angee.iam_integrate_oidc.protocol
OIDC protocol — OAuth plus verified identity.
The clean extension of the OAuth base: inherits the OAuth2 authorization-code/refresh behavior from angee.integrate.oauth.client.OAuthClientProtocol and adds the OpenID Connect layer: ID-token verification, userinfo enrichment, and OIDC authorize parameters. Bound directly to the single OAuthClient row; when configured, discovery is owned by that row's discover_endpoints() method.
OAuthClientOidcProtocol
class OAuthClientOidcProtocol(OAuthClientProtocol)
OIDC login protocol for one OAuth client with OIDC login fields.
__init__
def __init__(oauth_client: Any) -> None
Bind to one OAuth client row.
authorize_url
def authorize_url(*,
state: str,
redirect_uri: str,
scopes: Iterable[str],
nonce: str | None = None,
code_challenge: str | None = None) -> str
Return the OIDC authorization URL — adds the openid scope and a nonce.
nonce is optional only to keep this substitutable for the OAuth base authorize_url; an OIDC login always binds one (it is verified back in the ID token), so a missing nonce is a programming error.
exchange_code
def exchange_code(*,
code: str,
redirect_uri: str,
code_verifier: str | None = None,
state: str | None = None) -> dict[str, Any]
Exchange an authorization code for tokens, discovering endpoints first.
verify_id_token
def verify_id_token(id_token: str,
*,
nonce: str | None = None,
_jwks_client: Any | None = None) -> dict[str, Any]
Verify and return claims from one OIDC ID token.
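Added example, not angee's code: the two OIDC steps described under authorize_url and verify_id_token, written end to end so the nonce binding is visible. It builds an authorization URL that always carries the openid scope and a nonce, then verifies a constructed ID token the way an OIDC login must (signature, issuer, audience, expiry, and the nonce echoed back). Everything here is assumed: the issuer, client id and redirect URI are constructed, and the HS256 shared secret stands in for the provider's JWKS-backed key so that the example runs offline with the standard library; the real class resolves keys through a JWKS client instead.

```python
"""Added example (not angee's code): OIDC nonce binding from authorize URL to ID token."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idp.example.test"          # constructed provider
CLIENT_ID = "demo-client"                    # constructed client id
SHARED_SECRET = b"constructed-demo-secret"   # stand-in for the provider's JWKS key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authorize_url(authorize_endpoint, *, state, redirect_uri, scopes, nonce):
    """OIDC authorization URL: 'openid' is always present and the nonce is mandatory
    (a missing nonce is a programming error, as the page states)."""
    if not nonce:
        raise ValueError("OIDC login requires a nonce")
    scope_list = ["openid"] + [s for s in scopes if s != "openid"]
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def mint_id_token(claims: dict) -> str:
    """Constructed provider side: sign the claims with HS256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(id_token: str, *, nonce: str, now=None) -> dict:
    """Verify signature, iss, aud, exp and nonce; return the claims on success."""
    try:
        header_b64, body_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed ID token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The nonce minted for this login must come back in the token.
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return claims


def demo_login(token_nonce=None):
    """One login: mint a nonce, build the URL, verify a token carrying that nonce
    (or, for the negative case, some other login's nonce)."""
    nonce = secrets.token_urlsafe(16)
    url = authorize_url(f"{ISSUER}/authorize", state="s1",
                        redirect_uri="https://app.example.test/cb",
                        scopes=["profile"], nonce=nonce)
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                           "exp": int(time.time()) + 300,
                           "nonce": token_nonce if token_nonce is not None else nonce})
    return url, verify_id_token(token, nonce=nonce)


def foreign_nonce_rejected() -> bool:
    """True when a token carrying another login's nonce is refused."""
    try:
        demo_login(token_nonce="other-login-nonce")
    except ValueError:
        return True
    return False
```

The negative path is the point of the nonce: a token that is otherwise valid but was issued for a different login attempt is rejected, which is what ties the ID token to the session that started the redirect.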
fetch_userinfo
def fetch_userinfo(access_token: str) -> dict[str, Any]
Fetch userinfo, resolving the endpoint from discovery when it is blank.
ensure_endpoints
def ensure_endpoints() -> dict[str, Any]
Fill blank endpoints on the OAuth client via discovery.
A no-op when the client carries no discovery_url (endpoints are then configured explicitly). The discovery document is cached per URL, so an explicitly-configured provider that also sets a discovery URL fetches at most once. In-memory only: the fetched endpoints serve the current request and are not persisted unless the caller saves the client.
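Added example, not angee's code: the ensure_endpoints semantics above (no-op without a discovery_url, one fetch per discovery URL, only blank endpoints filled, nothing persisted) with a constructed in-memory fetcher in place of an HTTP client. The row field names, the discovery-key-to-field mapping, the cache shape and the return value (the fields that were filled) are all assumptions for this example, not the project's own.

```python
"""Added example (not angee's code): discovery-backed endpoint filling with a per-URL cache."""
from dataclasses import dataclass

# Constructed discovery documents keyed by URL (stand-in for the network).
DISCOVERY_DOCS = {
    "https://idp.example.test/.well-known/openid-configuration": {
        "authorization_endpoint": "https://idp.example.test/authorize",
        "token_endpoint": "https://idp.example.test/token",
        "userinfo_endpoint": "https://idp.example.test/userinfo",
        "jwks_uri": "https://idp.example.test/jwks",
    },
}
FETCH_COUNT = {"n": 0}  # how many times the fake network was hit

# Assumed mapping from row fields to discovery-document keys.
ENDPOINT_FIELDS = {
    "authorize_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",
    "jwks_uri": "jwks_uri",
}


@dataclass
class OAuthClientRow:
    """Stand-in for the single OAuthClient row (hypothetical field names)."""
    discovery_url: str = ""
    authorize_endpoint: str = ""
    token_endpoint: str = ""
    userinfo_endpoint: str = ""
    jwks_uri: str = ""


def fetch_discovery(url: str) -> dict:
    """Constructed fetcher: counts calls and refuses non-HTTPS endpoints, a check
    worth making because these URLs are where tokens and keys will be sent to or read from."""
    FETCH_COUNT["n"] += 1
    if url not in DISCOVERY_DOCS:
        raise LookupError(f"no discovery document at {url}")
    doc = DISCOVERY_DOCS[url]
    for key in ENDPOINT_FIELDS.values():
        if key in doc and not doc[key].startswith("https://"):
            raise ValueError(f"non-HTTPS endpoint in discovery: {key}")
    return doc


_DISCOVERY_CACHE: dict = {}  # per-URL cache, in memory only


def ensure_endpoints(client: OAuthClientRow, cache=None) -> dict:
    """Fill blank endpoints on `client` from its discovery document.
    Returns the fields that were filled; explicit values are left alone."""
    cache = _DISCOVERY_CACHE if cache is None else cache
    if not client.discovery_url:
        return {}  # endpoints are configured explicitly: nothing to do
    if client.discovery_url not in cache:
        cache[client.discovery_url] = fetch_discovery(client.discovery_url)
    doc = cache[client.discovery_url]
    filled = {}
    for attr, key in ENDPOINT_FIELDS.items():
        if not getattr(client, attr) and key in doc:
            setattr(client, attr, doc[key])
            filled[attr] = doc[key]
    return filled
```

Passing an explicit cache dict makes the per-URL behaviour observable: two rows pointing at the same discovery URL share one fetch, and the row object is the only thing mutated, so a caller that wants the resolved endpoints to survive the request still has to save it.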