Authorization of Scale API calls

There are three methods of authorization for the 10Duke Scale API.

• For confidential applications, there is 10Duke Scale JWT authorization.
• For public applications, there is ID Token authorization.
• Where License Keys are issued, the License Key can take the place of authorization.

You can read further background on these in the 10Duke Scale API documentation

Authorization hooks

Hooks are provided for IdToken and ScaleJwt authorization schemes.

These can be found in the tenduke_core.auth and tenduke_scale.auth modules repsectively:

• tenduke_core.auth.IdTokenAuth
• tenduke_scale.auth.ScaleJwtAuth

IdToken Authorization

tenduke_core.auth.IdTokenAuth can be accessed via the tenduke_core.auth.OAuthClient or you can construct one yourself.

The __init__ method of tenduke_core.auth.IdTokenAuth expects a callable that returns the latest id_token for the authenticated session. This is for scenarios where the lifetime of the application instance is longer that the expiration of the id_token.

from tenduke_core.auth import PkceFlowClient
from tenduke_core.auth.oidc_discovery import load_openid_config
from tenduke_core.config import TendukeConfig

from tenduke_scale.http import ScaleSessionFactory
from tenduke_scale.license_checkout import EnforcedLicenseCheckoutClient

config = TendukeConfig.load(
    idp_oidc_discovery_url="https://idp.example.com/user/.well-known/openid-configuration",
)
session_factory = ScaleSessionFactory(config, "id-token-auth-example", "1.0.0")
load_openid_config(session_factory, config)
oauth_client = PkceFlowClient(config, session_factory)

# authenticate user
oauth_client.login_with_default_browser()
# oauth_client now has an id_token
auth = oauth_client.auth()
# we can now use the auth hook to setup a session
# use config to get the session so that other configuration parameters are applied (e.g.
# timeouts or proxy)
session_factory = ScaleSessionFactory(config, "id-token-auth-example", "1.0.0")
session = session_factory.create(auth=auth)
checkout_client = EnforcedLicenseCheckoutClient(
    "https://example-tenant.lic-api.scale.10duke.com",
    session,
)

# checkout_client is ready to go, all requests will use the id_token for authorization
# if the id_token expires, the client will attempt to get a new one (if a refresh_token
# was issued)

ScaleJWT Authorization

To use the tenduke_scale.auth.ScaleJwtAuth hook, some configuration needs to be in place on your 10Duke Scale API tenant.

There needs to be a token validation key.

Use the console to generate a key pair.

Set the role to Verify Scale JWT, make note of the key id, and copy/export the private key.

With the key id and the private key, you can initialize tenduke_scale.auth.ScaleJwtAuth.

from datetime import timedelta

from tenduke_core.config import TendukeConfig

from tenduke_scale.auth import ScaleJwtAuth, ScaleJwtClaims
from tenduke_scale.http import ScaleSessionFactory
from tenduke_scale.license_checkout import EnforcedLicenseCheckoutClient

with open("PATH_TO_PRIVATE_KEY_FOR_AUTH", encoding="utf-8") as file:
    private_key = file.read()

config = TendukeConfig(
    token_path=".",  # noqa: S106
    public_key_path=".",
    licensing_api_url="YOUR_SCALE_API_URL",
)

claims = ScaleJwtClaims(
    "SUBSCIBER_ID",
    "ISSUER_ID",
    timedelta(hours=2),
    ["Licensing.action"],
)
auth = ScaleJwtAuth("YOUR_KEY_ID", private_key, claims, config)
session_factory = ScaleSessionFactory(config, "scale-jwt-authorization-example", "1.0.0")
session = session_factory.create(auth=auth)
checkout_client = EnforcedLicenseCheckoutClient(
    "https://example-tenant.lic-api.scale.10duke.com",
    session,
)
# checkout_client is ready to go, all requests will use the Scale JWT for authorization
# if the JWT expires, the auth hook will create another with the same claims and a the
# same duration (new expiry time set using initial valid_for value).

License Key Authorization

If your application is using License Keys, then use the appropriate methods of the license checkout clients for example: tenduke_scale.license_checkout.EnforcedLicenseCheckoutClient.checkout_single_by_license_key.

No authorization hook is required. It is still recommended to set up the license checkout client session using the session factory so that any configuration parameters that affect session behavior (e.g. timeouts or proxies) are applied.