simple_openid_connect.flows.authorization_code_flow.client

Classes

AuthorizationCodeFlowClient(base_client)

A client that implements authorization code flow related functionality.

class simple_openid_connect.flows.authorization_code_flow.client.AuthorizationCodeFlowClient(base_client: OpenidClient)

A client that implements authorization code flow related functionality.

It is exposed via OpenidClient.authorization_code_flow.

__init__(base_client: OpenidClient)

exchange_code_for_tokens(authentication_response: AuthenticationSuccessResponse) → TokenSuccessResponse | TokenErrorResponse

Exchange a received code for access, refresh and id tokens.

You might want to use handle_authentication_result() if you don’t want to parse an authentication result from the user’s current URL yourself.

Parameters:

authentication_response – The (successful) response which this app received after the user has come back from the OP.

Raises:
Returns:

The result of the token exchange

handle_authentication_result(current_url: str, additional_redirect_args: Mapping[str, str] | None = None, state: str | None = None, code_verifier: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None) → TokenSuccessResponse | TokenErrorResponse

Handle an authentication result that is communicated to the RP in the form of the user agent’s current URL after having started an authentication process via start_authentication().

Parameters:
  • current_url – The current URL which the user is visiting. The authentication result should be encoded into this URL by the authorization server.

  • additional_redirect_args – Additional URL parameters that were added to the redirect URI. They are probably still present in current_url, but since they could be of any shape, no attempt is made here to automatically reconstruct them.

  • state – The state that was specified during the authentication initiation.

  • code_verifier – The code verifier intended for use with Proof Key for Code Exchange (PKCE) [RFC7636].

  • code_challenge – The code challenge intended for use with Proof Key for Code Exchange (PKCE) [RFC7636].

  • code_challenge_method – The code challenge method intended for use with Proof Key for Code Exchange (PKCE) [RFC7636], typically “S256” or “plain”.

Raises:
Returns:

The result of the token exchange

start_authentication(state: str | None = None, nonce: str | None = None, prompt: list[str] | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None) → str

Start the authentication process by constructing an appropriate AuthenticationRequest, serializing it and returning a URL which the end user now needs to visit.

Parameters:
  • state – The state intended to prevent Cross-Site Request Forgery.

  • nonce – String value used to associate a Client session with an ID Token, and to mitigate replay attacks.

  • prompt – Specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are “none”, “login”, “consent” and “select_account”; multiple values may be given as a list.

  • code_challenge – The code challenge intended for use with Proof Key for Code Exchange (PKCE) [RFC7636].

  • code_challenge_method – The code challenge method intended for use with Proof Key for Code Exchange (PKCE) [RFC7636], typically “S256” or “plain”.

Raises:

ImpossibleOperationError – If the client has no redirect_uri configured and therefore cannot perform this operation.

Returns:

A URL to which the user agent should be redirected