0
# OpenID Connect
1
2
OpenID Connect identity layer implementation providing ID tokens, UserInfo endpoint, and authentication extensions to OAuth 2.0. Includes JWT token handling, claims processing, and user authentication flows.
3
4
## Capabilities
5
6
### OpenID Connect Server
7
8
Complete OpenID Connect server implementation extending OAuth 2.0 with identity features.
9
10
```python { .api }
11
class Server:
12
def __init__(self, request_validator, token_expires_in=None, token_generator=None, refresh_token_generator=None, **kwargs): ...
13
14
def create_userinfo_response(
15
self,
16
uri: str,
17
http_method: str = "GET",
18
body: str | None = None,
19
headers: dict[str, str] | None = None,
20
**kwargs,
21
) -> tuple[dict[str, str], str, int]:
22
"""Create UserInfo endpoint response with user claims."""
23
```
24
25
### UserInfo Endpoint
26
27
OpenID Connect UserInfo endpoint providing user claims based on access token scope.
28
29
```python { .api }
30
class UserInfoEndpoint:
31
def create_userinfo_response(
32
self,
33
uri: str,
34
http_method: str = "GET",
35
body: str | None = None,
36
headers: dict[str, str] | None = None,
37
**kwargs,
38
) -> tuple[dict[str, str], str, int]:
39
"""Create UserInfo response with user claims."""
40
```
41
42
### OpenID Connect Request Validator
43
44
Extended request validator with OpenID Connect specific validation methods.
45
46
```python { .api }
47
class RequestValidator: # Extends OAuth2 RequestValidator
48
def get_id_token(self, token: dict, token_handler, request) -> str:
49
"""Generate ID token for authenticated user."""
50
51
def validate_id_token(self, token: str, scopes: list[str], request) -> bool:
52
"""Validate ID token."""
53
54
def get_userinfo_claims(self, request) -> dict | str:
55
"""Get user claims for UserInfo endpoint."""
56
57
def validate_silent_authorization(self, request) -> bool:
58
"""Validate silent authorization request."""
59
60
def validate_silent_login(self, request) -> bool:
61
"""Validate silent login request."""
62
63
def validate_user_match(self, id_token_hint: str, scopes: list[str], claims: dict, request) -> bool:
64
"""Validate user matches ID token hint."""
65
66
def get_authorization_code_scopes(self, client_id: str, code: str, redirect_uri: str, request) -> list[str]:
67
"""Get scopes for authorization code."""
68
69
def get_authorization_code_nonce(self, client_id: str, code: str, redirect_uri: str, request) -> str:
70
"""Get nonce for authorization code."""
71
72
def finalize_id_token(self, id_token: str, token: dict, token_handler, request) -> str:
73
"""Finalize ID token before issuance."""
74
75
def refresh_id_token(self, request) -> bool:
76
"""Whether to refresh ID token on token refresh."""
77
```
78
79
## Usage Example
80
81
```python
82
from oauthlib.openid import RequestValidator, Server
83
84
class OpenIDRequestValidator(RequestValidator):
85
def get_id_token(self, token, token_handler, request):
86
user = get_user(request.user_id)
87
id_token_claims = {
88
'sub': str(user.id),
89
'name': user.full_name,
90
'email': user.email,
91
'email_verified': user.email_verified,
92
'picture': user.avatar_url,
93
'iss': 'https://your-server.com',
94
'aud': request.client_id,
95
'iat': int(time.time()),
96
'exp': int(time.time()) + 3600,
97
'nonce': getattr(request, 'nonce', None)
98
}
99
return create_jwt_token(id_token_claims)
100
101
def get_userinfo_claims(self, request):
102
user = get_user_from_token(request.access_token)
103
scopes = request.scopes
104
105
claims = {'sub': str(user.id)}
106
107
if 'profile' in scopes:
108
claims.update({
109
'name': user.full_name,
110
'given_name': user.first_name,
111
'family_name': user.last_name,
112
'picture': user.avatar_url
113
})
114
115
if 'email' in scopes:
116
claims.update({
117
'email': user.email,
118
'email_verified': user.email_verified
119
})
120
121
return claims
122
123
server = Server(OpenIDRequestValidator())
124
```