Globus App

This page provides reference documentation for GlobusApp and associated classes. For a narrative-style introduction to the concepts contained within GlobusApp, see Using a GlobusApp.

class globus_sdk.experimental.globus_app.GlobusApp(app_name='Unnamed Globus App', *, login_client=None, client_id=None, client_secret=None, scope_requirements=None, config=GlobusAppConfig(login_flow_manager=None, login_redirect_uri=None, token_storage='json', request_refresh_tokens=False, token_validation_error_handler=<function resolve_by_login_flow>, environment='production'))[source]

GlobusApp is an abstract base class providing an interface for simplifying authentication with Globus services.

A GlobusApp manages scope requirements across multiple resource servers, runs login flows through its LoginFlowManager, handles token storage and validation through its ValidatingTokenStorage, and provides up-to-date authorizers from its AuthorizerFactory through get_authorizer.

A GlobusApp is accepted as an initialization parameter to any SDK-provided service client, automatically handling the client’s default scope requirements and providing the client with an authorizer.

Parameters:
  • app_name (str) – A string to identify this app. Used for default tokenstorage location and in the future will be used to set user-agent when this app is attached to a service client

  • login_client (AuthLoginClient | None) – An AuthLoginCLient that will be used for running authentication flows. Different classes of GlobusApp may require specific classes of AuthLoginClient. Mutually exclusive with ``client_id and client_secret.

  • client_id (UUIDLike | None) – A client UUID used to construct an AuthLoginCLient for running authentication flows. The type of AuthLoginCLient will depend on the type of GlobusApp. Mutually exclusive with login_client.

  • client_secret (str | None) – The value of the client secret for client_id if it uses secrets. Mutually exclusive with login_client.

  • scope_requirements (t.Mapping[str, ScopeCollectionType] | None) – A dictionary of scope requirements indexed by resource server. The dict value may be a scope, scope string, or list of scopes or scope strings.

  • config (GlobusAppConfig) – A GlobusAppConfig used to control various behaviors of this app.

Variables:

token_storage – The ValidatingTokenStorage containing tokens for the app. Authorization mediated by the app will use this object, so modifying this will impact clients which are defined to use the app whenever they fetch tokens.

add_scope_requirements(scope_requirements)[source]

Add given scope requirements to the app’s scope requirements. Any duplicate requirements will be deduplicated later at authorization url creation time.

Parameters:

scope_requirements (t.Mapping[str, ScopeCollectionType]) – a dict of Scopes indexed by resource server that will be added to this app’s scope requirements

get_authorizer(resource_server, *, skip_error_handling=False)[source]

Get a GlobusAuthorizer from the app’s authorizer factory for a specified resource server. The type of authorizer is dependent on the app.

Parameters:
  • resource_server (str) – The resource server for which the requested Authorizer should provide authorization headers.

  • skip_error_handling (bool) – If True, skip the configured token validation error handler when a TokenValidationError is raised. Default: False.

Return type:

GlobusAuthorizer

login(*, auth_params=None, force=False)[source]

Log an auth entity into the app, if needed, storing the resulting tokens.

A login flow will be performed if any of the following are true:
  • The kwarg auth_params is provided.

  • The kwarg force is set to True.

  • The method self.login_required() evaluates to True.

Parameters:
  • auth_params (GlobusAuthorizationParameters | None) – An optional set of authorization parameters to establish requirements and controls for the login flow.

  • force (bool) – If True, perform a login flow even if one does not appear to be necessary.

login_required()[source]

Determine if a login flow will be required to interact with resource servers under the current scope requirements.

This will return false if any of the following are true:
  • Access tokens have never been issued.

  • Access tokens have been issued but have insufficient scopes.

  • Access tokens have expired and wouldn’t be resolved with refresh tokens.

Returns:

True if a login flow appears to be required, False otherwise.

Return type:

bool

logout()[source]

Logout an auth entity from the app.

This will remove and revoke all tokens stored for the current app user.

property scope_requirements: dict[str, list[Scope]]

Access a copy of app’s aggregate scope requirements.

Modifying the returned dict will not affect the app’s scope requirements. To add scope requirements, use GlobusApp.add_scope_requirements().

class globus_sdk.experimental.globus_app.UserApp(app_name='Unnamed Globus App', *, login_client=None, client_id=None, client_secret=None, scope_requirements=None, config=GlobusAppConfig(login_flow_manager=None, login_redirect_uri=None, token_storage='json', request_refresh_tokens=False, token_validation_error_handler=<function resolve_by_login_flow>, environment='production'))[source]

A GlobusApp for login methods that require an interactive flow with a user.

UserApps are most commonly used with native application clients by passing a NativeAppAuthClient as login_client or the native application’s client_id.

If using a templated client, either pass a ConfidentialAppAuthClient as login_client` or the templated client’s client_id and client_secret. This will not work for standard confidential clients.

By default a UserApp will create a CommandLineLoginFlowManager for running login flows, which can be overridden through config.

app = UserApp("myapp", client_id=NATIVE_APP_CLIENT_ID)
client = TransferClient(app=app)
res = client.endpoint_search("Tutorial Collection")
class globus_sdk.experimental.globus_app.ClientApp(app_name='Unnamed Globus App', *, login_client=None, client_id=None, client_secret=None, scope_requirements=None, config=GlobusAppConfig(login_flow_manager=None, login_redirect_uri=None, token_storage='json', request_refresh_tokens=False, token_validation_error_handler=<function resolve_by_login_flow>, environment='production'))[source]

A GlobusApp using client credentials - useful for service accounts and automation use cases.

ClientApps are always used with confidential clients either by passing a ConfidentialAppAuthClient as login_client or providing the client’s client_id and client_secret pair.

ClientApps do not use a LoginFlowManager and will raise an error if given one through config.

app = ClientApp("myapp", CLIENT_ID, CLIENT_SECRET)
client = TransferClient(app=app)
res = client.endpoint_search("Tutorial Collection")