Globus SDK TokenStorage
A Globus SDK contrib module providing simple token storage.
Basic Usage
Install with pip install globus-sdk-tokenstorage
You can then import helpers from globus_sdk_tokenstorage. For example:
import os
import globus_sdk
from globus_sdk_tokenstorage import SimpleJSONFileAdapter

my_file_adapter = SimpleJSONFileAdapter(
    os.path.expanduser('~/mytokens.json'),
    resource_server='transfer.api.globus.org')

if not my_file_adapter.file_exists():
    # ... do a login flow, getting back initial tokens
    # elided for simplicity here
    token_response = ...
    # now store the tokens, and pull out the tokens for the
    # resource server we want
    my_file_adapter.store(token_response)
    by_rs = token_response.by_resource_server
    tokens = by_rs['transfer.api.globus.org']
else:
    # otherwise, we already did this whole song-and-dance, so just
    # load the tokens from that file
    tokens = my_file_adapter.read_as_dict()

# RefreshTokenAuthorizer and ClientCredentialsAuthorizer both use
# `on_refresh` callbacks
# this feature is therefore only relevant for those auth types
#
# auth_client is the internal auth client used for refreshes,
# and which was used in the login flow
# note that this is all normal SDK usage wherein my_file_adapter
# is providing the on_refresh callback
auth_client = ...
authorizer = globus_sdk.RefreshTokenAuthorizer(
    tokens['refresh_token'], auth_client,
    tokens['access_token'], tokens['access_token_expires'],
    on_refresh=my_file_adapter.on_refresh)

# or, for client credentials
authorizer = globus_sdk.ClientCredentialsAuthorizer(
    auth_client, ['urn:globus:auth:transfer.api.globus.org:all'],
    on_refresh=my_file_adapter.on_refresh)

# and then use as normal, tada!
tc = globus_sdk.TransferClient(authorizer=authorizer)
Full Library Contents
class globus_sdk_tokenstorage.base.StorageAdapter
    Bases: abc.ABC

    on_refresh(token_response)
        By default, the on_refresh handler for a token storage adapter simply stores the token response.

class globus_sdk_tokenstorage.base.FileAdapter
    Bases: globus_sdk_tokenstorage.base.StorageAdapter

    File adapters are for single-user cases, where we can assume that there’s a simple file-per-user and users are only ever attempting to read their own files.

    file_exists()
        Check if the file used by this file storage adapter exists.

    user_only_umask()
        A context manager that denies rwx to Group and World, and x to User. It does not create a file, but ensures that if a file is created while inside the context manager, its permissions will be correct on Unix systems.

class globus_sdk_tokenstorage.SimpleJSONFileAdapter(filename, resource_server=None, scopes=None)
    Bases: globus_sdk_tokenstorage.base.FileAdapter

    Parameters:
    - filename – the name of the file to write to and read from
    - resource_server – the resource server name for tokens to look up in a token response object
    - scopes – a list of scope names for tokens to look up in a token response object

    A storage adapter for storing tokens in JSON files. Callers must provide exactly one of resource_server and scopes.

    store(token_response)
        By default, self.on_refresh is just an alias for this function.

        Given a token response, extract the token data for the configured scopes or resource servers of this file adapter and write it to self.filename as JSON data. The version of globus_sdk_tokenstorage which was in use is written as well.

        Under the assumption that this may be running on a system with multiple local users, this sets the umask such that only the owner of the resulting file can read or write it.

    read_as_dict()
        Load the config file contents as JSON and return the resulting dict object.

        Although the whole token response is passed in for self.store, this will only return the token data for the particular scopes or resource server for which this File Adapter is configured.
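
The permission behaviour described for user_only_umask and for SimpleJSONFileAdapter.store, as an added example that is not the library's own code: a umask only applies when a file is created, so a token file that already exists with looser permissions keeps them unless the mode is reset explicitly. The names owner_only_umask, write_umask_only and write_and_tighten are hypothetical, and the mask 0o177 is derived from the description above.

```python
import contextlib
import json
import os
import stat
import tempfile

@contextlib.contextmanager
def owner_only_umask():
    """Hypothetical re-creation of the described context manager (mask 0o177)."""
    old = os.umask(0o177)  # deny rwx to group and world, x to the owner
    try:
        yield  # the umask is process-wide: other threads see it too
    finally:
        os.umask(old)

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def write_umask_only(path, data):
    """Relies on the umask alone: correct only if this call creates the file."""
    with owner_only_umask(), open(path, "w") as f:
        json.dump(data, f)

def write_and_tighten(path, data):
    """Also repairs a file that already existed with looser permissions."""
    with owner_only_umask():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), 0o600)  # reset the mode before any token is written
        json.dump(data, f)

def demo():
    tokens = {"access_token": "CONSTRUCTED-SAMPLE"}  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.json")
        write_umask_only(fresh, tokens)
        stale = os.path.join(d, "stale.json")
        with open(stale, "w"):
            pass
        os.chmod(stale, 0o644)  # simulate a file left world-readable earlier
        write_umask_only(stale, tokens)
        before = mode_of(stale)
        write_and_tighten(stale, tokens)
        return mode_of(fresh), before, mode_of(stale)
```

Checking the mode of an existing token file with mode_of before trusting it covers the case where the file was created outside the context manager.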

class globus_sdk_tokenstorage.SQLiteAdapter(dbname, namespace='DEFAULT')
    Bases: globus_sdk_tokenstorage.base.FileAdapter

    Parameters:
    - dbname – the name of the DB file to write to and read from
    - namespace – A “namespace” to use within the database. All operations will be performed indexed under this string, so that multiple distinct sets of tokens may be stored in the database. You might use usernames as the namespace to implement a multi-user system, or profile names to allow multiple Globus accounts to be used by a single user.

    A storage adapter for storing tokens in sqlite databases.

    SQLite adapters are for more complex cases, where there may be multiple users or “profiles” in play, and additionally a dynamic set of resource servers which need to be stored in an extensible way.

    The namespace is a user-supplied way of partitioning data, and any token responses passed to the storage adapter are broken apart and stored indexed by resource_server. If you have a more complex use-case in which this scheme will be insufficient, you should encode that in your choice of namespace values.

    store_config(config_name, config_dict)
        Parameters:
        - config_name – A string name for the configuration value
        - config_dict – A dict of config which will be stored serialized as JSON

        Store a config dict under the current namespace in the config table. Allows arbitrary configuration data to be namespaced under the namespace, so that application config may be associated with the stored tokens.

        Uses sqlite “REPLACE” to perform the operation.

    read_config(config_name)
        Parameters:
        - config_name – A string name for the configuration value

        Load a config dict under the current namespace in the config table. If no value is found, returns None.

    remove_config(config_name)
        Parameters:
        - config_name – A string name for the configuration value

        Delete a previously stored configuration value.

        Returns True if data was deleted, False if none was found to delete.

    store(token_response)
        Parameters:
        - token_response – a globus_sdk.OAuthTokenResponse object containing token data to store

        By default, self.on_refresh is just an alias for this function.

        Given a token response, extract the token data for the resource servers and write it to self.dbname, stored under the adapter’s namespace.

    read_as_dict()
        Load the token data JSON and return the resulting dict objects, indexed by resource server. This should look identical to an OAuthTokenResponse.by_resource_server in format and content. (But it is not attached to a token response object.)

    remove_tokens_for_resource_server(resource_server)
        Given a resource server to target, delete tokens for that resource server from the database (limited to the current namespace). You can use this as part of a logout command implementation, loading token data as a dict, and then deleting the data for each resource server.

        Returns True if token data was deleted, False if none was found to delete.
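
The logout pattern described for remove_tokens_for_resource_server, as an added example that is not the library's own code. It goes one step beyond the text by revoking each token before deleting the local copy, since deleting a stored token does not invalidate it. InMemoryAdapter is a constructed stand-in for SQLiteAdapter so the block runs offline, and logout and revoke_token are hypothetical names; revoke_token is assumed to be any callable that revokes one token.

```python
class InMemoryAdapter:
    """Constructed stand-in with the two SQLiteAdapter methods used below."""
    def __init__(self, by_resource_server):
        self._rows = dict(by_resource_server)
    def read_as_dict(self):
        return dict(self._rows)  # a copy, like a fresh read from the database
    def remove_tokens_for_resource_server(self, resource_server):
        return self._rows.pop(resource_server, None) is not None

def logout(adapter, revoke_token):
    """Revoke, then delete, every token in the adapter's namespace.

    Returns (removed, failed): resource servers whose stored tokens were
    deleted, and (resource_server, token_kind) pairs whose revocation raised.
    """
    removed, failed = [], []
    for rs, data in adapter.read_as_dict().items():
        for kind in ("refresh_token", "access_token"):
            token = data.get(kind)
            if not token:
                continue  # e.g. no refresh token was issued
            try:
                revoke_token(token)
            except Exception:
                failed.append((rs, kind))  # report it: the token may still be live
        # Delete the local copy regardless, so logout never leaves tokens on disk.
        if adapter.remove_tokens_for_resource_server(rs):
            removed.append(rs)
    return removed, failed

def demo():
    revoked = []
    def revoke(token):  # constructed: fails for one token to show the error path
        if token == "RT-unreachable":
            raise RuntimeError("revocation request failed")
        revoked.append(token)
    adapter = InMemoryAdapter({  # constructed sample token data
        "transfer.api.globus.org": {"access_token": "AT-1", "refresh_token": "RT-1"},
        "rs.example.org": {"access_token": "AT-2", "refresh_token": "RT-unreachable"},
    })
    removed, failed = logout(adapter, revoke)
    return removed, failed, revoked, adapter.read_as_dict()
```

With the real SDK, revoke_token could be the auth client's oauth2_revoke_token method; entries reported in failed identify tokens that should be treated as still valid until revocation is retried.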