Added a sample config file and its related parser and setup.

config/galaxy.ini.sample

@@ -1129,6 +1129,11 @@ use_interactive = True
 #openid_config_file = config/openid_conf.xml
 #openid_consumer_cache_path = database/openid_consumer_cache
 
+# Sets OAuth2.0 the path to client secret file. Note that this file should be
+# on a path inaccessible to public.
+#enable_oauth2 = True
+#oauth2_config_file = config/oauth2_config.xml
+
 # XML config file that allows the use of different authentication providers
 # (e.g. LDAP) instead or in addition to local authentication (.sample is used
 # if default does not exist).

lib/galaxy/app.py

@@ -167,6 +167,9 @@ def __init__( self, **kwargs ):
                 )
                 self.heartbeat.daemon = True
                 self.application_stack.register_postfork_function(self.heartbeat.start)
+        if self.config.enable_oauth2:
+            from galaxy import authnz
+            self.authnz_manager = authnz.AuthnzManager( self.config.oauth2_config )
         self.sentry_client = None
         if self.config.sentry_dsn:
 

lib/galaxy/authnz/__init__.py

@@ -0,0 +1,41 @@
+"""
+Contains implementations for authentication and authorization against third-party
+OAuth2.0 authorization servers and OpenID Connect Identity providers.
+
+This package follows "authorization code flow" authentication protocol to authenticate
+Galaxy users against third-party identity providers.
+
+Additionally, this package implements functionalist's to request temporary access
+credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).
+"""
+
+import logging
+import xml.etree.ElementTree as ET
+from xml.etree.ElementTree import ParseError
+
+log = logging.getLogger( __name__ )
+
+class AuthnzManager( object ):
+
+    def __init__( self, config ):
+        self._parse_config( config )
+        return
+
+    def _parse_config( self, config ):
+        self.providers = {}
+        try:
+            tree = ET.parse( config )
+            root = tree.getroot()
+            if root.tag != 'OAuth2.0':
+                raise ParseError( "The root element in OAuth2.0 config xml file is expected to be `OAuth2.0`, found `{}` instead -- unable to continue.".format( root.tag ) )
+            for child in root:
+                if child.tag != 'provider':
+                    raise ParseError( "Expect a node with `provider` tag, found a node with `{}` tag instead -- unable to continue.".format( child.tag ) )
+                if 'name' not in child.attrib:
+                    raise ParseError( "Could not find a node attribute 'name' -- unable to continue." )
+                if 'client_secret_file' not in child.attrib:
+                    raise ParseError("Could not find a node attribute 'client_secret_file' -- unable to continue.")
+                self.providers[child.get( 'name' )] = child.get( 'client_secret_file' )
+        except Exception:
+            log.exception("Malformed OAuth2.0 Configuration XML -- unable to continue.")
+            raise

lib/galaxy/config.py

@@ -153,6 +153,9 @@ def __init__( self, **kwargs ):
         self.tool_data_path = resolve_path( kwargs.get( "tool_data_path", "tool-data" ), os.getcwd() )
         self.builds_file_path = resolve_path( kwargs.get( "builds_file_path", os.path.join( self.tool_data_path, 'shared', 'ucsc', 'builds.txt') ), self.root )
         self.len_file_path = resolve_path( kwargs.get( "len_file_path", os.path.join( self.tool_data_path, 'shared', 'ucsc', 'chrom') ), self.root )
+        # Galaxy OAuth2.0 settings.
+        self.enable_oauth2 = kwargs.get( "enable_oauth2", False )
+        self.oauth2_config = kwargs.get( "oauth2_config_file", None )
         # The value of migrated_tools_config is the file reserved for containing only those tools that have been eliminated from the distribution
         # and moved to the tool shed.
         self.integrated_tool_panel_config = resolve_path( kwargs.get( 'integrated_tool_panel_config', 'integrated_tool_panel.xml' ), self.root )