An implementation of OpenID Connect for Python, on top of OAuthlib.

Oidclib defines a new server, OpenIDConnectServer, which replaces oauthlib's pre-configured server. Note that this server can only handle OIDC requests, i.e., it will fail with regular OAuth2 requests. A full-featured server is on the planning, though.

The current implementation tries to reuse all four basic endpoints defined in oauthlib.oauth2.rfc6749.endpoints, just creating a new server and new grant_types for the three OIDC workflows. Due to the unique requirements of OpenID Connect, a validator with some new methods is required.

This class extends oauthlib's AuthorizationCodeGrant, rewriting just one method, validate_authorization_request. It follows the OpenID Connect Core Spec. Right now it lacks validation of non-REQUIRED params, but this will be done soon.

We did not see the need to rewrite other methods, since they're already generic enough or just delegate to the validator.

This class extends oaudhlib's ImplicitGrant, and only rewrites validate_token_request and create_token_response. Like the previous class, it only handles the REQUIRED parts of the spec, for now.

A custom validator had to be created due to some new implementation-specific behavior of OIDC requests. The methods are documented on oidc.validator. Some methods are new, and some are just being reimplemented to document they now have an extended role.

The oidlib's OIDCToken differs from oauthlib's BearerToken because it returns an id_token along with all other params. It also decides if access_token should be returned or not, based on requests' response_type.