
angee.iam_integrate_oidc.identity

OIDC login identity resolution: verify an external identity into an Angee user.

The login bridge between integrate (the OAuth/OIDC connection substrate) and iam (the user and session). It completes the login/link redirect using the OIDC protocol, then resolves the verified claims to a host user — returning an existing linked owner, or linking/creating one when the provider's OAuth-client login policy allows. Account-connect (no login) lives in integrate.connect.

LoginCompletion

```python
@dataclass(frozen=True, slots=True)
class LoginCompletion()
```

Resolved user and verified claims from one completed OIDC login flow.

__post_init__

```python
def __post_init__() -> None
```

Bind Django's session backend contract for direct login().

LinkCompletion

```python
@dataclass(frozen=True, slots=True)
class LinkCompletion()
```

Linked account, captured user, and verified claims from one OIDC link flow.

OidcLoginCompletion

```python
class OidcLoginCompletion()
```

Complete one OIDC login/link redirect against an OAuth client.

__init__

```python
def __init__(oauth_client: Any) -> None
```

Bind completion to the OAuth client captured by session state.

complete_login

```python
def complete_login(*, code: str, state_token: str,
                   redirect_uri: str) -> LoginCompletion
```

Complete an OIDC login redirect and return the resolved user with claims.

complete_link

```python
def complete_link(*, code: str, state_token: str,
                  redirect_uri: str) -> LinkCompletion
```

Complete an authenticated OIDC account-link redirect and return the linked account.

Links the verified external identity to the start-flow user and stores its OAuth credential under (user, provider) — the same shape as connect, but gated on a verified ID token.

OidcIdentityResolver

```python
class OidcIdentityResolver()
```

Resolve OIDC claims to a host user, linking or provisioning when policy allows.

Operates on get_user_model() (the host's swappable user model) through generic Django manager methods, so it is correct whatever the host's User is. The per-provider login policy is read from the OAuth client row.

__init__

```python
def __init__(oauth_client: Any) -> None
```

Bind resolution to the OAuth client whose OIDC login policy applies.

resolve

```python
def resolve(*, sub: str, email: str | None,
            claims: dict[str, Any]) -> AbstractBaseUser
```

Return the user for one verified OIDC identity, or fail closed.

user_for_link_state

```python
def user_for_link_state(record: StateRecord) -> AbstractBaseUser
```

Return the user captured when the authenticated link flow started.

resolve

```python
def resolve(oauth_client: Any, *, sub: str, email: str | None,
            claims: dict[str, Any]) -> AbstractBaseUser
```

Resolve OIDC claims to a host user, linking or provisioning when policy allows.

The identity-resolution seam the login completion calls (and callers/tests can substitute); delegates to OidcIdentityResolver.

complete_login

```python
def complete_login(oauth_client: Any, *, code: str, state_token: str,
                   redirect_uri: str) -> LoginCompletion
```

Complete an OIDC login redirect and return the resolved user with claims.

complete_link

```python
def complete_link(oauth_client: Any, *, code: str, state_token: str,
                  redirect_uri: str) -> LinkCompletion
```

Complete an authenticated OIDC account-link redirect and return the linked account.

The linked user is the one captured in state when the flow started, never a later session user.

is_only_oidc_sign_in

```python
def is_only_oidc_sign_in(user: Any) -> bool
```

Return whether user has no password and only one OIDC sign-in account.

The guard the disconnect path consults before removing a sign-in credential, so a user who logs in solely through OIDC cannot strip their last way back in.

Released under the AGPL-3.0 License.