arcgis.auth package

Subpackages

Submodules

arcgis.auth.api module

class arcgis.auth.api.EsriSession(auth=None, cert=None, verify_cert=True, allow_redirects=True, headers=None, referer='http', **kwargs)

Bases: object

The EsriSession class is designed to simplify access to the Esri WebGIS environments without the additional components of the arcgis or arcpy modules. It is designed to allow users to connect and manage all HTTP calls themselves with no hand holding.

Security is handled through the requests authentication model. Leveraging authentication handlers and primarily connecting to 10.8.1+ enterprise components.

The supported Authentication Schemes are:

1. Username/Password

2. Oauth 2

3. IWA/NTLM

4. Basic

5. Digest

6. PKI

7. API Keys

8. User Provided Tokens

9. Kerberos

Anyone can extend the authentication handlers by creating a class and inheriting from requests.auth.AuthBase.

The EsriSession authentication supports authentication chaining. Meaning users can stack authentication methods.

auth1 + auth2 + auth3

It is recommended that you do not stack unneeded authenicators because they can caused unintended failures.

Parameter	Description
auth	Optional AuthBase. This is a security handler that performs some sort of security check.
cert	Optional Tuple. The client side certificate as a tuple or string. It should be noted that EsriSession does not support encrypted private keys.
verify_cert	Optional Bool. When False all SSL certificate errors are ignored. The default is True.
allow_redirects	Optional Bool. When False if the URL redirects a user, an error will be raised. The default is True
headers	Optional Dict. An additional set of key/value(s) to append to any request’s header.
referer	Optional Str. The referer header value. The default is http. This is mainly used with token security.

Optional Arguments

Parameter	Description
trust_env	Optional Bool. The default is True. If False proxies will cause an error to be raised if set by .netrc files.
stream	Optional Bool. To enable handling streaming responses, set stream to True and iterate over the response with iter_lines. The default is False.
check_hostname	Optional Bool. When connecting to a side via IP Address with an SSL certificate, the hostname will not match. This allows a user to specify the hostname in the headers parameters and ignore hostname errors.
retries	Optional Int. The max number of tries to retry a service for 50x errors.
backoff_factor	Optional float. The amount of time in seconds to wait between retries.
status_to_retry	Optional Tuple. The status codes to run retries on. The default is (413, 429, 503, 500, 502, 504).
method_whitelist	Optional List. When retries is specified, the user can specifiy what methods are retried. The default is ‘POST’, ‘DELETE’, ‘GET’, ‘HEAD’, ‘OPTIONS’, ‘PUT’, ‘TRACE’
proxies	Optional Dict. A key/value mapping where the keys are the transfer protocol and the value is the <url>:<port>. example `python proxies = {"http" : 127.0.0.1:8080, "https" : 127.0.0.1:8081} session = EsriSession(proxies=proxies) `

property adapters

Returns an dictionary of mounted adapters.

Returns

dict

allow_redirects = None

property auth

Get/Set the Authentication Handler for the Session

property cert

Get/Set the users certificate as a (private, public) keys.

Returns

Tuple[str]

close()

Closes all adapters and as such the session

delete(url, **kwargs)

Sends a DELETE request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

get(url, **kwargs)

Sends a GET request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

head(url, **kwargs)

Sends a HEAD request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property headers

Gets/Sets the headers from the current session object

mount(prefix, adapter)

Registers a connection adapter to a prefix.

Adapters are sorted in descending order by prefix length.

options(url, **kwargs)

Sends a OPTIONS request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

patch(url, data=None, **kwargs)

Sends a PATCH request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

post(url, data=None, json=None, **kwargs)

Sends a POST request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• json – (optional) json to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property proxies

Dictionary mapping protocol or protocol and host to the URL of the proxy. (e.g. {‘http’: ‘foo.bar:3128’, ‘http://host.name’: ‘foo.bar:4012’}) to be used on each Request.

Returns

dict

put(url, data=None, **kwargs)

Sends a PUT request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property referer

Gets/Sets the referer

property stream

Gets/Sets the stream property for the current session object

update_headers(values)

Performs an update call on the headers

property verify_cert

Get/Set property that allows for the verification of SSL certificates

Returns

bool

Module contents

class arcgis.auth.ArcGISProAuth(legacy=False)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

Performs the ArcGIS Pro Authentication for a given request.

handle_40x(r, **kwargs)

Handles Case where token is invalid

property token

obtains the login token

class arcgis.auth.BaseEsriAuth

Bases: requests.auth.AuthBase

A base class that developers can inherit from to create custom authentication handlers.

For more information, please see: https://docs.python-requests.org/en/master/user/authentication/#new-forms-of-authentication

response_hook(response, **kwargs)

response hook logic

Returns

Response

property token

returns a ArcGIS Token as a string

Returns

string

class arcgis.auth.EsriAPIKeyAuth(api_key, referer=None, verify_cert=True, auth=None)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

authentication for API Keys

add_api_token(r, **kwargs)

generates a server token using Portal token

api_key = None

auth = None

property token

Gets/Sets the API token

Returns

String

class arcgis.auth.EsriBasicAuth(username, password, referer='http', verify_cert=True, **kwargs)

Bases: requests.auth.HTTPBasicAuth, arcgis.auth._auth._schain.SupportMultiAuth

Describes a basic requests authentication.

auth = None

generate_portal_server_token(r, **kwargs)

generates a server token using Portal token

property token

Gets the token. This is always None for EsriBasicAuth

Returns

String

class arcgis.auth.EsriBuiltInAuth(url, username, password, expiration=None, legacy=False, verify_cert=True, referer=None, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

Performs the BUILT-IN Login Authorization for ArcGIS Online and Enterprise

handle_401(r, **kwargs)

handles the issues in the response where token might be rejected

suspend()

Invalidates the login and checks any licenses back in

Returns

Bool. If True, the licenses is checked back in successfully, False, the process failed.

property token

obtains the login token

class arcgis.auth.EsriGenTokenAuth(token_url, referer, username=None, password=None, portal_auth=None, time_out=1440, verify_cert=True, legacy=False, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

This form of Authentication leverages the generateToken endpoint from the ArcGIS Product. This is supported for ArcGIS Online, ArcGIS Enterprise and ArcGIS Server.

This form of authentication is considered legacy and should only be used with unfederated server products.

property expiration

Gets the time the token will expire on

handle_401(r, **kwargs)

handle_redirect(r, **kwargs)

init_per_thread_state()

property referer

property time_out

returns the time out time in minutes

token(server_url=None)

class arcgis.auth.EsriHttpNtlmAuth(username, password, session=None, send_cbt=True, **kwargs)

Bases: requests.auth.AuthBase

HTTP NTLM Authentication Handler for Requests.

Supports pass-the-hash.

This is derived from work of Jordan Borean and requests-ntlm/requests-ntlm2

generate_token(r, scheme, args)

generates the server token

response_hook(r, **kwargs)

The actual hook handler.

retry_using_http_NTLM_auth(auth_header_field, auth_header, response, auth_type, args)

Performs the NTLM handshake

exception arcgis.auth.EsriHttpResponseError(message)

Bases: Exception

Exception raised for http errors.

Attributes:

message – explanation of the error

class arcgis.auth.EsriKerberosAuth(referer=None, verify_cert=True, *, username=None, password=None, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

generate_portal_server_token(r, **kwargs)

generates a server token using Portal token

property token

Gets the token. This is always None for KerberosAuth

Returns

String

class arcgis.auth.EsriNotebookAuth(token, referer=None, auth=None, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

authentication for notebook servers Keys

add_token(r, **kwargs)

generates a server token using Portal token

auth = None

property token

Gets/Sets the API token

Returns

String

class arcgis.auth.EsriOAuth2Auth(base_url, client_id, client_secret=None, username=None, password=None, referer='http', expiration=1440, proxies=None, session=None, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

Performs the OAuth Workflow for logging in to Enterprise

handle_40x(r, **kwargs)

Handles Case where token is invalid

property token

Gets the Oauth token

Returns

String

class arcgis.auth.EsriPKCEAuth(url, username, password, *, legacy=False, **kwargs)

Bases: arcgis.auth._auth._base.BaseEsriAuth

Implements OAuth 2.0 PKCE Workflow

response_hook(r, **kwargs)

response hook logic

Returns

Response

property token

returns a ArcGIS Token as a string

Returns

string

class arcgis.auth.EsriPKIAuth(cert, referer=None, verify_cert=True, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

Handles PKI authentication when tokens are needed

generate_portal_server_token(r, **kwargs)

generates a server token using Portal token

property token

returns the authentication token

class arcgis.auth.EsriSession(auth=None, cert=None, verify_cert=True, allow_redirects=True, headers=None, referer='http', **kwargs)

Bases: object

The EsriSession class is designed to simplify access to the Esri WebGIS environments without the additional components of the arcgis or arcpy modules. It is designed to allow users to connect and manage all HTTP calls themselves with no hand holding.

Security is handled through the requests authentication model. Leveraging authentication handlers and primarily connecting to 10.8.1+ enterprise components.

The supported Authentication Schemes are:

1. Username/Password

2. Oauth 2

3. IWA/NTLM

4. Basic

5. Digest

6. PKI

7. API Keys

8. User Provided Tokens

9. Kerberos

Anyone can extend the authentication handlers by creating a class and inheriting from requests.auth.AuthBase.

The EsriSession authentication supports authentication chaining. Meaning users can stack authentication methods.

auth1 + auth2 + auth3

It is recommended that you do not stack unneeded authenicators because they can caused unintended failures.

Parameter	Description
auth	Optional AuthBase. This is a security handler that performs some sort of security check.
cert	Optional Tuple. The client side certificate as a tuple or string. It should be noted that EsriSession does not support encrypted private keys.
verify_cert	Optional Bool. When False all SSL certificate errors are ignored. The default is True.
allow_redirects	Optional Bool. When False if the URL redirects a user, an error will be raised. The default is True
headers	Optional Dict. An additional set of key/value(s) to append to any request’s header.
referer	Optional Str. The referer header value. The default is http. This is mainly used with token security.

Optional Arguments

Parameter	Description
trust_env	Optional Bool. The default is True. If False proxies will cause an error to be raised if set by .netrc files.
stream	Optional Bool. To enable handling streaming responses, set stream to True and iterate over the response with iter_lines. The default is False.
check_hostname	Optional Bool. When connecting to a side via IP Address with an SSL certificate, the hostname will not match. This allows a user to specify the hostname in the headers parameters and ignore hostname errors.
retries	Optional Int. The max number of tries to retry a service for 50x errors.
backoff_factor	Optional float. The amount of time in seconds to wait between retries.
status_to_retry	Optional Tuple. The status codes to run retries on. The default is (413, 429, 503, 500, 502, 504).
method_whitelist	Optional List. When retries is specified, the user can specifiy what methods are retried. The default is ‘POST’, ‘DELETE’, ‘GET’, ‘HEAD’, ‘OPTIONS’, ‘PUT’, ‘TRACE’
proxies	Optional Dict. A key/value mapping where the keys are the transfer protocol and the value is the <url>:<port>. example `python proxies = {"http" : 127.0.0.1:8080, "https" : 127.0.0.1:8081} session = EsriSession(proxies=proxies) `

property adapters

Returns an dictionary of mounted adapters.

Returns

dict

allow_redirects = None

property auth

Get/Set the Authentication Handler for the Session

property cert

Get/Set the users certificate as a (private, public) keys.

Returns

Tuple[str]

close()

Closes all adapters and as such the session

delete(url, **kwargs)

Sends a DELETE request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

get(url, **kwargs)

Sends a GET request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

head(url, **kwargs)

Sends a HEAD request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property headers

Gets/Sets the headers from the current session object

mount(prefix, adapter)

Registers a connection adapter to a prefix.

Adapters are sorted in descending order by prefix length.

options(url, **kwargs)

Sends a OPTIONS request. Returns Response object.

Parameters

• url – URL for the new Request object.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

patch(url, data=None, **kwargs)

Sends a PATCH request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

post(url, data=None, json=None, **kwargs)

Sends a POST request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• json – (optional) json to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property proxies

Dictionary mapping protocol or protocol and host to the URL of the proxy. (e.g. {‘http’: ‘foo.bar:3128’, ‘http://host.name’: ‘foo.bar:4012’}) to be used on each Request.

Returns

dict

put(url, data=None, **kwargs)

Sends a PUT request. Returns Response object.

Parameters

• url – URL for the new Request object.

• data – (optional) Dictionary, list of tuples, bytes, or file-like object to send in the body of the Request.

• **kwargs – Optional arguments that request takes.

Return type

requests.Response

property referer

Gets/Sets the referer

property stream

Gets/Sets the stream property for the current session object

update_headers(values)

Performs an update call on the headers

property verify_cert

Get/Set property that allows for the verification of SSL certificates

Returns

bool

class arcgis.auth.EsriUserTokenAuth(token, referer=None, verify_cert=True, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

Authentication Using User Created Tokens

auth = None

handle_40x(r, **kwargs)

Handles Case where token is invalid

token = None

class arcgis.auth.EsriWindowsAuth(username=None, password=None, referer=None, verify_cert=True, **kwargs)

Bases: requests.auth.AuthBase, arcgis.auth._auth._schain.SupportMultiAuth

generate_portal_server_token(r, **kwargs)

generates a server token using Portal token

property token

Gets the token. This is always None for EsriWindowsAuth

Returns

String