angee.iam_integrate_oidc.identity
OIDC login identity resolution: verify an external identity into an Angee user.
The login bridge between integrate (the OAuth/OIDC connection substrate) and iam (the user and session). It completes the login/link redirect using the OIDC protocol, then resolves the verified claims to a host user — returning an existing linked owner, or linking/creating one when the provider's OAuth-client login policy allows. Account-connect (no login) lives in integrate.connect.
LoginCompletion
@dataclass(frozen=True, slots=True)
class LoginCompletion()
Resolved user and verified claims from one completed OIDC login flow.

__post_init__
def __post_init__() -> None
Bind Django's session backend contract for direct login().
LinkCompletion
@dataclass(frozen=True, slots=True)
class LinkCompletion()
Linked account, captured user, and verified claims from one OIDC link flow.
OidcLoginCompletion
class OidcLoginCompletion()
Complete one OIDC login/link redirect against an OAuth client.

__init__
def __init__(oauth_client: Any) -> None
Bind completion to the OAuth client captured by session state.

complete_login
def complete_login(*, code: str, state_token: str, redirect_uri: str) -> LoginCompletion
Complete an OIDC login redirect and return the resolved user with claims.

complete_link
def complete_link(*, code: str, state_token: str, redirect_uri: str) -> LinkCompletion
Complete an authenticated OIDC account-link redirect and return the linked account.
Links the verified external identity to the start-flow user and stores its OAuth credential under (user, provider), the same shape as connect, but gated on a verified ID token.
OidcIdentityResolver
class OidcIdentityResolver()
Resolve OIDC claims to a host user, linking or provisioning when policy allows.
Operates on get_user_model() (the host's swappable user model) through generic Django manager methods, so it is correct whatever the host's User is. The per-provider login policy is read from the OAuth client row.

__init__
def __init__(oauth_client: Any) -> None
Bind resolution to the OAuth client whose OIDC login policy applies.

resolve
def resolve(*, sub: str, email: str | None, claims: dict[str, Any]) -> AbstractBaseUser
Return the user for one verified OIDC identity, or fail closed.

user_for_link_state
def user_for_link_state(record: StateRecord) -> AbstractBaseUser
Return the user captured when the authenticated link flow started.
resolve
def resolve(oauth_client: Any, *, sub: str, email: str | None, claims: dict[str, Any]) -> AbstractBaseUser
Resolve OIDC claims to a host user, linking or provisioning when policy allows.
The identity-resolution seam the login completion calls (and callers/tests can substitute); delegates to OidcIdentityResolver.
complete_login
def complete_login(oauth_client: Any, *, code: str, state_token: str, redirect_uri: str) -> LoginCompletion
Complete an OIDC login redirect and return the resolved user with claims.

complete_link
def complete_link(oauth_client: Any, *, code: str, state_token: str, redirect_uri: str) -> LinkCompletion
Complete an authenticated OIDC account-link redirect and return the linked account.
The linked user is the one captured in state when the flow started, never a later session user.
is_only_oidc_sign_in
def is_only_oidc_sign_in(user: Any) -> bool
Return whether user has no password and only one OIDC sign-in account.
The guard the disconnect path consults before removing a sign-in credential, so a user who logs in solely through OIDC cannot strip their last way back in.
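An added, self-contained illustration of the two rules above, written for this page and not taken from the angee module: the fail-closed resolution order that OidcIdentityResolver.resolve / resolve describe (existing linked owner first, then link or provision only when policy allows, otherwise refuse), and the is_only_oidc_sign_in guard the disconnect path consults. It substitutes an in-memory store for get_user_model(); LoginPolicy and its two flags, the email_verified requirement on linking, MemoryUserStore, User, fails_closed and disconnect are assumptions for the example, not this module's API.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class IdentityResolutionError(Exception):
    """No policy rule permitted returning a user: the login fails closed."""


@dataclass(frozen=True)
class LoginPolicy:
    """Hypothetical per-provider login policy. The page reads the real one
    from the OAuth client row; these two flags are an assumption."""
    link_by_verified_email: bool = False
    provision_new_users: bool = False


@dataclass
class User:
    """Stand-in for the host's swappable Django user (constructed)."""
    username: str
    email: str | None
    has_usable_password: bool
    # OIDC sign-in accounts, keyed provider -> subject ("sub") claim
    oidc_accounts: dict[str, str] = field(default_factory=dict)


@dataclass
class MemoryUserStore:
    """In-memory substitute for get_user_model().objects (constructed)."""
    users: list[User] = field(default_factory=list)

    def by_subject(self, provider: str, sub: str) -> User | None:
        for user in self.users:
            if user.oidc_accounts.get(provider) == sub:
                return user
        return None

    def by_email(self, email: str) -> User | None:
        # Exactly one match is required: an ambiguous email must not bind accounts.
        matches = [u for u in self.users if u.email and u.email.lower() == email.lower()]
        return matches[0] if len(matches) == 1 else None


def resolve(store: MemoryUserStore, provider: str, policy: LoginPolicy, *,
            sub: str, email: str | None, claims: dict) -> User:
    """Return the user for one verified OIDC identity, or fail closed."""
    # 1. (provider, sub) is the stable identity; an existing link always wins
    #    and is the only path that needs no policy decision.
    owner = store.by_subject(provider, sub)
    if owner is not None:
        return owner

    # 2. Linking by email is a policy decision and (assumption) additionally
    #    requires the IdP to assert email_verified; an unverified email claim
    #    is user-supplied at many providers and must not bind accounts.
    existing = store.by_email(email) if email else None
    if existing is not None:
        if policy.link_by_verified_email and claims.get("email_verified") is True:
            existing.oidc_accounts[provider] = sub
            return existing
        # Never provision a second account beside an unlinkable existing one.
        raise IdentityResolutionError(
            f"{provider}: email matches an existing user but linking is not permitted")

    # 3. Provision a password-less user only when policy allows.
    if policy.provision_new_users:
        created = User(username=f"{provider}:{sub}", email=email,
                       has_usable_password=False, oidc_accounts={provider: sub})
        store.users.append(created)
        return created

    # 4. No rule applied: fail closed.
    raise IdentityResolutionError(
        f"{provider}: unknown identity {sub!r}; policy permits neither linking nor provisioning")


def fails_closed(store: MemoryUserStore, provider: str, policy: LoginPolicy, **identity) -> bool:
    """True when resolve() refuses this identity (helper for checks)."""
    try:
        resolve(store, provider, policy, **identity)
    except IdentityResolutionError:
        return True
    return False


def is_only_oidc_sign_in(user: User) -> bool:
    """True when removing the user's one OIDC account would lock them out."""
    return not user.has_usable_password and len(user.oidc_accounts) == 1


def disconnect(user: User, provider: str) -> None:
    """Disconnect path: consult the guard before removing a sign-in credential."""
    if provider not in user.oidc_accounts:
        raise KeyError(provider)
    if is_only_oidc_sign_in(user):
        raise PermissionError("refusing to remove the last sign-in credential")
    del user.oidc_accounts[provider]
```

The order matters: a lookup by (provider, sub) precedes any email logic so that a provider re-issuing an email to a new subject cannot take over the original owner's account, and an email collision with an unlinkable existing user is refused rather than silently provisioning a second account under the same address.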