An implementation of OpenID Connect for Python, on top of OAuthlib.

Oidclib defines a new server, OpenIDConnectServer, which replaces oauthlib's pre-configured server. Note that this server can only handle OIDC requests, i.e., it will fail with regular OAuth2 requests. A full-featured server that handles both is planned, though.
The current implementation tries to reuse all four basic endpoints defined in oauthlib.oauth2.rfc6749.endpoints, just creating a new server and new grant_types for the three OIDC workflows. Due to the unique requirements of OpenID Connect, a validator with some new methods is required.
This class extends oauthlib's AuthorizationCodeGrant, rewriting just one method, validate_authorization_request. It follows the OpenID Connect Core Spec. Right now it lacks validation of non-REQUIRED params, but this will be done soon. We did not see the need to rewrite other methods, since they're already generic enough or just delegate to the validator.
This class extends oauthlib's ImplicitGrant, and only rewrites validate_token_request and create_token_response. Like the previous class, it only handles the REQUIRED parts of the spec, for now.
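The two paragraphs above say both grants validate only the REQUIRED parameters of OpenID Connect Core. The following is an added, stand-alone illustration of what that check looks like for the Authorization Code and Implicit flows (sections 3.1.2.1 and 3.2.2.1 of the spec); it is not oidclib's own validate_authorization_request, and the client registry, the ValidationResult type and the error strings are assumptions made for this example.

```python
# Added example (not oidclib's code): checking the REQUIRED parameters of an
# OpenID Connect authorization request for the Authorization Code and Implicit
# flows, as OpenID Connect Core 1.0 sections 3.1.2.1 and 3.2.2.1 define them.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed client registry standing in for the validator's client lookup.
# Redirect URIs must match a registered value exactly (no prefix matching).
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": ["https://rp.example/cb"]},
}

# response_type is a space-separated, order-insensitive set of values.
CODE_FLOW = frozenset({"code"})
IMPLICIT_FLOWS = (frozenset({"id_token"}), frozenset({"id_token", "token"}))


@dataclass
class ValidationResult:
    ok: bool
    error: Optional[str] = None     # OAuth2/OIDC error code, e.g. invalid_request
    description: str = ""
    flow: Optional[str] = None      # "code" or "implicit" when ok


def _single(params: dict, name: str) -> Optional[str]:
    """Return a parameter's value, or None if it is absent, blank or repeated."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 and values[0] else None


def validate_authorization_request(uri: str) -> ValidationResult:
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)

    # Parameters the spec marks REQUIRED in both flows.
    for name in ("scope", "response_type", "client_id", "redirect_uri"):
        if _single(params, name) is None:
            return ValidationResult(False, "invalid_request",
                                    f"missing, blank or duplicated parameter: {name}")

    if "openid" not in _single(params, "scope").split():
        # Without the openid scope this is a plain OAuth2 request, which this
        # server (like oidclib's) does not serve.
        return ValidationResult(False, "invalid_scope", "openid scope is required")

    client = REGISTERED_CLIENTS.get(_single(params, "client_id"))
    if client is None:
        return ValidationResult(False, "unauthorized_client", "unknown client_id")
    if _single(params, "redirect_uri") not in client["redirect_uris"]:
        # Never redirect to an unregistered URI; report this error directly.
        return ValidationResult(False, "invalid_request",
                                "redirect_uri does not exactly match a registered value")

    requested = frozenset(_single(params, "response_type").split())
    if requested == CODE_FLOW:
        return ValidationResult(True, flow="code")
    if requested in IMPLICIT_FLOWS:
        # Implicit flow: nonce is REQUIRED so the ID token can be bound to the
        # client's session and a replayed response can be detected.
        if _single(params, "nonce") is None:
            return ValidationResult(False, "invalid_request",
                                    "nonce is required for the implicit flow")
        return ValidationResult(True, flow="implicit")
    return ValidationResult(False, "unsupported_response_type",
                            "response_type not handled by this server")
```

The check treats a repeated parameter as missing rather than taking the first copy, and it rejects a redirect_uri that is not an exact registered match before anything else could cause a redirect, which is the behaviour the Core spec asks for in both flows.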
A custom validator had to be created due to some new implementation-specific behavior of OIDC requests. The methods are documented on oidc.validator. Some methods are new, and some are just being reimplemented to document that they now have an extended role.
Oidclib's OIDCToken differs from oauthlib's BearerToken because it returns an id_token along with all other params. It also decides whether an access_token should be returned or not, based on the request's response_type.
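As an added example of the behaviour just described, and not oidclib's OIDCToken itself, the code below builds the Implicit Flow response: the id_token is always present, and access_token is included only when response_type contains token. When it is, the ID token also carries the at_hash claim that OpenID Connect Core 1.0 section 3.2.2.10 requires, so the relying party can tie the access token to the ID token it arrived with. The HS256 signing with the client secret, the issuer, lifetime and secret values, and the helper names are assumptions made for this example (a production OP would usually publish RSA or EC keys and sign with those).

```python
# Added example (not oidclib's OIDCToken): building the Implicit Flow response
# with standard-library-only HS256 signing of the ID token.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example; a real OP loads them from configuration.
ISSUER = "https://op.example"
CLIENT_SECRET = b"constructed-client-secret-for-hs256-example"
ID_TOKEN_LIFETIME = 600  # seconds


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def at_hash(access_token: str) -> str:
    # Left-most half (128 bits) of SHA-256, the hash paired with HS256/RS256,
    # base64url-encoded without padding.
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_hs256(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode("ascii"))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def create_token_response(response_type: str, client_id: str, subject: str,
                          nonce: str, now: Optional[int] = None) -> dict:
    """Return the parameters the OP places in the fragment of the redirect."""
    now = int(time.time()) if now is None else now
    wants_access_token = "token" in response_type.split()
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": client_id,
        "iat": now,
        "exp": now + ID_TOKEN_LIFETIME,
        "nonce": nonce,  # echoed so the RP can bind the token to its session
    }
    response = {}
    if wants_access_token:
        access_token = secrets.token_urlsafe(32)
        response["access_token"] = access_token
        response["token_type"] = "Bearer"
        response["expires_in"] = ID_TOKEN_LIFETIME
        # at_hash lets the RP check that this access token belongs to this ID token.
        claims["at_hash"] = at_hash(access_token)
    response["id_token"] = sign_hs256(claims)  # always returned for OIDC
    return response


def decode_claims(id_token: str) -> dict:
    """Verify the HS256 signature (and the alg header) and return the claims."""
    header, payload, signature = id_token.split(".")
    hdr = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    if hdr.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion, e.g. "none"
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), signature):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

The split on response_type mirrors the decision the paragraph attributes to OIDCToken: "id_token" alone yields only the signed ID token, while "id_token token" (in either order) adds the bearer access token and the matching at_hash claim.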