¶ GenAuth - Python SDK OIDC module
OpenID Connect, also known as OIDC, is an extension of OAuth 2.0, which mainly adds semantic user information fields.
¶ Initialization
Parameters when initializing AuthenticationClient:
- app_id<str> Application ID, required.
- secret<str> Application key, required.
- app_host<str> Full application address, such as https://sample-app.genauth.ai, without the trailing slash '/'.
- redirect_uri<str> Business callback URL, required. For details, please see [Documentation](/guides/federation/oidc.html#Authorization Code Mode).
- protocol<str> Protocol type, optional values are oidc, oauth, saml, cas; fill in oidc here.
- token_endpoint_auth_method<str> Authentication method for the token endpoint, optional values are client_secret_post, client_secret_basic, none; default is client_secret_post.
- introspection_endpoint_auth_method<str> Authentication method for the token introspection endpoint, optional values are client_secret_post, client_secret_basic, none; default is client_secret_post.
- revocation_endpoint_auth_method<str> Authentication method for the token revocation endpoint, optional values are client_secret_post, client_secret_basic, none; default is client_secret_post.
¶ Example
from genauth.v2.authentication import AuthenticationClient, AuthenticationClientOptions
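# The listing as published lacked the opening parenthesis of the
# AuthenticationClient(...) call; it is restored here.
authentication_client = AuthenticationClient(
    options=AuthenticationClientOptions(
        app_id='GEN_AUTH_APP_ID',
        app_host='https://YOUR_DOMAIN.genauth.ai',  # no trailing '/'
        # Placeholder only: load the real application secret from the
        # environment or a secret store rather than keeping it in source.
        secret='GEN_AUTH_APP_SECRET',
        protocol='oidc',
        redirect_uri='http://localhost:3000',
        token_endpoint_auth_method='client_secret_post',
        introspection_endpoint_auth_method='client_secret_post',
        revocation_endpoint_auth_method='client_secret_post'
    )
)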
¶ Generate a user login link for the OIDC protocol
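def build_authorize_url(
    self,
    redirect_uri=None,
    response_type=None,
    response_mode=None,
    state=None,
    nonce=None,
    scope=None,
    code_challenge_method=None,
    code_challenge=None,
):
    """Build the OIDC login (authorization) URL for the hosted login page.

    Signature listing only; the SDK supplies the implementation, which
    returns the URL (the examples parse it with ``urlparse``).

    Args:
        redirect_uri: Callback address; defaults to the redirect_uri given
            when the client was initialized.
        response_type: Defaults to 'code' (authorization code mode).
        response_mode: 'query', 'fragment' or 'form_post'; defaults to
            'query'.
        state: Random string; generated automatically when omitted.
        nonce: Random string; generated automatically when omitted.
        scope: Space-separated permission items; include 'offline_access'
            to obtain a refresh token.
        code_challenge_method: 'plain' or 'S256'. With 'plain' the
            challenge is the original value itself, so prefer 'S256'.
        code_challenge: PKCE challenge, at least 43 characters.
    """
    # NOTE(review): the page does not show how an auto-generated state or
    # nonce is handed back to the caller. To compare them on the callback,
    # generate them yourself and pass them in explicitly.
    pass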
Generate a user login link for the OIDC protocol. Users can access the online login page of GenAuth through this link.
¶ Parameters
Parameters required to initiate authorization login. For details, see Using OIDC Authorization Code Mode.
- scope<str> Requested permission items, optional; the default for the OIDC protocol is openid profile email phone address, and the default for the OAuth 2.0 protocol is user.
- nonce<str> Random string, optional, automatically generated by default.
- state<str> Random string, optional, automatically generated by default.
- response_mode<str> Response mode, optional, values are query, fragment, form_post; the default is query, that is, code is sent to the callback address through browser redirection.
- response_type<str> Response type, optional, values are code, code id_token token, code id_token, code token, id_token token, id_token, none; the default is code, authorization code mode.
- redirect_uri<str> Callback address, required, the default is the redirectUri parameter when the SDK is initialized.
- code_challenge<str> A string with a length greater than or equal to 43, sent to GenAuth as code_challenge.
- code_challenge_method<str> Can be plain or S256, indicating the digest algorithm used when calculating code_challenge. plain means no algorithm is used, so the code_challenge is the original value itself; S256 means code_challenge is calculated using SHA256.
¶ Example
- Concatenate OIDC authorization code mode authorization link
from urllib.parse import urlparse, parse_qs
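def test_oidc_build_authorize_url_authorization_code_mode(self):
    """Authorization code mode: check the query parameters of the login URL."""
    app_id = os.getenv('GEN_AUTH_APP_ID')
    redirect_uri = os.getenv('GEN_AUTH_APP_REDIRECT_URI')
    authentication_client = AuthenticationClient(options=AuthenticationClientOptions(
        app_id=app_id,
        app_host=os.getenv('GEN_AUTH_APP_HOST'),
        # The application secret is read from the environment, not hard-coded.
        secret=os.getenv('GEN_AUTH_APP_SECRET'),
        protocol=os.getenv('GEN_AUTH_APP_PROTOCOL'),
        redirect_uri=redirect_uri,
        token_endpoint_auth_method='client_secret_basic'
    ))

    url = authentication_client.build_authorize_url(response_mode='form_post')
    queries = parse_qs(urlparse(url).query)

    # state and nonce were not passed in, so the SDK must have generated them.
    self.assertIn('nonce', queries)
    self.assertIn('state', queries)
    self.assertIn('scope', queries)
    # Comparing the whole value list reports a missing parameter as a test
    # failure (not a TypeError) and also rejects a duplicated parameter.
    self.assertEqual(queries.get('client_id'), [app_id])
    self.assertEqual(queries.get('redirect_uri'), [redirect_uri])
    self.assertEqual(queries.get('response_type'), ['code'])
    self.assertEqual(queries.get('response_mode'), ['form_post'])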
- Concatenate OIDC implicit mode authorization link
from urllib.parse import urlparse, parse_qs
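def test_oidc_build_authorize_url_implicit_mode(self):
    """Implicit mode: the requested response_type is carried into the URL."""
    authentication_client = AuthenticationClient(options=AuthenticationClientOptions(
        app_id=os.getenv('GEN_AUTH_APP_ID'),
        app_host=os.getenv('GEN_AUTH_APP_HOST'),
        secret=os.getenv('GEN_AUTH_APP_SECRET'),
        protocol=os.getenv('GEN_AUTH_APP_PROTOCOL'),
        redirect_uri=os.getenv('GEN_AUTH_APP_REDIRECT_URI'),
        token_endpoint_auth_method='client_secret_basic'
    ))

    # With this response_type the tokens are returned directly on the
    # callback instead of an authorization code.
    url = authentication_client.build_authorize_url(response_type='id_token token')
    queries = parse_qs(urlparse(url).query)

    # assertEqual reports the actual value on failure and treats a missing
    # parameter as a failure rather than a TypeError.
    self.assertEqual(queries.get('response_type'), ['id_token token'])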
- Concatenate OIDC authorization link with refresh_token capability (scope contains
offline_access)
from urllib.parse import urlparse, parse_qs
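def test_oidc_build_authorize_url_offline_access(self):
    """offline_access scope: the login URL must ask for explicit consent."""
    authentication_client = AuthenticationClient(options=AuthenticationClientOptions(
        app_id=os.getenv('GEN_AUTH_APP_ID'),
        app_host=os.getenv('GEN_AUTH_APP_HOST'),
        secret=os.getenv('GEN_AUTH_APP_SECRET'),
        protocol=os.getenv('GEN_AUTH_APP_PROTOCOL'),
        redirect_uri=os.getenv('GEN_AUTH_APP_REDIRECT_URI'),
        token_endpoint_auth_method='client_secret_basic'
    ))

    url = authentication_client.build_authorize_url(scope='openid profile offline_access')
    queries = parse_qs(urlparse(url).query)

    # Requesting a refresh token (offline_access) is expected to add
    # prompt=consent to the URL; a missing parameter is a test failure.
    self.assertEqual(queries.get('prompt'), ['consent'])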
- Concatenate OIDC authorization code + PKCE with refresh_token capability authorization link
from urllib.parse import urlparse, parse_qs
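def test_oidc_build_authorize_url_pkce_s256(self):
    """PKCE with S256: only the digest of the verifier appears in the URL."""
    authentication_client = AuthenticationClient(options=AuthenticationClientOptions(
        app_id=os.getenv('GEN_AUTH_APP_ID'),
        app_host=os.getenv('GEN_AUTH_APP_HOST'),
        secret=os.getenv('GEN_AUTH_APP_SECRET'),
        protocol=os.getenv('GEN_AUTH_APP_PROTOCOL'),
        redirect_uri=os.getenv('GEN_AUTH_APP_REDIRECT_URI'),
        token_endpoint_auth_method='client_secret_basic'
    ))

    # The original value stays with the application and is later passed as
    # code_verifier; the authorization URL carries only its digest.
    code_verifier = authentication_client.generate_code_challenge()
    code_challenge = authentication_client.generate_code_challenge_digest(code_verifier)
    url = authentication_client.build_authorize_url(
        code_challenge=code_challenge,
        code_challenge_method='S256'
    )
    queries = parse_qs(urlparse(url).query)

    # Whole-list comparison: a missing or duplicated parameter fails the
    # test instead of raising TypeError or passing unnoticed.
    self.assertEqual(queries.get('code_challenge'), [code_challenge])
    self.assertEqual(queries.get('code_challenge_method'), ['S256'])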
- Concatenate OIDC authorization code + PKCE with refresh_token capability authorization link
from urllib.parse import urlparse, parse_qs
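def test_oidc_build_authorize_url_pkce_plain(self):
    """PKCE with the plain method plus offline_access scope."""
    authentication_client = AuthenticationClient(options=AuthenticationClientOptions(
        app_id=os.getenv('GEN_AUTH_APP_ID'),
        app_host=os.getenv('GEN_AUTH_APP_HOST'),
        secret=os.getenv('GEN_AUTH_APP_SECRET'),
        protocol=os.getenv('GEN_AUTH_APP_PROTOCOL'),
        redirect_uri=os.getenv('GEN_AUTH_APP_REDIRECT_URI'),
        token_endpoint_auth_method='client_secret_basic'
    ))

    code_verifier = authentication_client.generate_code_challenge()
    # With method='plain' the digest helper returns the value as is, so the
    # URL exposes the same value that is later sent as code_verifier. This
    # test only exercises the option; S256 is the stronger choice in
    # deployments.
    code_challenge = authentication_client.generate_code_challenge_digest(code_verifier, method='plain')
    url = authentication_client.build_authorize_url(
        code_challenge=code_challenge,
        code_challenge_method='plain',
        scope='openid profile offline_access'
    )
    queries = parse_qs(urlparse(url).query)

    # Whole-list comparison: a missing or duplicated parameter fails the
    # test instead of raising TypeError or passing unnoticed.
    self.assertEqual(queries.get('code_challenge'), [code_challenge])
    self.assertEqual(queries.get('code_challenge_method'), ['plain'])
    self.assertEqual(queries.get('prompt'), ['consent'])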
¶ Sample data
https://oidc1.genauth.ai/oidc/auth?nonce=5485323897342262&state=7400704296715694&scope=openid+profile+offline_access&client_id=5f17a529f64fb009b794a2ff&response_mode=query&redirect_uri=https%3A%2F%2Fbaidu.com&response_type=code&prompt=consent
¶ Code to Token
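def get_access_token_by_code(self, code, code_verifier=None):
    """Exchange an authorization code for the user's token information.

    Signature listing only; the SDK supplies the implementation.

    Args:
        code: Authorization code delivered to the callback address after
            the user authenticates. Each code can be used only once.
        code_verifier: Original (un-hashed) PKCE value, not the digest.
            Required when the login was started with PKCE.
    """
    pass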
Use the authorization code to get the user's Token information.
¶ Parameters
- code<str> Authorization code. After the user successfully authenticates, GenAuth sends the authorization code to the callback address. For details, see Using OIDC Authorization Code Mode. Each code can only be used once.
- code_verifier<str> The original value of the verification code, not the digest value. This parameter is required when the authorization login was initiated with PKCE. For details, see Using OIDC Authorization Code + PKCE Mode.
¶ Example
Normal authorization code mode:
# The code is delivered to the callback address after login and can be
# exchanged only once.
code = 'xxxx'
data = authentication_client.get_access_token_by_code(code=code)
PKCE + authorization code mode:
code = 'xxxx'
# Original (un-hashed) value whose digest was sent as code_challenge when
# the login was started; it is not the digest itself.
code_verifier = 'xxx'
data = authentication_client.get_access_token_by_code(code=code, code_verifier=code_verifier)
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ihfeNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
"expires_in": 3600,
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.OlX-FP7znIEqx0YpnOQ8kxadMe1toHDj1KPVm0dbEVc",
"scope": "email openid profile phone",
"token_type": "Bearer"
}
Field explanation:
| Field name | Meaning |
|---|---|
| token_type | Token type, fixed value Bearer |
| scope | Authorization scope, authorized user permissions |
| id_token | Id token, GenAuth issued Id token |
| expires_in | Access token expiration time |
| access_token | Access token, GenAuth issued Access token |
¶ Token to User Information
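def get_user_info_by_access_token(self, access_token):
    """Fetch the user's profile information with an access token.

    Signature listing only; the SDK supplies the implementation.

    Args:
        access_token: Access token obtained by exchanging an authorization
            code (see get_access_token_by_code).
    """
    pass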
Use Access token to get user information.
¶ Parameters
access_token<str> Access token, the content of the Access token obtained by using the authorization code Code. For details, see Using OIDC Authorization Code Mode.
¶ Example
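# Pass the access_token value taken from the token response.
data = authentication_client.get_user_info_by_access_token("Access token")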
¶ Example data
{
"address": {
"country": null,
"postal_code": null,
"region": null,
"formatted": null
},
"birthdate": null,
"family_name": null,
"gender": "U",
"given_name": null,
"locale": null,
"middle_name": null,
"name": null,
"nickname": null,
"picture": "https://files.authing.co/authing-console/default-user-avatar.png",
"preferred_username": null,
"profile": null,
"updated_at": "2021-03-03T06:17:14.485Z",
"website": null,
"zoneinfo": null,
"email": "test1@genauth.ai",
"email_verified": false,
"sub": "603f184cec4505e2868431fc", // Abbreviation of subject, which is the user ID
"phone_number": null,
"phone_number_verified": false
}
Field explanation:
| Field name | Translation |
|---|---|
| sub | Abbreviation of subject, unique identifier, usually user ID |
| name | Full name |
| given_name | First name |
| family_name | Last name |
| middle_name | Middle name |
| nickname | Nickname |
| preferred_username | Preferred name |
| profile | Basic information |
| picture | Avatar |
| website | Website link |
| email_verified | Whether the email is verified |
| gender | Gender |
| birthdate | Birthday |
| zoneinfo | Time zone |
| locale | Region |
| phone_number | Phone number |
| phone_number_verified | Verified phone number |
| address | Address object |
| address.formatted | Detailed address |
| address.street_address | Street address |
| address.locality | City |
| address.region | Province |
| address.postal_code | Postal code |
| address.country | Country |
| updated_at | Information updated at |
¶ Refresh Access Token
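def get_new_access_token_by_refresh_token(self, refresh_token):
    """Obtain a new access token with a refresh token.

    Signature listing only; the SDK supplies the implementation.

    Args:
        refresh_token: Value of refresh_token in the return value of
            get_access_token_by_code; it is only returned when the
            requested scope contains offline_access.
    """
    # NOTE(review): the sample response also carries a refresh_token.
    # Presumably the caller should store the newest one; confirm whether
    # the previous refresh token stays valid afterwards.
    pass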
Use Refresh token to get a new Access token.
¶ Parameters
refresh_token<str> Refresh token, can be obtained from the refresh_token in the return value of the AuthenticationClient.get_access_token_by_code method. For details, see Refresh Access token.
¶ Example
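# A refresh token is only issued when the login scope contained offline_access.
data = authentication_client.get_new_access_token_by_refresh_token('Refresh Token')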
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJZUHB4NUVEWGlQWVJvNUFQWXAzci0iLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTQwOTE0OTksImV4cCI6MTYxNDA5NTA5OSwic2NvcGUiOiJvZmZsaW5lX2FjY2VzcyBwcm9maWxlIG9wZW5pZCIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.ZN_SlfVg1oNMz7uAK-5K84dqqqmlZehmAPOLytOR9HnLHImKJ9VO5u1hRsAjGCob0kMUV5wVxQhX3EFks7FtMamiX2Jvn-NYh4V_5T6l3LFf4uoKF6AykAg483nG3EEENuGgQo15bBszsoCGqFnNmUd0T4Cgxx0zbxXPxMdp_dcE14KzmNz1w-Qg3yVeYmSTZFdcLtZA2BYnVEa7LYA2yA3DgawwAcRmrlyEfnvCO3uY2TcsTKEAfQ-QgVIGRWOfyUE5f-_X3TolliO1fXnwZBdxEKMXLGW5E2bPVcePyiV0upYbUnQ079UxBlEiWlgeW_rpkTPXDxHAgiE488gtlg",
"expires_in": 3600,
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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._H59237sqpsY0OgyY_RM7CvuG6cFo1x03y-DBhd5hik",
"refresh_token": "3T49f4Y48szoMmwBXragjqLwQZC4QhgnsM5Oy2WfmU-",
"scope": "openid offline_access profile",
"token_type": "Bearer"
}
¶ Check the status of Access Token or Refresh token
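def introspect_token(self, token):
    """Check the status of an access token or a refresh token.

    Signature listing only; the SDK supplies the implementation. In the
    sample data a valid token yields ``"active": true`` plus claims such as
    sub, client_id, exp and scope, while an invalid token yields only
    ``"active": false``; check ``active`` before reading any other field.

    Args:
        token: Access token or refresh token from the return value of
            get_access_token_by_code.
    """
    pass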
Check the status of Access token or Refresh token.
¶ Parameters
token<str> Access token or Refresh token, can be obtained from the access_token or refresh_token in the return value of the AuthenticationClient.get_access_token_by_code method. Note: refresh_token is only returned when the scope contains offline_access.
¶ Example
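# An invalid token yields {"active": false}; check data['active'] before
# using any other field of the result.
data = authentication_client.introspect_token('Refresh Token')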
¶ Sample data
Token is valid:
{
"active": true,
"sub": "60097f4d5bc08f75da104d18", // Abbreviation of subject, which is the user ID
"client_id": "60097391b1358c17c5fb0f4e",
"exp": 1612445888,
"iat": 1611236288,
"iss": "https://core.littleimp.cn/oidc",
"jti": "TV4J0gAbe4KR4-8CtYcOa",
"scope": "openid profile email phone offline_access",
"token_type": "Bearer"
}
Token is invalid:
{
"active": false
}
If the verification process itself fails, an error is thrown.
¶ Check the validity of Id Token or Access Token
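def validate_token(self, id_token=None, access_token=None):
    """Verify an ID token or an access token through GenAuth's online API.

    Signature listing only; the SDK supplies the implementation. The check
    is performed by the server, so every call makes a network request.

    Args:
        id_token: ID token from the return value of
            get_access_token_by_code.
        access_token: Access token from the return value of
            get_access_token_by_code.
    """
    # NOTE(review): the sample data shows an invalid token as an object
    # with "code": 400 and a message, not as an exception. Callers should
    # check for that shape before treating the result as token claims;
    # confirm whether the SDK raises instead.
    pass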
Verify the ID token or Access Token through the online interface provided by GenAuth. A network request will be generated.
¶ Parameters
- id_token<str> ID token, can be obtained from the id_token in the return value of the AuthenticationClient.get_access_token_by_code method.
- access_token<str> Access token, can be obtained from the access_token in the return value of the AuthenticationClient.get_access_token_by_code method.
¶ Example
- Check the validity of id_token
# Verified online by GenAuth, so this call makes a network request.
data = authentication_client.validate_token(id_token='xxx')
- Check the validity of access_token
# Verified online by GenAuth, so this call makes a network request.
data = authentication_client.validate_token(access_token='xxx')
¶ Sample data
id_token is valid:
{
"sub": "5f64afd1ad501364e3b43c1e", // Abbreviation of subject, which is the user ID
"birthdate": null,
"family_name": null,
"gender": "U",
"given_name": null,
"locale": null,
"middle_name": null,
"name": null,
"nickname": null,
"picture": "https://usercontents.genauth.ai/authing-avatar.png",
"preferred_username": "test1",
"profile": null,
"updated_at": "2020-09-27T06:06:29.853Z",
"website": null,
"zoneinfo": null,
"email": "test1@123.com",
"email_verified": false,
"phone_number": null,
"phone_number_verified": false,
"nonce": "CQsguqUdl7",
"at_hash": "10iOtwuTNtyQLzlNYXAHeg",
"aud": "5f17a529f64fb009b794a2ff",
"exp": 1601460494,
"iat": 1601456894,
"iss": "https://oidc1.genauth.ai/oidc"
}
Id token is invalid:
{ "code": 400, "message": "id_token format is incorrect" }
{ "code": 400, "message": "id_token is invalid" }
Access token is valid:
{
"jti": "K5TYewNhvdGBdHiRifMyW",
"sub": "5f64afd1ad501364e3b43c1e", // Abbreviation of subject, which is the user ID
"iat": 1601456894,
"exp": 1601460494,
"scope": "openid profile email phone",
"iss": "https://oidc1.genauth.ai/oidc",
"aud": "5f17a529f64fb009b794a2ff"
}
Access token is invalid:
{ "code": 400, "message": "access_token format is incorrect" }
{ "code": 400, "message": "access_token is invalid" }
¶ Revoke Access Token or Refresh token
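def revoke_token(self, token):
    """Ask GenAuth to revoke an access token or a refresh token.

    Signature listing only; the SDK supplies the implementation, which is
    documented to return true on success and raise an error on failure.

    Args:
        token: Access token or refresh token from the return value of
            get_access_token_by_code. A refresh token is only returned
            when the requested scope contains offline_access.
    """
    pass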
Revoke Access token or Refresh token. The holder of Access token or Refresh token can notify GenAuth that the token is no longer needed and hope that GenAuth will revoke it.
¶ Parameters
token<str> Access token or Refresh token, which can be obtained from the access_token or refresh_token in the return value of the get_access_token_by_code method. **Note: refresh_token will only be returned if offline_access is included in the scope.**
¶ Example
# revoke_token returns true on success and raises an error on failure.
success = authentication_client.revoke_token(token='xxx')
¶ Sample data
Return true if the revocation is successful.
Throw an error if the revocation fails.
¶ Concatenate the logout URL
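def build_logout_url(self, expert=None, redirect_uri=None, id_token=None):
    """Build the logout URL.

    Signature listing only; the SDK supplies the implementation.

    Args:
        expert: Whether to enable expert mode; defaults to false. The
            expert-mode example uses the OIDC standard logout link.
        redirect_uri: Address to redirect to after logout. For the OIDC
            standard link it must match the logout callback configured in
            the console.
        id_token: The user's ID token; needed for the OIDC standard link.
    """
    pass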
Concatenate the logout URL.
¶ Parameters
- expert<boolean> Whether to enable expert mode, the default is false.
- redirect_uri<str> The redirect address after logout.
- id_token<str> The user's idToken.
¶ Example
Log out using the front-end universal logout link:
from genauth.v2.authentication import AuthenticationClient, AuthenticationClientOptions
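# The listing as published lacked the opening parenthesis of the
# AuthenticationClient(...) call; it is restored here.
authentication_client = AuthenticationClient(
    options=AuthenticationClientOptions(
        app_id='GEN_AUTH_APP_ID',
        app_host='https://YOUR_DOMAIN.genauth.ai',
        redirect_uri='http://localhost:3000',
        protocol='oidc'
    )
)
# Original note: redirect_uri can be any value.
# NOTE(review): this presumably refers to the redirect_uri in the options
# above. Confirm whether the logout redirect_uri below is checked against a
# configured list, because an unchecked post-logout redirect can send users
# to an arbitrary site.
url = authentication_client.build_logout_url(
    redirect_uri='https://www.genauth.ai'
)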
Use the OIDC protocol standard link to log out, you need to pass in the current user's Id token, and the logout callback address must be consistent with the configuration in the console:
from genauth.v2.authentication import AuthenticationClient, AuthenticationClientOptions
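# The listing as published lacked the opening parenthesis of the
# AuthenticationClient(...) call; it is restored here.
authentication_client = AuthenticationClient(
    options=AuthenticationClientOptions(
        app_id='GEN_AUTH_APP_ID',
        app_host='https://YOUR_DOMAIN.genauth.ai',
        redirect_uri='http://localhost:3000',
        protocol='oidc'
    )
)
# Original note: redirect_uri here can be filled in arbitrarily. That
# presumably applies to the redirect_uri in the options above; the one
# passed to build_logout_url must match the logout callback address
# configured in the console.
url = authentication_client.build_logout_url(
    expert=True,
    id_token='The idToken of the user to be logged out',
    redirect_uri='http://localhost:3000'
)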
¶ Get Access Token in Client Credentials mode
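def get_access_token_by_client_credentials(self, scope, access_key, access_secret):
    """Obtain an access token with a programming access account (M2M).

    Signature listing only; the SDK supplies the implementation.

    Args:
        scope: Space-separated permission items; request only the
            permissions the calling service needs.
        access_key: AccessKey of the programming access account.
        access_secret: SecretKey of the programming access account; treat
            it like a password and keep it out of source control.
    """
    pass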
Use programming access account to get an Access Token with permission.
¶ Parameters
- scope<str> Permission item, a space-separated string, each item represents a permission. For details, see Machine-to-Machine (M2M) Authorization.
- access_key, Programming access account AccessKey.
- access_secret, Programming access account SecretKey.
¶ Example
from genauth.v2.authentication import AuthenticationClient, AuthenticationClientOptions
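# The listing as published lacked the opening parenthesis of the
# AuthenticationClient(...) call; it is restored here.
authentication_client = AuthenticationClient(
    options=AuthenticationClientOptions(
        app_id='GEN_AUTH_APP_ID',
        app_host='https://YOUR_DOMAIN.genauth.ai',
        # Placeholder only: load the real secret from the environment or a
        # secret store.
        secret='GEN_AUTH_APP_SECRET',
        redirect_uri='http://localhost:3000',
        protocol='oidc'
    )
)
# The AccessKey/SecretKey pair below is a credential in its own right;
# the strings shown are placeholders for values loaded at runtime.
res = authentication_client.get_access_token_by_client_credentials(
    scope='email openid profile phone',
    access_key='Programming access account AK',
    access_secret='Programming access account SK'
)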
¶ Sample data
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlRmTE90M0xibjhfYThwUk11ZXNzYW1xai1vM0RCQ3MxLW93SExRLVZNcVEifQ.eyJqdGkiOiJsdzg0NW5zdGcwS3EtMTlodVpQOHYiLCJzdWIiOiI1ZmY3MDFkODQ2YjkyMDNlMmY2YWM2ZjMiLCJpYXQiOjE2MTU4ODM1ODYsImV4cCI6MTYxNTg4NzE4Niwic2NvcGUiOiJlbWFpbCBvcGVuaWQgcHJvZmlsZSBwaG9uZSIsImlzcyI6Imh0dHBzOi8vb2lkYzEuYXV0aGluZy5jbi9vaWRjIiwiYXVkIjoiNWYxN2E1MjlmNjRmYjAwOWI3OTRhMmZmIn0.VvYKBcWcr8iIi1b37ugWQ9hsvog4_7EqDQyFqwhIuvM0NHlHH3Bhw83EQIKSNfbWV4nv3ihfeNGPLMzslbQr-wwjnWZTLMYl1bcn7IdVtD_kTN3Zz10MwF5td-VQ7UndU28wJ0HE1mo6E8QH93kYGckS5FSZXmCBa0M5H59Jec_a1MHI1MZrr_V9cZ9EfeF97V-PcqU8JVAwDZclCJ3mWY_Mb65RnMR9yEVqUZzJStmaXGMuRIzjkm2pklqt0CtQQJfzECXq_4USpwRXDiYLWILYPUCcO6hGxDjhMEd8IcxdG51TQP-w1UM6LyIRn61uSJvDsz8zg5dStDKyocypiA",
"expires_in": 3600,
"scope": "email openid profile phone",
"token_type": "Bearer"
}
¶ Generate PKCE code challenge
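def generate_code_challenge(self, length=43):
    """Generate the random original value used for PKCE.

    Signature listing only; the SDK supplies the implementation. The
    examples store the result as ``code_verifier`` and send only its digest
    in the authorization URL.

    Args:
        length: Number of characters to generate; defaults to 43, the
            documented minimum.
    """
    pass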
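Generate a PKCE code challenge (at least 43 characters). This is the original value that get_access_token_by_code expects as code_verifier; the value placed in the authorization URL is its digest, produced by generate_code_challenge_digest.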
¶ Parameters
None
¶ Example
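# This is the un-hashed original value: keep it with the user's session and
# pass it later as code_verifier when exchanging the authorization code.
code_verifier = authentication_client.generate_code_challenge()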
¶ Sample data
VrpGRU_3FQ5au1TqCvzeh1nTij7HkcnpP1qWzJMGX_Y
¶ Generate PKCE code challenge digest value
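def generate_code_challenge_digest(self, code_challenge, method=None):
    """Derive the PKCE code_challenge digest from the original value.

    Signature listing only; the SDK supplies the implementation.

    Args:
        code_challenge: Original random value, at least 43 characters.
        method: 'plain' returns the value unchanged; 'S256' returns its
            SHA256-based digest. Prefer 'S256', since 'plain' puts the
            original value itself into the authorization URL.
    """
    # NOTE(review): the default used when method is None is not stated on
    # the page; one example omits it and then sends
    # code_challenge_method='S256', so it is presumably S256. Confirm.
    pass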
Generate a PKCE code challenge digest value.
¶ Parameters
- code_challenge, The original value of the code_challenge to be generated, a random string of at least 43 characters.
- method, Can be plain or S256, indicating the hash algorithm used when calculating code_challenge; plain means to return the code_challenge as is without any algorithm, S256 means to use SHA256 to calculate the code_challenge hash.
¶ Example
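# Generate the random original value (passed later as code_verifier)
code_verifier = authentication_client.generate_code_challenge()
# Calculate its SHA256 digest; this digest is what goes into the
# authorization URL as code_challenge
code_challenge_digest = authentication_client.generate_code_challenge_digest(
    code_challenge=code_verifier,
    method='S256'
)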
¶ Sample data
Bu6RP796BBiAwGwdUpHpKfhmQqahszBcGep8qT31XOy
