do a login flow, getting back initial tokens
    # elided for simplicity here
    token_response = ...
    # now store the tokens, and pull out the tokens for the
    # resource server we want
    my_file_adapter.store(token_response)
    by_rs = token_response.by_resource_server
    tokens = by_rs['transfer.api.globus.org']
else:
    # otherwise, we already did this whole song-and-dance, so just
    # load the tokens from that file
    tokens = my_file_adapter.read_as_dict()


# RefreshTokenAuthorizer and ClientCredentialsAuthorizer both use
# `on_refresh` callbacks
# this feature is therefore only relevant for those auth types
#
# auth_client is the internal auth client used for refreshes,
# and which was used in the login flow
# note that this is all normal SDK usage wherein my_file_adapter
# is providing the on_refresh callback
auth_client = ...
authorizer = globus_sdk.RefreshTokenAuthorizer(
    tokens['refresh_token'], auth_client,
    # by_resource_server data carries the expiry under 'expires_at_seconds'
    tokens['access_token'], tokens['expires_at_seconds'],
    on_refresh=my_file_adapter.on_refresh)

# or, for client credentials
authorizer = globus_sdk.ClientCredentialsAuthorizer(
    auth_client, ['urn:globus:auth:transfer.api.globus.org:all'],
    on_refresh=my_file_adapter.on_refresh)

# and then use as normal, tada!
tc = globus_sdk.TransferClient(authorizer=authorizer)

Full Library Contents

class globus_sdk_tokenstorage.base.StorageAdapter

Bases: abc.ABC

on_refresh(token_response)

By default, the on_refresh handler for a token storage adapter simply stores the token response.

class globus_sdk_tokenstorage.base.FileAdapter

Bases: globus_sdk_tokenstorage.base.StorageAdapter

File adapters are for single-user cases, where we can assume that there’s a simple file-per-user and users are only ever attempting to read their own files.

file_exists()

Check if the file used by this file storage adapter exists.

user_only_umask()

A context manager which denies rwx to Group and World, and x to User. It does not create a file, but ensures that if a file is created while inside the context manager, its permissions will be correct on Unix systems.

class globus_sdk_tokenstorage.SimpleJSONFileAdapter(filename, resource_server=None, scopes=None)

Bases: globus_sdk_tokenstorage.base.FileAdapter

Parameters:
  • filename – the name of the file to write to and read from
  • resource_server – the resource server name for tokens to look up in a token response object
  • scopes – a list of scope names for tokens to look up in a token response object

A storage adapter for storing tokens in JSON files. Callers must provide exactly one of resource_server and scopes.

store(token_response)

By default, self.on_refresh is just an alias for this function.

Given a token response, extract the token data for the configured scopes or resource servers of this file adapter and write it to self.filename as JSON data. The version of globus_sdk_tokenstorage which was in use is written as well.

Under the assumption that this may be running on a system with multiple local users, this sets the umask such that only the owner of the resulting file can read or write it.
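The umask behaviour described for user_only_umask() and store(), shown as an added example (a re-implementation for illustration, not the library's own code). It assumes a Unix system and the mask 0o177 implied by "deny rwx to Group and World, x to User"; write_tokens, file_mode and demo are hypothetical names. It also covers the case the umask cannot: a file that already exists with looser permissions.

```python
import contextlib
import json
import os
import stat
import tempfile


@contextlib.contextmanager
def user_only_umask():
    # Re-implementation for illustration (not the library's source):
    # 0o177 masks x for the user and rwx for group/world -> new files are 0600.
    old = os.umask(0o177)
    try:
        yield
    finally:
        os.umask(old)


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def write_tokens(path, data):
    """Hypothetical writer that also tightens a file that already existed."""
    with user_only_umask():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)  # umask cannot change an existing mode
            json.dump(data, f)


def demo():
    tokens = {"access_token": "CONSTRUCTED", "refresh_token": "CONSTRUCTED"}
    with tempfile.TemporaryDirectory() as d:
        fresh, stale = os.path.join(d, "fresh.json"), os.path.join(d, "stale.json")
        with user_only_umask(), open(fresh, "w") as f:
            json.dump(tokens, f)          # created inside the context: 0600
        with open(stale, "w") as f:
            f.write("{}")
        os.chmod(stale, 0o644)            # constructed pre-existing loose file
        with user_only_umask(), open(stale, "w") as f:
            json.dump(tokens, f)          # rewritten, but the mode is untouched
        after_umask_only = file_mode(stale)
        write_tokens(stale, tokens)
        return file_mode(fresh), after_umask_only, file_mode(stale)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

A token file that was first created outside the context manager, for example by an editor or a copy, keeps its old mode until something explicitly chmods it.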

read_as_dict()

Load the config file contents as JSON and return the resulting dict object.

Although the whole token response is passed in for self.store, this will only return the token data for the particular scopes or resource server for which this File Adapter is configured.

class globus_sdk_tokenstorage.SQLiteAdapter(dbname, namespace='DEFAULT')

Bases: globus_sdk_tokenstorage.base.FileAdapter

Parameters:
  • dbname – the name of the DB file to write to and read from
  • namespace – A “namespace” to use within the database. All operations will be performed indexed under this string, so that multiple distinct sets of tokens may be stored in the database. You might use usernames as the namespace to implement a multi-user system, or profile names to allow multiple Globus accounts to be used by a single user.

A storage adapter for storing tokens in sqlite databases.

SQLite adapters are for more complex cases, where there may be multiple users or “profiles” in play, and additionally a dynamic set of resource servers which need to be stored in an extensible way.

The namespace is a user-supplied way of partitioning data, and any token responses passed to the storage adapter are broken apart and stored indexed by resource_server. If you have a more complex use-case in which this scheme will be insufficient, you should encode that in your choice of namespace values.

store_config(config_name, config_dict)
Parameters:
  • config_name – A string name for the configuration value
  • config_dict – A dict of config which will be stored serialized as JSON

Store a config dict under the current namespace in the config table. Allows arbitrary configuration data to be namespaced under the namespace, so that application config may be associated with the stored tokens.

Uses sqlite “REPLACE” to perform the operation.

read_config(config_name)
Parameters:
  • config_name – A string name for the configuration value

Load a config dict under the current namespace in the config table. If no value is found, returns None.

remove_config(config_name)
Parameters:
  • config_name – A string name for the configuration value

Delete a previously stored configuration value.

Returns True if data was deleted, False if none was found to delete.

store(token_response)
Parameters:
  • token_response – a globus_sdk.OAuthTokenResponse object containing token data to store

By default, self.on_refresh is just an alias for this function.

Given a token response, extract the token data for the resource servers and write it to self.dbname, stored under the adapter’s namespace.

read_as_dict()

Load the token data JSON and return the resulting dict objects, indexed by resource server. This should look identical to an OAuthTokenResponse.by_resource_server in format and content. (But it is not attached to a token response object.)

remove_tokens_for_resource_server(resource_server)

Given a resource server to target, delete tokens for that resource server from the database (limited to the current namespace). You can use this as part of a logout command implementation, loading token data as a dict, and then deleting the data for each resource server.

Returns True if token data was deleted, False if none was found to delete.
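The logout pattern described above, as an added example that is not part of the library. The logout function and the two in-memory stand-in classes are hypothetical. Revoking each token through the auth client's oauth2_revoke_token before deleting it locally is an assumption added here, so that a deleted token is not left valid on the server.

```python
def logout(adapter, auth_client):
    """Revoke and delete every stored token in the adapter's namespace.

    Returns {resource_server: bool}, True where local data was deleted.
    """
    results = {}
    stored = adapter.read_as_dict() or {}
    for resource_server, data in stored.items():
        # Revoke first: if revocation raises, the token stays in storage
        # and logout can be retried instead of orphaning a live token.
        for key in ("refresh_token", "access_token"):
            token = data.get(key)
            if token:
                auth_client.oauth2_revoke_token(token)
        results[resource_server] = adapter.remove_tokens_for_resource_server(
            resource_server
        )
    return results


class FakeAdapter:
    """Constructed in-memory stand-in exposing the two adapter methods used."""

    def __init__(self, data):
        self.data = dict(data)

    def read_as_dict(self):
        return dict(self.data)

    def remove_tokens_for_resource_server(self, resource_server):
        return self.data.pop(resource_server, None) is not None


class FakeAuthClient:
    """Constructed stand-in that records which tokens were revoked."""

    def __init__(self):
        self.revoked = []

    def oauth2_revoke_token(self, token):
        self.revoked.append(token)
```

With the real library, pass a SQLiteAdapter constructed with the namespace being logged out and the same auth client that was used for the login flow.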