ats.auth client
With the provided client you can create authentication tokens, display their claims and optionally verify the signature.
$ ats-auth help
usage: ats-auth [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug]
                [--config CONFIG] [--debug-requests]

ats-auth

optional arguments:
  --version            show program's version number and exit
  -v, --verbose        Increase verbosity of output. Can be repeated.
  -q, --quiet          Suppress output except warnings and errors.
  --log-file LOG_FILE  Specify a file to log output. Disabled by default.
  -h, --help           Show help message and exit.
  --debug              Show tracebacks on errors.
  --config CONFIG      Configuration file (default: auth-client.ini)
  --debug-requests     Print request details

Commands:
  complete          print bash completion command
  help              print detailed help for another command
  token create      Create a JWT (RFC 7519) cryptographic token
  token revoke      Revoke a token
  token revoke-all  Revoke all tokens created by a user
Token generation
$ ats-auth help token create
usage: ats-auth token create [-h] [--username USERNAME] [--password PASSWORD]

Create a JWT (RFC 7519) cryptographic token

optional arguments:
  -h, --help           show this help message and exit
  --username USERNAME  username (will use OS_USERNAME if missing)
  --password PASSWORD  password (will use OS_PASSWORD if missing, will prompt
                       if OS_PASSWORD is also missing)
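You have to provide at least a username, either as a parameter or in the OS_USERNAME environment variable (see Set environment variables using the OpenStack RC file). Likewise, you can provide a password as a parameter, at the prompt or via the OS_PASSWORD variable. A password passed with --password ends up in the shell history and is visible in the process list, so the prompt is the safer choice on shared hosts.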
$ ats-auth token create --username marco
Password for user marco:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0NDY1NjQ0OTMuNDE0ODE4LCJzdWIiOiJtYXJjbyIsImlzcyI6ImF0cy5hdXRoIiwiZXhwIjoxNDQ2NTY4MDkzLjQxNDgxOH0.rmmO0NpE9k8Z-Sox7WoBq7LncIwYa9MGUvsjzCQQ1XA
If you want to decode the content of the token, you can do that with the --verbose option:
$ ats-auth token create --username marco --verbose
Configuration file: ats-auth-client.ini
Password for user marco:
Requesting new token...
username: marco
header: {'alg': 'HS256', 'typ': 'JWT'}
UNVERIFIED claims: {'exp': 1446568241.016732, 'iat': 1446564641.016732, 'iss': 'ats.auth', 'sub': 'marco'}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0NDY1NjQ2NDEuMDE2NzMyLCJzdWIiOiJtYXJjbyIsImlzcyI6ImF0cy5hdXRoIiwiZXhwIjoxNDQ2NTY4MjQxLjAxNjczMn0.3DWqx1J-DhaFbHurmALqAGkJbFGyKxTn_YTGUwk6KYo
As with all cliff-based commands, the verbose logs are written to stderr, so you can still redirect the relevant stdout content within scripts.
If you also have the jwt_secret value, you can specify it in auth-client.ini:
[client]
jwt_secret = ASDFFGGHJGLKJWELROISUFLDKJFLS
Now the claims will be verified:
$ ats-auth token create --username marco --verbose
Configuration file: ats-auth-client.ini
Password for user marco:
Requesting new token...
username: marco
header: {'typ': 'JWT', 'alg': 'HS256'}
claims: {'exp': 1446568595.9806926, 'iat': 1446564995.9806926, 'sub': 'marco', 'iss': 'ats.auth'}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0NDY1NjQ5OTUuOTgwNjkyNiwic3ViIjoibWFyY28iLCJpc3MiOiJhdHMuYXV0aCIsImV4cCI6MTQ0NjU2ODU5NS45ODA2OTI2fQ.NO4Xq14r8QxEoNjxytgjEI_on9plMza_kkgXoJ9XRZY
If the secret key is wrong or the token was tampered with, the client reports "Signature verification failed".
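The difference between "UNVERIFIED claims" and verified "claims" in the output above, shown as an added example (not ats.auth's own code) using only the Python standard library. The function names, the sample secret, the fixed clock and the expiry check are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not taken from a real deployment).
SAMPLE_SECRET = "constructed-demo-secret"
SAMPLE_CLAIMS = {"iss": "ats.auth", "sub": "marco",
                 "iat": 1446564641.0, "exp": 1446568241.0}
NOW = 1446564700.0  # fixed clock so the result is reproducible

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mac_hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build a sample token; stands in for the server's response."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(mac_hs256(f'{header}.{body}', secret))}"

def inspect_token(token, secret=None, now=NOW):
    """Return (status, claims); raises ValueError when verification fails."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(body_b64))
    if secret is None:
        return "UNVERIFIED", claims  # for display only, not for authorization
    # Pin the algorithm instead of trusting the header (rejects e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("Unexpected algorithm")
    expected = mac_hs256(f"{header_b64}.{body_b64}", secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    if claims["exp"] <= now:
        raise ValueError("Token expired")
    return "verified", claims

if __name__ == "__main__":
    token = sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(inspect_token(token))                 # no secret configured
    print(inspect_token(token, SAMPLE_SECRET))  # secret configured
    parts = token.split(".")                    # change a claim, keep the old signature
    parts[1] = b64url_encode(json.dumps(dict(SAMPLE_CLAIMS, sub="admin")).encode())
    try:
        inspect_token(".".join(parts), SAMPLE_SECRET)
    except ValueError as err:
        print(err)
```

Without the secret, anyone can read the claims but nothing proves who wrote them, which is why the client labels them UNVERIFIED.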
Token revocation
Revoking a token adds it to a blacklist, so subsequent requests that use it are denied:
$ ats-auth token revoke eyJhbGciOiJIU[...]jiK7StJgRm5jw7pzopfDCxDa0loc
Logging out user marco
Token revoked.
When a password is changed, it’s a good idea to void all current tokens for a given user:
$ ats-auth token revoke-all --as-user marco
All tokens revoked.