RequestValidator Extensions
Four methods must be implemented in your validator subclass if you wish to support OpenID Connect:
class oauthlib.oauth2.RequestValidator

get_id_token(token, token_handler, request)
In the OpenID Connect workflows, when an ID Token is requested this method is called. Subclasses should implement the construction, signing and optional encryption of the ID Token as described in the OpenID Connect spec.
In addition to the standard OAuth2 request properties, the request may also contain these OIDC specific properties which are useful to this method:
- nonce, if workflow is implicit or hybrid and it was provided
- claims, if provided to the original Authorization Code request
The token parameter is a dict which may contain an access_token entry, in which case the resulting ID Token should include a calculated at_hash claim. Similarly, when the request parameter has a code property defined, the ID Token should include a calculated c_hash claim. Both values are computed the same way: hash the ASCII octets of the access token or code with the hash algorithm underlying the ID Token's JWS alg (SHA-256 for RS256, ES256 or HS256), keep the left-most half of the digest, and base64url-encode it without padding. A client that verifies at_hash and c_hash can detect an access token or code that was swapped for one from a different response. See http://openid.net/specs/openid-connect-core-1_0.html (sections 3.1.3.6, 3.2.2.10, 3.3.2.11).
Parameters:
- token – A Bearer token dict
- token_handler – the token handler (BearerToken class)
- request – the HTTP Request (oauthlib.common.Request)
Returns: The ID Token (a JWS signed JWT)

validate_silent_authorization(request)
Ensure the logged in user has authorized silent OpenID authorization for the requesting client.
Silent OpenID authorization allows access tokens and ID Tokens to be granted to clients without any user prompt or interaction, so this must return False unless the user has previously consented to that client.
Parameters: request – The HTTP Request (oauthlib.common.Request)
Return type: True or False
Method is used by:
- OpenIDConnectAuthCode
- OpenIDConnectImplicit
- OpenIDConnectHybrid

validate_silent_login(request)
Ensure the session user has authorized silent OpenID login.
If no user is logged in or has not authorized silent login, this method should return False.
If the user is logged in but associated with multiple accounts and not selected which one to link to the token then this method should raise an oauthlib.oauth2.AccountSelectionRequired error.
Parameters: request – The HTTP Request (oauthlib.common.Request)
Return type: True or False
Method is used by:
- OpenIDConnectAuthCode
- OpenIDConnectImplicit
- OpenIDConnectHybrid

validate_user_match(id_token_hint, scopes, claims, request)
Ensure the client-supplied user identity hint matches the session user.
If a sub claim (in the claims parameter) or an id_token_hint is supplied, the session user must match the given ID; return False when it does not, so that no ID Token is issued for a user other than the one the client asked for.
Parameters:
- id_token_hint – The id_token_hint request parameter as sent by the client. Per OpenID Connect Core 1.0 section 3.1.2.1 this is an ID Token previously issued by this server, whose sub claim names the expected user; verify its signature before trusting it, since the client controls the value.
- scopes – List of OAuth 2 scopes and OpenID claims (strings).
- claims – OpenID Connect claims dict.
- request – The HTTP Request (oauthlib.common.Request)
Return type: True or False
Method is used by:
- OpenIDConnectAuthCode
- OpenIDConnectImplicit
- OpenIDConnectHybrid
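The four hooks implemented together in one subclass, as an added example that is not oauthlib's own code. It covers the get_id_token construction described above (nonce, at_hash and c_hash) as well as the three validate_* checks. Assumptions, also marked in comments: the ID Token is signed with HS256 under a per-client secret (a real issuer would normally use RS256 or ES256 with a published JWK Set); the web framework attaches a request.session object with the attributes user, accounts, selected_sub, silent_login_ok and silent_authz; AccountSelectionRequired is a local stand-in for the oauthlib error of the same name; and _Obj and sample_request build constructed stand-ins for oauthlib.common.Request so the module runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

try:  # real base class when oauthlib is installed; a stand-in otherwise so this runs offline
    from oauthlib.oauth2 import RequestValidator
except ImportError:
    class RequestValidator: pass


class AccountSelectionRequired(Exception):
    """Stand-in for oauthlib's AccountSelectionRequired error (assumption: only the name matches)."""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def oidc_half_hash(value):
    """at_hash / c_hash (OIDC Core 3.1.3.6, 3.3.2.11): hash the ASCII octets with the hash behind
    the ID Token's alg (SHA-256 for HS256), keep the left-most half, base64url-encode it."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def sign_hs256(claims, key):
    """Compact JWS over the claims. Assumption: HS256 with a client-specific secret."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token, key):
    """Check the signature and return the claims; used before trusting an id_token_hint."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("ID Token signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class ExampleValidator(RequestValidator):
    """Assumption: the web framework attaches request.session with user (None when nobody is
    logged in), accounts (subject ids the login may be linked to), selected_sub (the chosen
    one, or None), silent_login_ok and silent_authz (client ids granted silent authorization)."""
    ISSUER = "https://issuer.example"  # assumed issuer URL
    KEY = b"per-client-secret"          # assumed; load from a secret store in real code

    def get_id_token(self, token, token_handler, request):
        s = request.session
        now = int(time.time())
        claims = {"iss": self.ISSUER, "sub": s.selected_sub or s.user,
                  "aud": request.client_id, "iat": now, "exp": now + 600}
        if getattr(request, "nonce", None):   # implicit/hybrid: bind the token to the request
            claims["nonce"] = request.nonce
        if token.get("access_token"):         # access token issued alongside -> at_hash
            claims["at_hash"] = oidc_half_hash(token["access_token"])
        if getattr(request, "code", None):    # hybrid flow: code issued alongside -> c_hash
            claims["c_hash"] = oidc_half_hash(request.code)
        return sign_hs256(claims, self.KEY)

    def validate_silent_authorization(self, request):
        s = request.session
        return s.user is not None and request.client_id in s.silent_authz

    def validate_silent_login(self, request):
        s = request.session
        if s.user is None or not s.silent_login_ok:
            return False
        if len(s.accounts) > 1 and s.selected_sub is None:
            raise AccountSelectionRequired()  # prompt=none cannot choose an account for the user
        return True

    def validate_user_match(self, id_token_hint, scopes, claims, request):
        s = request.session
        current = s.selected_sub or s.user
        if current is None:
            return False
        if id_token_hint:  # verify first: the hint arrives from the client and may be forged
            try:
                hinted_sub = verify_hs256(id_token_hint, self.KEY).get("sub")
            except ValueError:
                return False
            if hinted_sub != current:
                return False
        wanted = ((claims or {}).get("id_token") or {}).get("sub", {}).get("value")
        return wanted is None or wanted == current


class _Obj:
    """Attribute bag standing in for oauthlib.common.Request and the session (constructed input)."""
    def __init__(self, **kw):
        self.__dict__.update(kw)

def sample_request(code=None, nonce=None, user="alice", accounts=("alice",), selected_sub="alice"):
    session = _Obj(user=user, accounts=list(accounts), selected_sub=selected_sub,
                   silent_login_ok=True, silent_authz={"client-1"})
    return _Obj(client_id="client-1", code=code, nonce=nonce, session=session)
```

validate_user_match deliberately rejects a hint whose signature does not verify rather than falling back to the session user: the client supplies id_token_hint, so an unverified sub would let any client steer the check. In a real issuer also check the hint's iss and aud (and accept an expired hint only because the spec allows it for this purpose), and verify_hs256 would be replaced by verification against the key the issuer actually signs with.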