H2O Python Clients Authentication Helpers.
pip install h2o-authn
Package provides two top level classes h2o_authn.TokenProvider
and h2o_authn.AsyncTokenProvider
with identical constructors accepting following arguments:
refresh_token
: Refresh token which will used for the access token exchange.client_id
: OAuth 2.0 client id that will be used or the access token exchange.issuer_url
ortoken_endpoint_url
needs to be providedissuer_url
: Base URL of the issuer. This URL will be used for the discovery to obtain token endpoint. Mutually exclusive with the token_endpoint_url argument.token_endpoint_url
: URL of the token endpoint that should be used for the access token exchange. Mutually exclusive with the issuer_url argument.
client_secret
: Optional OAuth 2.0 client secret for the confidential clients. Used only when provided.scope
: Optionally sets the the scope for which the access token should be requested.expiry_threshold
: How long before token expiration should token be refreshed when needed. This does not mean that the token will be refreshed before it expires, only indicates the earliest moment before the expiration when refresh would occur. (default: 5s)expires_in_fallback
: Fallback value for the expires_in value. Will be used when token response does not contains expires_in field.minimal_refresh_period
: Optionally minimal period between the earliest token refresh exchanges.
Both classes has identical interface in sync or async variant.
provider = h2o_authn.TokenProvider(...)
aprovider = h2o_authn.AsyncTokenProvider(...)
# Calling the providers directly makes sure that fresh access token is available
# and returns it.
access_token = provider()
access_token = await aprovider()
# Calling the token() returns h2o_authn.token.Token instance.
token = provider.token()
token = await aprovider.token()
# It can used as str.
assert token == access_token
# And contains additional attributes when available.
token.exp # Is expiration of the token as datetime.datetime
token.scope # Is scope of the token if server provided it.
# Sync/Async variants can be converted from one to another.
provider = aprovider.as_sync()
aprovider = provider.as_async()
# When access token with different scope is needed new instance can cloned from
# the current with different scope.
provider = provider.with_scope("new scopes")
aprovider = aprovider.with_scope("new scopes")
import h2o_authn
import h2o_mlops_client as mlops
provider = h2o_authn.TokenProvider(...)
mlops_client = mlops.Client(
gateway_url="https://mlops-api.cloud.h2o.ai",
token_provider=provider,
)
...
import h2o_authn
import h2o_drive
from h2o_wave import Q, app, ui
from h2o_wave import main
@app("/")
async def serve(q: Q):
provider = h2o_authn.AsyncTokenProvider(
refresh_token=q.auth.refresh_token,
issuer_url=os.getenv("H2O_WAVE_OIDC_PROVIDER_URL"),
client_id=os.getenv("H2O_WAVE_OIDC_CLIENT_ID"),
client_secret=os.getenv("H2O_WAVE_OIDC_CLIENT_SECRET"),
)
my_home = await h2o_drive.MyHome(token=provider)
...
import h2o_authn
import h2osteam
import h2osteam.clients
provider = h2o_authn.TokenProvider(...)
h2osteam.login(
url="https://steam.cloud-dev.h2o.ai", access_token=provider()
)
client = h2osteam.clients.DriverlessClient()
...
I you use the token provider to access H2O.ai services running in your H2O AI Cloud environment, you
can simply the configuration by using h2o-authn[discovery]
extension.
For more info regarding H2O Cloud Discovery, please see H2O Cloud Discovery Client
pip install h2o-authn[discovery]
Module h2o_authn.discovery
provides new
and new_async
functions which
accepts following arguments:
discovery
: The Discovery object to use for configuration.client
: The name of the client to use for configuration. Defaults to "platform".scope
: The scope to use for the token requests.expiry_threshold
: How long before token expiration should token be refreshed when needed. This does not mean that the token will be refreshed before it expires, only indicates the earliest moment before the expiration when refresh would occur. (default: 5s)expires_in_fallback
: Fallback value for the expires_in value. Will be used when token response does not contains expires_in field.minimal_refresh_period
: Optionally minimal period between the earliest token refresh exchanges.
import h2o_authn.discovery
import h2o_discovery
import h2o_mlops_client as mlops
discovery = h2o_discovery.discover()
provider = h2o_authn.discovery.create(discovery)
mlops_client = mlops.Client(
gateway_url=discovery.services["mlops-api"].uri,
token_provider=provider,
)
...