Client Class

OpenID Connect is a layer on top of OAuth2.

See its specs at https://openid.net/connect/

Inheritance
Client

Constructor

Client(server_configuration, client_id, on_obtaining_tokens=<function Client.<lambda>>, on_removing_rt=<function Client.<lambda>>, on_updating_rt=<function Client.<lambda>>, **kwargs)

Parameters

server_configuration
client_id
on_obtaining_tokens
default value: lambda event: None
on_removing_rt
default value: lambda token_item: None
on_updating_rt
default value: lambda token_item, new_rt: None

Methods

build_auth_request_uri

Generate an authorization URI to be visited by the resource owner.

Return value and all other parameters are the same as oauth2.Client.build_auth_request_uri, plus the new parameter nonce.

decode_id_token

See decode_id_token.

initiate_auth_code_flow

Initiate an auth code flow.

It provides nonce protection automatically.

See oauth2.Client.initiate_auth_code_flow in the parent class for descriptions of the other parameters and the return value.

obtain_token_by_auth_code_flow

Validate the auth_response being redirected back, and then obtain tokens, including an ID token which can be used for user sign-in.

Internally, it uses a nonce to mitigate replay attacks. It also implements PKCE to mitigate the authorization code interception attack.

See oauth2.Client.obtain_token_by_auth_code_flow in the parent class for descriptions of the other parameters and the return value.

obtain_token_by_authorization_code

Get a token via an authorization code, a.k.a. the Authorization Code Grant.

Return value and all other parameters are the same as oauth2.Client.obtain_token_by_authorization_code, plus the new parameter nonce.

obtain_token_by_browser

A native app can use this method to obtain a token via a local browser.

Internally, it uses a nonce to mitigate replay attacks. It also implements PKCE to mitigate the authorization code interception attack.

See oauth2.Client.obtain_token_by_browser in the parent class for descriptions of the other parameters and the return value.

build_auth_request_uri

Generate an authorization URI to be visited by the resource owner.

Return value and all other parameters are the same as oauth2.Client.build_auth_request_uri, plus new parameter(s):

build_auth_request_uri(response_type, nonce=None, **kwargs)

Parameters

nonce
default value: None

A hard-to-guess string used to mitigate replay attacks. See also the OIDC specs.

decode_id_token

See decode_id_token.

decode_id_token(id_token, nonce=None)

Parameters

id_token
Required
nonce
default value: None

initiate_auth_code_flow

Initiate an auth code flow.

It provides nonce protection automatically.

See oauth2.Client.initiate_auth_code_flow in the parent class for descriptions of the other parameters and the return value.

initiate_auth_code_flow(scope=None, **kwargs)

Parameters

scope
list
default value: None

A list of strings, e.g. ["profile", "email", ...]. This method will automatically send ["openid"] to the wire, although it won't modify your input list.

obtain_token_by_auth_code_flow

Validate the auth_response being redirected back, and then obtain tokens, including an ID token which can be used for user sign-in.

Internally, it uses a nonce to mitigate replay attacks. It also implements PKCE to mitigate the authorization code interception attack.

See oauth2.Client.obtain_token_by_auth_code_flow in the parent class for descriptions of the other parameters and the return value.

obtain_token_by_auth_code_flow(auth_code_flow, auth_response, **kwargs)

Parameters

auth_code_flow
Required
auth_response
Required
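
The two protections named above, as an added standard-library example (not this library's own code; all function names are hypothetical). It shows what a PKCE S256 challenge and an ID token nonce check do, and why a token or code taken from another flow is rejected. The sample token is constructed and unsigned.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_flow() -> dict:
    """Per-request secrets the client keeps until the redirect comes back."""
    verifier = b64url(secrets.token_bytes(32))  # 43-char PKCE code_verifier
    return {
        "nonce": secrets.token_urlsafe(16),     # sent in the auth request
        "code_verifier": verifier,              # sent only with the token request
        "code_challenge": b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
        "code_challenge_method": "S256",
    }

def server_accepts_verifier(code_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint side of PKCE: recompute the S256 challenge and compare."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, code_challenge)

def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload only. Signature checking is omitted here;
    a real client must validate the ID token before trusting any claim."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_nonce(id_token: str, expected_nonce: str) -> dict:
    """Reject an ID token whose nonce claim does not belong to this flow."""
    claims = id_token_claims(id_token)
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: ID token was not issued for this flow")
    return claims

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample ID token for the demonstration."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

if __name__ == "__main__":
    flow = new_flow()
    token = make_unsigned_token({"sub": "alice", "nonce": flow["nonce"]})
    print(check_nonce(token, flow["nonce"]))  # accepted: same flow
    print(server_accepts_verifier(flow["code_challenge"], "wrong-verifier"))
```
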

obtain_token_by_authorization_code

Get a token via an authorization code, a.k.a. the Authorization Code Grant.

Return value and all other parameters are the same as oauth2.Client.obtain_token_by_authorization_code, plus new parameter(s):

obtain_token_by_authorization_code(code, nonce=None, **kwargs)

Parameters

nonce
default value: None

If you provided a nonce when calling build_auth_request_uri, the same nonce should also be provided here so that it can be validated. An exception will be raised if the nonce in the ID token does not match.

obtain_token_by_browser

A native app can use this method to obtain a token via a local browser.

Internally, it uses a nonce to mitigate replay attacks. It also implements PKCE to mitigate the authorization code interception attack.

See oauth2.Client.obtain_token_by_browser in the parent class for descriptions of the other parameters and the return value.

obtain_token_by_browser(display=None, prompt=None, max_age=None, ui_locales=None, id_token_hint=None, login_hint=None, acr_values=None, **kwargs)

Parameters

display
string
default value: None

Defined in OIDC.

prompt
string
default value: None

Defined in OIDC. You can find the valid string values defined in oidc.Prompt.

max_age
int
default value: None

Defined in OIDC.

ui_locales
string
default value: None

Defined in OIDC.

id_token_hint
string
default value: None

Defined in OIDC.

login_hint
string
default value: None

Defined in OIDC.

acr_values
string
default value: None

Defined in OIDC.