
angee.iam_integrate_oidc.protocol

OIDC protocol — OAuth plus verified identity.

The clean extension of the OAuth base: inherits the OAuth2 authorization-code/refresh behavior from OAuthClientProtocol (angee.integrate.oauth.client) and adds the OpenID Connect layer: ID-token verification, userinfo enrichment, and OIDC authorize parameters. Bound directly to the single OAuthClient row; when discovery is configured, it is owned by that row's discover_endpoints() method.

OAuthClientOidcProtocol

```python
class OAuthClientOidcProtocol(OAuthClientProtocol)
```

OIDC login protocol for one OAuth client with OIDC login fields.

__init__

```python
def __init__(oauth_client: Any) -> None
```

Bind to one OAuth client row.

authorize_url

```python
def authorize_url(*,
                  state: str,
                  redirect_uri: str,
                  scopes: Iterable[str],
                  nonce: str | None = None,
                  code_challenge: str | None = None) -> str
```

Return the OIDC authorization URL, adding the openid scope and the nonce to the OAuth parameters.

nonce is optional only to keep the signature substitutable for the OAuth base authorize_url; an OIDC login always binds one (the provider echoes it in the ID token, where verify_id_token checks it), so calling without a nonce is a programming error.

exchange_code

```python
def exchange_code(*,
                  code: str,
                  redirect_uri: str,
                  code_verifier: str | None = None,
                  state: str | None = None) -> dict[str, Any]
```

Exchange an authorization code for tokens, discovering endpoints first.

verify_id_token

```python
def verify_id_token(id_token: str,
                    *,
                    nonce: str | None = None,
                    _jwks_client: Any | None = None) -> dict[str, Any]
```

Verify and return claims from one OIDC ID token.

fetch_userinfo

```python
def fetch_userinfo(access_token: str) -> dict[str, Any]
```

Fetch userinfo, resolving the endpoint from discovery when it is blank.

ensure_endpoints

```python
def ensure_endpoints() -> dict[str, Any]
```

Fill blank endpoints on the OAuth client via discovery.

A no-op when the client carries no discovery_url (endpoints are then configured explicitly). The discovery document is cached per URL, so an explicitly-configured provider that also sets a discovery URL fetches at most once. In-memory only: the fetched endpoints serve the current request and are not persisted unless the caller saves the client.
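The discovery behavior described above, as an added example that is not angee's code: a per-URL cache so a client that sets a discovery URL fetches at most once, a fill that only touches blank endpoint fields, a no-op when no discovery_url is configured, and the issuer check a relying party should make on the fetched document. The network is simulated by DISCOVERY_DOCS; FakeOAuthClient, its field names and the function names are assumptions for illustration.

```python
# Added example, not angee's code: discovery-driven endpoint fill with a
# per-URL cache. DISCOVERY_DOCS stands in for the network; FakeOAuthClient,
# FIELD_MAP and the function names are assumptions for illustration.
from dataclasses import dataclass

DISCOVERY_DOCS = {
    # constructed, well-formed document
    "https://idp.example.test/.well-known/openid-configuration": {
        "issuer": "https://idp.example.test",
        "authorization_endpoint": "https://idp.example.test/authorize",
        "token_endpoint": "https://idp.example.test/token",
        "userinfo_endpoint": "https://idp.example.test/userinfo",
        "jwks_uri": "https://idp.example.test/jwks",
    },
    # constructed document served from a host that claims another issuer
    "https://mirror.example.test/.well-known/openid-configuration": {
        "issuer": "https://idp.example.test",
        "token_endpoint": "https://mirror.example.test/token",
    },
}
FETCH_COUNT: dict[str, int] = {}   # how often each URL was really fetched
_CACHE: dict[str, dict] = {}       # in-memory, per discovery URL

# discovery field -> client attribute (assumed attribute names)
FIELD_MAP = {
    "authorization_endpoint": "authorize_url",
    "token_endpoint": "token_url",
    "userinfo_endpoint": "userinfo_url",
    "jwks_uri": "jwks_url",
}


@dataclass
class FakeOAuthClient:
    discovery_url: str = ""
    authorize_url: str = ""
    token_url: str = ""
    userinfo_url: str = ""
    jwks_url: str = ""
    issuer: str = ""


def fetch_discovery(url: str) -> dict:
    """Constructed fetcher: counts calls so the at-most-once claim is checkable."""
    FETCH_COUNT[url] = FETCH_COUNT.get(url, 0) + 1
    doc = DISCOVERY_DOCS.get(url)
    if doc is None:
        raise LookupError(f"no discovery document at {url}")
    return doc


def cached_discovery(url: str) -> dict:
    if url not in _CACHE:
        _CACHE[url] = fetch_discovery(url)
    return _CACHE[url]


def ensure_endpoints(client: FakeOAuthClient) -> dict:
    """Fill only blank endpoint fields from discovery; no-op without a discovery_url."""
    if not client.discovery_url:
        return {}
    doc = cached_discovery(client.discovery_url)
    # OpenID Connect Discovery requires the issuer to equal the URL the document
    # was fetched from, minus the well-known suffix; a mismatch means the
    # endpoints are not the issuer's and must not be used.
    expected_issuer = client.discovery_url.removesuffix("/.well-known/openid-configuration")
    if doc.get("issuer") != expected_issuer:
        raise ValueError("discovery issuer does not match the discovery URL")
    for doc_key, attr in FIELD_MAP.items():
        if not getattr(client, attr) and doc.get(doc_key):
            setattr(client, attr, doc[doc_key])
    if not client.issuer:
        client.issuer = doc["issuer"]
    return doc


def demo() -> dict:
    """Explicit token_url survives; blanks are filled; two calls fetch once."""
    url = "https://idp.example.test/.well-known/openid-configuration"
    client = FakeOAuthClient(discovery_url=url, token_url="https://proxy.example.test/token")
    ensure_endpoints(client)
    ensure_endpoints(client)
    return {
        "fetches": FETCH_COUNT[url],
        "token_url": client.token_url,
        "userinfo_url": client.userinfo_url,
        "jwks_url": client.jwks_url,
        "no_discovery_is_noop": ensure_endpoints(FakeOAuthClient()) == {},
    }
```

Because the cache and the filled fields live only in memory, a second process (or the same one after restart) fetches again unless the caller persists the client row; that is the behavior the docstring describes, not a bug.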

Released under the AGPL-3.0 License.