Skip to content

Authenticator class

User Authentication.

Available in Taipy Enterprise only

This class exists only in the Enterprise edition of Taipy.

An Authenticator uses a protocol to validate a user's credentials.

The supported protocols are:

  • "LDAP": The authenticator can connect to an LDAP server and requests the authentication of a given username and password pair.
    User roles are retrieved from the LDAP groups assigned to the user.
  • "Entra ID": The authenticator uses the Entra ID protocol supported by Entra ID to authenticate a user.
    The user is authenticated using the logged-in Entra ID account in your browser. The user roles are retrieved from the Entra ID account's groups.
  • "Taipy": An internal protocol designed for testing purposes. Configuration allows to specify a password and a set of roles for every username.
  • "None": Provides no authentication. Authentication is assumed to succeed no matter what username and password are provided. User roles are set to an empty set.

Authenticator

When the login() is called, all configured authenticators are created to be used alongside other Authenticators created explicitly.

Attributes

protocols property

protocols: List[str]

The list of supported protocols of the authenticator.

Methods

__init__()

__init__(
    protocol: Optional[str],
    secret_key: Optional[str] = None,
    auth_session_duration: int = 3600,
    **kwargs
) -> None

Initialize a new Authenticator.

Parameters:

Name Type Description Default
protocol Optional[str]

The name of the protocol to use ("ldap", "entra_id", "taipy", or "none").

required
secret_key Optional[str]

A secret string used to internally encrypt the credentials' information. The default value is set at run-time to a random text string.

None
auth_session_duration int

How long, in seconds, are credentials valid after their creation. The default value is 3600, corresponding to an hour.

3600
**kwargs dict[str, any]

Additional arguments that depend on the indicated protocol.
Depending on the protocol, these arguments are:

  • "LDAP" protocol: the following arguments are accepted:
    • server: the URL of the LDAP server this authenticator connects to. The default value is: "ldap://127.0.0.1:389".
    • base_dn: the LDAP distinguished name that is used. The default is "".
  • "Entra ID" protocol: the following arguments are required:
    • client_id: the client ID of the Entra ID application. The application must be registered in the Azure Entra ID portal and have the required permissions including the "User.Read" and "Team.ReadBasic.All" permissions.
    • tenant_id: the tenant ID of the Entra ID organization.
  • "Taipy" protocol: the following arguments are accepted:
    • roles: a dictionary that configures the association of usernames to roles.
    • passwords: if required, a dictionary that configures the association of usernames to hashed passwords. A user can be authenticated if it appears at least in one of the roles or the password dictionaries.
      If it only appears in roles, then the user is authenticated if provided a password exactly identical to its username.
      If it only appears in passwords, then the user is assigned no roles.
  • "None": No additional arguments are required.
{}

get_auth_url()

get_auth_url(
    redirect_url: str, request_data: Dict[str, Any] = None
) -> str

Get the SSO URL to authenticate a user.

This function is used to get the URL to redirect the user to the SSO service. The user will be authenticated by the SSO service and redirected back to the application with the necessary information.

Parameters:

Name Type Description Default
redirect_url str

The URL to redirect the user to after the authentication.

required
request_data Dict[str, Any]

Additional data to pass to the SSO service.

None

get_authenticators() staticmethod

get_authenticators() -> List[Authenticator]

Returns the list of Authenticators.

If there is no Authenticator, new Authenticators are created.

  • If a configuration is loaded, this function looks into it to find the configured authenticators.
    Specifically, if the AUTHENTICATION.protocol property is set, then it indicates what kind of authenticator ("none", "taipy", "entra_id", or "ldap") should be created. It corresponds to the protocol argument of the Authenticator constructor.
    Other configuration properties can be set to configure the authenticator further, as we can see in the documentation for the constructor for Authenticator.

  • If the main Python script sits next to a taipy_auth_<protocol>.json file, an Authenticator for this protocol is created.
    Supported protocols are "none", "ldap", "entra_id", and "taipy". The documentation for the Authenticator class provides more information.
    This file should contain the JSON representation of the config dictionary parameter of the Authenticator constructor.

  • If no such file exists, a None Authenticator is created.

handle_auth_response()

handle_auth_response(
    auth_code: str, payload: Dict[str, Any]
) -> Credentials

Handle the authentication response from the SSO service.

This function is used to handle the response from the SSO service after the user has been authenticated. The response contains the necessary information to create the Credentials object. Arguments: auth_code (str): The authentication code received from the SSO service. Returns: Credentials: A valid Credentials instance. payload: The payload received from the SSO service.

login()

login(
    username: Optional[str] = None,
    password: Optional[str] = None,
) -> Credentials

Log a user in.

This function uses this authenticator's protocol to try to authenticate the user with the provided password. If the username and password are not provided, the function will attempt to authenticate the user using the Entra ID protocol.

Parameters:

Name Type Description Default
username Optional[str]

The name of the user to authenticate.

None
password Optional[str]

The password to use to authenticate the user.

None

Returns:

Name Type Description
Credentials Credentials

On success, a valid Credentials instance is created and returned.

Raises:

Type Description
InvalidCredentials

If the user and password do not match.