angee.integrate.oauth.flow
Browser redirect-flow orchestration shared by connect and OIDC login.
The single owner of the OAuth/OIDC browser round-trip plumbing: issuing and session-binding single-use state, resolving the proposed redirect, computing the PKCE challenge, and re-loading the enabled OAuthClient that a pending state names. The connect flow (this addon) and the login/link flow (iam_integrate_oidc) both build their start and complete steps on these functions; only the authorize-URL and claim handling differ between them (OAuth vs OIDC protocol).
issue_flow
def issue_flow(
    request: HttpRequest,
    oauth_client: Any,
    redirect_uri: str,
    *,
    user_id: str | None = None,
    next_path: str = "/",
    flow: state.StateFlow = state.StateFlow.CONNECT,
    integration_id: str = "") -> tuple[str, state.StateRecord, str, str]
Issue and session-bind state for one redirect flow.
Returns (state_token, record, effective_redirect_uri, mode). The client owns whether the browser-proposed redirect works or a manual paste is needed; the effective redirect is what we issue, sign, and exchange.
remembered_oauth_client
def remembered_oauth_client(request: HttpRequest, state_token: str) -> Any
Return the enabled, session-bound OAuth client for one pending state token.
consume_validated_state
def consume_validated_state(
    oauth_client: Any, state_token: str, redirect_uri: str, *,
    expected_flow: state.StateFlow) -> state.StateRecord
Consume one state record and fail closed when it does not match this flow.
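The single-use, session-bound state that issue_flow creates and consume_validated_state checks can be sketched as follows. This is an added example, not the addon's own code: the in-memory store, the session key, the TTL, the string flow names and the names issue_state, consume_state, Record and StateError are all assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical in-memory store; the addon's real state storage is not shown on the page.
_PENDING: dict[str, "Record"] = {}
STATE_TTL_SECONDS = 600  # assumed lifetime of a pending state


class StateError(Exception):
    """Raised on any mismatch; the caller aborts the flow."""


@dataclass(frozen=True)
class Record:
    client_id: str
    redirect_uri: str
    flow: str  # "connect" or "login" (assumed stand-ins for StateFlow)
    issued_at: float


def issue_state(session: dict, client_id: str, redirect_uri: str, flow: str) -> str:
    """Create an unguessable state token and bind it to the browser session."""
    token = secrets.token_urlsafe(32)
    _PENDING[token] = Record(client_id, redirect_uri, flow, time.time())
    session["oauth_state"] = token
    return token


def consume_state(session: dict, client_id: str, token: str,
                  redirect_uri: str, expected_flow: str) -> Record:
    """Validate one callback. The record is popped first, so a failed check
    still burns the token and it can never be presented a second time."""
    record = _PENDING.pop(token, None)
    bound = session.pop("oauth_state", "")
    if record is None or not hmac.compare_digest(bound.encode(), token.encode()):
        raise StateError("unknown, replayed, or foreign-session state")
    if time.time() - record.issued_at > STATE_TTL_SECONDS:
        raise StateError("expired state")
    if (record.client_id, record.redirect_uri, record.flow) != (
            client_id, redirect_uri, expected_flow):
        raise StateError("state does not match this flow")
    return record
```

Comparing the redirect URI and flow stored at issue time against the values seen at callback time is what keeps a state minted for the connect flow from being accepted by the login flow.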
enabled_oauth_client
def enabled_oauth_client(oauth_client_sqid: str) -> Any
Return one enabled OAuth client addressed by sqid, or raise.
coerce_next_path
def coerce_next_path(value: str, request: HttpRequest) -> str
Return a same-host post-flow redirect path, defaulting unsafe values to /.
pkce_challenge
def pkce_challenge(code_verifier: str | None) -> str | None
Return the S256 PKCE challenge for one verifier.