autobahn.wamp.auth


Module Contents

Classes

AuthAnonymous

AuthTicket

AuthCryptoSign

AuthScram

Implements "wamp-scram" authentication for components.

AuthWampCra

Functions

create_authenticator(name, **kwargs)

Accepts various keys and values to configure an authenticator.

generate_totp_secret([length])

Generates a new Base32 encoded, random secret.

compute_totp(secret[, offset])

Computes the current TOTP code.

check_totp(secret, ticket)

Check a TOTP value received from a principal trying to authenticate against the expected value computed from the secret shared between the principal and the authenticating entity.

qrcode_from_totp(secret, label, issuer)

pbkdf2(data, salt[, iterations, keylen, hashfunc])

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt.

derive_key(secret, salt[, iterations, keylen])

Computes a derived cryptographic key from a password according to PBKDF2.

generate_wcs([length])

Generates a new random secret for use with WAMP-CRA.

compute_wcs(key, challenge)

Compute a WAMP-CRA authentication signature from an authentication challenge and a (derived) key.

derive_scram_credential(email, password[, salt]) → Dict

Derive WAMP-SCRAM credentials from user email and password.

autobahn.wamp.auth.create_authenticator(name, **kwargs)[source]

Accepts various keys and values to configure an authenticator. The valid keys depend on the kind of authenticator but all can understand: authextra, authid and authrole

Returns

an instance implementing IAuthenticator with the given configuration.

class autobahn.wamp.auth.AuthAnonymous(**kw)[source]

Bases: object

property authextra

name = anonymous

on_challenge(session, challenge)[source]

on_welcome(msg, authextra)[source]

class autobahn.wamp.auth.AuthTicket(**kw)[source]

Bases: object

property authextra

name = ticket

on_challenge(session, challenge)[source]

on_welcome(msg, authextra)[source]

class autobahn.wamp.auth.AuthCryptoSign(**kw)[source]

Bases: object

property authextra

name = cryptosign

on_challenge(session, challenge)[source]

on_welcome(msg, authextra)[source]

class autobahn.wamp.auth.AuthScram(**kw)[source]

Bases: object

Implements “wamp-scram” authentication for components.

NOTE: This is a prototype of a draft spec; see https://github.com/wamp-proto/wamp-proto/issues/135

property authextra

name = scram

on_challenge(session, challenge)[source]

on_welcome(session, authextra)[source]

When the server is satisfied, it sends a ‘WELCOME’ message.

This hook gives us an opportunity to deny the session right before it gets set up: we verify the server signature, which authenticates the server to the client, and if verification fails we drop the connection.

class autobahn.wamp.auth.AuthWampCra(**kw)[source]

Bases: object

property authextra

name = wampcra

on_challenge(session, challenge)[source]

on_welcome(msg, authextra)[source]

autobahn.wamp.auth.generate_totp_secret(length=10)[source]

Generates a new Base32 encoded, random secret.

Parameters

length (int) – The length of the entropy used to generate the secret.

Returns

The generated secret in Base32 (letters A-Z and digits 2-7). The length of the generated secret is length * 8 / 5 octets.

Return type

unicode

autobahn.wamp.auth.compute_totp(secret, offset=0)[source]

Computes the current TOTP code.

Parameters
  • secret (unicode) – Base32 encoded secret.

  • offset (int) – Time offset (in time steps; use e.g. -1, 0, +1 for compliance with RFC 6238) for which to compute the TOTP.

Returns

TOTP for current time (+/- offset).

Return type

unicode

autobahn.wamp.auth.check_totp(secret, ticket)[source]

Check a TOTP value received from a principal trying to authenticate against the expected value computed from the secret shared between the principal and the authenticating entity.

The Internet can be slow, and clocks might not match exactly, so some leniency is allowed. RFC 6238 recommends also looking at one extra time step in either direction, which essentially widens the acceptance window from 30 seconds to 90 seconds.

Parameters
  • secret (unicode) – The secret shared between the principal (e.g. a client) that is authenticating, and the authenticating entity (e.g. a server).

  • ticket (unicode) – The TOTP value to be checked.

Returns

True if the TOTP value is correct, else False.

Return type

bool
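The following is an added, stand-alone re-implementation of the TOTP scheme the three docstrings above describe (RFC 6238 with HMAC-SHA1, 30-second time steps and 6-digit codes). It is not autobahn's own code: the explicit time argument of compute_totp_at and check_totp_at is an addition so that results are reproducible, and the RFC_SECRET value is the RFC 4226 / RFC 6238 reference secret, used here as a constructed check.

```python
# Added example, not autobahn's code: TOTP generation and windowed check
# as described by generate_totp_secret / compute_totp / check_totp.
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by the docstrings above


def generate_totp_secret(length=10):
    """Base32 secret from `length` random bytes (letters A-Z, digits 2-7)."""
    return base64.b32encode(os.urandom(length)).decode("ascii")


def compute_totp_at(secret, now, offset=0, digits=DIGITS):
    """TOTP for Unix time `now`, shifted by `offset` time steps (assumed helper)."""
    key = base64.b32decode(secret)
    counter = int(now) // STEP_SECONDS + offset
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: the low nibble of the last byte selects a
    # 4-byte window; mask the sign bit and reduce modulo 10**digits.
    o = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[o:o + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return "{:0{}d}".format(code, digits)


def compute_totp(secret, offset=0):
    """Current TOTP, matching the signature documented above."""
    return compute_totp_at(secret, time.time(), offset)


def check_totp_at(secret, ticket, now):
    """Accept the ticket if it matches this step or one step either side."""
    for offset in (0, 1, -1):
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(ticket, compute_totp_at(secret, now, offset)):
            return True
    return False


def check_totp(secret, ticket):
    """Windowed check against the current time (offsets 0, +1, -1)."""
    return check_totp_at(secret, ticket, time.time())


# Constructed check value: the reference secret from RFC 4226 / RFC 6238.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print(compute_totp_at(RFC_SECRET, 59))            # 287082 (RFC 6238, T=59)
    print(check_totp_at(RFC_SECRET, "755224", 59))    # True: previous step accepted
    print(check_totp_at(RFC_SECRET, "969429", 59))    # False: three steps ahead
```

The 90-second window means a code stays valid for up to one step after it was displayed, so a server should additionally refuse to accept the same code twice within the window; the functions above, like the documented ones, do not track that on their own.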

autobahn.wamp.auth.qrcode_from_totp(secret, label, issuer)[source]
autobahn.wamp.auth.pbkdf2(data, salt, iterations=1000, keylen=32, hashfunc=None)[source]

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It runs iterations iterations and produces a key of keylen bytes. By default SHA-256 is used as the hash function; a different hashlib hash function can be selected by passing its name as hashfunc.

Parameters
  • data (bytes) – The data for which to compute the PBKDF2 derived key.

  • salt (bytes) – The salt to use for deriving the key.

  • iterations (int) – The number of iterations to perform in PBKDF2.

  • keylen (int) – The length of the cryptographic key to derive.

  • hashfunc (str) – Name of the hash algorithm to use

Returns

The derived cryptographic key.

Return type

bytes

autobahn.wamp.auth.derive_key(secret, salt, iterations=1000, keylen=32)[source]

Computes a derived cryptographic key from a password according to PBKDF2.

Parameters
  • secret (bytes or unicode) – The secret.

  • salt (bytes or unicode) – The salt to be used.

  • iterations (int) – Number of iterations of derivation algorithm to run.

  • keylen (int) – Length of the key to derive in bytes.

Returns

The derived key in Base64 encoding.

Return type

bytes

autobahn.wamp.auth.generate_wcs(length=14)[source]

Generates a new random secret for use with WAMP-CRA.

The secret generated is a random character sequence drawn from

  • upper and lower case latin letters

  • digits

Parameters

length (int) – The length of the secret to generate.

Returns

The generated secret. The length of the generated secret is length octets.

Return type

bytes

autobahn.wamp.auth.compute_wcs(key, challenge)[source]

Compute a WAMP-CRA authentication signature from an authentication challenge and a (derived) key.

Parameters
  • key (bytes) – The key derived (via PBKDF2) from the secret.

  • challenge (bytes) – The authentication challenge to sign.

Returns

The authentication signature.

Return type

bytes
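The following is an added, stand-alone re-implementation of the WAMP-CRA helpers documented above (pbkdf2, derive_key, generate_wcs, compute_wcs), together with the server-side verification step the docstrings imply. It is not autobahn's own code: verify_wcs and cra_exchange are assumed helpers added for illustration, and the challenge bytes are a constructed sample.

```python
# Added example, not autobahn's code: PBKDF2 key derivation and the
# WAMP-CRA challenge/response signature, with the verifying side.
import base64
import hashlib
import hmac
import random
import string


def pbkdf2(data, salt, iterations=1000, keylen=32, hashfunc=None):
    """PBKDF2-HMAC digest of `data` with `salt`; hashfunc is a hashlib name."""
    if not isinstance(data, bytes) or not isinstance(salt, bytes):
        raise ValueError("data and salt must be bytes")
    return hashlib.pbkdf2_hmac(hashfunc or "sha256", data, salt, iterations, keylen)


def derive_key(secret, salt, iterations=1000, keylen=32):
    """PBKDF2 key from a password, returned Base64-encoded as bytes."""
    if isinstance(secret, str):
        secret = secret.encode("utf8")
    if isinstance(salt, str):
        salt = salt.encode("utf8")
    return base64.b64encode(pbkdf2(secret, salt, iterations, keylen))


def generate_wcs(length=14):
    """Random secret of upper/lower case letters and digits, `length` octets."""
    alphabet = string.ascii_letters + string.digits
    rng = random.SystemRandom()   # CSPRNG, not the default Mersenne Twister
    return "".join(rng.choice(alphabet) for _ in range(length)).encode("ascii")


def compute_wcs(key, challenge):
    """HMAC-SHA256 over the challenge with the (Base64) derived key, Base64-encoded."""
    sig = hmac.new(key, challenge, hashlib.sha256).digest()
    return base64.b64encode(sig)


def verify_wcs(key, challenge, signature):
    """Server side (assumed helper): constant-time comparison of signatures."""
    return hmac.compare_digest(compute_wcs(key, challenge), signature)


def cra_exchange(secret, salt, challenge, iterations=1000, keylen=32):
    """Assumed helper: one full exchange. Client and server each derive the
    key from the shared secret and salt; the client signs the challenge the
    server issued, and the server verifies the signature."""
    client_key = derive_key(secret, salt, iterations, keylen)
    signature = compute_wcs(client_key, challenge)
    server_key = derive_key(secret, salt, iterations, keylen)
    return verify_wcs(server_key, challenge, signature)


# Constructed sample challenge; a real one is issued by the router per session.
SAMPLE_CHALLENGE = b'{"authid":"alice","authrole":"user","nonce":"constructed-nonce","timestamp":"2000-01-01T00:00:00.000Z"}'

if __name__ == "__main__":
    secret = generate_wcs()
    print(cra_exchange(secret, b"constructed-salt", SAMPLE_CHALLENGE))          # True
    key = derive_key(secret, b"constructed-salt")
    print(verify_wcs(key, SAMPLE_CHALLENGE + b"x", compute_wcs(key, SAMPLE_CHALLENGE)))  # False
```

Note that the signature binds the response to the exact challenge bytes, so any alteration of the challenge (here, one appended byte) fails verification. The iterations default of 1000 shown in the signatures above is far below current guidance for password-derived keys; when the secret is a human-chosen password rather than a generate_wcs output, raise it on both sides.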

autobahn.wamp.auth.derive_scram_credential(email: str, password: str, salt: Optional[bytes] = None) → Dict[source]

Derive WAMP-SCRAM credentials from user email and password. The SCRAM parameters used are the following (these are also contained in the returned credentials):

  • kdf argon2id-13

  • time cost 4096

  • memory cost 512

  • parallelism 1

See draft-irtf-cfrg-argon2 and argon2-cffi.

Parameters
  • email – User email.

  • password – User password.

  • salt – Optional salt to use (must be 16 bytes long). If none is given, compute salt from email as salt = SHA256(email)[:16].

Returns

WAMP-SCRAM credentials. When serialized, the returned credentials can be copy-pasted into the config.json node configuration for a Crossbar.io node.