simple_openid_connect.client#

A more contiguous client implementation of the Openid-Connect protocol that offers simpler APIs at the cost of losing some flexibility.

Classes

OpenidClient(provider_config, provider_keys, ...)

A more contiguous client implementation of the Openid-Connect protocol that offers simpler APIs at the cost of losing some flexibility.

class simple_openid_connect.client.OpenidClient(provider_config: ProviderMetadata, provider_keys: List[JWK], authentication_redirect_uri: Optional[str], client_id: str, client_secret: Optional[str] = None, scope: str = 'openid')#

A more contiguous client implementation of the Openid-Connect protocol that offers simpler APIs at the cost of losing some flexibility.

__init__(provider_config: ProviderMetadata, provider_keys: List[JWK], authentication_redirect_uri: Optional[str], client_id: str, client_secret: Optional[str] = None, scope: str = 'openid')#
authorization_code_flow: AuthorizationCodeFlowClient#

authorization code flow related functionality

property client_type: Literal['public', 'confidential']#

Which type of client behavior is used.

This is based on whether a client secret has been passed during client construction

decode_id_token(raw_token: str) IdToken#

Decode and verify an encoded and signed id token

Parameters

raw_token – The encoded and signed id token. This could e.g. be retrieved as part of the authentication process and returned by the OP in TokenSuccessResponse.id_token.

exchange_refresh_token(refresh_token: str) Union[TokenSuccessResponse, TokenErrorResponse]#

Exchange a refresh token for new tokens

Parameters

refresh_token – The refresh token to use

Raises

UnsupportedByProviderError – If the provider only supports implicit flow and has no token endpoint.

fetch_userinfo(access_token: str) Union[UserinfoSuccessResponse, UserinfoErrorResponse]#

Fetch user information from the OP by doing a userinfo request.

Which users information is fetched is determined by the OP directly from the used access token.

Parameters

access_token – An access token which grants access to user information.

Raises

UnsupportedByProviderError – If the provider does not support userinfo requests or the userinfo endpoint is not known.

Returns

The OPs response

classmethod from_issuer_config(config: ProviderMetadata, authentication_redirect_uri: Optional[str], client_id: str, client_secret: Optional[str] = None, scope: str = 'openid') Self#

Create a new client instance with a resolved issuer configuration as base.

If you don’t have a configuration, use from_issuer_url() to automatically retrieve it.

Parameters
  • config – The configuration of the used issuer.

  • authentication_redirect_uri – URI that is used during the authentication flow to redirect back to this application.

  • client_id – The already known client id of your application. It must be already registered with the issuer.

  • client_secret – Optionally a client secret which has been assigned to your client from the issuer. If not supplied, this client is assumed to be public which means it has not client secret because it cannot be kept safe (e.g. a web-app).

  • scope – Which scopes to request from the OP

classmethod from_issuer_url(url: str, authentication_redirect_uri: Optional[str], client_id: str, client_secret: Optional[str] = None, scope: str = 'openid') Self#

Create a new client instance with an issuer url as base, automatically discovering information about the issuer in the process.

Parameters
  • url – The url to an Openid issuer

  • authentication_redirect_uri – URI that is used during the authentication flow to redirect back to this application.

  • client_id – The already known client id of your application. It must be already registered with the issuer.

  • client_secret – Optionally a client secret which has been assigned to your client from the issuer. If not supplied, this client is assumed to be public which means it has not client secret because it cannot be kept safe (e.g. a web-app).

  • scope – Which scopes to request from the OP

initiate_logout(request: Optional[RpInitiatedLogoutRequest] = None) str#

Initiate user logout as a Relying-Party

Parameters

request – Additional data pertaining to the logout

Raises

UnsupportedByProviderError – If the provider does not support Relying-Party-Initiated logout.

Returns

A url to which the user should be redirected

introspect_token(token: str, token_type_hint: Optional[str] = None) Union[TokenIntrospectionSuccessResponse, TokenIntrospectionErrorResponse]#

Introspect the given token at the OP.

Parameters
  • token – The token to introspect.

  • token_type_hint – Which type of token this is e.g. refresh_token or access_token.

Raises

UnsupportedByProviderError – If the provider does not support token introspection.

Returns

The OPs response