RequestValidator Extensions

Four methods must be implemented in your validator subclass if you wish to support OpenID Connect:

class oauthlib.oauth2.RequestValidator
get_id_token(token, token_handler, request)

This method is called in the OpenID Connect workflows whenever an ID Token is requested. Subclasses should implement the construction, signing and optional encryption of the ID Token as described in the OpenID Connect spec.

In addition to the standard OAuth2 request properties, the request may also contain these OIDC specific properties which are useful to this method:

  • nonce, if workflow is implicit or hybrid and it was provided
  • claims, if provided to the original Authorization Code request

The token parameter is a dict which may contain an access_token entry, in which case the resulting ID Token should include a calculated at_hash claim.

Similarly, when the request parameter has a code property defined, the ID Token should include a calculated c_hash claim.

http://openid.net/specs/openid-connect-core-1_0.html (sections 3.1.3.6, 3.2.2.10, 3.3.2.11)

Parameters:
  • token – A Bearer token dict
  • token_handler – the token handler (BearerToken class)
  • request – the HTTP Request (oauthlib.common.Request)
Returns:

The ID Token (a JWS signed JWT)
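
The following is an added example, not code from oauthlib: a standard-library sketch of the token construction a get_id_token override could delegate to, including the at_hash and c_hash calculation (left-most half of the SHA-256 digest, base64url-encoded without padding). HS256 with a shared key, the issuer, the key value, and the request.user_id attribute are assumptions made to keep the block self-contained.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://op.example"          # constructed placeholder issuer
SIGNING_KEY = b"demo-only-shared-key"  # constructed; HS256 keeps this stdlib-only

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def left_half_hash(value: str) -> str:
    """at_hash / c_hash value: left-most half of SHA-256 (the hash behind HS256)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def build_id_token(token, request, now=None):
    """Build and sign an ID Token from the Bearer token dict and the request."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,
        "sub": request.user_id,   # hypothetical attribute set by the application
        "aud": request.client_id,
        "iat": now,
        "exp": now + 300,
    }
    if getattr(request, "nonce", None):        # implicit / hybrid flows
        claims["nonce"] = request.nonce
    if token.get("access_token"):              # bind the access token to the ID Token
        claims["at_hash"] = left_half_hash(token["access_token"])
    if getattr(request, "code", None):         # bind the authorization code
        claims["c_hash"] = left_half_hash(request.code)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def decode_claims(id_token):
    """Check the HS256 signature in constant time, then return the claims dict."""
    signing_input, _, sig = id_token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

A deployment that issues tokens to third-party clients would normally sign with an asymmetric algorithm through a maintained JWT library; the hash used for at_hash and c_hash must then follow the alg of that signature.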

validate_silent_authorization(request)

Ensure the logged-in user has authorized silent OpenID authorization.

Silent OpenID authorization allows access tokens and id tokens to be granted to clients without any user prompt or interaction.

Parameters: request – The HTTP Request (oauthlib.common.Request)
Return type: True or False
Method is used by:
  • OpenIDConnectAuthCode
  • OpenIDConnectImplicit
  • OpenIDConnectHybrid

validate_silent_login(request)

Ensure the session user has authorized silent OpenID login.

If no user is logged in, or the user has not authorized silent login, this method should return False.

If the user is logged in but is associated with multiple accounts and has not selected which one to link to the token, then this method should raise an oauthlib.oauth2.AccountSelectionRequired error.

Parameters: request – The HTTP Request (oauthlib.common.Request)
Return type: True or False
Method is used by:
  • OpenIDConnectAuthCode
  • OpenIDConnectImplicit
  • OpenIDConnectHybrid

validate_user_match(id_token_hint, scopes, claims, request)

Ensure the client-supplied user ID hint matches the session user.

If the sub claim or id_token_hint is supplied then the session user must match the given ID.

Parameters:
  • id_token_hint – User identifier string.
  • scopes – List of OAuth 2 scopes and OpenID claims (strings).
  • claims – OpenID Connect claims dict.
  • request – The HTTP Request (oauthlib.common.Request)
Return type: True or False

Method is used by:
  • OpenIDConnectAuthCode
  • OpenIDConnectImplicit
  • OpenIDConnectHybrid