Skip to main content

A package that implements the Relying Party Authorization Code Flow for OpenId Connect

Project description

Openidcpy

A package that implements the Authorization Flow client for the OpenID Connect relying party. The package can be used to fetch OpenID Connect tokens using Authorization Flow and validate them using JWKS. The client has been implemented with KeyCloak as the OpenID Connect Authorization Provider.

Usage

The only class of use is OidcClient which can be imported in code as:

from openidcpy import OidcClient

You'd need to initialize this client as follows:

discovery_url = 'The .well_known discovery endpoint'
client_id = 'The client id assigned to the RP'
client_secret = 'The client secret assigned to RP if the client is private, otherwise None'
client = OidcClient(discovery_url=discovery_url, client_id=client_id, client_secret=client_secret)

The client basically exposes 3 methods that, if called in sequence, complete the Authorization Flow. The first call is to create the authorization code url:

response_type = 'code'  # Always `code` for Authorization Flow
redirect_uri = 'uri where the relying party is running'
scopes = ['openid', 'email', 'profile'] # Array of requested scopes
state = 'Some random generated value that is returned in the redirect, prevents csrf'
url = client.create_auth_url(response_type=response_type, redirect_uri=redirect_uri, scopes=scopes, state=state)

You'll need to redirect your application to the above url. The redirection will cause the auth server's login page to be displayed. Once the user logs in, the browser is redirected to the redirect_uri passed into the above call with an authorization code. You'll need to exchange the code with the JWT token as follows:

url = 'redirect_uri + query params, basically the endpoint on which the auth server redirected'
redirect_uri = 'uri where the relying party is running'
scopes = ['openid', 'email', 'profile'] # Array of requested scopes
state = 'Same value from the previous request'
tokens = client.get_tokens_from_code(url=url, redirect_uri=redirect_uri, scopes=scopes, state=state)

Now, depending on the scopes you used the tokens dictionary can have either access_token, the id_token or both.

The next step is to validate these tokens, for which the client provides the following method:

id_token = tokens['id_token']
claims = client.validate_jwt(id_token)

The method validates the signature of the token, the audience (whether the token was intended for you) and the expiration of the token. The claims dictionary will contain the decoded contents of the token. Based on the scopes you specified, it can contain the email or preferred_username.

External Dependencies

  • requests (2.20.0)
  • python-jose (3.0.1)

Contributions

Contributions are strongly encouraged, since this is just a basic implementation of the Authorization and there's a lot more to OpenId Connect that can be added here. I will try to add the rest whenever I find the time but if I can't, feel free to add it yourself.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

openidcpy-0.7.tar.gz (4.0 kB view details)

Uploaded Source

File details

Details for the file openidcpy-0.7.tar.gz.

File metadata

  • Download URL: openidcpy-0.7.tar.gz
  • Upload date:
  • Size: 4.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/39.1.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.7.2

File hashes

Hashes for openidcpy-0.7.tar.gz
Algorithm Hash digest
SHA256 06e25bbf78d4fdbcd87272a6462f437b85d9afe755f86b5a9b4b06fddaa68864
MD5 3d33c3e8aaedf38afb54fbcddc30d2f3
BLAKE2b-256 fd8e1bf1f265134b73d6f7d6876c10b4857af9830eb48d9db99fdb5b73246aaf

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page