API
requests_oauth2client
¶
Main module for requests_oauth2client
.
You can import any class from any submodule directly from this main module.
ApiClient
¶
A Wrapper around requests.Session with extra features for REST API calls.
Additional features compared to using a requests.Session directly:
- You must set a root url at creation time, which then allows passing relative urls at request time.
- It may also raise exceptions instead of returning error responses.
- You can also pass additional kwargs at init time, which will be used to configure the Session, instead of setting them later.
- for parameters passed as
json
,params
ordata
, values that areNone
can be automatically discarded from the request - boolean values in
data
orparams
fields can be serialized to values that are suitable for the target API, like"true"
or"false"
, or"1"
/"0"
, instead of the default values"True"
or"False"
.
base_url
will serve as root for relative urls passed to
ApiClient.request(),
ApiClient.get(), etc.
An HTTPError
will be raised everytime an API call returns an error code (>= 400), unless
you set raise_for_status
to False
. Additional parameters passed at init time, including
auth
will be used to configure the Session.
Usage
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Parameters:
Name | Type | Description | Default |
---|---|---|---|
base_url |
str
|
the base api url, that is the root for all the target API endpoints. |
required |
auth |
AuthBase | None
|
the requests.auth.AuthBase to use as authentication handler. |
None
|
timeout |
int | None
|
the default timeout, in seconds, to use for each request from this |
60
|
raise_for_status |
bool
|
if |
True
|
none_fields |
Literal['include', 'exclude', 'empty']
|
what to do with parameters with value
|
'exclude'
|
bool_fields |
tuple[Any, Any] | None
|
a tuple of (true_value, false_value). Fields from |
('true', 'false')
|
session |
Session | None
|
a preconfigured |
None
|
**session_kwargs |
Any
|
additional kwargs to configure the underlying |
{}
|
Source code in requests_oauth2client/api_client.py
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 |
|
request(method, url=None, *, params=None, data=None, headers=None, cookies=None, files=None, auth=None, timeout=None, allow_redirects=False, proxies=None, hooks=None, stream=None, verify=None, cert=None, json=None, raise_for_status=None, none_fields=None, bool_fields=None)
¶
Overridden request
method with extra features.
Features added compared to plain request():
- takes a relative path instead of a full url, which will be appended to the base_url
- it can raise an exception when the API returns a non-success status code
- allow_redirects is False by default (since API usually don't use redirects)
data
orjson
fields with valueNone
can either be included or excluded from the request- boolean fields can be serialized to
'true'
or'false'
instead of'True'
and'False'
Parameters:
Name | Type | Description | Default |
---|---|---|---|
method |
str
|
the HTTP method to use |
required |
url |
None | str | bytes | Iterable[str | bytes | int]
|
the url where the request will be sent to. Can be a path, as str ; that path will be joined to the configured API url. Can also be an iterable of path segments, that will be joined to the root url. |
None
|
raise_for_status |
bool | None
|
like the parameter of the same name from |
None
|
none_fields |
Literal['include', 'exclude', 'empty'] | None
|
like the parameter of the same name from |
None
|
bool_fields |
tuple[Any, Any] | None
|
like the parameter of the same name from |
None
|
Returns:
Type | Description |
---|---|
Response
|
a requests.Response as returned by requests |
Source code in requests_oauth2client/api_client.py
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 |
|
to_absolute_url(relative_url=None)
¶
Convert a relative url to an absolute url.
Given a relative_url
, return the matching absolute url, based on the base_url
that is
configured for this API.
The result of this method is different from a standard urljoin()
, because a relative_url
that starts with a "/" will not override the path from the base url. You can also pass an
iterable of path parts as relative url, which will be properly joined with "/". Those parts
may be str
(which will be urlencoded) or bytes
(which will be decoded as UTF-8 first) or
any other type (which will be converted to str
first, using the str() function
). See the
table below for example results which would exhibit most cases:
base_url | relative_url | result_url |
---|---|---|
"https://myhost.com/root" | "/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | "/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | b"/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | "path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | None | "https://myhost.com/root" |
"https://myhost.com/root" | ("user", 1, "resource") | "https://myhost.com/root/user/1/resource" |
"https://myhost.com/root" | "https://otherhost.org/foo" | ValueError |
Parameters:
Name | Type | Description | Default |
---|---|---|---|
relative_url |
None | str | bytes | Iterable[str | bytes | int]
|
a relative url |
None
|
Returns:
Type | Description |
---|---|
str
|
the resulting absolute url |
Source code in requests_oauth2client/api_client.py
256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 |
|
get(url=None, raise_for_status=None, **kwargs)
¶
Send a GET request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
None | str | bytes | Iterable[str | bytes | int]
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that request() takes. |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
|
post(url=None, raise_for_status=None, **kwargs)
¶
Send a POST request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
an url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 |
|
patch(url=None, raise_for_status=None, **kwargs)
¶
Send a PATCH request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
an url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
|
put(url=None, raise_for_status=None, **kwargs)
¶
Send a PUT request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
additional kwargs for |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 |
|
delete(url=None, raise_for_status=None, **kwargs)
¶
Send a DELETE request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
additional kwargs for |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 |
|
BaseOAuth2RenewableTokenAuth
¶
Bases: BearerAuth
Base class for BearerToken-based Auth Handlers, with an obtainable or renewable token.
In addition to adding a properly formatted Authorization
header, this will obtain a new token
once the current token is expired. Expiration is detected based on the expires_in
hint
returned by the AS. A configurable leeway
, in number of seconds, will make sure that a new
token is obtained some seconds before the actual expiration is reached. This may help in
situations where the client, AS and RS have slightly offset clocks.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client |
required |
token |
None | BearerToken | str
|
an initial Access Token, if you have one already. In most cases, leave |
None
|
leeway |
int
|
expiration leeway, in number of seconds |
20
|
token_kwargs |
Any
|
additional kwargs to include in token requests |
{}
|
Source code in requests_oauth2client/auth.py
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 |
|
renew_token()
¶
Obtain a new Bearer Token.
Subclasses should implement this.
Source code in requests_oauth2client/auth.py
139 140 141 142 143 144 145 |
|
forget_token()
¶
Forget the current token, forcing a renewal on the next HTTP request.
Source code in requests_oauth2client/auth.py
147 148 149 |
|
BearerAuth
¶
Bases: AuthBase
An Auth Handler that includes a Bearer Token in API calls, as defined in RFC6750$2.1.
As a prerequisite to using this AuthBase
, you have to obtain an access token manually.
You most likely don't want to do that by yourself, but instead use an instance of
OAuth2Client to do that for you.
See the others Auth Handlers in this module, which will automatically obtain
access tokens from an OAuth 2.x server.
Usage
1 2 |
|
The HTTP request will look like:
1 2 3 |
|
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken | None
|
a BearerToken or a string
to use as token for this Auth Handler. If |
None
|
Source code in requests_oauth2client/auth.py
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
|
token: BearerToken | None
property
writable
¶
Return the [BearerToken] that is used for authorization against the API.
Returns:
Type | Description |
---|---|
BearerToken | None
|
the configured BearerToken used with this |
BearerToken | None
|
AuthHandler. |
OAuth2AccessTokenAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
Authentication Handler for OAuth 2.0 Access Tokens and (optional) Refresh Tokens.
This Requests Auth handler implementation uses an access token as Bearer token, and can automatically refresh it when expired, if a refresh token is available.
Token can be a simple str
containing a raw access token value, or a
BearerToken that can contain a refresh_token. If a
refresh_token and an expiration date are available, this Auth Handler will automatically refresh
the access token once it is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to refresh tokens. |
required |
token |
None | BearerToken | str
|
a access token that has been previously obtained |
None
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) token = BearerToken( access_token="access_token", expires_in=600, refresh_token="refresh_token" ) # obtain a BearerToken any way you see fit, including a refresh token oauth2at_auth = OAuth2ClientCredentialsAuth(client, token, scope="my_scope") resp = requests.post("https://my.api.local/resource", auth=oauth2at_auth) ````
Source code in requests_oauth2client/auth.py
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 |
|
renew_token()
¶
Obtain a new token, using the Refresh Token, if available.
Source code in requests_oauth2client/auth.py
206 207 208 209 210 |
|
OAuth2AuthorizationCodeAuth
¶
Bases: OAuth2AccessTokenAuth
Authentication handler for the Authorization Code grant.
This Requests Auth handler implementation exchanges an Authorization Code for an access token, then automatically refreshes it once it is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
code |
str | AuthorizationResponse
|
an Authorization Code that has been obtained from the AS. |
required |
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) code = "my_code" # you must obtain this code yourself resp = requests.post("https://my.api.local/resource", auth=OAuth2AuthorizationCodeAuth(client, code)) ````
Source code in requests_oauth2client/auth.py
213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 |
|
exchange_code_for_token()
¶
Obtain the initial access token with the authorization_code grant.
Source code in requests_oauth2client/auth.py
262 263 264 265 266 |
|
OAuth2ClientCredentialsAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
An Auth Handler for the Client Credentials grant.
This requests AuthBase automatically gets Access Tokens from an OAuth 2.0 Token Endpoint with the Client Credentials grant, and will get a new one once the current one is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
**token_kwargs |
Any
|
extra kw parameters to pass to the Token Endpoint. May include |
{}
|
Usage
1 2 3 |
|
Source code in requests_oauth2client/auth.py
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
|
renew_token()
¶
Obtain a new token for use within this Auth Handler.
Source code in requests_oauth2client/auth.py
172 173 174 175 |
|
OAuth2DeviceCodeAuth
¶
Bases: OAuth2AccessTokenAuth
Authentication Handler for the Device Code Flow.
This Requests Auth handler implementation exchanges a Device Code for an Access Token, then automatically refreshes it once it is expired.
It needs a Device Code and an OAuth2Client to be able to get a token from the AS Token Endpoint just before the first request using this Auth Handler is being sent.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
device_code |
str | DeviceAuthorizationResponse
|
a Device Code obtained from the AS. |
required |
interval |
int
|
the interval to use to pool the Token Endpoint, in seconds. |
5
|
expires_in |
int
|
the lifetime of the token, in seconds. |
360
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint. |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) device_code = client.device_authorization() auth = OAuth2DeviceCodeAuth(client, device_code) resp = requests.post("https://my.api.local/resource", auth=auth) ````
Source code in requests_oauth2client/auth.py
316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 |
|
exchange_device_code_for_token()
¶
Exchange the Device Code for an access token.
This will poll the Token Endpoint until the user finishes the authorization process.
Source code in requests_oauth2client/auth.py
374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 |
|
OAuth2ResourceOwnerPasswordAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
Authentication Handler for the Resource Owner Password Flow.
This Requests Auth handler implementation exchanges the user credentials for an Access Token, then automatically obtains a new one once it is expired.
Note that this flow is considered deprecated, and the Authorization Code flow should be used whenever possible. Among other bad things, ROPC does not support SSO nor MFA and depends on the user typing its credentials directly inside the application instead of on a dedicated login page, which makes it totally insecure for 3rd party apps.
It needs the username and password and an OAuth2Client to be able to get a token from the AS Token Endpoint just before the first request using this Auth Handler is being sent.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens |
required |
username |
str
|
the username |
required |
password |
str
|
the user password |
required |
leeway |
int
|
an amount of time, in seconds |
20
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Source code in requests_oauth2client/auth.py
269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 |
|
renew_token()
¶
Exchange the user credentials for an Access Token.
Source code in requests_oauth2client/auth.py
306 307 308 309 310 311 312 313 |
|
AuthorizationRequest
¶
Represent an Authorization Request.
This class makes it easy to generate valid Authorization Request URI (possibly including a state, nonce, PKCE, and custom args), to store all parameters, and to validate an Authorization Response.
All parameters passed at init time will be included in the request query parameters as-is, excepted for a few parameters which have a special behaviour:
state
: if...
(default), a randomstate
parameter will be generated for you. You may pass your ownstate
asstr
, or set it toNone
so that thestate
parameter will not be included in the request. You may access that state in thestate
attribute from this request.nonce
: if...
(default) andscope
includes 'openid', a randomnonce
will be generated and included in the request. You may access thatnonce
in thenonce
attribute from this request.code_verifier
: ifNone
, andcode_challenge_method
is'S256'
or'plain'
, a validcode_challenge
andcode_verifier
for PKCE will be automatically generated, and thecode_challenge
will be included in the request. You may pass your owncode_verifier
as astr
parameter, in which case the appropriatecode_challenge
will be included in the request, according to thecode_challenge_method
.authorization_response_iss_parameter_supported
andissuer
: those are used for Server Issuer Identification. Ifìssuer
is set and an issuer is included in the Authorization Response, then the consistency between those 2 values will be checked when usingvalidate_callback()
. If issuer is not included in the response, andauthorization_response_iss_parameter_supported
isFalse
(default), then no issuer check is performed. Setauthorization_response_iss_parameter_supported
toTrue
to enforce server identification: if no issuer is included in the Authorization Response, then an error will be raised instead.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the uri for the authorization endpoint. |
required |
client_id |
str
|
the client_id to include in the request. |
required |
redirect_uri |
str | None
|
the redirect_uri to include in the request. This is required in OAuth 2.0 and optional
in OAuth 2.1. Pass |
None
|
scope |
None | str | Iterable[str]
|
the scope to include in the request, as an iterable of |
'openid'
|
response_type |
str
|
the response type to include in the request. |
'code'
|
state |
str | ellipsis | None
|
the state to include in the request, or |
...
|
nonce |
str | ellipsis | None
|
the nonce to include in the request, or |
...
|
code_verifier |
str | None
|
the code verifier to include in the request.
If left as |
None
|
code_challenge_method |
str | None
|
the method to use to derive the |
'S256'
|
acr_values |
str | Iterable[str] | None
|
requested Authentication Context Class Reference values. |
None
|
issuer |
str | None
|
Issuer Identifier value from the OAuth/OIDC Server, if using Server Issuer Identification. |
None
|
**kwargs |
Any
|
extra parameters to include in the request, as-is. |
{}
|
Source code in requests_oauth2client/authorization_request.py
201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 |
|
args: dict[str, Any]
property
¶
Return a dict with all the query parameters from this AuthorizationRequest.
Returns:
Type | Description |
---|---|
dict[str, Any]
|
a dict of parameters |
furl: furl
property
¶
Return the Authorization Request URI, as a furl
.
uri: str
property
¶
Return the Authorization Request URI, as a str
.
generate_state()
classmethod
¶
Generate a random state
parameter.
Source code in requests_oauth2client/authorization_request.py
279 280 281 282 |
|
generate_nonce()
classmethod
¶
Generate a random nonce
.
Source code in requests_oauth2client/authorization_request.py
284 285 286 287 |
|
as_dict()
¶
Return the full argument dict.
This can be used to serialize this request and/or to initialize a similar request.
Source code in requests_oauth2client/authorization_request.py
371 372 373 374 375 376 377 378 379 380 |
|
validate_callback(response)
¶
Validate an Authorization Response against this Request.
Validate a given Authorization Response URI against this Authorization Request, and return an AuthorizationResponse.
This includes matching the state
parameter, checking for returned errors, and extracting
the returned code
and other parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
str
|
the Authorization Response URI. This can be the full URL, or just the query parameters (still encoded as x-www-form-urlencoded). |
required |
Returns:
Type | Description |
---|---|
AuthorizationResponse
|
the extracted code, if all checks are successful |
Raises:
Type | Description |
---|---|
MismatchingIssuer
|
if the 'iss' received from the response does not match the expected value. |
MismatchingState
|
if the response |
OAuth2Error
|
if the response includes an error. |
MissingAuthCode
|
if the response does not contain a |
NotImplementedError
|
if response_type anything else than 'code'. |
Source code in requests_oauth2client/authorization_request.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 |
|
sign_request_jwt(jwk, alg=None, lifetime=None)
¶
Sign the request
object that matches this Authorization Request parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
alg |
str | None
|
the alg to use to sign the request, if the provided |
None
|
lifetime |
int | None
|
an optional number of seconds of validity for the signed request.
If present, |
None
|
Returns:
Type | Description |
---|---|
SignedJwt
|
a |
Source code in requests_oauth2client/authorization_request.py
463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 |
|
sign(jwk, alg=None, lifetime=None, **kwargs)
¶
Sign this Authorization Request and return a new one.
This replaces all parameters with a signed request
JWT.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
alg |
str | None
|
the alg to use to sign the request, if the provided |
None
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, don't use an 'exp' claim. |
None
|
kwargs |
Any
|
additional query parameters to include in the signed authorization request |
{}
|
Returns:
Type | Description |
---|---|
RequestParameterAuthorizationRequest
|
the signed Authorization Request |
Source code in requests_oauth2client/authorization_request.py
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 |
|
sign_and_encrypt_request_jwt(sign_jwk, enc_jwk, sign_alg=None, enc_alg=None, enc='A128CBC-HS256', lifetime=None)
¶
Sign and encrypt a request
object for this Authorization Request.
The signed request
will contain the same parameters as this AuthorizationRequest.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
sign_jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
enc_jwk |
Jwk | dict[str, Any]
|
the JWK to use to encrypt the request |
required |
sign_alg |
str | None
|
the alg to use to sign the request, if |
None
|
enc_alg |
str | None
|
the alg to use to encrypt the request, if |
None
|
enc |
str
|
the encoding to use to encrypt the request. |
'A128CBC-HS256'
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, do not include an 'exp' claim. |
None
|
Returns:
Type | Description |
---|---|
JweCompact
|
the signed and encrypted request object, as a |
Source code in requests_oauth2client/authorization_request.py
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 |
|
sign_and_encrypt(sign_jwk, enc_jwk, sign_alg=None, enc_alg=None, enc='A128CBC-HS256', lifetime=None)
¶
Sign and encrypt the current Authorization Request.
This replaces all parameters with a matching request
object.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
sign_jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
enc_jwk |
Jwk | dict[str, Any]
|
the JWK to use to encrypt the request |
required |
sign_alg |
str | None
|
the alg to use to sign the request, if |
None
|
enc_alg |
str | None
|
the alg to use to encrypt the request, if |
None
|
enc |
str
|
the encoding to use to encrypt the request. |
'A128CBC-HS256'
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, do not include an 'exp' claim. |
None
|
Returns:
Type | Description |
---|---|
RequestParameterAuthorizationRequest
|
a |
Source code in requests_oauth2client/authorization_request.py
561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 |
|
on_response_error(response)
¶
Error handler for Authorization Response errors.
Triggered by validate_callback() if the response uri contains an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
str
|
the Authorization Response URI. This can be the full URL, or just the query parameters. |
required |
Returns:
Type | Description |
---|---|
AuthorizationResponse
|
may return a default code that will be returned by |
AuthorizationResponse
|
will most likely raise exceptions instead. |
Source code in requests_oauth2client/authorization_request.py
601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 |
|
AuthorizationRequestSerializer
¶
(De)Serializer for AuthorizationRequest
instances.
You might need to store pending authorization requests in session, either server-side or client- side. This class is here to help you do that.
Source code in requests_oauth2client/authorization_request.py
766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 |
|
default_dumper(azr)
staticmethod
¶
Provide a default dumper implementation.
Serialize an AuthorizationRequest as JSON, then compress with deflate, then encodes as base64url.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
azr |
AuthorizationRequest
|
the |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized value |
Source code in requests_oauth2client/authorization_request.py
782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 |
|
default_loader(serialized, azr_class=AuthorizationRequest)
staticmethod
¶
Provide a default deserializer implementation.
This does the opposite operations than default_dumper
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized AuthorizationRequest |
required |
azr_class |
type[AuthorizationRequest]
|
the class to deserialize the Authorization Request to |
AuthorizationRequest
|
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
an AuthorizationRequest |
Source code in requests_oauth2client/authorization_request.py
801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 |
|
dumps(azr)
¶
Serialize and compress a given AuthorizationRequest for easier storage.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
azr |
AuthorizationRequest
|
an AuthorizationRequest to serialize |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized AuthorizationRequest, as a str |
Source code in requests_oauth2client/authorization_request.py
820 821 822 823 824 825 826 827 828 829 830 |
|
loads(serialized)
¶
Deserialize a serialized AuthorizationRequest.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized AuthorizationRequest |
required |
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
the deserialized AuthorizationRequest |
Source code in requests_oauth2client/authorization_request.py
832 833 834 835 836 837 838 839 840 841 842 |
|
AuthorizationResponse
¶
Represent a successful Authorization Response.
An Authorization Response is the redirection initiated by the AS to the client's redirection
endpoint (redirect_uri) after an Authorization Request. This Response is typically created with
a call to AuthorizationRequest.validate_callback()
once the call to the client Redirection
Endpoint is made. AuthorizationResponse contains the following, all accessible as attributes:
- all the parameters that have been returned by the AS, most notably the
code
, and optional parameters such asstate
. - the redirect_uri that was used for the Authorization Request
- the code_verifier matching the code_challenge that was used for the Authorization Request
Parameters redirect_uri
and code_verifier
must be those from the matching
AuthorizationRequest
. All other parameters including code
and state
must be those
extracted from the Authorization Response parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
code |
str
|
the authorization code returned by the AS |
required |
redirect_uri |
str | None
|
the redirect_uri that was passed as parameter in the AuthorizationRequest |
None
|
code_verifier |
str | None
|
the code_verifier matching the code_challenge that was passed as parameter in the AuthorizationRequest |
None
|
state |
str | None
|
the state returned by the AS |
None
|
**kwargs |
str
|
other parameters as returned by the AS |
{}
|
Source code in requests_oauth2client/authorization_request.py
118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 |
|
CodeChallengeMethods
¶
Bases: str
, Enum
PKCE Code Challenge Methods.
Source code in requests_oauth2client/authorization_request.py
111 112 113 114 115 |
|
PkceUtils
¶
Contains helper methods for PKCE, as described in RFC7636.
See RFC7636.
Source code in requests_oauth2client/authorization_request.py
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
|
code_verifier_re = re.compile('^[a-zA-Z0-9_\\-~.]{43,128}$')
class-attribute
instance-attribute
¶
A regex that matches valid code verifiers.
generate_code_verifier()
classmethod
¶
Generate a valid code_verifier
.
Returns:
Type | Description |
---|---|
str
|
a |
Source code in requests_oauth2client/authorization_request.py
40 41 42 43 44 45 46 47 48 |
|
derive_challenge(verifier, method='S256')
classmethod
¶
Derive the code_challenge
from a given code_verifier
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
verifier |
str | bytes
|
a code verifier |
required |
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
str
|
a |
Source code in requests_oauth2client/authorization_request.py
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
|
generate_code_verifier_and_challenge(method='S256')
classmethod
¶
Generate a valid code_verifier
and derive its code_challenge
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
tuple[str, str]
|
a |
Source code in requests_oauth2client/authorization_request.py
80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
|
validate_code_verifier(verifier, challenge, method='S256')
classmethod
¶
Validate a code_verifier
against a code_challenge
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
verifier |
str
|
the |
required |
challenge |
str
|
the |
required |
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
bool
|
|
Source code in requests_oauth2client/authorization_request.py
95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
|
RequestParameterAuthorizationRequest
¶
Represent an Authorization Request that includes a request
JWT.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the Authorization Endpoint uri |
required |
client_id |
str
|
the client_id |
required |
request |
str
|
the request JWT |
required |
expires_at |
datetime | None
|
the expiration date for this request |
None
|
kwargs |
Any
|
extra parameters to include in the request |
{}
|
Source code in requests_oauth2client/authorization_request.py
645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 |
|
RequestUriParameterAuthorizationRequest
¶
Represent an Authorization Request that includes a request_uri
parameter.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the Authorization Endpoint uri |
required |
client_id |
str
|
the client_id |
required |
request_uri |
str
|
the request_uri |
required |
expires_at |
datetime | None
|
the expiration date for this request |
None
|
kwargs |
Any
|
extra parameters to include in the request |
{}
|
Source code in requests_oauth2client/authorization_request.py
708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 |
|
BackChannelAuthenticationPoolingJob
¶
Bases: TokenEndpointPoolingJob
A pooling job for the BackChannel Authentication flow.
This will poll the Token Endpoint until the user finishes with its authentication.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client that will be used to pool the token endpoint. |
required |
auth_req_id |
str | BackChannelAuthenticationResponse
|
an |
required |
interval |
int | None
|
The pooling interval to use. This overrides the one in |
None
|
slow_down_interval |
int
|
Number of seconds to add to the pooling interval when the AS returns a slow down request. |
5
|
requests_kwargs |
dict[str, Any] | None
|
Additional parameters for the underlying calls to requests.request. |
None
|
**token_kwargs |
Any
|
Additional parameters for the token request. |
{}
|
auth=("client_id", "client_secret") ) pool_job = BackChannelAuthenticationPoolingJob( client=client, auth_req_id="my_auth_req_id" )
1 |
|
Source code in requests_oauth2client/backchannel_authentication.py
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 |
|
token_request()
¶
Implement the CIBA token request.
This actually calls [OAuth2Client.ciba(auth_req_id)] on client
.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/backchannel_authentication.py
136 137 138 139 140 141 142 143 144 145 |
|
BackChannelAuthenticationResponse
¶
Represent a BackChannel Authentication Response.
This contains all the parameters that are returned by the AS as a result of a BackChannel
Authentication Request, such as auth_req_id
(required), and the optional expires_at
,
interval
, and/or any custom parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
auth_req_id |
str
|
the |
required |
expires_at |
datetime | None
|
the date when the |
None
|
interval |
int | None
|
the Token Endpoint pooling interval, in seconds, as returned by the AS. |
20
|
**kwargs |
Any
|
any additional custom parameters as returned by the AS. |
{}
|
Source code in requests_oauth2client/backchannel_authentication.py
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
|
is_expired(leeway=0)
¶
Return True
if the auth_req_id
within this response is expired.
Expiration is evaluated at the time of the call. If there is no "expires_at" hint (which is
derived from the expires_in
hint returned by the AS BackChannel Authentication endpoint),
this will return None
.
Returns:
Type | Description |
---|---|
bool | None
|
|
bool | None
|
no |
Source code in requests_oauth2client/backchannel_authentication.py
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
|
GrantType
¶
Bases: str
, Enum
An enum of standardized grant_type
values.
Source code in requests_oauth2client/client.py
1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 |
|
OAuth2Client
¶
An OAuth 2.x Client, that can send requests to an OAuth 2.x Authorization Server.
OAuth2Client
is able to obtain tokens from the Token Endpoint using any of the standardised
Grant Types, and to communicate with the various backend endpoints like the Revocation,
Introspection, and UserInfo Endpoint.
To init an OAuth2Client, you only need the url to the Token Endpoint and the Credentials (a client_id and one of a secret or private_key) that will be used to authenticate to that endpoint. Other endpoint urls, such as the Authorization Endpoint, Revocation Endpoint, etc. can be passed as parameter as well if you intend to use them.
This class is not intended to help with the end-user authentication or any request that goes in
a browser. For authentication requests, see
AuthorizationRequest. You
may use the method authorization_request()
to generate AuthorizationRequest
s with the
preconfigured authorization_endpoint
, client_id
and `redirect_uri' from this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token_endpoint |
str
|
the Token Endpoint URI where this client will get access tokens |
required |
auth |
AuthBase | tuple[str, str] | tuple[str, Jwk] | tuple[str, dict[str, Any]] | str | None
|
the authentication handler to use for client authentication on the token endpoint. Can be:
|
None
|
client_id |
str | None
|
client ID (use either this or |
None
|
client_secret |
str | None
|
client secret (use either this or |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private_key to use for client authentication (use either this or |
None
|
revocation_endpoint |
str | None
|
the Revocation Endpoint URI to use for revoking tokens |
None
|
introspection_endpoint |
str | None
|
the Introspection Endpoint URI to use to get info about tokens |
None
|
userinfo_endpoint |
str | None
|
the Userinfo Endpoint URI to use to get information about the user |
None
|
authorization_endpoint |
str | None
|
the Authorization Endpoint URI, used for initializing Authorization Requests |
None
|
redirect_uri |
str | None
|
the redirect_uri for this client |
None
|
backchannel_authentication_endpoint |
str | None
|
the BackChannel Authentication URI |
None
|
device_authorization_endpoint |
str | None
|
the Device Authorization Endpoint URI to use to authorize devices |
None
|
jwks_uri |
str | None
|
the JWKS URI to use to obtain the AS public keys |
None
|
code_challenge_method |
str
|
challenge method to use for PKCE (should always be 'S256') |
'S256'
|
session |
Session | None
|
a requests Session to use when sending HTTP requests. Useful if some extra parameters such as proxy or client certificate must be used to connect to the AS. |
None
|
testing |
bool
|
if |
False
|
**extra_metadata |
Any
|
additional metadata for this client, unused by this class, but may be
used by subclasses. Those will be accessible with the |
{}
|
Usage
1 2 3 4 5 6 7 8 9 10 11 |
|
Source code in requests_oauth2client/client.py
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 |
|
client_id: str
property
¶
Client ID.
client_secret: str | None
property
¶
Client Secret.
client_jwks: JwkSet
property
¶
A JwkSet
containing the public keys for this client.
Keys are:
- the public key for client assertion signature verification (if using private_key_jwt)
- the ID Token encryption key
validate_endpoint_uri(attribute, uri)
¶
Validate that an endpoint URI is suitable for use.
If you need to disable some checks (for AS testing purposes only!), provide a different method here.
Source code in requests_oauth2client/client.py
255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 |
|
validate_issuer_uri(attribute, uri)
¶
Validate that an Issuer identifier is suitable for use.
This is the same check as an endpoint URI, but the path may be (and usually is) empty.
Source code in requests_oauth2client/client.py
279 280 281 282 283 284 285 286 287 288 289 290 291 292 |
|
token_request(data, timeout=10, **requests_kwargs)
¶
Send a request to the token endpoint.
Authentication will be added automatically based on the defined auth
for this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
data |
dict[str, Any]
|
parameters to send to the token endpoint. Items with a |
required |
timeout |
int
|
a timeout value for the call |
10
|
**requests_kwargs |
Any
|
additional parameters for requests.post() |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
the token endpoint response, as |
BearerToken
|
|
Source code in requests_oauth2client/client.py
369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 |
|
parse_token_response(response)
¶
Parse a Response returned by the Token Endpoint.
Invoked by token_request to parse
responses returned by the Token Endpoint. Those responses contain an access_token
and
additional attributes.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response returned by the Token Endpoint. |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
a |
BearerToken
|
contents. |
Source code in requests_oauth2client/client.py
400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 |
|
on_token_error(response)
¶
Error handler for token_request()
.
Invoked by token_request when the Token Endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response returned by the Token Endpoint. |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
nothing, and raises an exception instead. But a subclass may return a |
BearerToken
|
|
BearerToken
|
behaviour if needed. |
Source code in requests_oauth2client/client.py
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 |
|
client_credentials(scope=None, *, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint using the client_credentials
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
str | Iterable[str] | None
|
the scope to send with the request. Can be a str, or an iterable of str.
to pass that way include |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a TokenResponse |
Source code in requests_oauth2client/client.py
451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 |
|
authorization_code(code, *, validate=True, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint with the authorization_code
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
code |
str | AuthorizationResponse
|
an authorization code or an |
required |
validate |
bool
|
if |
True
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 |
|
refresh_token(refresh_token, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint with the refresh_token
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
refresh_token |
str | BearerToken
|
a refresh_token, as a string, or as a |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint,
alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 |
|
device_code(device_code, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint using the Device Code grant.
The grant_type is urn:ietf:params:oauth:grant-type:device_code
. This needs a Device Code,
or a DeviceAuthorizationResponse
as parameter.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
device_code |
str | DeviceAuthorizationResponse
|
a device code, or a |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 |
|
ciba(auth_req_id, requests_kwargs=None, **token_kwargs)
¶
Send a CIBA request to the Token Endpoint.
A CIBA request is a Token Request using the urn:openid:params:grant-type:ciba
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
auth_req_id |
str | BackChannelAuthenticationResponse
|
an authentication request ID, as returned by the AS |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 |
|
token_exchange(subject_token, subject_token_type=None, actor_token=None, actor_token_type=None, requested_token_type=None, requests_kwargs=None, **token_kwargs)
¶
Send a Token Exchange request.
A Token Exchange request is actually a request to the Token Endpoint with a grant_type
urn:ietf:params:oauth:grant-type:token-exchange
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
subject_token |
str | BearerToken | IdToken
|
the subject token to exchange for a new token. |
required |
subject_token_type |
str | None
|
a token type identifier for the subject_token, mandatory if it cannot be guessed based
on |
None
|
actor_token |
None | str | BearerToken | IdToken
|
the actor token to include in the request, if any. |
None
|
actor_token_type |
str | None
|
a token type identifier for the actor_token, mandatory if it cannot be guessed based
on |
None
|
requested_token_type |
str | None
|
a token type identifier for the requested token. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 |
|
jwt_bearer(assertion, requests_kwargs=None, **token_kwargs)
¶
Send a request using a JWT as authorization grant.
This is defined in (RFC7523 $2.1)[https://www.rfc-editor.org/rfc/rfc7523.html#section-2.1).
Parameters:
Name | Type | Description | Default |
---|---|---|---|
assertion |
Jwt | str
|
a JWT (as an instance of |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 |
|
resource_owner_password(username, password, requests_kwargs=None, **token_kwargs)
¶
Send a request using the Resource Owner Password Grant.
This Grant Type is deprecated and should only be used when there is no other choice.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
username |
str
|
the resource owner user name |
required |
password |
str
|
the resource owner password |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 |
|
authorization_request(*, scope='openid', response_type='code', redirect_uri=None, state=..., nonce=..., code_verifier=None, **kwargs)
¶
Generate an Authorization Request for this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
None | str | Iterable[str]
|
the |
'openid'
|
response_type |
str
|
the |
'code'
|
redirect_uri |
str | None
|
the |
None
|
state |
str | ellipsis | None
|
the |
...
|
nonce |
str | ellipsis | None
|
a |
...
|
code_verifier |
str | None
|
the PKCE |
None
|
**kwargs |
Any
|
additional parameters to include in the auth request |
{}
|
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
an AuthorizationRequest with the supplied parameters |
Source code in requests_oauth2client/client.py
731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 |
|
pushed_authorization_request(authorization_request, requests_kwargs=None)
¶
Send a Pushed Authorization Request.
This sends a request to the Pushed Authorization Request Endpoint, and returns a
RequestUriParameterAuthorizationRequest
initialized with the AS response.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_request |
AuthorizationRequest
|
the authorization request to send |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
the |
Source code in requests_oauth2client/client.py
787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 |
|
parse_pushed_authorization_response(response)
¶
Parse the response obtained by pushed_authorization_request()
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the |
required |
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
a RequestUriParameterAuthorizationRequest instance |
Source code in requests_oauth2client/client.py
815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 |
|
on_pushed_authorization_request_error(response)
¶
Error Handler for Pushed Authorization Endpoint errors.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the HTTP response as returned by the AS PAR endpoint. |
required |
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
a RequestUriParameterAuthorizationRequest, if the error is recoverable |
Raises:
Type | Description |
---|---|
EndpointError
|
a subclass of this error depending on the error returned by the AS |
InvalidPushedAuthorizationResponse
|
if the returned response is not following the |
specifications UnknownTokenEndpointError
|
for unknown/unhandled errors |
Source code in requests_oauth2client/client.py
838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 |
|
userinfo(access_token)
¶
Call the UserInfo endpoint.
This sends a request to the UserInfo endpoint, with the specified access_token, and returns the parsed result.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
BearerToken | str
|
the access token to use |
required |
Returns:
Type | Description |
---|---|
Any
|
the Response returned by the userinfo endpoint. |
Source code in requests_oauth2client/client.py
866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 |
|
parse_userinfo_response(resp)
¶
Parse the response obtained by userinfo()
.
Invoked by userinfo() to parse the response from the UserInfo endpoint, this will extract and return its JSON content.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
resp |
Response
|
a Response returned from the UserInfo endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
the parsed JSON content from this response. |
Source code in requests_oauth2client/client.py
886 887 888 889 890 891 892 893 894 895 896 897 898 899 |
|
on_userinfo_error(resp)
¶
Parse UserInfo error response.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
resp |
Response
|
a Response returned from the UserInfo endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
nothing, raises exception instead. |
Source code in requests_oauth2client/client.py
901 902 903 904 905 906 907 908 909 910 911 |
|
get_token_type(token_type=None, token=None)
classmethod
¶
Get standardized token type identifiers.
Return a standardized token type identifier, based on a short token_type
hint and/or a
token value.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token_type |
str | None
|
a token_type hint, as |
None
|
token |
None | str | BearerToken | IdToken
|
a token value, as an instance of |
None
|
Returns:
Type | Description |
---|---|
str
|
the token_type as defined in the Token Exchange RFC8693. |
Source code in requests_oauth2client/client.py
913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 |
|
revoke_access_token(access_token, requests_kwargs=None, **revoke_kwargs)
¶
Send a request to the Revocation Endpoint to revoke an access token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
BearerToken | str
|
the access token to revoke |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the underlying requests.post() call |
None
|
**revoke_kwargs |
Any
|
additional parameters to pass to the revocation endpoint |
{}
|
Source code in requests_oauth2client/client.py
979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 |
|
revoke_refresh_token(refresh_token, requests_kwargs=None, **revoke_kwargs)
¶
Send a request to the Revocation Endpoint to revoke a refresh token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
refresh_token |
str | BearerToken
|
the refresh token to revoke. |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the revocation endpoint. |
None
|
**revoke_kwargs |
Any
|
additional parameters to pass to the revocation endpoint. |
{}
|
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
revocation endpoint. |
Source code in requests_oauth2client/client.py
1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 |
|
revoke_token(token, token_type_hint=None, requests_kwargs=None, **revoke_kwargs)
¶
Send a Token Revocation request.
By default, authentication will be the same than the one used for the Token Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken
|
the token to revoke. |
required |
token_type_hint |
str | None
|
a token_type_hint to send to the revocation endpoint. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to the underling call to requests.post() |
None
|
**revoke_kwargs |
Any
|
additional parameters to send to the revocation endpoint. |
{}
|
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
non-standardised error is returned. |
Source code in requests_oauth2client/client.py
1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 |
|
on_revocation_error(response)
¶
Error handler for revoke_token()
.
Invoked by revoke_token() when the revocation endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response as returned by the Revocation Endpoint |
required |
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
revocation response. |
Source code in requests_oauth2client/client.py
1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 |
|
introspect_token(token, token_type_hint=None, requests_kwargs=None, **introspect_kwargs)
¶
Send a request to the Introspection Endpoint.
Parameter token
can be:
- a
str
- a
BearerToken
instance
You may pass any arbitrary token
and token_type_hint
values as str
. Those will
be included in the request, as-is.
If token
is a BearerToken
, then token_type_hint
must be either:
None
: the access_token will be instrospected and no token_type_hint will be included in the requestaccess_token
: same asNone
, but the token_type_hint will be included- or
refresh_token
: only available if a Refresh Token is present in the BearerToken.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken
|
the token to instrospect |
required |
token_type_hint |
str | None
|
the |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to the underling call to requests.post() |
None
|
**introspect_kwargs |
Any
|
additional parameters to send to the introspection endpoint. |
{}
|
Returns:
Type | Description |
---|---|
Any
|
the response as returned by the Introspection Endpoint. |
Source code in requests_oauth2client/client.py
1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 |
|
parse_introspection_response(response)
¶
Parse Token Introspection Responses received by introspect_token()
.
Invoked by introspect_token() to parse the returned response. This decodes the JSON content if possible, otherwise it returns the response as a string.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response as returned by the Introspection Endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
the decoded JSON content, or a |
Source code in requests_oauth2client/client.py
1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 |
|
on_introspection_error(response)
¶
Error handler for introspect_token()
.
Invoked by introspect_token() to parse the returned response in the case an error is returned.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response as returned by the Introspection Endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
usually raises exceptions. A subclass can return a default response instead. |
Source code in requests_oauth2client/client.py
1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 |
|
backchannel_authentication_request(scope='openid', *, client_notification_token=None, acr_values=None, login_hint_token=None, id_token_hint=None, login_hint=None, binding_message=None, user_code=None, requested_expiry=None, private_jwk=None, alg=None, requests_kwargs=None, **ciba_kwargs)
¶
Send a CIBA Authentication Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
None | str | Iterable[str]
|
the scope to include in the request. |
'openid'
|
client_notification_token |
str | None
|
the Client Notification Token to include in the request. |
None
|
acr_values |
None | str | Iterable[str]
|
the acr values to include in the request. |
None
|
login_hint_token |
str | None
|
the Login Hint Token to include in the request. |
None
|
id_token_hint |
str | None
|
the ID Token Hint to include in the request. |
None
|
login_hint |
str | None
|
the Login Hint to include in the request. |
None
|
binding_message |
str | None
|
the Binding Message to include in the request. |
None
|
user_code |
str | None
|
the User Code to include in the request |
None
|
requested_expiry |
int | None
|
the Requested Expiry, in seconds, to include in the request. |
None
|
private_jwk |
Jwk | dict[str, Any] | None
|
the JWK to use to sign the request (optional) |
None
|
alg |
str | None
|
the alg to use to sign the request, if the provided JWK does not include an "alg" parameter. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
**ciba_kwargs |
Any
|
additional parameters to include in the request. |
{}
|
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
a BackChannelAuthenticationResponse as returned by AS |
Source code in requests_oauth2client/client.py
1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 |
|
parse_backchannel_authentication_response(response)
¶
Parse a response received by backchannel_authentication_request()
.
Invoked by backchannel_authentication_request() to parse the response returned by the BackChannel Authentication Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the BackChannel Authentication Endpoint. |
required |
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
a |
Source code in requests_oauth2client/client.py
1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 |
|
on_backchannel_authentication_error(response)
¶
Error handler for backchannel_authentication_request()
.
Invoked by backchannel_authentication_request() to parse the response returned by the BackChannel Authentication Endpoint, when it is an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the BackChannel Authentication Endpoint. |
required |
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
usually raises an exception. But a subclass can return a default response instead. |
Source code in requests_oauth2client/client.py
1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 |
|
authorize_device(requests_kwargs=None, **data)
¶
Send a Device Authorization Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
**data |
Any
|
additional data to send to the Device Authorization Endpoint |
{}
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
a Device Authorization Response |
Source code in requests_oauth2client/client.py
1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 |
|
parse_device_authorization_response(response)
¶
Parse a Device Authorization Response received by authorize_device()
.
Invoked by authorize_device() to parse the response returned by the Device Authorization Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the Device Authorization Endpoint. |
required |
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
a |
Source code in requests_oauth2client/client.py
1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 |
|
on_device_authorization_error(response)
¶
Error handler for authorize_device()
.
Invoked by authorize_device() to parse the response returned by the Device Authorization Endpoint, when that response is an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the Device Authorization Endpoint. |
required |
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
usually raises an Exception. But a subclass may return a default response instead. |
Source code in requests_oauth2client/client.py
1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 |
|
update_authorization_server_public_keys(requests_kwargs=None)
¶
Update the cached AS public keys by retrieving them from its jwks_uri
.
Public keys are returned by this method, as a jwskate.JwkSet
. They are also
available in attribute authorization_server_jwks
.
Returns:
Type | Description |
---|---|
JwkSet
|
the retrieved public keys |
Raises:
Type | Description |
---|---|
ValueError
|
if no |
Source code in requests_oauth2client/client.py
1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 |
|
from_discovery_endpoint(url=None, issuer=None, *, auth=None, client_id=None, client_secret=None, private_key=None, session=None, testing=False, **kwargs)
classmethod
¶
Initialise an OAuth2Client based on Authorization Server Metadata.
This will retrieve the standardised metadata document available at url
, and will extract
all Endpoint Uris from that document, will fetch the current public keys from its
jwks_uri
, then will initialise an OAuth2Client based on those endpoints.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | None
|
the url where the server metadata will be retrieved |
None
|
auth |
AuthBase | tuple[str, str] | str | None
|
the authentication handler to use for client authentication |
None
|
client_id |
str | None
|
client ID |
None
|
client_secret |
str | None
|
client secret to use to authenticate the client |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private key to sign client assertions |
None
|
session |
Session | None
|
a |
None
|
issuer |
str | None
|
if an issuer is given, check that it matches the one from the retrieved document |
None
|
testing |
bool
|
if True, don't try to validate the endpoint urls that are part of the document |
False
|
**kwargs |
Any
|
additional keyword parameters to pass to OAuth2Client |
{}
|
Returns:
Type | Description |
---|---|
OAuth2Client
|
an OAuth2Client with endpoint initialised based on the obtained metadata |
Raises:
Type | Description |
---|---|
ValueError
|
if neither |
HTTPError
|
if an error happens while fetching the documents |
Source code in requests_oauth2client/client.py
1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 |
|
from_discovery_document(discovery, issuer=None, *, auth=None, client_id=None, client_secret=None, private_key=None, authorization_server_jwks=None, session=None, https=True, testing=False, **kwargs)
classmethod
¶
Initialise an OAuth2Client, based on the server metadata from discovery
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
discovery |
dict[str, Any]
|
a dict of server metadata, in the same format as retrieved from a discovery endpoint. |
required |
issuer |
str | None
|
if an issuer is given, check that it matches the one mentioned in the document |
None
|
auth |
AuthBase | tuple[str, str] | str | None
|
the authentication handler to use for client authentication |
None
|
client_id |
str | None
|
client ID |
None
|
client_secret |
str | None
|
client secret to use to authenticate the client |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private key to sign client assertions |
None
|
authorization_server_jwks |
JwkSet | dict[str, Any] | None
|
the current authorization server JWKS keys |
None
|
session |
Session | None
|
a requests Session to use to retrieve the document and initialise the client with |
None
|
https |
bool
|
(deprecated) if |
True
|
testing |
bool
|
if True, don't try to validate the endpoint urls that are part of the document |
False
|
**kwargs |
Any
|
additional args that will be passed to OAuth2Client |
{}
|
Returns:
Type | Description |
---|---|
OAuth2Client
|
an |
Source code in requests_oauth2client/client.py
1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 |
|
BaseClientAuthenticationMethod
¶
Bases: AuthBase
Base class for all Client Authentication methods. This extends [requests.auth.AuthBase].
This base class only checks that requests are suitable to add Client Authentication parameters to, and doesn't modify the request.
Source code in requests_oauth2client/client_authentication.py
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
|
ClientAssertionAuthenticationMethod
¶
Bases: BaseClientAuthenticationMethod
Base class for assertion-based client authentication methods.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the client_id to use |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
required |
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
required |
jti_gen |
Callable[[], str]
|
a function to generate JWT Token Ids ( |
required |
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 |
|
client_assertion(audience)
¶
Generate a Client Assertion for a specific audience.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion, as |
Source code in requests_oauth2client/client_authentication.py
158 159 160 161 162 163 164 165 166 167 168 |
|
ClientSecretBasic
¶
Bases: BaseClientAuthenticationMethod
Implement client_secret_basic
authentication.
With this method, the client sends its Client ID and Secret, in the Authorization header, with the "Basic" scheme, in each authenticated request to the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
|
required |
client_secret |
str
|
|
required |
Source code in requests_oauth2client/client_authentication.py
59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
|
ClientSecretJwt
¶
Bases: ClientAssertionAuthenticationMethod
Implement client_secret_jwt
client authentication method.
With this method, the client generates and signs a client assertion that is symmetrically
signed with its Client Secret. The assertion is then sent to the AS in a client_assertion
field with each authenticated request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the |
required |
client_secret |
str
|
the |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
'HS256'
|
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
60
|
jti_gen |
Callable[[], Any]
|
a function to generate JWT Token Ids ( |
lambda: uuid4()
|
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
|
client_assertion(audience)
¶
Generate a symmetrically signed Client Assertion.
Assertion is signed with the client_secret
as key and the alg
passed at init time.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the generated Client Assertion. |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion, as |
Source code in requests_oauth2client/client_authentication.py
227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
|
ClientSecretPost
¶
Bases: BaseClientAuthenticationMethod
Implement client_secret_post
client authentication method.
With this method, the client inserts its client_id and client_secret in each authenticated request to the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
|
required |
client_secret |
str
|
|
required |
Source code in requests_oauth2client/client_authentication.py
94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
|
PrivateKeyJwt
¶
Bases: ClientAssertionAuthenticationMethod
Implement private_key_jwt
client authentication method.
With this method, the client generates and sends a client_assertion, that is asymmetrically signed with a private key, on each direct request to the Authorization Server.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the |
required |
private_jwk |
Jwk | dict[str, Any]
|
the private JWK to use to sign generated Client Assertions. |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
RS256
|
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
60
|
jti_gen |
Callable[[], Any]
|
a function to generate JWT Token Ids ( |
lambda: uuid4()
|
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 |
|
client_assertion(audience)
¶
Generate a Client Assertion, asymmetrically signed with private_jwk
as key.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the generated Client Assertion. |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion. |
Source code in requests_oauth2client/client_authentication.py
304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 |
|
PublicApp
¶
Bases: BaseClientAuthenticationMethod
Implement the none
authentication method for public apps.
This scheme is used for Public Clients, which do not have any secret credentials. Those only send their client_id to the Authorization Server.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the client_id to use. |
required |
Source code in requests_oauth2client/client_authentication.py
333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 |
|
DeviceAuthorizationPoolingJob
¶
Bases: TokenEndpointPoolingJob
A Token Endpoint pooling job for the Device Authorization Flow.
This periodically checks if the user has finished with his authorization in a Device Authorization flow.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client that will be used to pool the token endpoint. |
required |
device_code |
str | DeviceAuthorizationResponse
|
a |
required |
interval |
int | None
|
The pooling interval to use. This overrides the one in |
None
|
slow_down_interval |
int
|
Number of seconds to add to the pooling interval when the AS returns a slow-down request. |
5
|
requests_kwargs |
dict[str, Any] | None
|
Additional parameters for the underlying calls to requests.request. |
None
|
**token_kwargs |
Any
|
Additional parameters for the token request. |
{}
|
auth=("client_id", "client_secret") ) pool_job = DeviceAuthorizationPoolingJob(client=client, device_code="my_device_code")
1 |
|
Source code in requests_oauth2client/device_authorization.py
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
|
token_request()
¶
Implement the Device Code token request.
This actually calls [OAuth2Client.device_code(device_code)] on client
.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/device_authorization.py
111 112 113 114 115 116 117 118 119 120 |
|
DeviceAuthorizationResponse
¶
Represent a response returned by the device Authorization Endpoint.
All parameters are those returned by the AS as response to a Device Authorization Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
device_code |
str
|
the |
required |
user_code |
str
|
the |
required |
verification_uri |
str
|
the |
required |
verification_uri_complete |
str | None
|
the |
None
|
expires_at |
datetime | None
|
the expiration date for the device_code.
Also accepts an |
None
|
interval |
int | None
|
the pooling |
None
|
**kwargs |
Any
|
additional parameters as returned by the AS. |
{}
|
Source code in requests_oauth2client/device_authorization.py
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
|
is_expired(leeway=0)
¶
Check if the device_code
within this response is expired.
Returns:
Type | Description |
---|---|
bool | None
|
|
bool | None
|
no |
Source code in requests_oauth2client/device_authorization.py
56 57 58 59 60 61 62 63 64 65 66 |
|
AccessDenied
¶
Bases: EndpointError
Raised when the Authorization Server returns error = access_denied
.
Source code in requests_oauth2client/exceptions.py
97 98 |
|
AccountSelectionRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = account_selection_required
.
Source code in requests_oauth2client/exceptions.py
172 173 |
|
AuthorizationPending
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = authorization_pending
.
Source code in requests_oauth2client/exceptions.py
125 126 |
|
AuthorizationResponseError
¶
Bases: Exception
Base class for error responses returned by the Authorization endpoint.
An AuthorizationResponseError
contains the error message, description and uri that are
returned by the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
error |
str
|
the |
required |
description |
str | None
|
the |
None
|
uri |
str | None
|
the |
None
|
Source code in requests_oauth2client/exceptions.py
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
|
BackChannelAuthenticationError
¶
Bases: EndpointError
Base class for errors returned by the BackChannel Authentication endpoint.
Source code in requests_oauth2client/exceptions.py
269 270 |
|
ConsentRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = consent_required
.
Source code in requests_oauth2client/exceptions.py
180 181 |
|
DeviceAuthorizationError
¶
Bases: EndpointError
Base class for Device Authorization Endpoint errors.
Source code in requests_oauth2client/exceptions.py
121 122 |
|
EndpointError
¶
Bases: OAuth2Error
Base class for exceptions raised from backend endpoint errors.
This contains the error message, description and uri that are returned by the AS in the OAuth 2.0 standardised way.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the raw requests.PreparedResponse containing the error. |
required |
error |
str
|
the |
required |
description |
str | None
|
the |
None
|
uri |
str | None
|
the |
None
|
Source code in requests_oauth2client/exceptions.py
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
|
ExpiredAccessToken
¶
Bases: RuntimeError
Raised when an expired access token is used.
Source code in requests_oauth2client/exceptions.py
61 62 |
|
ExpiredIdToken
¶
Bases: InvalidIdToken
Raised when the returned ID Token is expired.
Source code in requests_oauth2client/exceptions.py
265 266 |
|
ExpiredToken
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = expired_token
.
Source code in requests_oauth2client/exceptions.py
133 134 |
|
InteractionRequired
¶
Bases: AuthorizationResponseError
Raised when the Authorization Endpoint returns error = interaction_required
.
Source code in requests_oauth2client/exceptions.py
164 165 |
|
IntrospectionError
¶
Bases: EndpointError
Base class for Introspection Endpoint errors.
Source code in requests_oauth2client/exceptions.py
113 114 |
|
InvalidAuthResponse
¶
Bases: Exception
Raised when the Authorization Endpoint returns an invalid response.
Source code in requests_oauth2client/exceptions.py
184 185 |
|
InvalidBackChannelAuthenticationResponse
¶
Bases: OAuth2Error
Raised when the BackChannel Authentication endpoint returns a non-standard response.
Source code in requests_oauth2client/exceptions.py
273 274 |
|
InvalidClient
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_client
.
Source code in requests_oauth2client/exceptions.py
81 82 |
|
InvalidDeviceAuthorizationResponse
¶
Bases: OAuth2Error
Raised when the Device Authorization Endpoint returns a non-standard error response.
Source code in requests_oauth2client/exceptions.py
137 138 |
|
InvalidGrant
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_grant
.
Source code in requests_oauth2client/exceptions.py
93 94 |
|
InvalidIdToken
¶
Bases: InvalidJwt
Raised when trying to validate an invalid ID Token value.
Source code in requests_oauth2client/exceptions.py
141 142 |
|
InvalidPushedAuthorizationResponse
¶
Bases: OAuth2Error
Raised when the Pushed Authorization Endpoint returns an error.
Source code in requests_oauth2client/exceptions.py
277 278 |
|
InvalidRequest
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_request
.
Source code in requests_oauth2client/exceptions.py
77 78 |
|
InvalidScope
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_scope
.
Source code in requests_oauth2client/exceptions.py
85 86 |
|
InvalidTarget
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_target
.
Source code in requests_oauth2client/exceptions.py
89 90 |
|
InvalidTokenResponse
¶
Bases: OAuth2Error
Raised when the Token Endpoint returns a non-standard response.
Source code in requests_oauth2client/exceptions.py
57 58 |
|
LoginRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = login_required
.
Source code in requests_oauth2client/exceptions.py
168 169 |
|
MismatchingAcr
¶
Bases: InvalidIdToken
Raised when the returned ID Token doesn't contain one of the requested ACR Values.
This happens when the authorization request includes an acr_values
parameter but the returned
ID Token includes a different value.
Source code in requests_oauth2client/exceptions.py
244 245 246 247 248 249 250 |
|
MismatchingAudience
¶
Bases: InvalidIdToken
Raised when the ID Token audience does not include the requesting Client ID.
Source code in requests_oauth2client/exceptions.py
253 254 |
|
MismatchingAzp
¶
Bases: InvalidIdToken
Raised when the ID Token Authorized Presenter (azp) claim is not the Client ID.
Source code in requests_oauth2client/exceptions.py
257 258 |
|
MismatchingIdTokenAlg
¶
Bases: InvalidIdToken
Raised when the returned ID Token is signed with an unexpected alg.
Source code in requests_oauth2client/exceptions.py
261 262 |
|
MismatchingIssuer
¶
Bases: InvalidAuthResponse
Raised on mismatching iss
value.
This happens when the Authorization Endpoints returns an 'iss' that doesn't match the expected value.
Source code in requests_oauth2client/exceptions.py
226 227 228 229 230 231 232 |
|
MismatchingNonce
¶
Bases: InvalidIdToken
Raised on mismatching nonce
value in an ID Token.
This happens when the authorization request includes a nonce
but the returned ID Token include
a different value.
Source code in requests_oauth2client/exceptions.py
235 236 237 238 239 240 241 |
|
MismatchingState
¶
Bases: InvalidAuthResponse
Raised on mismatching state
value.
This happens when the Authorization Endpoints returns a 'state' parameter that doesn't match the value passed in the Authorization Request.
Source code in requests_oauth2client/exceptions.py
217 218 219 220 221 222 223 |
|
MissingAuthCode
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return the mandatory code
.
This happens when the Authorization Endpoint does not return an error, but does not return an
authorization code
either.
Source code in requests_oauth2client/exceptions.py
188 189 190 191 192 193 194 |
|
MissingIdToken
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return a mandatory ID Token.
This happens when the Authorization Endpoint does not return an error, but does not return an ID Token either.
Source code in requests_oauth2client/exceptions.py
208 209 210 211 212 213 214 |
|
MissingIssuer
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return an iss
parameter as expected.
The Authorization Server advertises its support with a flag
authorization_response_iss_parameter_supported
in its discovery document. If it is set to
true
, it must include an iss
parameter in its authorization responses, containing its issuer
identifier.
Source code in requests_oauth2client/exceptions.py
197 198 199 200 201 202 203 204 205 |
|
OAuth2Error
¶
Bases: Exception
Base class for Exceptions raised when a backend endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the HTTP response containing the error |
required |
Source code in requests_oauth2client/exceptions.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
|
request: requests.PreparedRequest
property
¶
The request leading to the error.
RevocationError
¶
Bases: EndpointError
Base class for Revocation Endpoint errors.
Source code in requests_oauth2client/exceptions.py
105 106 |
|
ServerError
¶
Bases: EndpointError
Raised when the token endpoint returns error = server_error
.
Source code in requests_oauth2client/exceptions.py
69 70 |
|
SessionSelectionRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = session_selection_required
.
Source code in requests_oauth2client/exceptions.py
176 177 |
|
SlowDown
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = slow_down
.
Source code in requests_oauth2client/exceptions.py
129 130 |
|
TokenEndpointError
¶
Bases: EndpointError
Base class for errors that are specific to the token endpoint.
Source code in requests_oauth2client/exceptions.py
73 74 |
|
UnauthorizedClient
¶
Bases: EndpointError
Raised when the Authorization Server returns error = unauthorized_client
.
Source code in requests_oauth2client/exceptions.py
101 102 |
|
UnknownIntrospectionError
¶
Bases: OAuth2Error
Raised when the Introspection Endpoint returns a non-standard error.
Source code in requests_oauth2client/exceptions.py
117 118 |
|
UnknownTokenEndpointError
¶
Bases: EndpointError
Raised when an otherwise unknown error is returned by the token endpoint.
Source code in requests_oauth2client/exceptions.py
65 66 |
|
UnsupportedTokenType
¶
Bases: RevocationError
Raised when the Revocation endpoint returns error = unsupported_token_type
.
Source code in requests_oauth2client/exceptions.py
109 110 |
|
TokenEndpointPoolingJob
¶
Bases: ABC
Base class for Token Endpoint pooling jobs.
This is used for decoupled flows like CIBA or Device Authorization.
This class must be subclassed to implement actual BackChannel flows. This needs an
OAuth2Client that will be used to pool the token
endpoint. The initial pooling interval
is configurable.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client that will be used to pool the token endpoint. |
required |
interval |
int | None
|
initial pooling interval, in seconds. If |
None
|
slow_down_interval |
int
|
when a SlowDown is received, this number of seconds will be added to the pooling interval. |
5
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the underlying calls to requests.request |
None
|
**token_kwargs |
Any
|
additional parameters for the token request |
{}
|
Source code in requests_oauth2client/pooling.py
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 |
|
token_request()
abstractmethod
¶
Abstract method for the token endpoint call.
This must be implemented by subclasses. This method must Must raise
AuthorizationPending to retry after
the pooling interval, or SlowDown to increase
the pooling interval by slow_down_interval
seconds.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/pooling.py
77 78 79 80 81 82 83 84 85 86 87 88 89 90 |
|
BearerToken
¶
Bases: AccessToken
Represents a Bearer Token as returned by a Token Endpoint.
This is a wrapper around a Bearer Token and associated parameters, such as expiration date and refresh token, as returned by an OAuth 2.x or OIDC 1.0 Token Endpoint.
All parameters are as returned by a Token Endpoint. The token expiration date can be passed as
datetime in the expires_at
parameter, or an expires_in
parameter, as number of seconds in
the future, can be passed instead.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
str
|
an |
required |
expires_at |
datetime | None
|
an expiration date. This method also accepts an |
None
|
scope |
str | None
|
a |
None
|
refresh_token |
str | None
|
a |
None
|
token_type |
str
|
a |
TOKEN_TYPE
|
id_token |
str | bytes | IdToken | JweCompact | None
|
an |
None
|
**kwargs |
Any
|
additional parameters as returned by the AS, if any. |
{}
|
Source code in requests_oauth2client/tokens.py
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 |
|
expires_in: int | None
property
¶
Number of seconds until expiration.
is_expired(leeway=0)
¶
Check if the access token is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
leeway |
int
|
If the token expires in the next given number of seconds, then consider it expired already. |
0
|
Returns:
Type | Description |
---|---|
bool | None
|
One of: |
bool | None
|
|
bool | None
|
|
bool | None
|
|
Source code in requests_oauth2client/tokens.py
173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
|
authorization_header()
¶
Return the appropriate Authorization Header value for this token.
The value is formatted correctly according to RFC6750.
Returns:
Type | Description |
---|---|
str
|
the value to use in an HTTP Authorization Header |
Source code in requests_oauth2client/tokens.py
192 193 194 195 196 197 198 199 200 201 |
|
validate_id_token(client, azr)
¶
Validate that a token response is valid, and return the ID Token.
This will validate the id_token as described in OIDC 1.0 $3.1.3.7.
If the ID Token is encrypted, this decrypts it and returns the clear-text ID Token.
Source code in requests_oauth2client/tokens.py
203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 |
|
as_dict()
¶
Return a dict of parameters.
That is suitable for serialization or to init another BearerToken.
Source code in requests_oauth2client/tokens.py
362 363 364 365 366 367 368 369 370 371 372 |
|
BearerTokenSerializer
¶
A helper class to serialize Token Response returned by an AS.
This may be used to store BearerTokens in session or cookies.
It needs a dumper
and a loader
functions that will respectively serialize and deserialize
BearerTokens. Default implementations are provided with use gzip and base64url on the serialized
JSON representation.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
dumper |
Callable[[BearerToken], str] | None
|
a function to serialize a token into a |
None
|
loader |
Callable[[str], BearerToken] | None
|
a function to deserialize a serialized token representation. |
None
|
Source code in requests_oauth2client/tokens.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 |
|
default_dumper(token)
staticmethod
¶
Serialize a token as JSON, then compress with deflate, then encodes as base64url.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
BearerToken
|
the |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized value |
Source code in requests_oauth2client/tokens.py
420 421 422 423 424 425 426 427 428 429 430 431 |
|
default_loader(serialized, token_class=BearerToken)
¶
Deserialize a BearerToken.
This does the opposite operations than default_dumper
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized token |
required |
token_class |
type[BearerToken]
|
class to use to deserialize the Token |
BearerToken
|
Returns:
Type | Description |
---|---|
BearerToken
|
a BearerToken |
Source code in requests_oauth2client/tokens.py
433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 |
|
dumps(token)
¶
Serialize and compress a given token for easier storage.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
BearerToken
|
a BearerToken to serialize |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized token, as a str |
Source code in requests_oauth2client/tokens.py
452 453 454 455 456 457 458 459 460 461 462 |
|
loads(serialized)
¶
Deserialize a serialized token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized token |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
the deserialized token |
Source code in requests_oauth2client/tokens.py
464 465 466 467 468 469 470 471 472 473 474 |
|
IdToken
¶
Bases: SignedJwt
Represent an ID Token.
An ID Token is actually a Signed JWT. If the ID Token is encrypted, it must be decoded beforehand.
Source code in requests_oauth2client/tokens.py
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
|
auth_time: datetime
property
¶
The last user authentication time.
hash_method(key, alg=None)
classmethod
¶
Returns a callable that generates valid OIDC hashes, such as at_hash, c_hash, s_hash.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
key |
Jwk
|
the ID token signature verification public key |
required |
alg |
str | None
|
the ID token signature algorithm |
None
|
Returns:
Type | Description |
---|---|
Callable[[str], str]
|
a callable that takes a string as input and produces a valid hash as a str output |
Source code in requests_oauth2client/tokens.py
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
|
oauth2_discovery_document_url(issuer)
¶
Construct the standardised OAuth 2.0 discovery document url for a given issuer
.
Based an issuer
identifier, returns the standardised URL where the OAuth20 server metadata can
be retrieved.
The returned URL is built as specified in RFC8414.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
issuer |
str
|
an OAuth20 Authentication Server |
required |
Returns:
Type | Description |
---|---|
str
|
the standardised discovery document URL. Note that no attempt to fetch this document is |
str
|
made. |
Source code in requests_oauth2client/discovery.py
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
|
oidc_discovery_document_url(issuer)
¶
Construct the OIDC discovery document url for a given issuer
.
Given an issuer
identifier, return the standardised URL where the OIDC discovery document can
be retrieved.
The returned URL is biuilt as specified in OpenID Connect Discovery 1.0.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
issuer |
str
|
an OIDC Authentication Server |
required |
Returns:
Type | Description |
---|---|
str
|
the standardised discovery document URL. Note that no attempt to fetch this document is |
str
|
made. |
Source code in requests_oauth2client/discovery.py
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
|
well_known_uri(origin, name, *, at_root=True)
¶
Return the location of a well-known document on an origin url.
See RFC8615 and OIDC Discovery.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
origin |
str
|
origin to use to build the well-known uri. |
required |
name |
str
|
document name to use to build the well-known uri. |
required |
at_root |
bool
|
if |
True
|
Returns:
Type | Description |
---|---|
str
|
the well-know uri, relative to origin, where the well-known document named |
str
|
found. |
Source code in requests_oauth2client/discovery.py
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
|
api_client
¶
ApiClient
main module.
ApiClient
¶
A Wrapper around requests.Session with extra features for REST API calls.
Additional features compared to using a requests.Session directly:
- You must set a root url at creation time, which then allows passing relative urls at request time.
- It may also raise exceptions instead of returning error responses.
- You can also pass additional kwargs at init time, which will be used to configure the Session, instead of setting them later.
- for parameters passed as
json
,params
ordata
, values that areNone
can be automatically discarded from the request - boolean values in
data
orparams
fields can be serialized to values that are suitable for the target API, like"true"
or"false"
, or"1"
/"0"
, instead of the default values"True"
or"False"
.
base_url
will serve as root for relative urls passed to
ApiClient.request(),
ApiClient.get(), etc.
An HTTPError
will be raised everytime an API call returns an error code (>= 400), unless
you set raise_for_status
to False
. Additional parameters passed at init time, including
auth
will be used to configure the Session.
Usage
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
|
Parameters:
Name | Type | Description | Default |
---|---|---|---|
base_url |
str
|
the base api url, that is the root for all the target API endpoints. |
required |
auth |
AuthBase | None
|
the requests.auth.AuthBase to use as authentication handler. |
None
|
timeout |
int | None
|
the default timeout, in seconds, to use for each request from this |
60
|
raise_for_status |
bool
|
if |
True
|
none_fields |
Literal['include', 'exclude', 'empty']
|
what to do with parameters with value
|
'exclude'
|
bool_fields |
tuple[Any, Any] | None
|
a tuple of (true_value, false_value). Fields from |
('true', 'false')
|
session |
Session | None
|
a preconfigured |
None
|
**session_kwargs |
Any
|
additional kwargs to configure the underlying |
{}
|
Source code in requests_oauth2client/api_client.py
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 |
|
request(method, url=None, *, params=None, data=None, headers=None, cookies=None, files=None, auth=None, timeout=None, allow_redirects=False, proxies=None, hooks=None, stream=None, verify=None, cert=None, json=None, raise_for_status=None, none_fields=None, bool_fields=None)
¶
Overridden request
method with extra features.
Features added compared to plain request():
- takes a relative path instead of a full url, which will be appended to the base_url
- it can raise an exception when the API returns a non-success status code
- allow_redirects is False by default (since API usually don't use redirects)
data
orjson
fields with valueNone
can either be included or excluded from the request- boolean fields can be serialized to
'true'
or'false'
instead of'True'
and'False'
Parameters:
Name | Type | Description | Default |
---|---|---|---|
method |
str
|
the HTTP method to use |
required |
url |
None | str | bytes | Iterable[str | bytes | int]
|
the url where the request will be sent to. Can be a path, as str ; that path will be joined to the configured API url. Can also be an iterable of path segments, that will be joined to the root url. |
None
|
raise_for_status |
bool | None
|
like the parameter of the same name from |
None
|
none_fields |
Literal['include', 'exclude', 'empty'] | None
|
like the parameter of the same name from |
None
|
bool_fields |
tuple[Any, Any] | None
|
like the parameter of the same name from |
None
|
Returns:
Type | Description |
---|---|
Response
|
a requests.Response as returned by requests |
Source code in requests_oauth2client/api_client.py
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 |
|
to_absolute_url(relative_url=None)
¶
Convert a relative url to an absolute url.
Given a relative_url
, return the matching absolute url, based on the base_url
that is
configured for this API.
The result of this method is different from a standard urljoin()
, because a relative_url
that starts with a "/" will not override the path from the base url. You can also pass an
iterable of path parts as relative url, which will be properly joined with "/". Those parts
may be str
(which will be urlencoded) or bytes
(which will be decoded as UTF-8 first) or
any other type (which will be converted to str
first, using the str() function
). See the
table below for example results which would exhibit most cases:
base_url | relative_url | result_url |
---|---|---|
"https://myhost.com/root" | "/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | "/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | b"/path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | "path" | "https://myhost.com/root/path" |
"https://myhost.com/root" | None | "https://myhost.com/root" |
"https://myhost.com/root" | ("user", 1, "resource") | "https://myhost.com/root/user/1/resource" |
"https://myhost.com/root" | "https://otherhost.org/foo" | ValueError |
Parameters:
Name | Type | Description | Default |
---|---|---|---|
relative_url |
None | str | bytes | Iterable[str | bytes | int]
|
a relative url |
None
|
Returns:
Type | Description |
---|---|
str
|
the resulting absolute url |
Source code in requests_oauth2client/api_client.py
256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 |
|
get(url=None, raise_for_status=None, **kwargs)
¶
Send a GET request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
None | str | bytes | Iterable[str | bytes | int]
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that request() takes. |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
|
post(url=None, raise_for_status=None, **kwargs)
¶
Send a POST request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
an url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 |
|
patch(url=None, raise_for_status=None, **kwargs)
¶
Send a PATCH request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
an url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
Optional arguments that |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 |
|
put(url=None, raise_for_status=None, **kwargs)
¶
Send a PUT request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
additional kwargs for |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 |
|
delete(url=None, raise_for_status=None, **kwargs)
¶
Send a DELETE request. Return a Response object.
The passed url
may be relative to the url passed at initialization time. It takes the same
parameters as ApiClient.request().
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | bytes | Iterable[str | bytes] | None
|
a url where the request will be sent. |
None
|
raise_for_status |
bool | None
|
overrides the |
None
|
**kwargs |
Any
|
additional kwargs for |
{}
|
Returns:
Type | Description |
---|---|
Response
|
a Response object. |
Raises:
Type | Description |
---|---|
HTTPError
|
if |
Source code in requests_oauth2client/api_client.py
422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 |
|
auth
¶
This module contains requests
-compatible Auth Handlers that implement OAuth 2.0.
BearerAuth
¶
Bases: AuthBase
An Auth Handler that includes a Bearer Token in API calls, as defined in RFC6750$2.1.
As a prerequisite to using this AuthBase
, you have to obtain an access token manually.
You most likely don't want to do that by yourself, but instead use an instance of
OAuth2Client to do that for you.
See the others Auth Handlers in this module, which will automatically obtain
access tokens from an OAuth 2.x server.
Usage
1 2 |
|
The HTTP request will look like:
1 2 3 |
|
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken | None
|
a BearerToken or a string
to use as token for this Auth Handler. If |
None
|
Source code in requests_oauth2client/auth.py
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 |
|
token: BearerToken | None
property
writable
¶
Return the [BearerToken] that is used for authorization against the API.
Returns:
Type | Description |
---|---|
BearerToken | None
|
the configured BearerToken used with this |
BearerToken | None
|
AuthHandler. |
BaseOAuth2RenewableTokenAuth
¶
Bases: BearerAuth
Base class for BearerToken-based Auth Handlers, with an obtainable or renewable token.
In addition to adding a properly formatted Authorization
header, this will obtain a new token
once the current token is expired. Expiration is detected based on the expires_in
hint
returned by the AS. A configurable leeway
, in number of seconds, will make sure that a new
token is obtained some seconds before the actual expiration is reached. This may help in
situations where the client, AS and RS have slightly offset clocks.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client |
required |
token |
None | BearerToken | str
|
an initial Access Token, if you have one already. In most cases, leave |
None
|
leeway |
int
|
expiration leeway, in number of seconds |
20
|
token_kwargs |
Any
|
additional kwargs to include in token requests |
{}
|
Source code in requests_oauth2client/auth.py
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 |
|
renew_token()
¶
Obtain a new Bearer Token.
Subclasses should implement this.
Source code in requests_oauth2client/auth.py
139 140 141 142 143 144 145 |
|
forget_token()
¶
Forget the current token, forcing a renewal on the next HTTP request.
Source code in requests_oauth2client/auth.py
147 148 149 |
|
OAuth2ClientCredentialsAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
An Auth Handler for the Client Credentials grant.
This requests AuthBase automatically gets Access Tokens from an OAuth 2.0 Token Endpoint with the Client Credentials grant, and will get a new one once the current one is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
**token_kwargs |
Any
|
extra kw parameters to pass to the Token Endpoint. May include |
{}
|
Usage
1 2 3 |
|
Source code in requests_oauth2client/auth.py
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
|
renew_token()
¶
Obtain a new token for use within this Auth Handler.
Source code in requests_oauth2client/auth.py
172 173 174 175 |
|
OAuth2AccessTokenAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
Authentication Handler for OAuth 2.0 Access Tokens and (optional) Refresh Tokens.
This Requests Auth handler implementation uses an access token as Bearer token, and can automatically refresh it when expired, if a refresh token is available.
Token can be a simple str
containing a raw access token value, or a
BearerToken that can contain a refresh_token. If a
refresh_token and an expiration date are available, this Auth Handler will automatically refresh
the access token once it is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to refresh tokens. |
required |
token |
None | BearerToken | str
|
a access token that has been previously obtained |
None
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) token = BearerToken( access_token="access_token", expires_in=600, refresh_token="refresh_token" ) # obtain a BearerToken any way you see fit, including a refresh token oauth2at_auth = OAuth2ClientCredentialsAuth(client, token, scope="my_scope") resp = requests.post("https://my.api.local/resource", auth=oauth2at_auth) ````
Source code in requests_oauth2client/auth.py
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 |
|
renew_token()
¶
Obtain a new token, using the Refresh Token, if available.
Source code in requests_oauth2client/auth.py
206 207 208 209 210 |
|
OAuth2AuthorizationCodeAuth
¶
Bases: OAuth2AccessTokenAuth
Authentication handler for the Authorization Code grant.
This Requests Auth handler implementation exchanges an Authorization Code for an access token, then automatically refreshes it once it is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
code |
str | AuthorizationResponse
|
an Authorization Code that has been obtained from the AS. |
required |
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) code = "my_code" # you must obtain this code yourself resp = requests.post("https://my.api.local/resource", auth=OAuth2AuthorizationCodeAuth(client, code)) ````
Source code in requests_oauth2client/auth.py
213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 |
|
exchange_code_for_token()
¶
Obtain the initial access token with the authorization_code grant.
Source code in requests_oauth2client/auth.py
262 263 264 265 266 |
|
OAuth2ResourceOwnerPasswordAuth
¶
Bases: BaseOAuth2RenewableTokenAuth
Authentication Handler for the Resource Owner Password Flow.
This Requests Auth handler implementation exchanges the user credentials for an Access Token, then automatically obtains a new one once it is expired.
Note that this flow is considered deprecated, and the Authorization Code flow should be used whenever possible. Among other bad things, ROPC does not support SSO nor MFA and depends on the user typing its credentials directly inside the application instead of on a dedicated login page, which makes it totally insecure for 3rd party apps.
It needs the username and password and an OAuth2Client to be able to get a token from the AS Token Endpoint just before the first request using this Auth Handler is being sent.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens |
required |
username |
str
|
the username |
required |
password |
str
|
the user password |
required |
leeway |
int
|
an amount of time, in seconds |
20
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint |
{}
|
Source code in requests_oauth2client/auth.py
269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 |
|
renew_token()
¶
Exchange the user credentials for an Access Token.
Source code in requests_oauth2client/auth.py
306 307 308 309 310 311 312 313 |
|
OAuth2DeviceCodeAuth
¶
Bases: OAuth2AccessTokenAuth
Authentication Handler for the Device Code Flow.
This Requests Auth handler implementation exchanges a Device Code for an Access Token, then automatically refreshes it once it is expired.
It needs a Device Code and an OAuth2Client to be able to get a token from the AS Token Endpoint just before the first request using this Auth Handler is being sent.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client to use to obtain Access Tokens. |
required |
device_code |
str | DeviceAuthorizationResponse
|
a Device Code obtained from the AS. |
required |
interval |
int
|
the interval to use to pool the Token Endpoint, in seconds. |
5
|
expires_in |
int
|
the lifetime of the token, in seconds. |
360
|
**token_kwargs |
Any
|
additional kwargs to pass to the token endpoint. |
{}
|
Usage
```python client = OAuth2Client(token_endpoint="https://my.as.local/token", auth=("client_id", "client_secret")) device_code = client.device_authorization() auth = OAuth2DeviceCodeAuth(client, device_code) resp = requests.post("https://my.api.local/resource", auth=auth) ````
Source code in requests_oauth2client/auth.py
316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 |
|
exchange_device_code_for_token()
¶
Exchange the Device Code for an access token.
This will poll the Token Endpoint until the user finishes the authorization process.
Source code in requests_oauth2client/auth.py
374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 |
|
authorization_request
¶
Classes and utilities related to Authorization Requests and Responses.
PkceUtils
¶
Contains helper methods for PKCE, as described in RFC7636.
See RFC7636.
Source code in requests_oauth2client/authorization_request.py
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
|
code_verifier_re = re.compile('^[a-zA-Z0-9_\\-~.]{43,128}$')
class-attribute
instance-attribute
¶
A regex that matches valid code verifiers.
generate_code_verifier()
classmethod
¶
Generate a valid code_verifier
.
Returns:
Type | Description |
---|---|
str
|
a |
Source code in requests_oauth2client/authorization_request.py
40 41 42 43 44 45 46 47 48 |
|
derive_challenge(verifier, method='S256')
classmethod
¶
Derive the code_challenge
from a given code_verifier
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
verifier |
str | bytes
|
a code verifier |
required |
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
str
|
a |
Source code in requests_oauth2client/authorization_request.py
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
|
generate_code_verifier_and_challenge(method='S256')
classmethod
¶
Generate a valid code_verifier
and derive its code_challenge
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
tuple[str, str]
|
a |
Source code in requests_oauth2client/authorization_request.py
80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
|
validate_code_verifier(verifier, challenge, method='S256')
classmethod
¶
Validate a code_verifier
against a code_challenge
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
verifier |
str
|
the |
required |
challenge |
str
|
the |
required |
method |
str
|
the method to use for deriving the challenge. Accepts 'S256' or 'plain'. |
'S256'
|
Returns:
Type | Description |
---|---|
bool
|
|
Source code in requests_oauth2client/authorization_request.py
95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
|
CodeChallengeMethods
¶
Bases: str
, Enum
PKCE Code Challenge Methods.
Source code in requests_oauth2client/authorization_request.py
111 112 113 114 115 |
|
AuthorizationResponse
¶
Represent a successful Authorization Response.
An Authorization Response is the redirection initiated by the AS to the client's redirection
endpoint (redirect_uri) after an Authorization Request. This Response is typically created with
a call to AuthorizationRequest.validate_callback()
once the call to the client Redirection
Endpoint is made. AuthorizationResponse contains the following, all accessible as attributes:
- all the parameters that have been returned by the AS, most notably the
code
, and optional parameters such asstate
. - the redirect_uri that was used for the Authorization Request
- the code_verifier matching the code_challenge that was used for the Authorization Request
Parameters redirect_uri
and code_verifier
must be those from the matching
AuthorizationRequest
. All other parameters including code
and state
must be those
extracted from the Authorization Response parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
code |
str
|
the authorization code returned by the AS |
required |
redirect_uri |
str | None
|
the redirect_uri that was passed as parameter in the AuthorizationRequest |
None
|
code_verifier |
str | None
|
the code_verifier matching the code_challenge that was passed as parameter in the AuthorizationRequest |
None
|
state |
str | None
|
the state returned by the AS |
None
|
**kwargs |
str
|
other parameters as returned by the AS |
{}
|
Source code in requests_oauth2client/authorization_request.py
118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 |
|
AuthorizationRequest
¶
Represent an Authorization Request.
This class makes it easy to generate valid Authorization Request URI (possibly including a state, nonce, PKCE, and custom args), to store all parameters, and to validate an Authorization Response.
All parameters passed at init time will be included in the request query parameters as-is, excepted for a few parameters which have a special behaviour:
state
: if...
(default), a randomstate
parameter will be generated for you. You may pass your ownstate
asstr
, or set it toNone
so that thestate
parameter will not be included in the request. You may access that state in thestate
attribute from this request.nonce
: if...
(default) andscope
includes 'openid', a randomnonce
will be generated and included in the request. You may access thatnonce
in thenonce
attribute from this request.code_verifier
: ifNone
, andcode_challenge_method
is'S256'
or'plain'
, a validcode_challenge
andcode_verifier
for PKCE will be automatically generated, and thecode_challenge
will be included in the request. You may pass your owncode_verifier
as astr
parameter, in which case the appropriatecode_challenge
will be included in the request, according to thecode_challenge_method
.authorization_response_iss_parameter_supported
andissuer
: those are used for Server Issuer Identification. Ifìssuer
is set and an issuer is included in the Authorization Response, then the consistency between those 2 values will be checked when usingvalidate_callback()
. If issuer is not included in the response, andauthorization_response_iss_parameter_supported
isFalse
(default), then no issuer check is performed. Setauthorization_response_iss_parameter_supported
toTrue
to enforce server identification: if no issuer is included in the Authorization Response, then an error will be raised instead.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the uri for the authorization endpoint. |
required |
client_id |
str
|
the client_id to include in the request. |
required |
redirect_uri |
str | None
|
the redirect_uri to include in the request. This is required in OAuth 2.0 and optional
in OAuth 2.1. Pass |
None
|
scope |
None | str | Iterable[str]
|
the scope to include in the request, as an iterable of |
'openid'
|
response_type |
str
|
the response type to include in the request. |
'code'
|
state |
str | ellipsis | None
|
the state to include in the request, or |
...
|
nonce |
str | ellipsis | None
|
the nonce to include in the request, or |
...
|
code_verifier |
str | None
|
the code verifier to include in the request.
If left as |
None
|
code_challenge_method |
str | None
|
the method to use to derive the |
'S256'
|
acr_values |
str | Iterable[str] | None
|
requested Authentication Context Class Reference values. |
None
|
issuer |
str | None
|
Issuer Identifier value from the OAuth/OIDC Server, if using Server Issuer Identification. |
None
|
**kwargs |
Any
|
extra parameters to include in the request, as-is. |
{}
|
Source code in requests_oauth2client/authorization_request.py
201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 |
|
args: dict[str, Any]
property
¶
Return a dict with all the query parameters from this AuthorizationRequest.
Returns:
Type | Description |
---|---|
dict[str, Any]
|
a dict of parameters |
furl: furl
property
¶
Return the Authorization Request URI, as a furl
.
uri: str
property
¶
Return the Authorization Request URI, as a str
.
generate_state()
classmethod
¶
Generate a random state
parameter.
Source code in requests_oauth2client/authorization_request.py
279 280 281 282 |
|
generate_nonce()
classmethod
¶
Generate a random nonce
.
Source code in requests_oauth2client/authorization_request.py
284 285 286 287 |
|
as_dict()
¶
Return the full argument dict.
This can be used to serialize this request and/or to initialize a similar request.
Source code in requests_oauth2client/authorization_request.py
371 372 373 374 375 376 377 378 379 380 |
|
validate_callback(response)
¶
Validate an Authorization Response against this Request.
Validate a given Authorization Response URI against this Authorization Request, and return an AuthorizationResponse.
This includes matching the state
parameter, checking for returned errors, and extracting
the returned code
and other parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
str
|
the Authorization Response URI. This can be the full URL, or just the query parameters (still encoded as x-www-form-urlencoded). |
required |
Returns:
Type | Description |
---|---|
AuthorizationResponse
|
the extracted code, if all checks are successful |
Raises:
Type | Description |
---|---|
MismatchingIssuer
|
if the 'iss' received from the response does not match the expected value. |
MismatchingState
|
if the response |
OAuth2Error
|
if the response includes an error. |
MissingAuthCode
|
if the response does not contain a |
NotImplementedError
|
if response_type anything else than 'code'. |
Source code in requests_oauth2client/authorization_request.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 |
|
sign_request_jwt(jwk, alg=None, lifetime=None)
¶
Sign the request
object that matches this Authorization Request parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
alg |
str | None
|
the alg to use to sign the request, if the provided |
None
|
lifetime |
int | None
|
an optional number of seconds of validity for the signed request.
If present, |
None
|
Returns:
Type | Description |
---|---|
SignedJwt
|
a |
Source code in requests_oauth2client/authorization_request.py
463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 |
|
sign(jwk, alg=None, lifetime=None, **kwargs)
¶
Sign this Authorization Request and return a new one.
This replaces all parameters with a signed request
JWT.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
alg |
str | None
|
the alg to use to sign the request, if the provided |
None
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, don't use an 'exp' claim. |
None
|
kwargs |
Any
|
additional query parameters to include in the signed authorization request |
{}
|
Returns:
Type | Description |
---|---|
RequestParameterAuthorizationRequest
|
the signed Authorization Request |
Source code in requests_oauth2client/authorization_request.py
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 |
|
sign_and_encrypt_request_jwt(sign_jwk, enc_jwk, sign_alg=None, enc_alg=None, enc='A128CBC-HS256', lifetime=None)
¶
Sign and encrypt a request
object for this Authorization Request.
The signed request
will contain the same parameters as this AuthorizationRequest.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
sign_jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
enc_jwk |
Jwk | dict[str, Any]
|
the JWK to use to encrypt the request |
required |
sign_alg |
str | None
|
the alg to use to sign the request, if |
None
|
enc_alg |
str | None
|
the alg to use to encrypt the request, if |
None
|
enc |
str
|
the encoding to use to encrypt the request. |
'A128CBC-HS256'
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, do not include an 'exp' claim. |
None
|
Returns:
Type | Description |
---|---|
JweCompact
|
the signed and encrypted request object, as a |
Source code in requests_oauth2client/authorization_request.py
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 |
|
sign_and_encrypt(sign_jwk, enc_jwk, sign_alg=None, enc_alg=None, enc='A128CBC-HS256', lifetime=None)
¶
Sign and encrypt the current Authorization Request.
This replaces all parameters with a matching request
object.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
sign_jwk |
Jwk | dict[str, Any]
|
the JWK to use to sign the request |
required |
enc_jwk |
Jwk | dict[str, Any]
|
the JWK to use to encrypt the request |
required |
sign_alg |
str | None
|
the alg to use to sign the request, if |
None
|
enc_alg |
str | None
|
the alg to use to encrypt the request, if |
None
|
enc |
str
|
the encoding to use to encrypt the request. |
'A128CBC-HS256'
|
lifetime |
int | None
|
lifetime of the resulting Jwt (used to calculate the 'exp' claim). By default, do not include an 'exp' claim. |
None
|
Returns:
Type | Description |
---|---|
RequestParameterAuthorizationRequest
|
a |
Source code in requests_oauth2client/authorization_request.py
561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 |
|
on_response_error(response)
¶
Error handler for Authorization Response errors.
Triggered by validate_callback() if the response uri contains an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
str
|
the Authorization Response URI. This can be the full URL, or just the query parameters. |
required |
Returns:
Type | Description |
---|---|
AuthorizationResponse
|
may return a default code that will be returned by |
AuthorizationResponse
|
will most likely raise exceptions instead. |
Source code in requests_oauth2client/authorization_request.py
601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 |
|
RequestParameterAuthorizationRequest
¶
Represent an Authorization Request that includes a request
JWT.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the Authorization Endpoint uri |
required |
client_id |
str
|
the client_id |
required |
request |
str
|
the request JWT |
required |
expires_at |
datetime | None
|
the expiration date for this request |
None
|
kwargs |
Any
|
extra parameters to include in the request |
{}
|
Source code in requests_oauth2client/authorization_request.py
645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 |
|
RequestUriParameterAuthorizationRequest
¶
Represent an Authorization Request that includes a request_uri
parameter.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_endpoint |
str
|
the Authorization Endpoint uri |
required |
client_id |
str
|
the client_id |
required |
request_uri |
str
|
the request_uri |
required |
expires_at |
datetime | None
|
the expiration date for this request |
None
|
kwargs |
Any
|
extra parameters to include in the request |
{}
|
Source code in requests_oauth2client/authorization_request.py
708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 |
|
AuthorizationRequestSerializer
¶
(De)Serializer for AuthorizationRequest
instances.
You might need to store pending authorization requests in session, either server-side or client- side. This class is here to help you do that.
Source code in requests_oauth2client/authorization_request.py
766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 |
|
default_dumper(azr)
staticmethod
¶
Provide a default dumper implementation.
Serialize an AuthorizationRequest as JSON, then compress with deflate, then encodes as base64url.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
azr |
AuthorizationRequest
|
the |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized value |
Source code in requests_oauth2client/authorization_request.py
782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 |
|
default_loader(serialized, azr_class=AuthorizationRequest)
staticmethod
¶
Provide a default deserializer implementation.
This does the opposite operations than default_dumper
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized AuthorizationRequest |
required |
azr_class |
type[AuthorizationRequest]
|
the class to deserialize the Authorization Request to |
AuthorizationRequest
|
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
an AuthorizationRequest |
Source code in requests_oauth2client/authorization_request.py
801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 |
|
dumps(azr)
¶
Serialize and compress a given AuthorizationRequest for easier storage.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
azr |
AuthorizationRequest
|
an AuthorizationRequest to serialize |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized AuthorizationRequest, as a str |
Source code in requests_oauth2client/authorization_request.py
820 821 822 823 824 825 826 827 828 829 830 |
|
loads(serialized)
¶
Deserialize a serialized AuthorizationRequest.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized AuthorizationRequest |
required |
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
the deserialized AuthorizationRequest |
Source code in requests_oauth2client/authorization_request.py
832 833 834 835 836 837 838 839 840 841 842 |
|
backchannel_authentication
¶
Implementation of CIBA.
CIBA stands for Client Initiated BackChannel Authentication and is standardised by the OpenID Fundation. https://openid.net/specs/openid-client-initiated-backchannel- authentication-core-1_0.html.
BackChannelAuthenticationResponse
¶
Represent a BackChannel Authentication Response.
This contains all the parameters that are returned by the AS as a result of a BackChannel
Authentication Request, such as auth_req_id
(required), and the optional expires_at
,
interval
, and/or any custom parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
auth_req_id |
str
|
the |
required |
expires_at |
datetime | None
|
the date when the |
None
|
interval |
int | None
|
the Token Endpoint pooling interval, in seconds, as returned by the AS. |
20
|
**kwargs |
Any
|
any additional custom parameters as returned by the AS. |
{}
|
Source code in requests_oauth2client/backchannel_authentication.py
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
|
is_expired(leeway=0)
¶
Return True
if the auth_req_id
within this response is expired.
Expiration is evaluated at the time of the call. If there is no "expires_at" hint (which is
derived from the expires_in
hint returned by the AS BackChannel Authentication endpoint),
this will return None
.
Returns:
Type | Description |
---|---|
bool | None
|
|
bool | None
|
no |
Source code in requests_oauth2client/backchannel_authentication.py
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
|
BackChannelAuthenticationPoolingJob
¶
Bases: TokenEndpointPoolingJob
A pooling job for the BackChannel Authentication flow.
This will poll the Token Endpoint until the user finishes with its authentication.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client that will be used to pool the token endpoint. |
required |
auth_req_id |
str | BackChannelAuthenticationResponse
|
an |
required |
interval |
int | None
|
The pooling interval to use. This overrides the one in |
None
|
slow_down_interval |
int
|
Number of seconds to add to the pooling interval when the AS returns a slow down request. |
5
|
requests_kwargs |
dict[str, Any] | None
|
Additional parameters for the underlying calls to requests.request. |
None
|
**token_kwargs |
Any
|
Additional parameters for the token request. |
{}
|
auth=("client_id", "client_secret") ) pool_job = BackChannelAuthenticationPoolingJob( client=client, auth_req_id="my_auth_req_id" )
1 |
|
Source code in requests_oauth2client/backchannel_authentication.py
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 |
|
token_request()
¶
Implement the CIBA token request.
This actually calls [OAuth2Client.ciba(auth_req_id)] on client
.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/backchannel_authentication.py
136 137 138 139 140 141 142 143 144 145 |
|
client
¶
This module contains the OAuth2Client
class.
OAuth2Client
¶
An OAuth 2.x Client, that can send requests to an OAuth 2.x Authorization Server.
OAuth2Client
is able to obtain tokens from the Token Endpoint using any of the standardised
Grant Types, and to communicate with the various backend endpoints like the Revocation,
Introspection, and UserInfo Endpoint.
To init an OAuth2Client, you only need the url to the Token Endpoint and the Credentials (a client_id and one of a secret or private_key) that will be used to authenticate to that endpoint. Other endpoint urls, such as the Authorization Endpoint, Revocation Endpoint, etc. can be passed as parameter as well if you intend to use them.
This class is not intended to help with the end-user authentication or any request that goes in
a browser. For authentication requests, see
AuthorizationRequest. You
may use the method authorization_request()
to generate AuthorizationRequest
s with the
preconfigured authorization_endpoint
, client_id
and `redirect_uri' from this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token_endpoint |
str
|
the Token Endpoint URI where this client will get access tokens |
required |
auth |
AuthBase | tuple[str, str] | tuple[str, Jwk] | tuple[str, dict[str, Any]] | str | None
|
the authentication handler to use for client authentication on the token endpoint. Can be:
|
None
|
client_id |
str | None
|
client ID (use either this or |
None
|
client_secret |
str | None
|
client secret (use either this or |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private_key to use for client authentication (use either this or |
None
|
revocation_endpoint |
str | None
|
the Revocation Endpoint URI to use for revoking tokens |
None
|
introspection_endpoint |
str | None
|
the Introspection Endpoint URI to use to get info about tokens |
None
|
userinfo_endpoint |
str | None
|
the Userinfo Endpoint URI to use to get information about the user |
None
|
authorization_endpoint |
str | None
|
the Authorization Endpoint URI, used for initializing Authorization Requests |
None
|
redirect_uri |
str | None
|
the redirect_uri for this client |
None
|
backchannel_authentication_endpoint |
str | None
|
the BackChannel Authentication URI |
None
|
device_authorization_endpoint |
str | None
|
the Device Authorization Endpoint URI to use to authorize devices |
None
|
jwks_uri |
str | None
|
the JWKS URI to use to obtain the AS public keys |
None
|
code_challenge_method |
str
|
challenge method to use for PKCE (should always be 'S256') |
'S256'
|
session |
Session | None
|
a requests Session to use when sending HTTP requests. Useful if some extra parameters such as proxy or client certificate must be used to connect to the AS. |
None
|
testing |
bool
|
if |
False
|
**extra_metadata |
Any
|
additional metadata for this client, unused by this class, but may be
used by subclasses. Those will be accessible with the |
{}
|
Usage
1 2 3 4 5 6 7 8 9 10 11 |
|
Source code in requests_oauth2client/client.py
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 |
|
client_id: str
property
¶
Client ID.
client_secret: str | None
property
¶
Client Secret.
client_jwks: JwkSet
property
¶
A JwkSet
containing the public keys for this client.
Keys are:
- the public key for client assertion signature verification (if using private_key_jwt)
- the ID Token encryption key
validate_endpoint_uri(attribute, uri)
¶
Validate that an endpoint URI is suitable for use.
If you need to disable some checks (for AS testing purposes only!), provide a different method here.
Source code in requests_oauth2client/client.py
255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 |
|
validate_issuer_uri(attribute, uri)
¶
Validate that an Issuer identifier is suitable for use.
This is the same check as an endpoint URI, but the path may be (and usually is) empty.
Source code in requests_oauth2client/client.py
279 280 281 282 283 284 285 286 287 288 289 290 291 292 |
|
token_request(data, timeout=10, **requests_kwargs)
¶
Send a request to the token endpoint.
Authentication will be added automatically based on the defined auth
for this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
data |
dict[str, Any]
|
parameters to send to the token endpoint. Items with a |
required |
timeout |
int
|
a timeout value for the call |
10
|
**requests_kwargs |
Any
|
additional parameters for requests.post() |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
the token endpoint response, as |
BearerToken
|
|
Source code in requests_oauth2client/client.py
369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 |
|
parse_token_response(response)
¶
Parse a Response returned by the Token Endpoint.
Invoked by token_request to parse
responses returned by the Token Endpoint. Those responses contain an access_token
and
additional attributes.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response returned by the Token Endpoint. |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
a |
BearerToken
|
contents. |
Source code in requests_oauth2client/client.py
400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 |
|
on_token_error(response)
¶
Error handler for token_request()
.
Invoked by token_request when the Token Endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response returned by the Token Endpoint. |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
nothing, and raises an exception instead. But a subclass may return a |
BearerToken
|
|
BearerToken
|
behaviour if needed. |
Source code in requests_oauth2client/client.py
425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 |
|
client_credentials(scope=None, *, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint using the client_credentials
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
str | Iterable[str] | None
|
the scope to send with the request. Can be a str, or an iterable of str.
to pass that way include |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a TokenResponse |
Source code in requests_oauth2client/client.py
451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 |
|
authorization_code(code, *, validate=True, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint with the authorization_code
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
code |
str | AuthorizationResponse
|
an authorization code or an |
required |
validate |
bool
|
if |
True
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 |
|
refresh_token(refresh_token, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint with the refresh_token
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
refresh_token |
str | BearerToken
|
a refresh_token, as a string, or as a |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint,
alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 |
|
device_code(device_code, requests_kwargs=None, **token_kwargs)
¶
Send a request to the token endpoint using the Device Code grant.
The grant_type is urn:ietf:params:oauth:grant-type:device_code
. This needs a Device Code,
or a DeviceAuthorizationResponse
as parameter.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
device_code |
str | DeviceAuthorizationResponse
|
a device code, or a |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 |
|
ciba(auth_req_id, requests_kwargs=None, **token_kwargs)
¶
Send a CIBA request to the Token Endpoint.
A CIBA request is a Token Request using the urn:openid:params:grant-type:ciba
grant.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
auth_req_id |
str | BackChannelAuthenticationResponse
|
an authentication request ID, as returned by the AS |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the call to requests |
None
|
**token_kwargs |
Any
|
additional parameters for the token endpoint, alongside |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 |
|
token_exchange(subject_token, subject_token_type=None, actor_token=None, actor_token_type=None, requested_token_type=None, requests_kwargs=None, **token_kwargs)
¶
Send a Token Exchange request.
A Token Exchange request is actually a request to the Token Endpoint with a grant_type
urn:ietf:params:oauth:grant-type:token-exchange
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
subject_token |
str | BearerToken | IdToken
|
the subject token to exchange for a new token. |
required |
subject_token_type |
str | None
|
a token type identifier for the subject_token, mandatory if it cannot be guessed based
on |
None
|
actor_token |
None | str | BearerToken | IdToken
|
the actor token to include in the request, if any. |
None
|
actor_token_type |
str | None
|
a token type identifier for the actor_token, mandatory if it cannot be guessed based
on |
None
|
requested_token_type |
str | None
|
a token type identifier for the requested token. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 |
|
jwt_bearer(assertion, requests_kwargs=None, **token_kwargs)
¶
Send a request using a JWT as authorization grant.
This is defined in (RFC7523 $2.1)[https://www.rfc-editor.org/rfc/rfc7523.html#section-2.1).
Parameters:
Name | Type | Description | Default |
---|---|---|---|
assertion |
Jwt | str
|
a JWT (as an instance of |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 |
|
resource_owner_password(username, password, requests_kwargs=None, **token_kwargs)
¶
Send a request using the Resource Owner Password Grant.
This Grant Type is deprecated and should only be used when there is no other choice.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
username |
str
|
the resource owner user name |
required |
password |
str
|
the resource owner password |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the underlying |
None
|
**token_kwargs |
Any
|
additional parameters to include in the request body. |
{}
|
Returns:
Type | Description |
---|---|
BearerToken
|
a |
Source code in requests_oauth2client/client.py
700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 |
|
authorization_request(*, scope='openid', response_type='code', redirect_uri=None, state=..., nonce=..., code_verifier=None, **kwargs)
¶
Generate an Authorization Request for this client.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
None | str | Iterable[str]
|
the |
'openid'
|
response_type |
str
|
the |
'code'
|
redirect_uri |
str | None
|
the |
None
|
state |
str | ellipsis | None
|
the |
...
|
nonce |
str | ellipsis | None
|
a |
...
|
code_verifier |
str | None
|
the PKCE |
None
|
**kwargs |
Any
|
additional parameters to include in the auth request |
{}
|
Returns:
Type | Description |
---|---|
AuthorizationRequest
|
an AuthorizationRequest with the supplied parameters |
Source code in requests_oauth2client/client.py
731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 |
|
pushed_authorization_request(authorization_request, requests_kwargs=None)
¶
Send a Pushed Authorization Request.
This sends a request to the Pushed Authorization Request Endpoint, and returns a
RequestUriParameterAuthorizationRequest
initialized with the AS response.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
authorization_request |
AuthorizationRequest
|
the authorization request to send |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
the |
Source code in requests_oauth2client/client.py
787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 |
|
parse_pushed_authorization_response(response)
¶
Parse the response obtained by pushed_authorization_request()
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the |
required |
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
a RequestUriParameterAuthorizationRequest instance |
Source code in requests_oauth2client/client.py
815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 |
|
on_pushed_authorization_request_error(response)
¶
Error Handler for Pushed Authorization Endpoint errors.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the HTTP response as returned by the AS PAR endpoint. |
required |
Returns:
Type | Description |
---|---|
RequestUriParameterAuthorizationRequest
|
a RequestUriParameterAuthorizationRequest, if the error is recoverable |
Raises:
Type | Description |
---|---|
EndpointError
|
a subclass of this error depending on the error returned by the AS |
InvalidPushedAuthorizationResponse
|
if the returned response is not following the |
specifications UnknownTokenEndpointError
|
for unknown/unhandled errors |
Source code in requests_oauth2client/client.py
838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 |
|
userinfo(access_token)
¶
Call the UserInfo endpoint.
This sends a request to the UserInfo endpoint, with the specified access_token, and returns the parsed result.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
BearerToken | str
|
the access token to use |
required |
Returns:
Type | Description |
---|---|
Any
|
the Response returned by the userinfo endpoint. |
Source code in requests_oauth2client/client.py
866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 |
|
parse_userinfo_response(resp)
¶
Parse the response obtained by userinfo()
.
Invoked by userinfo() to parse the response from the UserInfo endpoint, this will extract and return its JSON content.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
resp |
Response
|
a Response returned from the UserInfo endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
the parsed JSON content from this response. |
Source code in requests_oauth2client/client.py
886 887 888 889 890 891 892 893 894 895 896 897 898 899 |
|
on_userinfo_error(resp)
¶
Parse UserInfo error response.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
resp |
Response
|
a Response returned from the UserInfo endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
nothing, raises exception instead. |
Source code in requests_oauth2client/client.py
901 902 903 904 905 906 907 908 909 910 911 |
|
get_token_type(token_type=None, token=None)
classmethod
¶
Get standardized token type identifiers.
Return a standardized token type identifier, based on a short token_type
hint and/or a
token value.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token_type |
str | None
|
a token_type hint, as |
None
|
token |
None | str | BearerToken | IdToken
|
a token value, as an instance of |
None
|
Returns:
Type | Description |
---|---|
str
|
the token_type as defined in the Token Exchange RFC8693. |
Source code in requests_oauth2client/client.py
913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 |
|
revoke_access_token(access_token, requests_kwargs=None, **revoke_kwargs)
¶
Send a request to the Revocation Endpoint to revoke an access token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
BearerToken | str
|
the access token to revoke |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the underlying requests.post() call |
None
|
**revoke_kwargs |
Any
|
additional parameters to pass to the revocation endpoint |
{}
|
Source code in requests_oauth2client/client.py
979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 |
|
revoke_refresh_token(refresh_token, requests_kwargs=None, **revoke_kwargs)
¶
Send a request to the Revocation Endpoint to revoke a refresh token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
refresh_token |
str | BearerToken
|
the refresh token to revoke. |
required |
requests_kwargs |
dict[str, Any] | None
|
additional parameters to pass to the revocation endpoint. |
None
|
**revoke_kwargs |
Any
|
additional parameters to pass to the revocation endpoint. |
{}
|
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
revocation endpoint. |
Source code in requests_oauth2client/client.py
1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 |
|
revoke_token(token, token_type_hint=None, requests_kwargs=None, **revoke_kwargs)
¶
Send a Token Revocation request.
By default, authentication will be the same than the one used for the Token Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken
|
the token to revoke. |
required |
token_type_hint |
str | None
|
a token_type_hint to send to the revocation endpoint. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to the underling call to requests.post() |
None
|
**revoke_kwargs |
Any
|
additional parameters to send to the revocation endpoint. |
{}
|
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
non-standardised error is returned. |
Source code in requests_oauth2client/client.py
1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 |
|
on_revocation_error(response)
¶
Error handler for revoke_token()
.
Invoked by revoke_token() when the revocation endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response as returned by the Revocation Endpoint |
required |
Returns:
Type | Description |
---|---|
bool
|
|
bool
|
revocation response. |
Source code in requests_oauth2client/client.py
1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 |
|
introspect_token(token, token_type_hint=None, requests_kwargs=None, **introspect_kwargs)
¶
Send a request to the Introspection Endpoint.
Parameter token
can be:
- a
str
- a
BearerToken
instance
You may pass any arbitrary token
and token_type_hint
values as str
. Those will
be included in the request, as-is.
If token
is a BearerToken
, then token_type_hint
must be either:
None
: the access_token will be instrospected and no token_type_hint will be included in the requestaccess_token
: same asNone
, but the token_type_hint will be included- or
refresh_token
: only available if a Refresh Token is present in the BearerToken.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
str | BearerToken
|
the token to instrospect |
required |
token_type_hint |
str | None
|
the |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters to the underling call to requests.post() |
None
|
**introspect_kwargs |
Any
|
additional parameters to send to the introspection endpoint. |
{}
|
Returns:
Type | Description |
---|---|
Any
|
the response as returned by the Introspection Endpoint. |
Source code in requests_oauth2client/client.py
1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 |
|
parse_introspection_response(response)
¶
Parse Token Introspection Responses received by introspect_token()
.
Invoked by introspect_token() to parse the returned response. This decodes the JSON content if possible, otherwise it returns the response as a string.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the Response as returned by the Introspection Endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
the decoded JSON content, or a |
Source code in requests_oauth2client/client.py
1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 |
|
on_introspection_error(response)
¶
Error handler for introspect_token()
.
Invoked by introspect_token() to parse the returned response in the case an error is returned.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response as returned by the Introspection Endpoint. |
required |
Returns:
Type | Description |
---|---|
Any
|
usually raises exceptions. A subclass can return a default response instead. |
Source code in requests_oauth2client/client.py
1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 |
|
backchannel_authentication_request(scope='openid', *, client_notification_token=None, acr_values=None, login_hint_token=None, id_token_hint=None, login_hint=None, binding_message=None, user_code=None, requested_expiry=None, private_jwk=None, alg=None, requests_kwargs=None, **ciba_kwargs)
¶
Send a CIBA Authentication Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
scope |
None | str | Iterable[str]
|
the scope to include in the request. |
'openid'
|
client_notification_token |
str | None
|
the Client Notification Token to include in the request. |
None
|
acr_values |
None | str | Iterable[str]
|
the acr values to include in the request. |
None
|
login_hint_token |
str | None
|
the Login Hint Token to include in the request. |
None
|
id_token_hint |
str | None
|
the ID Token Hint to include in the request. |
None
|
login_hint |
str | None
|
the Login Hint to include in the request. |
None
|
binding_message |
str | None
|
the Binding Message to include in the request. |
None
|
user_code |
str | None
|
the User Code to include in the request |
None
|
requested_expiry |
int | None
|
the Requested Expiry, in seconds, to include in the request. |
None
|
private_jwk |
Jwk | dict[str, Any] | None
|
the JWK to use to sign the request (optional) |
None
|
alg |
str | None
|
the alg to use to sign the request, if the provided JWK does not include an "alg" parameter. |
None
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
**ciba_kwargs |
Any
|
additional parameters to include in the request. |
{}
|
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
a BackChannelAuthenticationResponse as returned by AS |
Source code in requests_oauth2client/client.py
1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 |
|
parse_backchannel_authentication_response(response)
¶
Parse a response received by backchannel_authentication_request()
.
Invoked by backchannel_authentication_request() to parse the response returned by the BackChannel Authentication Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the BackChannel Authentication Endpoint. |
required |
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
a |
Source code in requests_oauth2client/client.py
1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 |
|
on_backchannel_authentication_error(response)
¶
Error handler for backchannel_authentication_request()
.
Invoked by backchannel_authentication_request() to parse the response returned by the BackChannel Authentication Endpoint, when it is an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the BackChannel Authentication Endpoint. |
required |
Returns:
Type | Description |
---|---|
BackChannelAuthenticationResponse
|
usually raises an exception. But a subclass can return a default response instead. |
Source code in requests_oauth2client/client.py
1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 |
|
authorize_device(requests_kwargs=None, **data)
¶
Send a Device Authorization Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
**data |
Any
|
additional data to send to the Device Authorization Endpoint |
{}
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for |
None
|
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
a Device Authorization Response |
Source code in requests_oauth2client/client.py
1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 |
|
parse_device_authorization_response(response)
¶
Parse a Device Authorization Response received by authorize_device()
.
Invoked by authorize_device() to parse the response returned by the Device Authorization Endpoint.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the Device Authorization Endpoint. |
required |
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
a |
Source code in requests_oauth2client/client.py
1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 |
|
on_device_authorization_error(response)
¶
Error handler for authorize_device()
.
Invoked by authorize_device() to parse the response returned by the Device Authorization Endpoint, when that response is an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the response returned by the Device Authorization Endpoint. |
required |
Returns:
Type | Description |
---|---|
DeviceAuthorizationResponse
|
usually raises an Exception. But a subclass may return a default response instead. |
Source code in requests_oauth2client/client.py
1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 |
|
update_authorization_server_public_keys(requests_kwargs=None)
¶
Update the cached AS public keys by retrieving them from its jwks_uri
.
Public keys are returned by this method, as a jwskate.JwkSet
. They are also
available in attribute authorization_server_jwks
.
Returns:
Type | Description |
---|---|
JwkSet
|
the retrieved public keys |
Raises:
Type | Description |
---|---|
ValueError
|
if no |
Source code in requests_oauth2client/client.py
1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 |
|
from_discovery_endpoint(url=None, issuer=None, *, auth=None, client_id=None, client_secret=None, private_key=None, session=None, testing=False, **kwargs)
classmethod
¶
Initialise an OAuth2Client based on Authorization Server Metadata.
This will retrieve the standardised metadata document available at url
, and will extract
all Endpoint Uris from that document, will fetch the current public keys from its
jwks_uri
, then will initialise an OAuth2Client based on those endpoints.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
url |
str | None
|
the url where the server metadata will be retrieved |
None
|
auth |
AuthBase | tuple[str, str] | str | None
|
the authentication handler to use for client authentication |
None
|
client_id |
str | None
|
client ID |
None
|
client_secret |
str | None
|
client secret to use to authenticate the client |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private key to sign client assertions |
None
|
session |
Session | None
|
a |
None
|
issuer |
str | None
|
if an issuer is given, check that it matches the one from the retrieved document |
None
|
testing |
bool
|
if True, don't try to validate the endpoint urls that are part of the document |
False
|
**kwargs |
Any
|
additional keyword parameters to pass to OAuth2Client |
{}
|
Returns:
Type | Description |
---|---|
OAuth2Client
|
an OAuth2Client with endpoint initialised based on the obtained metadata |
Raises:
Type | Description |
---|---|
ValueError
|
if neither |
HTTPError
|
if an error happens while fetching the documents |
Source code in requests_oauth2client/client.py
1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 |
|
from_discovery_document(discovery, issuer=None, *, auth=None, client_id=None, client_secret=None, private_key=None, authorization_server_jwks=None, session=None, https=True, testing=False, **kwargs)
classmethod
¶
Initialise an OAuth2Client, based on the server metadata from discovery
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
discovery |
dict[str, Any]
|
a dict of server metadata, in the same format as retrieved from a discovery endpoint. |
required |
issuer |
str | None
|
if an issuer is given, check that it matches the one mentioned in the document |
None
|
auth |
AuthBase | tuple[str, str] | str | None
|
the authentication handler to use for client authentication |
None
|
client_id |
str | None
|
client ID |
None
|
client_secret |
str | None
|
client secret to use to authenticate the client |
None
|
private_key |
Jwk | dict[str, Any] | None
|
private key to sign client assertions |
None
|
authorization_server_jwks |
JwkSet | dict[str, Any] | None
|
the current authorization server JWKS keys |
None
|
session |
Session | None
|
a requests Session to use to retrieve the document and initialise the client with |
None
|
https |
bool
|
(deprecated) if |
True
|
testing |
bool
|
if True, don't try to validate the endpoint urls that are part of the document |
False
|
**kwargs |
Any
|
additional args that will be passed to OAuth2Client |
{}
|
Returns:
Type | Description |
---|---|
OAuth2Client
|
an |
Source code in requests_oauth2client/client.py
1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 |
|
GrantType
¶
Bases: str
, Enum
An enum of standardized grant_type
values.
Source code in requests_oauth2client/client.py
1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 |
|
client_authentication
¶
This module implements OAuth 2.0 Client Authentication Methods.
An OAuth 2.0 Client must authenticate to the AS whenever it sends a request to the Token Endpoint, by including appropriate credentials. This module contains helper classes and methods that implement the standardized and commonly used Client Authentication Methods.
BaseClientAuthenticationMethod
¶
Bases: AuthBase
Base class for all Client Authentication methods. This extends [requests.auth.AuthBase].
This base class only checks that requests are suitable to add Client Authentication parameters to, and doesn't modify the request.
Source code in requests_oauth2client/client_authentication.py
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
|
ClientSecretBasic
¶
Bases: BaseClientAuthenticationMethod
Implement client_secret_basic
authentication.
With this method, the client sends its Client ID and Secret, in the Authorization header, with the "Basic" scheme, in each authenticated request to the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
|
required |
client_secret |
str
|
|
required |
Source code in requests_oauth2client/client_authentication.py
59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
|
ClientSecretPost
¶
Bases: BaseClientAuthenticationMethod
Implement client_secret_post
client authentication method.
With this method, the client inserts its client_id and client_secret in each authenticated request to the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
|
required |
client_secret |
str
|
|
required |
Source code in requests_oauth2client/client_authentication.py
94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
|
ClientAssertionAuthenticationMethod
¶
Bases: BaseClientAuthenticationMethod
Base class for assertion-based client authentication methods.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the client_id to use |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
required |
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
required |
jti_gen |
Callable[[], str]
|
a function to generate JWT Token Ids ( |
required |
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 |
|
client_assertion(audience)
¶
Generate a Client Assertion for a specific audience.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion, as |
Source code in requests_oauth2client/client_authentication.py
158 159 160 161 162 163 164 165 166 167 168 |
|
ClientSecretJwt
¶
Bases: ClientAssertionAuthenticationMethod
Implement client_secret_jwt
client authentication method.
With this method, the client generates and signs a client assertion that is symmetrically
signed with its Client Secret. The assertion is then sent to the AS in a client_assertion
field with each authenticated request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the |
required |
client_secret |
str
|
the |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
'HS256'
|
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
60
|
jti_gen |
Callable[[], Any]
|
a function to generate JWT Token Ids ( |
lambda: uuid4()
|
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
|
client_assertion(audience)
¶
Generate a symmetrically signed Client Assertion.
Assertion is signed with the client_secret
as key and the alg
passed at init time.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the generated Client Assertion. |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion, as |
Source code in requests_oauth2client/client_authentication.py
227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
|
PrivateKeyJwt
¶
Bases: ClientAssertionAuthenticationMethod
Implement private_key_jwt
client authentication method.
With this method, the client generates and sends a client_assertion, that is asymmetrically signed with a private key, on each direct request to the Authorization Server.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the |
required |
private_jwk |
Jwk | dict[str, Any]
|
the private JWK to use to sign generated Client Assertions. |
required |
alg |
str
|
the alg to use to sign generated Client Assertions. |
RS256
|
lifetime |
int
|
the lifetime to use for generated Client Assertions. |
60
|
jti_gen |
Callable[[], Any]
|
a function to generate JWT Token Ids ( |
lambda: uuid4()
|
aud |
str | None
|
the audience value to use. If |
None
|
Source code in requests_oauth2client/client_authentication.py
260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 |
|
client_assertion(audience)
¶
Generate a Client Assertion, asymmetrically signed with private_jwk
as key.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
audience |
str
|
the audience to use for the generated Client Assertion. |
required |
Returns:
Type | Description |
---|---|
str
|
a Client Assertion. |
Source code in requests_oauth2client/client_authentication.py
304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 |
|
PublicApp
¶
Bases: BaseClientAuthenticationMethod
Implement the none
authentication method for public apps.
This scheme is used for Public Clients, which do not have any secret credentials. Those only send their client_id to the Authorization Server.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client_id |
str
|
the client_id to use. |
required |
Source code in requests_oauth2client/client_authentication.py
333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 |
|
client_auth_factory(auth, *, client_id=None, client_secret=None, private_key=None, default_auth_handler=ClientSecretPost)
¶
Initialize the appropriate Auth Handler based on the provided parameters.
This initializes a ClientAuthenticationMethod
subclass based on the provided parameters.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
auth |
AuthBase | tuple[str, str] | tuple[str, Jwk] | tuple[str, dict[str, Any]] | str | None
|
can be:
|
required |
client_id |
str | None
|
the Client ID to use for this client |
None
|
client_secret |
str | None
|
the Client Secret to use for this client, if any (for clients using an authentication method based on a secret) |
None
|
private_key |
Jwk | dict[str, Any] | None
|
the private key to use for private_key_jwt authentication method |
None
|
default_auth_handler |
type[ClientSecretPost] | type[ClientSecretBasic] | type[ClientSecretJwt]
|
if a client_id and client_secret are provided, initialize an
instance of this class with those 2 parameters.
You can choose between |
ClientSecretPost
|
Returns:
Type | Description |
---|---|
AuthBase
|
an Auth Handler that will manage client authentication to the AS Token Endpoint or other |
AuthBase
|
backend endpoints. |
Source code in requests_oauth2client/client_authentication.py
368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 |
|
device_authorization
¶
Implements the Device Authorization Flow as defined in RFC8628.
See RFC8628.
DeviceAuthorizationResponse
¶
Represent a response returned by the device Authorization Endpoint.
All parameters are those returned by the AS as response to a Device Authorization Request.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
device_code |
str
|
the |
required |
user_code |
str
|
the |
required |
verification_uri |
str
|
the |
required |
verification_uri_complete |
str | None
|
the |
None
|
expires_at |
datetime | None
|
the expiration date for the device_code.
Also accepts an |
None
|
interval |
int | None
|
the pooling |
None
|
**kwargs |
Any
|
additional parameters as returned by the AS. |
{}
|
Source code in requests_oauth2client/device_authorization.py
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
|
is_expired(leeway=0)
¶
Check if the device_code
within this response is expired.
Returns:
Type | Description |
---|---|
bool | None
|
|
bool | None
|
no |
Source code in requests_oauth2client/device_authorization.py
56 57 58 59 60 61 62 63 64 65 66 |
|
DeviceAuthorizationPoolingJob
¶
Bases: TokenEndpointPoolingJob
A Token Endpoint pooling job for the Device Authorization Flow.
This periodically checks if the user has finished with his authorization in a Device Authorization flow.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
an OAuth2Client that will be used to pool the token endpoint. |
required |
device_code |
str | DeviceAuthorizationResponse
|
a |
required |
interval |
int | None
|
The pooling interval to use. This overrides the one in |
None
|
slow_down_interval |
int
|
Number of seconds to add to the pooling interval when the AS returns a slow-down request. |
5
|
requests_kwargs |
dict[str, Any] | None
|
Additional parameters for the underlying calls to requests.request. |
None
|
**token_kwargs |
Any
|
Additional parameters for the token request. |
{}
|
auth=("client_id", "client_secret") ) pool_job = DeviceAuthorizationPoolingJob(client=client, device_code="my_device_code")
1 |
|
Source code in requests_oauth2client/device_authorization.py
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 |
|
token_request()
¶
Implement the Device Code token request.
This actually calls [OAuth2Client.device_code(device_code)] on client
.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/device_authorization.py
111 112 113 114 115 116 117 118 119 120 |
|
discovery
¶
Implements Metadata discovery documents URLS.
This is as defined in RFC8615 and OpenID Connect Discovery 1.0.
well_known_uri(origin, name, *, at_root=True)
¶
Return the location of a well-known document on an origin url.
See RFC8615 and OIDC Discovery.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
origin |
str
|
origin to use to build the well-known uri. |
required |
name |
str
|
document name to use to build the well-known uri. |
required |
at_root |
bool
|
if |
True
|
Returns:
Type | Description |
---|---|
str
|
the well-know uri, relative to origin, where the well-known document named |
str
|
found. |
Source code in requests_oauth2client/discovery.py
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
|
oidc_discovery_document_url(issuer)
¶
Construct the OIDC discovery document url for a given issuer
.
Given an issuer
identifier, return the standardised URL where the OIDC discovery document can
be retrieved.
The returned URL is biuilt as specified in OpenID Connect Discovery 1.0.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
issuer |
str
|
an OIDC Authentication Server |
required |
Returns:
Type | Description |
---|---|
str
|
the standardised discovery document URL. Note that no attempt to fetch this document is |
str
|
made. |
Source code in requests_oauth2client/discovery.py
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
|
oauth2_discovery_document_url(issuer)
¶
Construct the standardised OAuth 2.0 discovery document url for a given issuer
.
Based an issuer
identifier, returns the standardised URL where the OAuth20 server metadata can
be retrieved.
The returned URL is built as specified in RFC8414.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
issuer |
str
|
an OAuth20 Authentication Server |
required |
Returns:
Type | Description |
---|---|
str
|
the standardised discovery document URL. Note that no attempt to fetch this document is |
str
|
made. |
Source code in requests_oauth2client/discovery.py
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
|
exceptions
¶
This module contains all exception classes from requests_oauth2client
.
OAuth2Error
¶
Bases: Exception
Base class for Exceptions raised when a backend endpoint returns an error.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the HTTP response containing the error |
required |
Source code in requests_oauth2client/exceptions.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
|
request: requests.PreparedRequest
property
¶
The request leading to the error.
EndpointError
¶
Bases: OAuth2Error
Base class for exceptions raised from backend endpoint errors.
This contains the error message, description and uri that are returned by the AS in the OAuth 2.0 standardised way.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
response |
Response
|
the raw requests.PreparedResponse containing the error. |
required |
error |
str
|
the |
required |
description |
str | None
|
the |
None
|
uri |
str | None
|
the |
None
|
Source code in requests_oauth2client/exceptions.py
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
|
InvalidTokenResponse
¶
Bases: OAuth2Error
Raised when the Token Endpoint returns a non-standard response.
Source code in requests_oauth2client/exceptions.py
57 58 |
|
ExpiredAccessToken
¶
Bases: RuntimeError
Raised when an expired access token is used.
Source code in requests_oauth2client/exceptions.py
61 62 |
|
UnknownTokenEndpointError
¶
Bases: EndpointError
Raised when an otherwise unknown error is returned by the token endpoint.
Source code in requests_oauth2client/exceptions.py
65 66 |
|
ServerError
¶
Bases: EndpointError
Raised when the token endpoint returns error = server_error
.
Source code in requests_oauth2client/exceptions.py
69 70 |
|
TokenEndpointError
¶
Bases: EndpointError
Base class for errors that are specific to the token endpoint.
Source code in requests_oauth2client/exceptions.py
73 74 |
|
InvalidRequest
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_request
.
Source code in requests_oauth2client/exceptions.py
77 78 |
|
InvalidClient
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_client
.
Source code in requests_oauth2client/exceptions.py
81 82 |
|
InvalidScope
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_scope
.
Source code in requests_oauth2client/exceptions.py
85 86 |
|
InvalidTarget
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_target
.
Source code in requests_oauth2client/exceptions.py
89 90 |
|
InvalidGrant
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = invalid_grant
.
Source code in requests_oauth2client/exceptions.py
93 94 |
|
AccessDenied
¶
Bases: EndpointError
Raised when the Authorization Server returns error = access_denied
.
Source code in requests_oauth2client/exceptions.py
97 98 |
|
UnauthorizedClient
¶
Bases: EndpointError
Raised when the Authorization Server returns error = unauthorized_client
.
Source code in requests_oauth2client/exceptions.py
101 102 |
|
RevocationError
¶
Bases: EndpointError
Base class for Revocation Endpoint errors.
Source code in requests_oauth2client/exceptions.py
105 106 |
|
UnsupportedTokenType
¶
Bases: RevocationError
Raised when the Revocation endpoint returns error = unsupported_token_type
.
Source code in requests_oauth2client/exceptions.py
109 110 |
|
IntrospectionError
¶
Bases: EndpointError
Base class for Introspection Endpoint errors.
Source code in requests_oauth2client/exceptions.py
113 114 |
|
UnknownIntrospectionError
¶
Bases: OAuth2Error
Raised when the Introspection Endpoint returns a non-standard error.
Source code in requests_oauth2client/exceptions.py
117 118 |
|
DeviceAuthorizationError
¶
Bases: EndpointError
Base class for Device Authorization Endpoint errors.
Source code in requests_oauth2client/exceptions.py
121 122 |
|
AuthorizationPending
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = authorization_pending
.
Source code in requests_oauth2client/exceptions.py
125 126 |
|
SlowDown
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = slow_down
.
Source code in requests_oauth2client/exceptions.py
129 130 |
|
ExpiredToken
¶
Bases: TokenEndpointError
Raised when the Token Endpoint returns error = expired_token
.
Source code in requests_oauth2client/exceptions.py
133 134 |
|
InvalidDeviceAuthorizationResponse
¶
Bases: OAuth2Error
Raised when the Device Authorization Endpoint returns a non-standard error response.
Source code in requests_oauth2client/exceptions.py
137 138 |
|
InvalidIdToken
¶
Bases: InvalidJwt
Raised when trying to validate an invalid ID Token value.
Source code in requests_oauth2client/exceptions.py
141 142 |
|
AuthorizationResponseError
¶
Bases: Exception
Base class for error responses returned by the Authorization endpoint.
An AuthorizationResponseError
contains the error message, description and uri that are
returned by the AS.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
error |
str
|
the |
required |
description |
str | None
|
the |
None
|
uri |
str | None
|
the |
None
|
Source code in requests_oauth2client/exceptions.py
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
|
InteractionRequired
¶
Bases: AuthorizationResponseError
Raised when the Authorization Endpoint returns error = interaction_required
.
Source code in requests_oauth2client/exceptions.py
164 165 |
|
LoginRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = login_required
.
Source code in requests_oauth2client/exceptions.py
168 169 |
|
AccountSelectionRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = account_selection_required
.
Source code in requests_oauth2client/exceptions.py
172 173 |
|
SessionSelectionRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = session_selection_required
.
Source code in requests_oauth2client/exceptions.py
176 177 |
|
ConsentRequired
¶
Bases: InteractionRequired
Raised when the Authorization Endpoint returns error = consent_required
.
Source code in requests_oauth2client/exceptions.py
180 181 |
|
InvalidAuthResponse
¶
Bases: Exception
Raised when the Authorization Endpoint returns an invalid response.
Source code in requests_oauth2client/exceptions.py
184 185 |
|
MissingAuthCode
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return the mandatory code
.
This happens when the Authorization Endpoint does not return an error, but does not return an
authorization code
either.
Source code in requests_oauth2client/exceptions.py
188 189 190 191 192 193 194 |
|
MissingIssuer
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return an iss
parameter as expected.
The Authorization Server advertises its support with a flag
authorization_response_iss_parameter_supported
in its discovery document. If it is set to
true
, it must include an iss
parameter in its authorization responses, containing its issuer
identifier.
Source code in requests_oauth2client/exceptions.py
197 198 199 200 201 202 203 204 205 |
|
MissingIdToken
¶
Bases: InvalidAuthResponse
Raised when the Authorization Endpoint does not return a mandatory ID Token.
This happens when the Authorization Endpoint does not return an error, but does not return an ID Token either.
Source code in requests_oauth2client/exceptions.py
208 209 210 211 212 213 214 |
|
MismatchingState
¶
Bases: InvalidAuthResponse
Raised on mismatching state
value.
This happens when the Authorization Endpoints returns a 'state' parameter that doesn't match the value passed in the Authorization Request.
Source code in requests_oauth2client/exceptions.py
217 218 219 220 221 222 223 |
|
MismatchingIssuer
¶
Bases: InvalidAuthResponse
Raised on mismatching iss
value.
This happens when the Authorization Endpoints returns an 'iss' that doesn't match the expected value.
Source code in requests_oauth2client/exceptions.py
226 227 228 229 230 231 232 |
|
MismatchingNonce
¶
Bases: InvalidIdToken
Raised on mismatching nonce
value in an ID Token.
This happens when the authorization request includes a nonce
but the returned ID Token include
a different value.
Source code in requests_oauth2client/exceptions.py
235 236 237 238 239 240 241 |
|
MismatchingAcr
¶
Bases: InvalidIdToken
Raised when the returned ID Token doesn't contain one of the requested ACR Values.
This happens when the authorization request includes an acr_values
parameter but the returned
ID Token includes a different value.
Source code in requests_oauth2client/exceptions.py
244 245 246 247 248 249 250 |
|
MismatchingAudience
¶
Bases: InvalidIdToken
Raised when the ID Token audience does not include the requesting Client ID.
Source code in requests_oauth2client/exceptions.py
253 254 |
|
MismatchingAzp
¶
Bases: InvalidIdToken
Raised when the ID Token Authorized Presenter (azp) claim is not the Client ID.
Source code in requests_oauth2client/exceptions.py
257 258 |
|
MismatchingIdTokenAlg
¶
Bases: InvalidIdToken
Raised when the returned ID Token is signed with an unexpected alg.
Source code in requests_oauth2client/exceptions.py
261 262 |
|
ExpiredIdToken
¶
Bases: InvalidIdToken
Raised when the returned ID Token is expired.
Source code in requests_oauth2client/exceptions.py
265 266 |
|
BackChannelAuthenticationError
¶
Bases: EndpointError
Base class for errors returned by the BackChannel Authentication endpoint.
Source code in requests_oauth2client/exceptions.py
269 270 |
|
InvalidBackChannelAuthenticationResponse
¶
Bases: OAuth2Error
Raised when the BackChannel Authentication endpoint returns a non-standard response.
Source code in requests_oauth2client/exceptions.py
273 274 |
|
InvalidPushedAuthorizationResponse
¶
Bases: OAuth2Error
Raised when the Pushed Authorization Endpoint returns an error.
Source code in requests_oauth2client/exceptions.py
277 278 |
|
flask
¶
This module contains helper classes for the Flask Framework.
See Flask framework.
FlaskOAuth2ClientCredentialsAuth
¶
Bases: FlaskSessionAuthMixin
, OAuth2ClientCredentialsAuth
A requests
Auth handler for CC grant that stores its token in Flask session.
It will automatically get Access Tokens from an OAuth 2.x AS with the Client Credentials grant
(and can get a new one once the first one is expired), and stores the retrieved token,
serialized in Flask session
, so that each user has a different access token.
Source code in requests_oauth2client/flask/auth.py
67 68 69 70 71 72 73 74 |
|
auth
¶
Helper classes for the Flask framework.
FlaskSessionAuthMixin
¶
A Mixin for auth handlers to store their tokens in Flask session.
Storing tokens in Flask session does ensure that each user of a Flask application has a different access token, and that tokens used for backend API access will be persisted between multiple requests to the front-end Flask app.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
session_key |
str
|
the key that will be used to store the access token in session. |
required |
serializer |
BearerTokenSerializer | None
|
the serializer that will be used to store the access token in session. |
None
|
Source code in requests_oauth2client/flask/auth.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
|
token: BearerToken | None
property
writable
¶
Return the Access Token stored in session.
Returns:
Type | Description |
---|---|
BearerToken | None
|
The current |
FlaskOAuth2ClientCredentialsAuth
¶
Bases: FlaskSessionAuthMixin
, OAuth2ClientCredentialsAuth
A requests
Auth handler for CC grant that stores its token in Flask session.
It will automatically get Access Tokens from an OAuth 2.x AS with the Client Credentials grant
(and can get a new one once the first one is expired), and stores the retrieved token,
serialized in Flask session
, so that each user has a different access token.
Source code in requests_oauth2client/flask/auth.py
67 68 69 70 71 72 73 74 |
|
pooling
¶
Contains base classes for pooling jobs.
TokenEndpointPoolingJob
¶
Bases: ABC
Base class for Token Endpoint pooling jobs.
This is used for decoupled flows like CIBA or Device Authorization.
This class must be subclassed to implement actual BackChannel flows. This needs an
OAuth2Client that will be used to pool the token
endpoint. The initial pooling interval
is configurable.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
client |
OAuth2Client
|
the OAuth2Client that will be used to pool the token endpoint. |
required |
interval |
int | None
|
initial pooling interval, in seconds. If |
None
|
slow_down_interval |
int
|
when a SlowDown is received, this number of seconds will be added to the pooling interval. |
5
|
requests_kwargs |
dict[str, Any] | None
|
additional parameters for the underlying calls to requests.request |
None
|
**token_kwargs |
Any
|
additional parameters for the token request |
{}
|
Source code in requests_oauth2client/pooling.py
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 |
|
token_request()
abstractmethod
¶
Abstract method for the token endpoint call.
This must be implemented by subclasses. This method must Must raise
AuthorizationPending to retry after
the pooling interval, or SlowDown to increase
the pooling interval by slow_down_interval
seconds.
Returns:
Type | Description |
---|---|
BearerToken
|
Source code in requests_oauth2client/pooling.py
77 78 79 80 81 82 83 84 85 86 87 88 89 90 |
|
tokens
¶
This module contains classes that represent Tokens used in OAuth2.0 / OIDC.
TokenType
¶
Bases: str
, Enum
An enum of standardised token_type
values.
Source code in requests_oauth2client/tokens.py
32 33 34 35 36 37 |
|
AccessTokenType
¶
Bases: str
, Enum
An enum of standardised access_token
types.
Source code in requests_oauth2client/tokens.py
40 41 42 43 |
|
IdToken
¶
Bases: SignedJwt
Represent an ID Token.
An ID Token is actually a Signed JWT. If the ID Token is encrypted, it must be decoded beforehand.
Source code in requests_oauth2client/tokens.py
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
|
auth_time: datetime
property
¶
The last user authentication time.
hash_method(key, alg=None)
classmethod
¶
Returns a callable that generates valid OIDC hashes, such as at_hash, c_hash, s_hash.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
key |
Jwk
|
the ID token signature verification public key |
required |
alg |
str | None
|
the ID token signature algorithm |
None
|
Returns:
Type | Description |
---|---|
Callable[[str], str]
|
a callable that takes a string as input and produces a valid hash as a str output |
Source code in requests_oauth2client/tokens.py
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
|
AccessToken
¶
Base class for Access Tokens.
Source code in requests_oauth2client/tokens.py
97 98 99 100 |
|
BearerToken
¶
Bases: AccessToken
Represents a Bearer Token as returned by a Token Endpoint.
This is a wrapper around a Bearer Token and associated parameters, such as expiration date and refresh token, as returned by an OAuth 2.x or OIDC 1.0 Token Endpoint.
All parameters are as returned by a Token Endpoint. The token expiration date can be passed as
datetime in the expires_at
parameter, or an expires_in
parameter, as number of seconds in
the future, can be passed instead.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
access_token |
str
|
an |
required |
expires_at |
datetime | None
|
an expiration date. This method also accepts an |
None
|
scope |
str | None
|
a |
None
|
refresh_token |
str | None
|
a |
None
|
token_type |
str
|
a |
TOKEN_TYPE
|
id_token |
str | bytes | IdToken | JweCompact | None
|
an |
None
|
**kwargs |
Any
|
additional parameters as returned by the AS, if any. |
{}
|
Source code in requests_oauth2client/tokens.py
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 |
|
expires_in: int | None
property
¶
Number of seconds until expiration.
is_expired(leeway=0)
¶
Check if the access token is expired.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
leeway |
int
|
If the token expires in the next given number of seconds, then consider it expired already. |
0
|
Returns:
Type | Description |
---|---|
bool | None
|
One of: |
bool | None
|
|
bool | None
|
|
bool | None
|
|
Source code in requests_oauth2client/tokens.py
173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 |
|
authorization_header()
¶
Return the appropriate Authorization Header value for this token.
The value is formatted correctly according to RFC6750.
Returns:
Type | Description |
---|---|
str
|
the value to use in an HTTP Authorization Header |
Source code in requests_oauth2client/tokens.py
192 193 194 195 196 197 198 199 200 201 |
|
validate_id_token(client, azr)
¶
Validate that a token response is valid, and return the ID Token.
This will validate the id_token as described in OIDC 1.0 $3.1.3.7.
If the ID Token is encrypted, this decrypts it and returns the clear-text ID Token.
Source code in requests_oauth2client/tokens.py
203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 |
|
as_dict()
¶
Return a dict of parameters.
That is suitable for serialization or to init another BearerToken.
Source code in requests_oauth2client/tokens.py
362 363 364 365 366 367 368 369 370 371 372 |
|
BearerTokenSerializer
¶
A helper class to serialize Token Response returned by an AS.
This may be used to store BearerTokens in session or cookies.
It needs a dumper
and a loader
functions that will respectively serialize and deserialize
BearerTokens. Default implementations are provided with use gzip and base64url on the serialized
JSON representation.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
dumper |
Callable[[BearerToken], str] | None
|
a function to serialize a token into a |
None
|
loader |
Callable[[str], BearerToken] | None
|
a function to deserialize a serialized token representation. |
None
|
Source code in requests_oauth2client/tokens.py
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 |
|
default_dumper(token)
staticmethod
¶
Serialize a token as JSON, then compress with deflate, then encodes as base64url.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
BearerToken
|
the |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized value |
Source code in requests_oauth2client/tokens.py
420 421 422 423 424 425 426 427 428 429 430 431 |
|
default_loader(serialized, token_class=BearerToken)
¶
Deserialize a BearerToken.
This does the opposite operations than default_dumper
.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized token |
required |
token_class |
type[BearerToken]
|
class to use to deserialize the Token |
BearerToken
|
Returns:
Type | Description |
---|---|
BearerToken
|
a BearerToken |
Source code in requests_oauth2client/tokens.py
433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 |
|
dumps(token)
¶
Serialize and compress a given token for easier storage.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
token |
BearerToken
|
a BearerToken to serialize |
required |
Returns:
Type | Description |
---|---|
str
|
the serialized token, as a str |
Source code in requests_oauth2client/tokens.py
452 453 454 455 456 457 458 459 460 461 462 |
|
loads(serialized)
¶
Deserialize a serialized token.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
serialized |
str
|
the serialized token |
required |
Returns:
Type | Description |
---|---|
BearerToken
|
the deserialized token |
Source code in requests_oauth2client/tokens.py
464 465 466 467 468 469 470 471 472 473 474 |
|
DPoPToken
¶
Bases: AccessToken
Represents a DPoP Token.
Source code in requests_oauth2client/tokens.py
477 478 |
|
vendor_specific
¶
Vendor-specific utilities.
This module contains vendor-specific subclasses of [requests_oauth2client] classes, that make it easier to work with specific OAuth 2.x providers and/or fix compatibility issues.
Auth0
¶
Auth0-related utilities.
Source code in requests_oauth2client/vendor_specific/auth0.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
|
tenant(tenant)
classmethod
¶
Given a short tenant name, returns the full tenant FQDN.
Source code in requests_oauth2client/vendor_specific/auth0.py
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
|
client(tenant, auth=None, *, client_id=None, client_secret=None, private_jwk=None, session=None, **kwargs)
classmethod
¶
Initialise an OAuth2Client for an Auth0 tenant.
Source code in requests_oauth2client/vendor_specific/auth0.py
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
|
management_api_client(tenant, auth=None, *, client_id=None, client_secret=None, private_jwk=None, session=None, **kwargs)
classmethod
¶
Initialize a client for the Auth0 Management API.
See Auth0 Management API v2. You must provide the target tenant name and the credentials for a client that is allowed access to the Management API.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
tenant |
str
|
the tenant name. Same definition as for Auth0.client |
required |
auth |
AuthBase | tuple[str, str] | tuple[str, Jwk] | tuple[str, dict[str, Any]] | str | None
|
client credentials. Same definition as for OAuth2Client |
None
|
client_id |
str | None
|
the Client ID. Same definition as for OAuth2Client |
None
|
client_secret |
str | None
|
the Client Secret. Same definition as for OAuth2Client |
None
|
private_jwk |
Any | None
|
the private key to use for client authentication. Same definition as for OAuth2Client |
None
|
session |
Session | None
|
requests session. Same definition as for OAuth2Client |
None
|
**kwargs |
Any
|
additional kwargs to pass to the ApiClient base class |
{}
|
Usage
1 2 3 4 |
|
Source code in requests_oauth2client/vendor_specific/auth0.py
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
|
Ping
¶
Ping Identity related utilities.
Source code in requests_oauth2client/vendor_specific/ping.py
12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|
client(issuer, auth=None, client_id=None, client_secret=None, private_jwk=None, session=None)
classmethod
¶
Initialize an OAuth2Client for PingFederate.
This will configure all endpoints with PingID specific urls, without using the metadata.
Excepted for avoiding a round-trip to get the metadata url, this does not provide any advantage
over using OAuth2Client.from_discovery_endpoint(issuer="https://myissuer.domain.tld")
.
Source code in requests_oauth2client/vendor_specific/ping.py
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|
auth0
¶
Implements subclasses for Auth0.
Auth0
¶
Auth0-related utilities.
Source code in requests_oauth2client/vendor_specific/auth0.py
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
|
tenant(tenant)
classmethod
¶
Given a short tenant name, returns the full tenant FQDN.
Source code in requests_oauth2client/vendor_specific/auth0.py
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
|
client(tenant, auth=None, *, client_id=None, client_secret=None, private_jwk=None, session=None, **kwargs)
classmethod
¶
Initialise an OAuth2Client for an Auth0 tenant.
Source code in requests_oauth2client/vendor_specific/auth0.py
42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 |
|
management_api_client(tenant, auth=None, *, client_id=None, client_secret=None, private_jwk=None, session=None, **kwargs)
classmethod
¶
Initialize a client for the Auth0 Management API.
See Auth0 Management API v2. You must provide the target tenant name and the credentials for a client that is allowed access to the Management API.
Parameters:
Name | Type | Description | Default |
---|---|---|---|
tenant |
str
|
the tenant name. Same definition as for Auth0.client |
required |
auth |
AuthBase | tuple[str, str] | tuple[str, Jwk] | tuple[str, dict[str, Any]] | str | None
|
client credentials. Same definition as for OAuth2Client |
None
|
client_id |
str | None
|
the Client ID. Same definition as for OAuth2Client |
None
|
client_secret |
str | None
|
the Client Secret. Same definition as for OAuth2Client |
None
|
private_jwk |
Any | None
|
the private key to use for client authentication. Same definition as for OAuth2Client |
None
|
session |
Session | None
|
requests session. Same definition as for OAuth2Client |
None
|
**kwargs |
Any
|
additional kwargs to pass to the ApiClient base class |
{}
|
Usage
1 2 3 4 |
|
Source code in requests_oauth2client/vendor_specific/auth0.py
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 |
|
ping
¶
PingID specific client.
Ping
¶
Ping Identity related utilities.
Source code in requests_oauth2client/vendor_specific/ping.py
12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|
client(issuer, auth=None, client_id=None, client_secret=None, private_jwk=None, session=None)
classmethod
¶
Initialize an OAuth2Client for PingFederate.
This will configure all endpoints with PingID specific urls, without using the metadata.
Excepted for avoiding a round-trip to get the metadata url, this does not provide any advantage
over using OAuth2Client.from_discovery_endpoint(issuer="https://myissuer.domain.tld")
.
Source code in requests_oauth2client/vendor_specific/ping.py
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|