simple_openid_connect.flows.authorization_code_flow
The Authorization Code Flow returns an Authorization Code to the Client, which can then exchange it for an ID Token and an Access Token. This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent. The Authorization Server can also authenticate the Client before exchanging the Authorization Code for an Access Token.
The Authorization Code flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server.
Functions
exchange_code_for_tokens(...) – Exchange a received code for access, refresh and id tokens.
handle_authentication_result(...) – Handle an authentication result that is communicated to the RP in form of the user agent's current URL after having started an authentication process via start_authentication().
start_authentication(...) – Start the authentication process by constructing an appropriate AuthenticationRequest.
- simple_openid_connect.flows.authorization_code_flow.exchange_code_for_tokens(token_endpoint: str, authentication_response: AuthenticationSuccessResponse, redirect_uri: str, client_authentication: ClientAuthenticationMethod, code_verifier: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None) → TokenSuccessResponse | TokenErrorResponse
Exchange a received code for access, refresh and id tokens.
You might want to use handle_authentication_result() if you don't want to parse an authentication result from the user's current URL yourself.
- Parameters:
token_endpoint – The endpoint of the OP at which tokens can be exchanged. Corresponds to ProviderMetadata.token_endpoint.
authentication_response – The (successful) response which this app received after the user has come back from the OP.
redirect_uri – The callback URI that was specified during the authentication initiation.
client_authentication – A way for the client to authenticate itself.
- Returns:
The result of the token exchange
- simple_openid_connect.flows.authorization_code_flow.handle_authentication_result(current_url: str, token_endpoint: str, client_authentication: ClientAuthenticationMethod, redirect_uri: Literal['auto'] | str = 'auto', state: str | None = None, code_verifier: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None) → TokenSuccessResponse | TokenErrorResponse
Handle an authentication result that is communicated to the RP in form of the user agent's current URL after having started an authentication process via start_authentication().
- Parameters:
current_url – The current URL which the user is visiting. The authentication result should be encoded into this URL by the authorization server.
token_endpoint – The endpoint of the OP at which tokens can be exchanged. Corresponds to ProviderMetadata.token_endpoint.
client_authentication – A way for the client to authenticate itself.
redirect_uri – The redirect_uri that was specified during the authentication initiation. If the special value auto is used, it is assumed that current_url is that callback, and it is stripped of query parameters and fragments to reproduce the originally supplied one.
state – The state that was specified during the authentication initiation.
- Raises:
AuthenticationFailedError – If the current URL indicates an authentication failure that prevents an access token from being retrieved.
ValidationError – If the returned state does not match the given state.
- Returns:
The result of the token exchange
- simple_openid_connect.flows.authorization_code_flow.start_authentication(authorization_endpoint: str, scope: str, client_id: str, redirect_uri: str, state: str | None = None, nonce: str | None = None, prompt: list[str] | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None) → str
Start the authentication process by constructing an appropriate AuthenticationRequest, serializing it and returning a URL which the end user now needs to visit.
- Parameters:
state – The state intended to prevent Cross-Site Request Forgery.
nonce – String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
prompt – Specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are: "none", "login", "consent" and "select_account"; multiple may be given as a list.
- Returns:
A URL to which the user agent should be redirected
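The client-side half of the flow documented above, as an added stdlib sketch (not the library's own code) of what start_authentication() and handle_authentication_result() have to get right: an S256 PKCE pair, the authorization URL carrying state and nonce, and the callback checks, including the redirect_uri='auto' reconstruction. The two exception names mirror the ones documented above; the function names, parameters and sample URLs are assumptions of this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

class AuthenticationFailedError(Exception):
    """The callback URL carries an OP error instead of a code."""

class ValidationError(Exception):
    """The returned state does not match the one stored for this session."""


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method="S256"."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe chars, inside RFC 7636's 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authentication_url(authorization_endpoint: str, client_id: str, redirect_uri: str,
                             scope: str, state: str, nonce: str, code_challenge: str) -> str:
    """The URL start_authentication() hands back for the user agent to visit (example, not the library)."""
    params = {
        "response_type": "code",           # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # CSRF binding, checked in parse_callback()
        "nonce": nonce,                    # must come back inside the ID Token
        "code_challenge": code_challenge,  # the verifier itself is only sent at token exchange
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def parse_callback(current_url: str, expected_state: str) -> tuple[str, str]:
    """Checks handle_authentication_result() must do before exchanging the code.
    Returns (code, redirect_uri), with redirect_uri reproduced the way the special
    redirect_uri="auto" value does: current_url stripped of query and fragment."""
    parts = urlsplit(current_url)
    query = parse_qs(parts.query)
    if "error" in query:
        raise AuthenticationFailedError(query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValidationError("state mismatch: reject the callback, do not exchange the code")
    if "code" not in query:
        raise AuthenticationFailedError("no authorization code in callback")
    return query["code"][0], urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
```

The code and reproduced redirect_uri returned by parse_callback() are what gets passed, together with the stored code_verifier, to the token endpoint in the exchange step.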