oneid.session

SessionBase

class oneid.session.SessionBase(identity_credentials=None, project_credentials=None, oneid_credentials=None, peer_credentials=None, config=None)

Abstract Session Class

Variables:
  • identity_credentials – TDI identity Credentials
  • project_credentials – unique project credentials Credentials
  • oneid_credentials – TDI project credentials Credentials
  • peer_credentials – peer credentials Credentials
  • config – Dictionary or configuration keyword arguments

DeviceSession

class oneid.session.DeviceSession(identity_credentials=None, project_credentials=None, oneid_credentials=None, peer_credentials=None, config=None)

verify_message(message, rekey_credentials=None)

Verify a message received from the Project

Parameters:
  • message – JSON formatted JWS with at least two signatures
  • rekey_credentials – List of Credential
Returns:

verified message or False if not valid

prepare_message(encrypt_to_peers=True, other_recipients=None, *args, **kwargs)

Prepare a message before sending

Parameters:
  • encrypt_to_peers (bool) – If True (default), and peer_credentials available, encrypt the message to them
  • other_recipients (list of Credential) – Additional recipients to encrypt to
Returns:

Signed JWS

add_signature(message, default_jwt_kid=None)

Add this Device’s signature to a message

Note that the semantics of this signature are application-specific. If the application expects only verified messages to be co-signed, the caller is responsible for verifying the message first. Otherwise, the signature only indicates that the message was processed by this Device.

Likewise, this method will not decrypt a JWE. If the message was encrypted for this Device, and should be decrypted and re-signed, the caller should do that through other means, such as verify_message() and prepare_message().

Parameters:
  • message (str) – Previously-signed JWS (Compact or JSON) or JWT
  • default_jwt_kid (str) – (optional) value for ‘kid’ header field if passing a JWT without one
Returns:

Signed JWS with additional Device signature
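The verify-before-co-sign pattern described in the add_signature() note, as an added standalone sketch (not the oneid SDK's code and not using it). Assumptions: HS256 with shared keys stands in for the SDK's signature algorithm, which this page does not state, so the block runs on the standard library alone; all function names, key ids and keys are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo keys; HS256 stands in for the SDK's real algorithm (assumption).
REQUIRED = {"project": b"project-demo-key", "tdi-core": b"core-demo-key"}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(protected: str, payload: str, key: bytes) -> str:
    # JWS signing input: ASCII(protected) + "." + ASCII(payload), per RFC 7515
    return _b64u(hmac.new(key, f"{protected}.{payload}".encode(), hashlib.sha256).digest())

def _entry(payload: str, kid: str, key: bytes) -> dict:
    protected = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    return {"protected": protected, "signature": _mac(protected, payload, key)}

def sign(claims: dict, kid: str, key: bytes) -> str:
    payload = _b64u(json.dumps(claims).encode())
    return json.dumps({"payload": payload, "signatures": [_entry(payload, kid, key)]})

def append_signature(message: str, kid: str, key: bytes) -> str:
    """Co-sign blindly: existing signatures are NOT checked."""
    jws = json.loads(message)
    jws["signatures"].append(_entry(jws["payload"], kid, key))
    return json.dumps(jws)

def verify_all(message: str, required: dict):
    """Return the claims if every kid in `required` signed validly, else False."""
    try:
        jws = json.loads(message)
        payload, valid = jws["payload"], set()
        for sig in jws["signatures"]:
            header = json.loads(_unb64u(sig["protected"]))
            key = required.get(header["kid"])
            if key is None or header["alg"] != "HS256":
                continue  # unknown signer or unexpected algorithm does not count
            if hmac.compare_digest(_mac(sig["protected"], payload, key), sig["signature"]):
                valid.add(header["kid"])
        return json.loads(_unb64u(payload)) if valid == set(required) else False
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def cosign_if_verified(message: str, required: dict, kid: str, key: bytes):
    """Verify first, then co-sign, so the added signature means 'verified'."""
    ok = verify_all(message, required) is not False
    return append_signature(message, kid, key) if ok else False
```

A message carrying only one of the required signatures, or a second signature made with the wrong key, is refused by cosign_if_verified(), while append_signature() alone would still sign it.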

ServerSession

class oneid.session.ServerSession(identity_credentials=None, project_credentials=None, oneid_credentials=None, peer_credentials=None, config=None)

Enable Server to request two-factor Authentication from TDI Core

prepare_message(rekey_credentials=None, encrypt_to_peers=True, other_recipients=None, **kwargs)

Build message that has two-factor signatures

Parameters:
  • rekey_credentials (list) – (optional) rekey credentials
  • encrypt_to_peers (bool) – If True (default), and peer_credentials available, encrypt the message to them
  • other_recipients (list of Credential) – Additional recipients to encrypt to
Returns:

Signed JWS to be sent to devices

verify_message(message, device_credentials, get_oneid_cosignature=True)

Verify a message received from/through one or more Devices

Parameters:
  • message – JSON formatted JWS or JWT signed by the Device
  • device_credentials – Credential (or list of them) to verify Device signature(s) against
  • get_oneid_cosignature – (default: True) verify with TDI Core first
Returns:

verified message or False if not valid

AdminSession

class oneid.session.AdminSession(identity_credentials, project_credentials=None, oneid_credentials=None, config=None)

Admin Users will only interface with the TDI Core service. They only need identity_credentials and oneid_credentials to verify responses.