autobahn.wamp.auth

Classes

AuthAnonymous

AuthCryptoSign

AuthScram

Implements "wamp-scram" authentication for components.

AuthTicket

AuthWampCra

Functions

check_totp(secret, ticket)

Check a TOTP value received from a principal trying to authenticate against

compute_totp(secret[, offset])

Computes the current TOTP code.

compute_wcs(key, challenge)

Compute an WAMP-CRA authentication signature from an authentication

create_authenticator(name, **kwargs)

Accepts various keys and values to configure an authenticator. The

derive_key(secret, salt[, iterations, keylen])

Computes a derived cryptographic key from a password according to PBKDF2.

derive_scram_credential(→ Dict)

Derive WAMP-SCRAM credentials from user email and password. The SCRAM parameters used

generate_totp_secret([length])

Generates a new Base32 encoded, random secret.

generate_wcs([length])

Generates a new random secret for use with WAMP-CRA.

pbkdf2(data, salt[, iterations, keylen, hashfunc])

Returns a binary digest for the PBKDF2 hash algorithm of data

qrcode_from_totp(secret, label, issuer)

Module Contents

class AuthAnonymous(**kw)[source]

Bases: object

_args[source]
property authextra[source]
name = 'anonymous'[source]
on_challenge(session, challenge)[source]
on_welcome(msg, authextra)[source]
class AuthCryptoSign(**kw)[source]

Bases: object

_args[source]
_channel_binding[source]
_privkey[source]
property authextra[source]
name = 'cryptosign'[source]
on_challenge(session, challenge)[source]
on_welcome(msg, authextra)[source]
class AuthScram(**kw)[source]

Bases: object

Implements “wamp-scram” authentication for components.

NOTE: This is a prototype of a draft spec; see https://github.com/wamp-proto/wamp-proto/issues/135

_args[source]
_client_nonce = None[source]
property authextra[source]
name = 'scram'[source]
on_challenge(session, challenge)[source]
on_welcome(session, authextra)[source]

When the server is satisfied, it sends a ‘WELCOME’ message.

This hook allows us an opportunity to deny the session right before it gets set up – we check the server-signature thus authorizing the server and if it fails we drop the connection.

class AuthTicket(**kw)[source]

Bases: object

_args[source]
property authextra[source]
name = 'ticket'[source]
on_challenge(session, challenge)[source]
on_welcome(msg, authextra)[source]
class AuthWampCra(**kw)[source]

Bases: object

_args[source]
_secret[source]
property authextra[source]
name = 'wampcra'[source]
on_challenge(session, challenge)[source]
on_welcome(msg, authextra)[source]
check_totp(secret, ticket)[source]

Check a TOTP value received from a principal trying to authenticate against the expected value computed from the secret shared between the principal and the authenticating entity.

The Internet can be slow, and clocks might not match exactly, so some leniency is allowed. RFC6238 recommends looking an extra time step in either direction, which essentially opens the window from 30 seconds to 90 seconds.

Parameters:

  • secret (unicode) – The secret shared between the principal (eg a client) that is authenticating, and the authenticating entity (eg a server).

  • ticket (unicode) – The TOTP value to be checked.

Returns:

True if the TOTP value is correct, else False.

Return type:

bool

compute_totp(secret, offset=0)[source]

Computes the current TOTP code.

Parameters:

  • secret (unicode) – Base32 encoded secret.

  • offset (int) – Time offset (in steps, use eg -1, 0, +1 for compliance with RFC6238) for which to compute TOTP.

Returns:

TOTP for current time (+/- offset).

Return type:

unicode

compute_wcs(key, challenge)[source]

Compute an WAMP-CRA authentication signature from an authentication challenge and a (derived) key.

Parameters:

  • key (bytes) – The key derived (via PBKDF2) from the secret.

  • challenge (bytes) – The authentication challenge to sign.

Returns:

The authentication signature.

Return type:

bytes

create_authenticator(name, **kwargs)[source]

Accepts various keys and values to configure an authenticator. The valid keys depend on the kind of authenticator but all can understand: authextra, authid and authrole

Returns:

an instance implementing IAuthenticator with the given configuration.

derive_key(secret, salt, iterations=1000, keylen=32)[source]

Computes a derived cryptographic key from a password according to PBKDF2.

See also

http://en.wikipedia.org/wiki/PBKDF2

Parameters:

  • secret (bytes or unicode) – The secret.

  • salt (bytes or unicode) – The salt to be used.

  • iterations (int) – Number of iterations of derivation algorithm to run.

  • keylen (int) – Length of the key to derive in bytes.

Returns:

The derived key in Base64 encoding.

Return type:

bytes

derive_scram_credential(email: str, password: str, salt: bytes | None = None) Dict[source]

Derive WAMP-SCRAM credentials from user email and password. The SCRAM parameters used are the following (these are also contained in the returned credentials):

  • kdf argon2id-13

  • time cost 4096

  • memory cost 512

  • parallelism 1

See draft-irtf-cfrg-argon2 and argon2-cffi.

Parameters:

  • email – User email.

  • password – User password.

  • salt – Optional salt to use (must be 16 bytes long). If none is given, compute salt from email as salt = SHA256(email)[:16].

Returns:

WAMP-SCRAM credentials. When serialized, the returned credentials can be copy-pasted into the config.json node configuration for a Crossbar.io node.

generate_totp_secret(length=10)[source]

Generates a new Base32 encoded, random secret.

See also

http://en.wikipedia.org/wiki/Base32

Parameters:

length (int) – The length of the entropy used to generate the secret.

Returns:

The generated secret in Base32 (letters A-Z and digits 2-7). The length of the generated secret is length * 8 / 5 octets.

Return type:

unicode

generate_wcs(length=14)[source]

Generates a new random secret for use with WAMP-CRA.

The secret generated is a random character sequence drawn from

  • upper and lower case latin letters

  • digits

Parameters:

length (int) – The length of the secret to generate.

Returns:

The generated secret. The length of the generated is length octets.

Return type:

bytes

pbkdf2(data, salt, iterations=1000, keylen=32, hashfunc=None)[source]

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations time and produces a key of keylen bytes. By default SHA-256 is used as hash function, a different hashlib hashfunc can be provided.

Parameters:

  • data (bytes) – The data for which to compute the PBKDF2 derived key.

  • salt (bytes) – The salt to use for deriving the key.

  • iterations (int) – The number of iterations to perform in PBKDF2.

  • keylen (int) – The length of the cryptographic key to derive.

  • hashfunc (str) – Name of the hash algorithm to use

Returns:

The derived cryptographic key.

Return type:

bytes

qrcode_from_totp(secret, label, issuer)[source]