oidc-discovery 0.1.0__py3-none-any.whl

@@ -0,0 +1,69 @@
1
+ from abc import ABCMeta, abstractmethod
2
+ from typing import Literal
3
+
4
+ from httpx import AsyncClient, Client, HTTPStatusError, RequestError
5
+ from pydantic import ValidationError
6
+
7
+ from oidc_discovery.models import OIDCProviderMetadata
8
+
9
+ SUFFIX: Literal["/.well-known/openid-configuration"] = \
10
+ "/.well-known/openid-configuration"
11
+
12
+
13
+ class OIDCDiscoveryError(Exception): ...
14
+
15
+
16
+ class OIDCDiscovererInterface(metaclass=ABCMeta):
17
+ @abstractmethod
18
+ def __call__(self) -> OIDCProviderMetadata: ...
19
+
20
+
21
+ class OIDCDiscoverer(OIDCDiscovererInterface):
22
+ _client: Client
23
+ _issuer: str
24
+
25
+ def __init__(self, client: Client, issuer: str) -> None:
26
+ self._client = client
27
+ self._issuer = issuer
28
+
29
+ def __call__(self) -> OIDCProviderMetadata:
30
+ url = self._issuer + SUFFIX
31
+
32
+ try:
33
+ response = self._client.get(url)
34
+ response.raise_for_status()
35
+ return OIDCProviderMetadata.model_validate_json(response.text)
36
+ except (RequestError, HTTPStatusError) as e:
37
+ raise OIDCDiscoveryError from e
38
+ except ValidationError as e:
39
+ raise OIDCDiscoveryError(str(e)) from e
40
+ finally:
41
+ self._client.close()
42
+
43
+
44
+ class AsyncOIDCDiscovererInterface(metaclass=ABCMeta):
45
+ @abstractmethod
46
+ async def __call__(self) -> OIDCProviderMetadata: ...
47
+
48
+
49
+ class AsyncOIDCDiscoverer(AsyncOIDCDiscovererInterface):
50
+ _client: AsyncClient
51
+ _issuer: str
52
+
53
+ def __init__(self, client: AsyncClient, issuer: str) -> None:
54
+ self._client = client
55
+ self._issuer = issuer
56
+
57
+ async def __call__(self) -> OIDCProviderMetadata:
58
+ url = self._issuer + SUFFIX
59
+
60
+ try:
61
+ response = await self._client.get(url)
62
+ response.raise_for_status()
63
+ return OIDCProviderMetadata.model_validate_json(response.text)
64
+ except (RequestError, HTTPStatusError) as e:
65
+ raise OIDCDiscoveryError from e
66
+ except ValidationError as e:
67
+ raise OIDCDiscoveryError(str(e)) from e
68
+ finally:
69
+ await self._client.aclose()
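Review bot: Neither `__call__` verifies that the `issuer` in the fetched document equals the configured `self._issuer`, which OpenID Connect Discovery §4.3 requires and which is the relying party's check against a server handing back another issuer's metadata; after `model_validate_json` in the sync body (and identically in the async twin at the end of the hunk) the return should become `metadata = OIDCProviderMetadata.model_validate_json(response.text)` / `if str(metadata.issuer).rstrip("/") != self._issuer.rstrip("/"): raise OIDCDiscoveryError("issuer mismatch")` / `return metadata`, the `rstrip` because `AnyHttpUrl` may normalize a bare-host URL with a trailing slash (confirm against the pinned pydantic). The `finally: self._client.close()` / `aclose()` clauses close a client the caller injected through `__init__`, so a discoverer can be invoked only once and any other use of that client by its owner breaks; either leave lifecycle to the owner or state the single-use contract in a class docstring. `self._issuer + SUFFIX` produces a double slash when the issuer is configured with a trailing slash, so `self._issuer.rstrip("/") + SUFFIX` is the safer join. The `RequestError`/`HTTPStatusError` branch raises `OIDCDiscoveryError` with no message while the `ValidationError` branch passes `str(e)`; a consistent message (for instance the URL and status) makes failures diagnosable from logs.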
@@ -0,0 +1,222 @@
1
+ from typing import Optional
2
+
3
+ from pydantic import AnyHttpUrl, BaseModel, StrictBool, StrictStr
4
+
5
+
6
+ class OIDCProviderMetadata(BaseModel):
7
+ """OpenID Providers have metadata describing their configuration. These OpenID
8
+ Provider Metadata values are used by OpenID Connect
9
+ Additional OpenID Provider Metadata parameters MAY also be used. Some are defined
10
+ by other specifications, such as OpenID Connect Session Management 1.0.
11
+
12
+ See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
13
+ """
14
+ model_config = {"extra": "allow"}
15
+
16
+ issuer: AnyHttpUrl
17
+ """REQUIRED. URL using the https scheme with no query or fragment components that
18
+ the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see
19
+ Section 2), this value MUST be identical to the issuer value returned by WebFinger.
20
+ This also MUST be identical to the iss Claim value in ID Tokens issued from this
21
+ Issuer."""
22
+
23
+ authorization_endpoint: AnyHttpUrl
24
+ """REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
25
+ This URL MUST use the https scheme and MAY contain port, path, and query parameter
26
+ components."""
27
+
28
+ token_endpoint: Optional[AnyHttpUrl] = None
29
+ """URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless
30
+ only the Implicit Flow is used. This URL MUST use the https scheme and MAY contain
31
+ port, path, and query parameter components. """
32
+
33
+ userinfo_endpoint: Optional[AnyHttpUrl] = None
34
+ """RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use
35
+ the https scheme and MAY contain port, path, and query parameter components. """
36
+
37
+ jwks_uri: AnyHttpUrl
38
+ """REQUIRED. URL of the OP's JWK Set [JWK] document, which MUST use the https
39
+ scheme. This contains the signing key(s) the RP uses to validate signatures from
40
+ the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used
41
+ by RPs to encrypt requests to the Server. When both signing and encryption keys are
42
+ made available, a use (public key use) parameter value is REQUIRED for all keys in
43
+ the referenced JWK Set to indicate each key's intended usage. Although some
44
+ algorithms allow the same key to be used for both signatures and encryption, doing
45
+ so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to
46
+ provide X.509 representations of keys provided. When used, the bare key values MUST
47
+ still be present and MUST match those in the certificate. The JWK Set MUST NOT
48
+ contain private or symmetric key values."""
49
+
50
+ registration_endpoint: Optional[AnyHttpUrl] = None
51
+ """RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint
52
+ [OpenID.Registration], which MUST use the https scheme."""
53
+
54
+ scopes_supported: Optional[list[StrictStr]] = None
55
+ """RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope
56
+ values that this server supports. The server MUST support the openid scope value.
57
+ Servers MAY choose not to advertise some supported scope values even when this
58
+ parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
59
+ supported."""
60
+
61
+ response_types_supported: list[StrictStr]
62
+ """REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values
63
+ that this OP supports. Dynamic OpenID Providers MUST support the code, id_token,
64
+ and the id_token token Response Type values."""
65
+
66
+ response_modes_supported: Optional[list[StrictStr]] = None
67
+ """OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values
68
+ that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding
69
+ Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers
70
+ is ["query", "fragment"]."""
71
+
72
+ grant_types_supported: Optional[list[StrictStr]] = None
73
+ """OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that
74
+ this OP supports. Dynamic OpenID Providers MUST support the authorization_code and
75
+ implicit Grant Type values and MAY support other Grant Types. If omitted, the
76
+ default value is ["authorization_code", "implicit"]."""
77
+
78
+ acr_values_supported: Optional[list[StrictStr]] = None
79
+ """OPTIONAL. JSON array containing a list of the Authentication Context Class
80
+ References that this OP supports."""
81
+
82
+ subject_types_supported: list[StrictStr]
83
+ """REQUIRED. JSON array containing a list of the Subject Identifier types that this
84
+ OP supports. Valid types include pairwise and public."""
85
+
86
+ id_token_signing_alg_values_supported: list[StrictStr]
87
+ """REQUIRED. JSON array containing a list of the JWS signing algorithms
88
+ (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
89
+ [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported but
90
+ MUST NOT be used unless the Response Type used returns no ID Token from the
91
+ Authorization Endpoint (such as when using the Authorization Code Flow)."""
92
+
93
+ id_token_encryption_alg_values_supported: Optional[list[StrictStr]] = None
94
+ """OPTIONAL. JSON array containing a list of the JWE encryption algorithms
95
+ (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
96
+ [JWT]."""
97
+
98
+ id_token_encryption_enc_values_supported: Optional[list[StrictStr]] = None
99
+ """OPTIONAL. JSON array containing a list of the JWE encryption algorithms
100
+ (enc values) supported by the OP for the ID Token to encode the Claims in a JWT
101
+ [JWT]."""
102
+
103
+ userinfo_signing_alg_values_supported: Optional[list[StrictStr]] = None
104
+ """OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms
105
+ (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
106
+ [JWT]. The value none MAY be included."""
107
+
108
+ userinfo_encryption_alg_values_supported: Optional[list[StrictStr]] = None
109
+ """OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms
110
+ (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
111
+ [JWT]."""
112
+
113
+ userinfo_encryption_enc_values_supported: Optional[list[StrictStr]] = None
114
+ """OPTIONAL. JSON array containing a list of the JWE encryption algorithms
115
+ (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT
116
+ [JWT]. """
117
+
118
+ request_object_signing_alg_values_supported: Optional[list[StrictStr]] = None
119
+ """OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values)
120
+ supported by the OP for Request Objects, which are described in Section 6.1 of
121
+ OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the
122
+ Request Object is passed by value (using the request parameter) and when it is
123
+ passed by reference (using the request_uri parameter). Servers SHOULD support none
124
+ and RS256."""
125
+
126
+ request_object_encryption_alg_values_supported: Optional[list[StrictStr]] = None
127
+ """OPTIONAL. JSON array containing a list of the JWE encryption algorithms
128
+ (alg values) supported by the OP for Request Objects. These algorithms are used
129
+ both when the Request Object is passed by value and when it is passed by
130
+ reference."""
131
+
132
+ request_object_encryption_enc_values_supported: Optional[list[StrictStr]] = None
133
+ """OPTIONAL. JSON array containing a list of the JWE encryption algorithms
134
+ (enc values) supported by the OP for Request Objects. These algorithms are used
135
+ both when the Request Object is passed by value and when it is passed by
136
+ reference."""
137
+
138
+ token_endpoint_auth_methods_supported: Optional[list[StrictStr]] = None
139
+ """OPTIONAL. JSON array containing a list of Client Authentication methods
140
+ supported by this Token Endpoint. The options are client_secret_post,
141
+ client_secret_basic, client_secret_jwt, and private_key_jwt, as described in
142
+ Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods
143
+ MAY be defined by extensions. If omitted, the default is client_secret_basic -- the
144
+ HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0
145
+ [RFC6749]."""
146
+
147
+ token_endpoint_auth_signing_alg_values_supported: Optional[list[StrictStr]] = None
148
+ """OPTIONAL. JSON array containing a list of the JWS signing algorithms
149
+ (alg values) supported by the Token Endpoint for the signature on the JWT [JWT]
150
+ used to authenticate the Client at the Token Endpoint for the private_key_jwt and
151
+ client_secret_jwt authentication methods. Servers SHOULD support RS256. The value
152
+ none MUST NOT be used."""
153
+
154
+ display_values_supported: Optional[list[StrictStr]] = None
155
+ """OPTIONAL. JSON array containing a list of the display parameter values that the
156
+ OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID
157
+ Connect Core 1.0 [OpenID.Core]."""
158
+
159
+ claim_types_supported: Optional[list[StrictStr]] = None
160
+ """OPTIONAL. JSON array containing a list of the Claim Types that the OpenID
161
+ Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect
162
+ Core 1.0 [OpenID.Core]. Values defined by this specification are normal,
163
+ aggregated, and distributed. If omitted, the implementation supports only normal
164
+ Claims."""
165
+
166
+ claims_supported: Optional[list[StrictStr]] = None
167
+ """RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that
168
+ the OpenID Provider MAY be able to supply values for. Note that for privacy or
169
+ other reasons, this might not be an exhaustive list."""
170
+
171
+ service_documentation: Optional[AnyHttpUrl] = None
172
+ """OPTIONAL. URL of a page containing human-readable information that developers
173
+ might want or need to know when using the OpenID Provider. In particular, if the
174
+ OpenID Provider does not support Dynamic Client Registration, then information on
175
+ how to register Clients needs to be provided in this documentation."""
176
+
177
+ claims_locales_supported: Optional[list[StrictStr]] = None
178
+ """OPTIONAL. Languages and scripts supported for values in Claims being returned,
179
+ represented as a JSON array of BCP47 [RFC5646] language tag values. Not all
180
+ languages and scripts are necessarily supported for all Claim values."""
181
+
182
+ ui_locales_supported: Optional[list[StrictStr]] = None
183
+ """OPTIONAL. Languages and scripts supported for the user interface, represented as
184
+ a JSON array of BCP47 [RFC5646] language tag values."""
185
+
186
+ claims_parameter_supported: Optional[StrictBool] = None
187
+ """OPTIONAL. Boolean value specifying whether the OP supports use of the claims
188
+ parameter, with true indicating support. If omitted, the default value is false."""
189
+
190
+ request_parameter_supported: Optional[StrictBool] = None
191
+ """OPTIONAL. Boolean value specifying whether the OP supports use of the request
192
+ parameter, with true indicating support. If omitted, the default value is false."""
193
+
194
+ request_uri_parameter_supported: Optional[StrictBool] = None
195
+ """OPTIONAL. Boolean value specifying whether the OP supports use of the
196
+ request_uri parameter, with true indicating support. If omitted, the default value
197
+ is true."""
198
+
199
+ require_request_uri_registration: Optional[StrictBool] = None
200
+ """OPTIONAL. Boolean value specifying whether the OP requires any request_uri
201
+ values used to be pre-registered using the request_uris registration parameter.
202
+ Pre-registration is REQUIRED when the value is true. If omitted, the default value
203
+ is false."""
204
+
205
+ op_policy_uri: Optional[AnyHttpUrl] = None
206
+ """OPTIONAL. URL that the OpenID Provider provides to the person registering the
207
+ Client to read about the OP's requirements on how the Relying Party can use the
208
+ data provided by the OP. The registration process SHOULD display this URL to the
209
+ person registering the Client if it is given."""
210
+
211
+ op_tos_uri: Optional[AnyHttpUrl] = None
212
+ """OPTIONAL. URL that the OpenID Provider provides to the person registering the
213
+ Client to read about the OpenID Provider's terms of service. The registration
214
+ process SHOULD display this URL to the person registering the Client if it is
215
+ given."""
216
+
217
+ end_session_endpoint: Optional[AnyHttpUrl] = None
218
+ """https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OPMetadata
219
+ REQUIRED. URL at the OP to which an RP can perform a redirect to request that the
220
+ End-User be logged out at the OP. This URL MUST use the https scheme and MAY
221
+ contain port, path, and query parameter components.
222
+ It is optional here, because OPs may or not may not support this specification."""
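Review bot: Every endpoint field is typed `AnyHttpUrl`, which accepts `http://` values, although the field docstrings (following the Discovery spec) state that `issuer`, `authorization_endpoint`, `token_endpoint`, `jwks_uri` and the other endpoints MUST use https; as written, a plaintext or downgraded discovery document passes validation silently. If the pinned pydantic supports it, a constrained alias such as `HttpsUrl = Annotated[AnyUrl, UrlConstraints(allowed_schemes=["https"])]` applied to those fields would enforce the documented contract at parse time — confirm the constraint name against the installed version. The class docstring's first sentence breaks off at "are used by OpenID Connect", and the `end_session_endpoint` docstring reads "may or not may not"; both are worth tidying. `model_config = {"extra": "allow"}` is appropriate because the spec permits additional metadata parameters, but a one-line comment saying so, e.g. `# spec allows additional metadata parameters; keep them rather than reject`, would save the next reader a spec lookup.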
@@ -0,0 +1,17 @@
1
+ Metadata-Version: 2.3
2
+ Name: oidc-discovery
3
+ Version: 0.1.0
4
+ Summary: Add your description here
5
+ Author: Youri Westerman
6
+ Author-email: Youri Westerman <y.westerman@amsterdam.nl>
7
+ Requires-Dist: httpx[http2]>=0.28.1
8
+ Requires-Dist: pydantic>=2.13.4
9
+ Requires-Python: >=3.11
10
+ Description-Content-Type: text/markdown
11
+
12
+ # OpenID Connect Discovery
13
+ Implementation of a client for
14
+ [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
15
+
16
+ Allowing one to retrieve the information required to communicate with OpenID connect core providers.
17
+ This does not support issuer discovery at this time.
@@ -0,0 +1,7 @@
1
+ oidc_discovery/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
2
+ oidc_discovery/clients.py,sha256=_K8sAuQrWmebvXvcUXmUBSfXTI34KqExYq7xSYkN1P0,2079
3
+ oidc_discovery/models.py,sha256=b9r2eFf0pVXIf81FaErdpil9feK3ylMqEBLZiNy6jaA,12652
4
+ oidc_discovery/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
5
+ oidc_discovery-0.1.0.dist-info/WHEEL,sha256=jK0lbM7sVtq70msNoYotEXYS3OJMDdns2CRgyjhimnE,81
6
+ oidc_discovery-0.1.0.dist-info/METADATA,sha256=o9RODWPb9j-2FFsdhqnFzkmXGSTcIReY1OMOWXLv5K0,606
7
+ oidc_discovery-0.1.0.dist-info/RECORD,,
@@ -0,0 +1,4 @@
1
+ Wheel-Version: 1.0
2
+ Generator: uv 0.11.25
3
+ Root-Is-Purelib: true
4
+ Tag: py3-none-any