class keg_auth.core.AuthManager(mail_manager=None, blueprint='auth', endpoints=None, cli_group_name=None, grid_cls=None, login_authenticator=<class 'keg_auth.libs.authenticators.KegAuthenticator'>, request_loaders=None, permissions=None, entity_registry=None, oauth_authenticator=<class 'keg_auth.libs.authenticators.OAuthAuthenticator'>, password_policy_cls=<class 'keg_auth.libs.authenticators.DefaultPasswordPolicy'>)

Set up an auth management extension

Main manager for keg-auth authentication/authorization functions, and provides a central location and handle on the flask app to access CLI setup, navigation, authenticators, etc.

  • mail_manager – AuthMailManager instance used for mail functions. Can be None.
  • blueprint – name to use for the blueprint containing auth views
  • endpoints – dict of overrides to auth view endpoints
  • cli_group_name – name of the CLI group under which auth commands appear
  • grid_cls – webgrid class to serve as a base class to auth CRUD grids
  • login_authenticator – login authenticator class used by login view default: KegAuthenticator
  • request_loaders – registered loaders used for loading a user at request time from information not contained in the session (e.g. with an authorization header token). Can be scalar or an iterable
  • permissions – permission strings defined for the app, which will be synced to the database on app init. Can be a single string or an iterable
  • entity_registry – EntityRegistry instance on which User, Group, etc. are registered
  • password_policy_cls – A PasswordPolicy class to check password requirements in forms and CLI
add_navigation_menu(name, menu)

Create a navigation menu that may be referenced with the given name.

create_user(user_kwargs, _commit=True)

Create a new user record and optionally persist to the database.

  • user_kwargs – dict of values to construct the User record. Special arg is mail_enabled, which will be popped out.
  • _commit – option for persisting record to database. Default True.
create_user_cli(extra_args=None, **kwargs)

A thin layer between the cli and create_user() to transform the cli args into what the User entity expects for fields.

For example, if you had a required name field on your User entity, then you could do something like:

$ yourkegapp auth create-user "John Smith"

Then this method would get overriden in a sub-class like:

def create_user_cli(self, email, extra_args):
user_kwargs = dict(email=email, name=extra_args[0]) return self.create_user(user_kwargs)

Return an auth endpoint on the configured blueprint.


Returns a registered request loader, keyed by its identifier.


Inits KegAuth as a flask extension on the given app.


Add a CLI group for auth.


Provide app config defaults for crypto, mail, logins, etc.


Set up app jinja loader to use keg-auth templates, select2, etc.


Initialize user session loaders.


Place this extension on the app for reference, and onfigure flask-login.


Set up the entity registry for all auth objects.


Configure database with the defined set of permissions.

Synchronizes permission records in the database with those defined in the app. Ensures the sync method is called in the proper place during test runs, when the database is not fully available and set up at extension-loading time.


Generate a fresh token and send the account verification email.


Load a user from a request when testing. This gives a nice API for test clients to be logged in, rather than expecting all tests to set up an actual session.

See keg_auth.testing.AuthTestApp for a webtest wrapper using this loader.

url_for(ident, **kwargs)

Generate the URL for the endpoint identified by ident.


Fetch a user record via ID.


Fetch a user record via session key.