planet_auth_utils

The Planet Authentication Utilities Package: planet_auth_utils

This utility package provides higher leven and convenience functions for using the planet_auth package.

The core functionality provided by this package includes:

• planet_auth_utils.PlanetAuthFactory - Factory methods making it easier for application developers to initialize a coherent working set of [planet_auth] objects.
• plauth - The plauth command line utility is implemented in this package. It may be used as a stand-alone utility, or it may be embedded into other click applications.
• planet_auth_utils.Builtins - Built-in profile interface. Applications built on top of the Planet Auth Library may use configuration injection provide built-in configurations suitable for the operating environment of the application.

planet_auth_utils.Builtins

planet_auth_utils.Builtins.builtin_profile_names() staticmethod

Return a list of all the built-in profile names.

planet_auth_utils.EnvironmentVariables

Environment Variables used in the planet_auth_utils packages

planet_auth_utils.EnvironmentVariables.AUTH_API_KEY()

A literal Planet API key.

planet_auth_utils.EnvironmentVariables.AUTH_AUDIENCE()

Audience to use when requesting or validating OAuth tokens.

planet_auth_utils.EnvironmentVariables.AUTH_CLIENT_ID()

Client ID for an OAuth service account

planet_auth_utils.EnvironmentVariables.AUTH_CLIENT_SECRET()

Client Secret for an OAuth service account

planet_auth_utils.EnvironmentVariables.AUTH_EXTRA()

List of extra options. Values should be formatted as =. Multiple options should be whitespace delimited.

planet_auth_utils.EnvironmentVariables.AUTH_ISSUER()

Issuer to use when requesting or validating OAuth tokens.

planet_auth_utils.EnvironmentVariables.AUTH_LOGLEVEL()

Specify the log level.

planet_auth_utils.EnvironmentVariables.AUTH_ORGANIZATION()

Organization to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.EnvironmentVariables.AUTH_PASSWORD()

Password to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.EnvironmentVariables.AUTH_PROFILE()

Name of a profile to use for auth client configuration.

planet_auth_utils.EnvironmentVariables.AUTH_PROJECT()

Project ID to use when performing authentication. Not all implementations understand this option.

planet_auth_utils.EnvironmentVariables.AUTH_SCOPE()

List of scopes to request when requesting OAuth tokens. Multiple scopes should be whitespace delimited.

planet_auth_utils.EnvironmentVariables.AUTH_TOKEN()

Literal token string.

planet_auth_utils.EnvironmentVariables.AUTH_TOKEN_FILE()

File path to use for storing tokens.

planet_auth_utils.EnvironmentVariables.AUTH_USERNAME()

Username to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.PlanetAuthFactory

planet_auth_utils.PlanetAuthFactory.initialize_auth_client_context(auth_profile_opt=None, auth_client_id_opt=None, auth_client_secret_opt=None, auth_api_key_opt=None, token_file_opt=None, save_token_file=True, save_profile_config=False, use_env=True, use_configfile=True) staticmethod

Helper function to initialize the Auth context in applications.

Between built-in profiles to interactively login users, customer or third party registered OAuth clients and corresponding custom profiles that may be saved on disk, OAuth service account profiles, and static API keys, there are a number of ways to configure how an application built with this library should authenticate requests made to the service. Add to this configration may come from explict parameters set by the user, environment variables, configuration files, or values hard-coded by the application developer, and the number of possibilities rises.

This helper function is provided to help build applications with a consistent user experience when sharing auth context with the CLI. This function does not support using custom storage providers at this time.

Arguments to this function are taken to be explicitly set by the user or application developer, and are given the highest priority. Internally, the priority used for the source of any particular configuration values is, from highest to lowest priority, as follows:

• Arguments to this function.
• Environment variables.
• Values from configuration file.
• Built-in defaults.

In constructing the returned Auth context, the following priority is applied, from highest to lowest:

• A user selected auth profile, as specified by auth_profile_opt. This may either specify a built-in profile name, or a fully custom profile defined by files in a ~/.planet/<profile name> directory.
• A user selected OAuth service account, as specified by auth_client_id_opt and auth_client_secret_opt.
• A user specified API key, as specified by auth_api_key_opt
• A user selected auth profile, as determined from either environment variables or config files.
• A user selected OAuth service account, as determined from either environment variables or config files.
• A user selected API key, as determined from either environment variables or config files.
• A built-in default auth profile, which may require interactive user authentication.

Example

@click.group(help="my cli main help message")
@opt_auth_profile()
@opt_auth_client_id()
@opt_auth_client_secret()
@click.pass_context
def my_cli_main(ctx, auth_profile, auth_client_id, auth_client_secret):
    ctx.ensure_object(dict)
    ctx.obj["AUTH"] = PlanetAuthFactory.initialize_auth_client_context(
        auth_profile_opt=auth_profile, auth_client_id_opt=auth_client_id, auth_client_secret_opt=auth_client_secret
    )
    # Click program may now use the auth context in all commands...

Parameters:

Name	Type	Description	Default
auth_profile_opt	Optional[str]	The name of a built-in or custom profile to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_client_id_opt	Optional[str]	The client ID of a registered OAuth client to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_client_secret_opt	Optional[str]	The client secret of a registered OAuth client to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_api_key_opt	Optional[str]	The API key to use for authentication. Deprecated. This option should reflect the explict choice of the user or application developer.	None
token_file_opt	Optional[str]	The path to a file to store the access token. This options should not generally be used, and may be removed in the future.	None
save_token_file	bool	Whether to save the access token to disk. If False, in-memory operation will be used, and login sessions will not be persisted locally.	True
save_profile_config	bool	Whether to save the profile configuration to disk.	False
use_env	bool	Whether to use environment variables to determine configuration values.	True
use_configfile	bool	Whether to use configuration files to determine configuration values.	True

planet_auth_utils.PlanetAuthFactory.initialize_auth_client_context_from_custom_config(client_config, profile_name, initial_token_data=None, save_token_file=True, save_profile_config=True, storage_provider=None) staticmethod

Initialize using the provided client config dictionary and custom storage provider for session persistence.

If a storage provider is not provided, a default file based storage provider will be used that is interoperable with the plauth CLI utility. If a custom storage provider is supplied, sessions will not be visible to the plauth CLI tools.

Parameters:

Name	Type	Description	Default
client_config	dict	The client configuration dictionary to use for authentication.	required
profile_name	str	The name of the profile to use for the created auth context.	required
initial_token_data	Optional[dict]	Optional initial token data to use for authentication. This may be used to pass in previously saved login state.	None
save_token_file	bool	Whether to save the access token to disk using the storage provider. If False, in-memory operation will be used, and login sessions will not be persisted.	True
save_profile_config	bool	Whether to save the profile configuration to disk using the storage provider.	True
storage_provider	Optional[ObjectStorageProvider]	Optional custom storage provider for session persistence. If not provided, a default storage provider will be used that utilizes the user's home directory for storage.	None

planet_auth_utils.PlanetAuthFactory.initialize_resource_server_validator(environment, trusted_auth_server_configs=None) staticmethod

Create an OIDC multi issuer validator suitable for use by a resource server to validate access tokens in the specified deployment environment.

If "custom" is selected, trusted_auth_server_configsmust also be specified. If custom is not selected, the aforementioned argument will be ignored. SeeOidcMultiIssuerValidator.from_auth_server_configs` for more info.

Parameters:

Name	Type	Description	Default
environment	str	Specify a built-in environment to use for the validator. Valid environments are defined by built-in profile provider implemented by the application developer.	required
trusted_auth_server_configs	Optional[List[dict]]	A list of trusted auth server configurations to use if the environment is one designated as a custom environment by the built-in profile provider implemented by the application developer.	None

planet_auth_utils.PlanetAuthFactory.load_auth_client_config_from_profile(profile_name) staticmethod

Load the auth client config from a profile name. Both built-in and used defined custom profiles are considered.

planet_auth_utils.PlanetAuthUserConfig

Bases: FileBackedJsonObject

Access a ~/.planet.json file to store preferences that are not part of a particular AuthClient configuration profile.

planet_auth_utils.Profile

Tools for managing configuration within a profile directory on disk.

planet_auth_utils.Profile.get_profile_file_path(filename, profile, override_path=None) staticmethod

Given a profile name and a file name, construct a file path for the file under the profile directory. If an override is given, it will always be chosen.

planet_auth_utils.Profile.get_profile_file_path_with_priority(filenames, profile, override_path=None) staticmethod

Given a list of candidate filenames, choose the first that that exists. If none exist, the last one will be used regardless of whether the file exists or not. If the application needs the first rather than the last entry to be the fallback value, it should repeat that value and the end of the list.

planet_auth_utils.Profile.profile_root() staticmethod

Root storage directory used for profile data.

planet_auth_utils.cmd_jwt(ctx)

JWT utility for working with tokens. These functions are primarily targeted towards debugging usage. Many of the functions do not perform token validation. THE CONTENTS OF UNVALIDATED TOKENS MUST BE TREATED AS UNTRUSTED AND POTENTIALLY MALICIOUS.

planet_auth_utils.cmd_jwt_decode(ctx, token, token_file, human_readable)

Decode a JWT token WITHOUT PERFORMING ANY VALIDATION.

planet_auth_utils.cmd_jwt_validate_oauth(ctx, token, token_file, audience, issuer, human_readable)

Perform signature validation on an RFC 9068 compliant JWT token. The iss and aud claims will be used to look up signing keys using OAuth2/OIDC discovery protocols and perform basic validation checks.

This command performs only basic signature verification and token validity checks. For checks against auth server token revocation lists, see the oauth command. For deeper checks specific to the claims and structure of Identity or Access tokens, see the oauth command.

WARNING:

THIS TOOL IS ABSOLUTELY INAPPROPRIATE FOR PRODUCTION TRUST USAGE. This is a development and debugging utility. The default behavior to inspect the token for issuer and audience information used to validate the token is wholly incorrect for a production use case. The decision of which issuers to trust with what audiences MUST be controlled by the service operator.

planet_auth_utils.cmd_oauth(ctx)

OAuth2 authentication commands.

planet_auth_utils.cmd_oauth_discovery(ctx)

Look up OAuth server discovery information.

planet_auth_utils.cmd_oauth_list_scopes(ctx)

List available OAuth scopes.

This command will query the auth server for available scopes that may be requested.

planet_auth_utils.cmd_oauth_login(ctx, scope, audience, open_browser, show_qr_code, organization, username, password, auth_client_id, auth_client_secret, sops, yes, project, extra)

Perform an initial login using OAuth.

planet_auth_utils.cmd_oauth_print_access_token(ctx, refresh)

Show the current OAuth access token. Stale tokens will be automatically refreshed. This command only applies to auth profiles that use OAuth access tokens.

planet_auth_utils.cmd_oauth_refresh(ctx, scope)

Obtain a new credential using the saved refresh token.

It is possible to request a refresh token with scopes that are different from what is currently possessed, but you will never be granted more scopes than what the user has authorized.

This command only applies to auth profiles that use OAuth access tokens.

planet_auth_utils.cmd_oauth_revoke_access_token(ctx)

Revoke the current access token.

Revoking the access token does not revoke the refresh token, which will remain powerful.

It should be noted that while this command revokes the access token with the auth services, access tokens are bearer tokens, and may still be accepted by some service endpoints. It is up to each service whether access tokens are accepted as bearer tokens, or double verified against the auth services.

planet_auth_utils.cmd_oauth_revoke_refresh_token(ctx)

Revoke the current refresh token.

After the refresh token has been revoked, it will be necessary to login again to access other services. Revoking the refresh token does not revoke the current access token, which may remain potent until its natural expiration time if not also revoked.

planet_auth_utils.cmd_oauth_userinfo(ctx)

Look up user information for the current user. Look up is performed by querying the authorization server using the current access token.

planet_auth_utils.cmd_oauth_validate_access_token_local(ctx, audience, scope, human_readable)

Validate the access token locally.

When scopes are passed to the access token validator, the validator performs an "any of" check. It will assert that any one of the scopes is present in the token. The validator does not assert that all scopes are present.

It no scopes are passed to the validator, none are required.

NOTICE

This functionality is not supported for all OAuth implementations. Access tokens are intended for consumption by resource servers, and may be opaque to the client.

planet_auth_utils.cmd_oauth_validate_access_token_remote(ctx, human_readable)

Validate the access token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.cmd_oauth_validate_id_token_local(ctx, human_readable)

Validate the ID token. This command validates the ID token locally, checking the token signature and claims against expected values. While validation is performed locally, network access is still required to obtain the signing keys from the auth provider.

planet_auth_utils.cmd_oauth_validate_id_token_remote(ctx, human_readable)

Validate the ID token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.cmd_oauth_validate_refresh_token_remote(ctx, human_readable)

Validate the refresh token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.cmd_plauth_embedded(ctx)

Planet Auth Utility commands

Embeddable version of the Planet Auth Client root command. The embedded command differs from the stand-alone command in that it expects the context to be instantiated and options to be handled by the parent command. The planet_auth.Auth library context must be saved to the object field AUTH in the click context object.

See planet_auth_utils.PlanetAuthFactory.initialize_auth_client_context for user-friendly auth client context initialization.

See examples.

planet_auth_utils.cmd_plauth_login(ctx, scope, audience, open_browser, show_qr_code, organization, project, auth_profile, auth_client_id, auth_client_secret, auth_api_key, username, password, sops, yes)

Perform an initial login.

This command performs an initial login, obtains user authorization, and saves access tokens for the selected authentication profile. The specific process used depends on the selected options and authentication profile.

planet_auth_utils.cmd_plauth_reset()

Reset saved auth state.

Old auth state is not deleted. It is moved aside and preserved.

planet_auth_utils.cmd_plauth_version()

Show the version of planet auth components.

planet_auth_utils.cmd_pllegacy(ctx)

Planet legacy authentication commands.

planet_auth_utils.cmd_pllegacy_login(ctx, username, password, sops, yes)

Perform an initial login using Planet's legacy authentication interfaces.

planet_auth_utils.cmd_pllegacy_print_access_token(ctx)

Show the current legacy JWT access token.

planet_auth_utils.cmd_pllegacy_print_api_key(ctx)

Show the current API Key. This command only applies to auth profiles that use simple API keys.

planet_auth_utils.cmd_profile(ctx)

Manage auth profiles.

planet_auth_utils.cmd_profile_copy(sops, src, dst)

Copy an existing profile to create a new profile. Only the persistent profile configuration will be copied. User access tokens initialized via a call to login will not be copied.

Note: Depending on the type of [planet_auth.AuthClient] configured in the source profile, the new profile may have long term credentials (e.g. OAuth client credential secrets, API keys. etc.).

Note: External support files, such as public/private keypair files, are not copied.

This command will work with built-in as well as custom profiles, so it is possible to bootstrap profiles to manage multiple user identities with an otherwise default client profile:

profile copy my_app_builtin_default <my_new_profile>

planet_auth_utils.cmd_profile_create(sops, new_profile_name)

Wizard to create a new authentication profile.

planet_auth_utils.cmd_profile_list(long)

List auth profiles.

planet_auth_utils.cmd_profile_set(selected_profile)

Configure the default authentication profile. Preference will be saved to disk and will be used when one is not otherwise specified. Command line options and environment variables override on-disk preferences.

planet_auth_utils.cmd_profile_show(ctx)

Show the current authentication profiles.

planet_auth_utils.monkeypatch_hide_click_cmd_options(cmd, hide_options)

Monkey patch a click command to hide the specified command options. Useful when reusing click commands in contexts where you do not wish to expose all the options.

planet_auth_utils.opt_api_key(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_API_KEY)

Click option for specifying an API key

planet_auth_utils.opt_audience(default=None, hidden=False, required=False, envvar=EnvironmentVariables.AUTH_AUDIENCE)

Click option for specifying an OAuth token audience for the planet_auth package's click commands.

planet_auth_utils.opt_client_id(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_CLIENT_ID)

Click option for specifying an OAuth client ID.

planet_auth_utils.opt_client_secret(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_CLIENT_SECRET)

Click option for specifying an OAuth client secret.

planet_auth_utils.opt_extra(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_EXTRA)

Click option for specifying extra options.

planet_auth_utils.opt_human_readable(default=False, hidden=False)

Click option to toggle raw / human-readable formatting.

planet_auth_utils.opt_issuer(default=None, hidden=False, required=False, envvar=EnvironmentVariables.AUTH_ISSUER)

Click option for specifying an OAuth token issuer for the planet_auth package's click commands.

planet_auth_utils.opt_loglevel(default='INFO', hidden=False, envvar=EnvironmentVariables.AUTH_LOGLEVEL)

Click option for specifying a log level.

planet_auth_utils.opt_long(default=False, hidden=False)

Click option specifying that long or more detailed output should be produced.

planet_auth_utils.opt_open_browser(default=True, hidden=False)

Click option for specifying whether opening a browser is permitted for the planet_auth package's click commands.

planet_auth_utils.opt_organization(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_ORGANIZATION)

Click option for specifying an Organization.

planet_auth_utils.opt_password(default=None, hidden=True, envvar=EnvironmentVariables.AUTH_PASSWORD)

Click option for specifying a password for the planet_auth package's click commands.

planet_auth_utils.opt_profile(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_PROFILE)

Click option for specifying an auth profile for the planet_auth package's click commands.

planet_auth_utils.opt_project(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_PROJECT)

Click option for specifying a project ID.

planet_auth_utils.opt_qr_code(default=False, hidden=False)

Click option for specifying whether a QR code should be displayed.

planet_auth_utils.opt_refresh(default=True, hidden=False)

Click option specifying a refresh should be attempted if applicable.

planet_auth_utils.opt_scope(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_SCOPE)

Click option for specifying an OAuth token scope for the planet_auth package's click commands.

planet_auth_utils.opt_sops(default=False, hidden=False)

Click option specifying that SOPS should be used.

planet_auth_utils.opt_token(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_TOKEN)

Click option for specifying a token literal.

planet_auth_utils.opt_token_file(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_TOKEN_FILE)

Click option for specifying a token file location for the planet_auth package's click commands.

planet_auth_utils.opt_username(default=None, hidden=True, envvar=EnvironmentVariables.AUTH_USERNAME)

Click option for specifying a username for the planet_auth package's click commands.

planet_auth_utils.opt_yes_no(default=None, hidden=False)

Click option to bypass prompts with a yes or no selection.

planet_auth_utils.recast_exceptions_to_click(*exceptions, **params)

Decorator to catch exceptions and raise them as ClickExceptions. Useful to apply to click commands to supress stack traces that might be otherwise exposed to the end-user.

planet_auth_utils.builtins

planet_auth_utils.builtins.Builtins

planet_auth_utils.builtins.Builtins.builtin_profile_names() staticmethod

Return a list of all the built-in profile names.

planet_auth_utils.commands

planet_auth_utils.commands.cli

planet_auth_utils.commands.cli.jwt_cmd

planet_auth_utils.commands.cli.jwt_cmd.cmd_jwt(ctx)

JWT utility for working with tokens. These functions are primarily targeted towards debugging usage. Many of the functions do not perform token validation. THE CONTENTS OF UNVALIDATED TOKENS MUST BE TREATED AS UNTRUSTED AND POTENTIALLY MALICIOUS.

planet_auth_utils.commands.cli.jwt_cmd.cmd_jwt_decode(ctx, token, token_file, human_readable)

Decode a JWT token WITHOUT PERFORMING ANY VALIDATION.

planet_auth_utils.commands.cli.jwt_cmd.cmd_jwt_validate_hs512(ctx, token, token_file, human_readable)

Validate a JWT signed with a HS512 signature

planet_auth_utils.commands.cli.jwt_cmd.cmd_jwt_validate_oauth(ctx, token, token_file, audience, issuer, human_readable)

Perform signature validation on an RFC 9068 compliant JWT token. The iss and aud claims will be used to look up signing keys using OAuth2/OIDC discovery protocols and perform basic validation checks.

This command performs only basic signature verification and token validity checks. For checks against auth server token revocation lists, see the oauth command. For deeper checks specific to the claims and structure of Identity or Access tokens, see the oauth command.

WARNING:

THIS TOOL IS ABSOLUTELY INAPPROPRIATE FOR PRODUCTION TRUST USAGE. This is a development and debugging utility. The default behavior to inspect the token for issuer and audience information used to validate the token is wholly incorrect for a production use case. The decision of which issuers to trust with what audiences MUST be controlled by the service operator.

planet_auth_utils.commands.cli.jwt_cmd.cmd_jwt_validate_rs256(ctx, token, token_file, human_readable)

Validate a JWT signed with a RS256 signature

planet_auth_utils.commands.cli.main

planet_auth_utils.commands.cli.main.cmd_plauth(ctx, loglevel, auth_profile)

Planet Auth Utility commands

planet_auth_utils.commands.cli.main.cmd_plauth_embedded(ctx)

Planet Auth Utility commands

Embeddable version of the Planet Auth Client root command. The embedded command differs from the stand-alone command in that it expects the context to be instantiated and options to be handled by the parent command. The planet_auth.Auth library context must be saved to the object field AUTH in the click context object.

See planet_auth_utils.PlanetAuthFactory.initialize_auth_client_context for user-friendly auth client context initialization.

See examples.

planet_auth_utils.commands.cli.main.cmd_plauth_login(ctx, scope, audience, open_browser, show_qr_code, organization, project, auth_profile, auth_client_id, auth_client_secret, auth_api_key, username, password, sops, yes)

Perform an initial login.

This command performs an initial login, obtains user authorization, and saves access tokens for the selected authentication profile. The specific process used depends on the selected options and authentication profile.

planet_auth_utils.commands.cli.main.cmd_plauth_reset()

Reset saved auth state.

Old auth state is not deleted. It is moved aside and preserved.

planet_auth_utils.commands.cli.main.cmd_plauth_version()

Show the version of planet auth components.

planet_auth_utils.commands.cli.oauth_cmd

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth(ctx)

OAuth2 authentication commands.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_decode_jwt_access_token(ctx, human_readable)

Decode a JWT access token locally. NO VALIDATION IS PERFORMED. This function is intended for local debugging purposes. Note: Access tokens need not be JWTs. This function will not work for authorization servers that issue access tokens in other formats.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_decode_jwt_id_token(ctx, human_readable)

Decode a JWT ID token locally. NO VALIDATION IS PERFORMED. This function is intended for local debugging purposes.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_decode_jwt_refresh_token(ctx, human_readable)

Decode a JWT refresh token locally. NO VALIDATION IS PERFORMED. This function is intended for local debugging purposes. Note: Refresh tokens need not be JWTs. This function will not work for authorization servers that issue refresh tokens in other formats.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_discovery(ctx)

Look up OAuth server discovery information.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_list_scopes(ctx)

List available OAuth scopes.

This command will query the auth server for available scopes that may be requested.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_login(ctx, scope, audience, open_browser, show_qr_code, organization, username, password, auth_client_id, auth_client_secret, sops, yes, project, extra)

Perform an initial login using OAuth.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_print_access_token(ctx, refresh)

Show the current OAuth access token. Stale tokens will be automatically refreshed. This command only applies to auth profiles that use OAuth access tokens.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_refresh(ctx, scope)

Obtain a new credential using the saved refresh token.

It is possible to request a refresh token with scopes that are different from what is currently possessed, but you will never be granted more scopes than what the user has authorized.

This command only applies to auth profiles that use OAuth access tokens.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_revoke_access_token(ctx)

Revoke the current access token.

Revoking the access token does not revoke the refresh token, which will remain powerful.

It should be noted that while this command revokes the access token with the auth services, access tokens are bearer tokens, and may still be accepted by some service endpoints. It is up to each service whether access tokens are accepted as bearer tokens, or double verified against the auth services.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_revoke_refresh_token(ctx)

Revoke the current refresh token.

After the refresh token has been revoked, it will be necessary to login again to access other services. Revoking the refresh token does not revoke the current access token, which may remain potent until its natural expiration time if not also revoked.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_userinfo(ctx)

Look up user information for the current user. Look up is performed by querying the authorization server using the current access token.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_validate_access_token_local(ctx, audience, scope, human_readable)

Validate the access token locally.

When scopes are passed to the access token validator, the validator performs an "any of" check. It will assert that any one of the scopes is present in the token. The validator does not assert that all scopes are present.

It no scopes are passed to the validator, none are required.

NOTICE

This functionality is not supported for all OAuth implementations. Access tokens are intended for consumption by resource servers, and may be opaque to the client.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_validate_access_token_remote(ctx, human_readable)

Validate the access token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_validate_id_token_local(ctx, human_readable)

Validate the ID token. This command validates the ID token locally, checking the token signature and claims against expected values. While validation is performed locally, network access is still required to obtain the signing keys from the auth provider.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_validate_id_token_remote(ctx, human_readable)

Validate the ID token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.commands.cli.oauth_cmd.cmd_oauth_validate_refresh_token_remote(ctx, human_readable)

Validate the refresh token. Validation is performed by calling out to the auth provider's token introspection network service.

planet_auth_utils.commands.cli.options

planet_auth_utils.commands.cli.options.opt_api_key(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_API_KEY)

Click option for specifying an API key

planet_auth_utils.commands.cli.options.opt_audience(default=None, hidden=False, required=False, envvar=EnvironmentVariables.AUTH_AUDIENCE)

Click option for specifying an OAuth token audience for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_client_id(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_CLIENT_ID)

Click option for specifying an OAuth client ID.

planet_auth_utils.commands.cli.options.opt_client_secret(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_CLIENT_SECRET)

Click option for specifying an OAuth client secret.

planet_auth_utils.commands.cli.options.opt_extra(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_EXTRA)

Click option for specifying extra options.

planet_auth_utils.commands.cli.options.opt_human_readable(default=False, hidden=False)

Click option to toggle raw / human-readable formatting.

planet_auth_utils.commands.cli.options.opt_issuer(default=None, hidden=False, required=False, envvar=EnvironmentVariables.AUTH_ISSUER)

Click option for specifying an OAuth token issuer for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_loglevel(default='INFO', hidden=False, envvar=EnvironmentVariables.AUTH_LOGLEVEL)

Click option for specifying a log level.

planet_auth_utils.commands.cli.options.opt_long(default=False, hidden=False)

Click option specifying that long or more detailed output should be produced.

planet_auth_utils.commands.cli.options.opt_open_browser(default=True, hidden=False)

Click option for specifying whether opening a browser is permitted for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_organization(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_ORGANIZATION)

Click option for specifying an Organization.

planet_auth_utils.commands.cli.options.opt_password(default=None, hidden=True, envvar=EnvironmentVariables.AUTH_PASSWORD)

Click option for specifying a password for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_profile(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_PROFILE)

Click option for specifying an auth profile for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_project(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_PROJECT)

Click option for specifying a project ID.

planet_auth_utils.commands.cli.options.opt_qr_code(default=False, hidden=False)

Click option for specifying whether a QR code should be displayed.

planet_auth_utils.commands.cli.options.opt_refresh(default=True, hidden=False)

Click option specifying a refresh should be attempted if applicable.

planet_auth_utils.commands.cli.options.opt_scope(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_SCOPE)

Click option for specifying an OAuth token scope for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_sops(default=False, hidden=False)

Click option specifying that SOPS should be used.

planet_auth_utils.commands.cli.options.opt_token(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_TOKEN)

Click option for specifying a token literal.

planet_auth_utils.commands.cli.options.opt_token_file(default=None, hidden=False, envvar=EnvironmentVariables.AUTH_TOKEN_FILE)

Click option for specifying a token file location for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_username(default=None, hidden=True, envvar=EnvironmentVariables.AUTH_USERNAME)

Click option for specifying a username for the planet_auth package's click commands.

planet_auth_utils.commands.cli.options.opt_yes_no(default=None, hidden=False)

Click option to bypass prompts with a yes or no selection.

planet_auth_utils.commands.cli.planet_legacy_auth_cmd

planet_auth_utils.commands.cli.planet_legacy_auth_cmd.cmd_pllegacy(ctx)

Planet legacy authentication commands.

planet_auth_utils.commands.cli.planet_legacy_auth_cmd.cmd_pllegacy_login(ctx, username, password, sops, yes)

Perform an initial login using Planet's legacy authentication interfaces.

planet_auth_utils.commands.cli.planet_legacy_auth_cmd.cmd_pllegacy_print_access_token(ctx)

Show the current legacy JWT access token.

planet_auth_utils.commands.cli.planet_legacy_auth_cmd.cmd_pllegacy_print_api_key(ctx)

Show the current API Key. This command only applies to auth profiles that use simple API keys.

planet_auth_utils.commands.cli.profile_cmd

planet_auth_utils.commands.cli.profile_cmd.cmd_profile(ctx)

Manage auth profiles.

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_copy(sops, src, dst)

Copy an existing profile to create a new profile. Only the persistent profile configuration will be copied. User access tokens initialized via a call to login will not be copied.

Note: Depending on the type of [planet_auth.AuthClient] configured in the source profile, the new profile may have long term credentials (e.g. OAuth client credential secrets, API keys. etc.).

Note: External support files, such as public/private keypair files, are not copied.

This command will work with built-in as well as custom profiles, so it is possible to bootstrap profiles to manage multiple user identities with an otherwise default client profile:

profile copy my_app_builtin_default <my_new_profile>

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_create(sops, new_profile_name)

Wizard to create a new authentication profile.

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_edit()

Edit an existing profile.

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_list(long)

List auth profiles.

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_set(selected_profile)

Configure the default authentication profile. Preference will be saved to disk and will be used when one is not otherwise specified. Command line options and environment variables override on-disk preferences.

planet_auth_utils.commands.cli.profile_cmd.cmd_profile_show(ctx)

Show the current authentication profiles.

planet_auth_utils.commands.cli.util

planet_auth_utils.commands.cli.util.monkeypatch_hide_click_cmd_options(cmd, hide_options)

Monkey patch a click command to hide the specified command options. Useful when reusing click commands in contexts where you do not wish to expose all the options.

planet_auth_utils.commands.cli.util.recast_exceptions_to_click(*exceptions, **params)

Decorator to catch exceptions and raise them as ClickExceptions. Useful to apply to click commands to supress stack traces that might be otherwise exposed to the end-user.

planet_auth_utils.constants

planet_auth_utils.constants.EnvironmentVariables

Environment Variables used in the planet_auth_utils packages

planet_auth_utils.constants.EnvironmentVariables.AUTH_API_KEY()

A literal Planet API key.

planet_auth_utils.constants.EnvironmentVariables.AUTH_AUDIENCE()

Audience to use when requesting or validating OAuth tokens.

planet_auth_utils.constants.EnvironmentVariables.AUTH_CLIENT_ID()

Client ID for an OAuth service account

planet_auth_utils.constants.EnvironmentVariables.AUTH_CLIENT_SECRET()

Client Secret for an OAuth service account

planet_auth_utils.constants.EnvironmentVariables.AUTH_EXTRA()

List of extra options. Values should be formatted as =. Multiple options should be whitespace delimited.

planet_auth_utils.constants.EnvironmentVariables.AUTH_ISSUER()

Issuer to use when requesting or validating OAuth tokens.

planet_auth_utils.constants.EnvironmentVariables.AUTH_LOGLEVEL()

Specify the log level.

planet_auth_utils.constants.EnvironmentVariables.AUTH_ORGANIZATION()

Organization to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.constants.EnvironmentVariables.AUTH_PASSWORD()

Password to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.constants.EnvironmentVariables.AUTH_PROFILE()

Name of a profile to use for auth client configuration.

planet_auth_utils.constants.EnvironmentVariables.AUTH_PROJECT()

Project ID to use when performing authentication. Not all implementations understand this option.

planet_auth_utils.constants.EnvironmentVariables.AUTH_SCOPE()

List of scopes to request when requesting OAuth tokens. Multiple scopes should be whitespace delimited.

planet_auth_utils.constants.EnvironmentVariables.AUTH_TOKEN()

Literal token string.

planet_auth_utils.constants.EnvironmentVariables.AUTH_TOKEN_FILE()

File path to use for storing tokens.

planet_auth_utils.constants.EnvironmentVariables.AUTH_USERNAME()

Username to use when performing client authentication. Only used for some authentication mechanisms.

planet_auth_utils.plauth_factory

planet_auth_utils.plauth_factory.MissingArgumentException

Bases: AuthException

Raised when not all custom environment arguments are specified.

planet_auth_utils.plauth_factory.PlanetAuthFactory

planet_auth_utils.plauth_factory.PlanetAuthFactory.initialize_auth_client_context(auth_profile_opt=None, auth_client_id_opt=None, auth_client_secret_opt=None, auth_api_key_opt=None, token_file_opt=None, save_token_file=True, save_profile_config=False, use_env=True, use_configfile=True) staticmethod

Helper function to initialize the Auth context in applications.

Between built-in profiles to interactively login users, customer or third party registered OAuth clients and corresponding custom profiles that may be saved on disk, OAuth service account profiles, and static API keys, there are a number of ways to configure how an application built with this library should authenticate requests made to the service. Add to this configration may come from explict parameters set by the user, environment variables, configuration files, or values hard-coded by the application developer, and the number of possibilities rises.

This helper function is provided to help build applications with a consistent user experience when sharing auth context with the CLI. This function does not support using custom storage providers at this time.

Arguments to this function are taken to be explicitly set by the user or application developer, and are given the highest priority. Internally, the priority used for the source of any particular configuration values is, from highest to lowest priority, as follows:

• Arguments to this function.
• Environment variables.
• Values from configuration file.
• Built-in defaults.

In constructing the returned Auth context, the following priority is applied, from highest to lowest:

• A user selected auth profile, as specified by auth_profile_opt. This may either specify a built-in profile name, or a fully custom profile defined by files in a ~/.planet/<profile name> directory.
• A user selected OAuth service account, as specified by auth_client_id_opt and auth_client_secret_opt.
• A user specified API key, as specified by auth_api_key_opt
• A user selected auth profile, as determined from either environment variables or config files.
• A user selected OAuth service account, as determined from either environment variables or config files.
• A user selected API key, as determined from either environment variables or config files.
• A built-in default auth profile, which may require interactive user authentication.

Example

@click.group(help="my cli main help message")
@opt_auth_profile()
@opt_auth_client_id()
@opt_auth_client_secret()
@click.pass_context
def my_cli_main(ctx, auth_profile, auth_client_id, auth_client_secret):
    ctx.ensure_object(dict)
    ctx.obj["AUTH"] = PlanetAuthFactory.initialize_auth_client_context(
        auth_profile_opt=auth_profile, auth_client_id_opt=auth_client_id, auth_client_secret_opt=auth_client_secret
    )
    # Click program may now use the auth context in all commands...

Parameters:

Name	Type	Description	Default
auth_profile_opt	Optional[str]	The name of a built-in or custom profile to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_client_id_opt	Optional[str]	The client ID of a registered OAuth client to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_client_secret_opt	Optional[str]	The client secret of a registered OAuth client to use for authentication. This option should reflect the explict choice of the user or application developer.	None
auth_api_key_opt	Optional[str]	The API key to use for authentication. Deprecated. This option should reflect the explict choice of the user or application developer.	None
token_file_opt	Optional[str]	The path to a file to store the access token. This options should not generally be used, and may be removed in the future.	None
save_token_file	bool	Whether to save the access token to disk. If False, in-memory operation will be used, and login sessions will not be persisted locally.	True
save_profile_config	bool	Whether to save the profile configuration to disk.	False
use_env	bool	Whether to use environment variables to determine configuration values.	True
use_configfile	bool	Whether to use configuration files to determine configuration values.	True

planet_auth_utils.plauth_factory.PlanetAuthFactory.initialize_auth_client_context_from_custom_config(client_config, profile_name, initial_token_data=None, save_token_file=True, save_profile_config=True, storage_provider=None) staticmethod

Initialize using the provided client config dictionary and custom storage provider for session persistence.

If a storage provider is not provided, a default file based storage provider will be used that is interoperable with the plauth CLI utility. If a custom storage provider is supplied, sessions will not be visible to the plauth CLI tools.

Parameters:

Name	Type	Description	Default
client_config	dict	The client configuration dictionary to use for authentication.	required
profile_name	str	The name of the profile to use for the created auth context.	required
initial_token_data	Optional[dict]	Optional initial token data to use for authentication. This may be used to pass in previously saved login state.	None
save_token_file	bool	Whether to save the access token to disk using the storage provider. If False, in-memory operation will be used, and login sessions will not be persisted.	True
save_profile_config	bool	Whether to save the profile configuration to disk using the storage provider.	True
storage_provider	Optional[ObjectStorageProvider]	Optional custom storage provider for session persistence. If not provided, a default storage provider will be used that utilizes the user's home directory for storage.	None

planet_auth_utils.plauth_factory.PlanetAuthFactory.initialize_resource_server_validator(environment, trusted_auth_server_configs=None) staticmethod

Create an OIDC multi issuer validator suitable for use by a resource server to validate access tokens in the specified deployment environment.

If "custom" is selected, trusted_auth_server_configsmust also be specified. If custom is not selected, the aforementioned argument will be ignored. SeeOidcMultiIssuerValidator.from_auth_server_configs` for more info.

Parameters:

Name	Type	Description	Default
environment	str	Specify a built-in environment to use for the validator. Valid environments are defined by built-in profile provider implemented by the application developer.	required
trusted_auth_server_configs	Optional[List[dict]]	A list of trusted auth server configurations to use if the environment is one designated as a custom environment by the built-in profile provider implemented by the application developer.	None

planet_auth_utils.plauth_factory.PlanetAuthFactory.load_auth_client_config_from_profile(profile_name) staticmethod

Load the auth client config from a profile name. Both built-in and used defined custom profiles are considered.

planet_auth_utils.plauth_user_config

planet_auth_utils.plauth_user_config.PlanetAuthUserConfig

Bases: FileBackedJsonObject

Access a ~/.planet.json file to store preferences that are not part of a particular AuthClient configuration profile.

planet_auth_utils.plauth_user_config.PlanetAuthUserConfigEnhanced

Bases: PlanetAuthUserConfig

Provide an enhanced view of the ~/.planet.json configuration file, with utilities to consolidate the retrieval of configuration parameters user overrides, environment variables, the configuration file, or fallback internals defaults.

planet_auth_utils.plauth_user_config.PlanetAuthUserConfigEnhanced.effective_conf_value(config_key, override_value=None, fallback_value=None, env_var_name=None, use_env=True, use_configfile=True)

Return the effective configuration value synthesized from a variety of sources, with the following priority applied: - Explicit values from the user are given the highest priority. - Values taken from environment variables are then considered. - Values taken from the user's configuration file are then next considered. The default user configuration file is ~/.planet.json. - Built-in default values are considered last. Parameters: config_key: The configuration key to look up. By default, this will be used both for reading the user's configuration file, and used as the environment variable to search for. override_value: User provided override value. If this value is supplied, it will be returned. fallback_value: A fallback default value to return if the config parameter cannot be found in the user's configuration file or the environment, and the user did not provide an explicit override value. env_var_name: Name of the environment variable to search for a value. If not provided, the config_key will also be used as the environment variable. use_env: Boolean controlling whether the environment should be considered. By default, the environment will be searched for configuration values, but this behavior can be surprised using this parameter. use_configfile: Boolean controlling whether the user configuration file should be considered. By default, the user configuration file will be searched for configuration values, but this behavior can be surprised using this parameter.

planet_auth_utils.profile

planet_auth_utils.profile.Profile

Tools for managing configuration within a profile directory on disk.

planet_auth_utils.profile.Profile.get_profile_file_path(filename, profile, override_path=None) staticmethod

Given a profile name and a file name, construct a file path for the file under the profile directory. If an override is given, it will always be chosen.

planet_auth_utils.profile.Profile.get_profile_file_path_with_priority(filenames, profile, override_path=None) staticmethod

Given a list of candidate filenames, choose the first that that exists. If none exist, the last one will be used regardless of whether the file exists or not. If the application needs the first rather than the last entry to be the fallback value, it should repeat that value and the end of the list.

planet_auth_utils.profile.Profile.profile_root() staticmethod

Root storage directory used for profile data.