OpenID Class

Properties Methods Events Configuration Settings Errors

The OpenID class is used to verify the identify of a user as well as get basic profile information.

Syntax

class ipworksauth.OpenID

Remarks

The OpenID class implements an OpenID Connect 1.0 relying party (client) capable of authenticating a user and retrieving user information. OpenID Connect 1.0 is a simple identity layer on top of OAuth 2.0 and re-uses much of the functionality and concepts defined by OAuth 2.0.

To begin using the class you will first need to register your application with the service you want to use. During this process you should obtain a client_id and client_secret. The following sections discuss the typical steps to verify the identify of a user and obtain profile information.

Get the Discovery Document

Many OpenID providers provide information via a Discovery Document. The Discovery Document defines information such as the endpoint URLs for authentication, tokens, and user information requests. In addition details about the allowed parameters such as supported authorization scopes are defined in this document. The document at a URL which can be fetched and parsed by calling the get_discovery_doc method.

The discovery document URL is typically published by an OpenID provider and must be known before calling this method. The format of the URL is standardized and typically takes the form:

https://www.youropenidserver.com/.well-known/openid-configuration

Call get_discovery_doc before calling get_authorization to populate the class properties with information required to complete the authorization. The retrieved information includes endpoint URLs as well as the OpenID public certificates used to verify the signature on the ID token. After calling this method the following properties are populated:

The above values may be stored, and later populated from the stored values, to avoid the requirement of calling get_discovery_doc on subsequent authorization requests.

The following discovery document fields are populated after get_discovery_doc returns:

To access values not automatically parsed by the class the XPath configuration setting may be set to retrieve a specific value. Alternatively the RawJSON setting returns the entire JSON document which may be parsed separately.

Note: Calling get_discovery_doc is not mandatory. If server information was stored from a previous call or is otherwise known ahead of time the following properties may be set in place of calling get_discovery_doc:

Examples of the above points:

openid.GetDiscoveryDoc("https://accounts.google.com/.well-known/openid-configuration");
// ... or ...
openid.ServerAuthURL = "https://accounts.google.com/o/oauth2/v2/auth";
openid.ServerTokenURL = "https://oauth2.googleapis.com/token";
openid.ServerUserInfoURL = "https://openidconnect.googleapis.com/v1/userinfo";
openid.SignerCertURL = "https://www.googleapis.com/oauth2/v3/certs";
// ... or ...
string rawjson = openid.Config("RawJSON");

Get Authorization

Before calling get_authorization the class may be configured for one of several flows defined by the grant_type property. These flows determine which information is returned by the authorization server and which information (if any) is returned by the token server.

Possible values for grant_type are:

0 (Authorization Code - Default)
1 (Implicit)
2 (Hybrid)

When using 0 (Authorization Code Flow - Default) an authorization code is returned from the server_auth_url and the class automatically contacts the server_token_url exchanges the authorization code for an ID token and access token.

When using 1 (Implicit Flow) the server_auth_url returns an ID token and access token directly. This is only recommended for implementations that are in-browser as this potentially exposes the tokens to the end-user and user agent itself.

When using 2 (Hybrid Flow) an authorization code and potentially one or more tokens are returned by the server_auth_url. The class will automatically contact the server_token_url to exchange the authorization code for an ID token and access token.

When grant_type and any other optional settings are set as desired, call get_authorization.

get_authorization performs several operations automatically depending on the value of client_profile. Please see the introduction section for the OpenID class for a detailed overview of the typical scenarios.

After authorization is complete user_details will be populated with the claims parsed from the ID token. This method also returns an authorization string. The authorization string grants access to additional resources as requested via the authorization_scope property. If access to another resource was requested the access token returned here may be set in the Authorization property of any other class (or passed as the value of the HTTP Authorization header).

get_user_info may be called after calling this method.

The following properties are applicable when calling this method:

client_id (required)
client_secret (required)
server_auth_url (required - populated by get_discovery_doc.)
server_token_url (required - populated by get_discovery_doc.)
signer_cert_url (conditional - populated by get_discovery_doc. Required if signer_cert is not set.)
signer_cert (conditional - required if signer_cert_url is not set.)
authorization_scope
client_profile
grant_type
params
refresh_token
return_url
state
timeout
Display
Prompt
IDTokenHint
LoginHint
ResponseType

For the default Authorization Code flow GetAuthorization could work like this:

openid.ClientId = "client id";
openid.ClientSecret = "client secret";
openid.AuthorizationScope += " profile email"; // default value is 'openid'
openid.State = "application state";
string authToken = openid.GetAuthorization();

Get User Info

When get_authorization returns the user_details property is populated with information about the user as returned in the ID token from the authorization server. An additional operation, get_user_info may optionally be called to query the server_user_info_url for information about the user.

Before calling get_user_info method a successful call to get_authorization must be made. The access token returned by get_authorization is used by the OpenID provider at server_user_info_url to identify the user for which claims are being retrieved.

When this method is called the class requests the claims about the user from the server_user_info_url. The resulting claims are available in the UserDetail* properties.

Note: The get_user_info method will populate the UserDetail* properties with the claims returned in the ID token during the authorization process. This method may not need to be called in order to access the desired claims about the user.

openid.GetUserInfo();
// ... use the user info in the remainder of your application ...

Client Profile Notes

The client_profile defines the environment in which the class is being used, and controls how the class behaves in order to best suit that environment. Choose the profile that is closest to the runtime environment.

The following client types are currently supported by the class:

Application (desktop application)
WebServer (server side application such as a web site)
Device (an application without browser access such as a game console)
Mobile (phone or tablet application)
Browser (javascript application)
JWT (server to server authentication using a JWT bearer token such as Google service account authentication)

Application Client Type

The application client type is applicable to applications that are run by the user directly. For instance a windows form application would use the application client type. To authorize your application (client) using the application client type follow the steps below.

First, set client_profile to cfApplication. This defines the client type the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application.

Next, call get_authorization to begin the authorization process. When get_authorization is called the class will build the URL to which the user will be directed and fire the on_launch_browser event. The class will then launch the browser using the command and URL shown in the on_launch_browser event.

The user will authenticate to the service, and then be redirected back to an embedded web server that was automatically started when get_authorization was called. At this time the on_return_url event will fire. This event provides an opportunity to provide a custom response to your user that they will see in their browser.

The class will then automatically exchange the grant that was returned by the authorization server for the access token using the HTTP endpoint specified in server_token_url.

The authorization is now complete and the get_authorization method will return the authorization string. To use the authorization string with any of our classs simply pass this value to the Authorization property before making the request.

A simple example is shown below.

component.ClientId = "MyId";
component.ClientSecret = "MyPassword";
component.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth";
component.ServerTokenURL = "https://accounts.google.com/o/oauth2/token";
HTTP.Authorization = component.GetAuthorization();
HTTP.Get("https://www.googleapis.com/oauth2/v1/userinfo");

WebServer Client Type

The WebServer client type is applicable to applications that are run on the server side where the user uses the application from a web browser. To authorize your application (client) using this client type follow the steps below.

First, set client_profile to cfWebServer. This defines the client type the component will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Set return_url to the page on your site that will be the endpoint the user is redirected back to after authentication.

Next, call get_authorization_url. This will return a URL to which the user should be redirected. Redirect the user to this URL.

After the user authenticates and is returned to the page on your site specified by return_url, parse the "code" query string parameter from the incoming request. Set authorization_code to this value.

Call get_authorization to exchange the code specified in authorization_code for a token from the server specified by server_token_url. get_authorization returns the authorization string. To use the authorization string with any of our components simply pass this value to the Authorization property before making the request.

For additional details for less common profile types please see client_profile.

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.


access_token	The access token returned by the authorization server.
authorization_code	The authorization code that is exchanged for an access token.
authorization_scope	The authorization scope used during authorization.
client_id	The id of the client assigned when registering the application.
client_profile	The type of client that is requesting authorization.
client_secret	The secret value for the client assigned when registering the application.
connected	Shows whether the class is connected.
cookie_count	The number of records in the Cookie arrays.
cookie_domain	The domain of a received cookie.
cookie_expiration	This property contains an expiration time for the cookie (if provided by the server).
cookie_name	The name of the cookie.
cookie_path	This property contains a path name to limit the cookie to (if provided by the server).
cookie_secure	This property contains the security flag of the received cookie.
cookie_value	This property contains the value of the cookie.
discovery_doc_details_authorization_url	This property holds the server authorization endpoint URL.
discovery_doc_details_claims_param_supported	This property indicates whether the claims request parameter is supported by the Open ID provider.
discovery_doc_details_issuer	This property holds the issuer identifier of the OpenID provider.
discovery_doc_details_registration_url	This property holds the dynamic client registration URL.
discovery_doc_details_service_docs_url	This property contains the URL of the human-readable service documentation.
discovery_doc_details_signer_cert_url	This property holds the URL of the JSON Web Key Set used to verify signatures on values returned by the OpenID provider.
discovery_doc_details_supported_claims	This property holds a comma separated list of claims that are supported by the OpenID provider.
discovery_doc_details_supported_displays	This property holds a comma separated list of display values that are supported by the OpenID provider.
discovery_doc_details_supported_grant_types	This property holds a comma separated list of grant types supported by the OpenID provider.
discovery_doc_details_supported_response_types	This property hold a comma separated list of response types supported by the OpenID provider.
discovery_doc_details_supported_scopes	This property hold a comma separated list of scopes that are supported by the OpenID provider.
discovery_doc_details_token_url	This property holds the token endpoint URL.
discovery_doc_details_user_info_url	This property holds the user info endpoint URL.
firewall_auto_detect	This property tells the class whether or not to automatically detect and use firewall system settings, if available.
firewall_type	This property determines the type of firewall to connect through.
firewall_host	This property contains the name or IP address of firewall (optional).
firewall_password	This property contains a password if authentication is to be used when connecting through the firewall.
firewall_port	This property contains the TCP port for the firewall Host .
firewall_user	This property contains a user name if authentication is to be used connecting through a firewall.
follow_redirects	Determines what happens when the server issues a redirect.
grant_type	The grant type defining the authentication flow.
idle	The current status of the class.
local_host	The name of the local host or user-assigned IP interface through which connections are initiated or accepted.
other_headers	Other headers as determined by the user (optional).
param_count	The number of records in the Param arrays.
param_name	This property contains the name of the parameter to be used in the request or returned in the response.
param_value	This property contains the value of the parameter to be used in the request or returned in the response.
proxy_auth_scheme	This property is used to tell the class which type of authorization to perform when connecting to the proxy.
proxy_auto_detect	This property tells the class whether or not to automatically detect and use proxy system settings, if available.
proxy_password	This property contains a password if authentication is to be used for the proxy.
proxy_port	This property contains the TCP port for the proxy Server (default 80).
proxy_server	If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.
proxy_ssl	This property determines when to use SSL for the connection to the proxy.
proxy_user	This property contains a user name, if authentication is to be used for the proxy.
refresh_token	Specifies the refresh token received from or sent to the authorization server.
return_url	The URL where the user (browser) returns after authenticating.
server_auth_url	The URL of the authorization server.
server_token_url	The URL used to obtain the access token.
server_user_info_url	The URL of the OpenID provider's user info endpoint.
signer_cert_encoded	The certificate (PEM/base64 encoded).
signer_cert_store	The name of the certificate store for the client certificate.
signer_cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
signer_cert_store_type	The type of certificate store for this certificate.
signer_cert_subject	The subject of the certificate used for client authentication.
signer_cert_url	The URL of the OpenID provider's signing certificate.
ssl_accept_server_cert_encoded	The certificate (PEM/base64 encoded).
ssl_cert_encoded	The certificate (PEM/base64 encoded).
ssl_cert_store	The name of the certificate store for the client certificate.
ssl_cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
ssl_cert_store_type	The type of certificate store for this certificate.
ssl_cert_subject	The subject of the certificate used for client authentication.
ssl_server_cert_encoded	The certificate (PEM/base64 encoded).
state	Opaque value used to maintain state between the request and response.
timeout	A timeout for the class.
transferred_data	The contents of the last response from the server.
transferred_headers	The full set of headers as received from the server.
user_details_addr_country	This property holds the country name portion of the user's address.
user_details_addr_formatted	This property holds the full mailing address of the user, formatted for display or use on a mailing label.
user_details_addr_locality	This property holds the city or locality portion of the user's address.
user_details_addr_postal_code	This property holds the zip code or postal code portion of the user's address.
user_details_addr_region	This property holds the state, province, prefecture, or region portion of the user's address.
user_details_addr_street_addr	This property holds the street address portion of the user's address.
user_details_audiences	This property contains a comma separated list of audiences for which the user information is intended.
user_details_birthday	This property contains the user's birthday.
user_details_email	This property contains the user's preferred email address.
user_details_email_verified	This property indicates whether the user's email address has been verified.
user_details_first_name	This property holds the first name of the user.
user_details_gender	This property holds the user's gender.
user_details_issuer	This property contains the identifier of the issuer who issued the ID token.
user_details_last_name	This property holds the last name of the user.
user_details_locale	This property holds the end user's locale.
user_details_middle_name	This property holds the middle name of the user.
user_details_name	This property contains the user's full name in displayable form including all name parts.
user_details_nickname	This property holds the casual name of the user.
user_details_phone_number	This property holds the user's phone number.
user_details_phone_number_verified	This property indicates whether the user's phone number has been verified.
user_details_picture_url	This property holds the URL of the user's profile picture.
user_details_preferred_username	This property holds the shorthand name by which the end-user wishes to be referred.
user_details_profile_url	This property holds the URL of the user's profile page.
user_details_subject	This property holds the subject identifier of the token.
user_details_token_auth_time	This property holds the time when authentication occurred.
user_details_token_exp_time	This property holds the expiration time of the token.
user_details_token_issued_at	This property holds the time when the token was issued.
user_details_updated_at	This property holds the time when the user's information was last updated.
user_details_website	This property holds the URL of the user's website.
user_details_zone_info	This property holds the user's time zone.
web_server_port	The local port on which the embedded web server listens.
web_server_ssl_cert_store	The name of the certificate store for the client certificate.
web_server_ssl_cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
web_server_ssl_cert_store_type	The type of certificate store for this certificate.
web_server_ssl_cert_subject	The subject of the certificate used for client authentication.
web_server_ssl_enabled	Whether the web server requires SSL connections.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.


add_cookie	Adds a cookie and the corresponding value to the outgoing request headers.
add_param	Adds a name-value pair to the query string parameters of outgoing request.
config	Sets or retrieves a configuration setting.
do_events	Processes events from the internal message queue.
get_authorization	Gets the authorization string required to access the protected resource.
get_authorization_url	Builds and returns the URL to which the user should be re-directed for authorization.
get_discovery_doc	Gets the OpenID Discovery Document.
get_user_info	Retrieves claims about the user.
interrupt	Interrupt the current method.
reset	Reset the class.
start_web_server	Starts the embedded web server.
stop_web_server	Stops the embedded web server.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.


on_connected	Fired immediately after a connection completes (or fails).
on_connection_status	Fired to indicate changes in connection state.
on_disconnected	Fired when a connection is closed.
on_end_transfer	Fired when a document finishes transferring.
on_error	Information about errors during data delivery.
on_header	Fired every time a header line comes in.
on_launch_browser	Fires before launching a browser with the authorization URL.
on_log	Fires once for each log message.
on_redirect	Fired when a redirection is received from the server.
on_return_url	Fires when the user is redirected to the embedded web server.
on_set_cookie	Fired for every cookie set by the server.
on_ssl_server_authentication	Fired after the server presents its certificate to the client.
on_ssl_status	Shows the progress of the secure connection.
on_start_transfer	Fired when a document starts transferring (after the headers).
on_status	Fired when the HTTP status line is received from the server.
on_transfer	Fired while a document transfers (delivers document).

Configuration Settings

The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.


Display	The requested display options to present to the end user.
IDToken	The raw ID token returned after authorization.
IDTokenHint	An ID token value to be used as a hint about the user's session.
LoginHint	The login hint sent to the authorization server.
Prompt	The requested conditions under which the authorization server prompts for login.
RawJSON	A JSON string holding the last response.
ResponseType	The value of the response_type request parameter.
XChildCount	The number of child elements of the current element.
XChildName[i]	The name of the child element.
XChildXText[i]	The inner text of the child element.
XElement	The name of the current element.
XParent	The parent of the current element.
XPath	Provides a way to point to a specific element in the returned XML or JSON response.
XSubTree	A snapshot of the current element in the document.
XText	The text of the current element.
AccessTokenExp	The lifetime of the access token.
AuthorizationTokenType	The type of access token returned.
AuthorizationURL	Specifies the URL used for authorization.
BrowserResponseTimeout	Specifies the amount of time to wait for a response from the browser.
CodeChallengeMethod	The code challenge method to use (if any).
DeviceGrantType	The grant type to be used when the ClientProfile is set to cfDevice.
DeviceUserCode	The device's user code when the ClientProfile is set to cfDevice.
FormVarCount	Specifies the number of additional form variables to include in the request.
FormVarName[i]	Specifies the form variable name at the specified index.
FormVarValue[i]	Specifies the form variable value at the specified index.
IncludeEmptyRedirectURI	Whether an empty redirect_uri parameter is included in requests.
JWTAudience	The JWT audience when the ClientProfile is set to cfJWT.
JWTCertStore	The name of the certificate store for the JWT signing certificate.
JWTCertStorePassword	The JWT signing certificate password.
JWTCertStoreType	The type of certificate store.
JWTCertSubject	The JWT signing certificate subject.
JWTIssuer	The JWT issuer when the ClientProfile is set to cfJWT.
JWTJSONKey	The file path of the JWT JSON Key, or a string containing its content.
JWTServiceProvider	The service provider to which authentication is being performed.
JWTSignatureAlgorithm	The signature algorithm used to sign the JWT.
JWTSubject	The subject field in the JWT.
JWTValidityTime	The amount of time in seconds for which the assertion in the JWT is valid.
Microsoft365AdminConsentError	The error message returned when the admin denies consent to the scopes.
Microsoft365AdminConsentErrorDesc	The error description returned when the admin denies consent to the scopes.
Microsoft365AdminConsentTenant	The tenant ID returned after the admin consents to the scopes.
Office365ServiceAPIVersion	The API version of the Office 365 service being discovered.
Office365ServiceCapability	The API capability of the Office 365 service being discovered.
Office365ServiceEndpoint	The Office 365 endpoint for the service that matches the criteria specified.
PollingInterval	The interval in seconds between polling requests when the device client type is used.
ReUseWebServer	Determines if the same server instance is used between requests.
TokenInfoFieldCount	The number of fields in the tokeninfo service response.
TokenInfoFieldName[i]	The name of the tokeninfo service response field.
TokenInfoFieldValue[i]	The value of the tokeninfo service response field.
TokenInfoURL	The URL of the tokeninfo service.
ValidateToken	Validates the specified access token with a tokeninfo service.
WebServerFailedResponse	The custom response that will be displayed to the user if authentication failed.
WebServerHost	The hostname used by the embedded web server displayed in the ReturnURL.
WebServerResponse	The custom response that will be displayed to the user.
AcceptEncoding	Used to tell the server which types of content encodings the client supports.
AllowHTTPCompression	This property enables HTTP compression for receiving data.
AllowHTTPFallback	Whether HTTP/2 connections are permitted to fallback to HTTP/1.1.
Append	Whether to append data to LocalFile.
Authorization	The Authorization string to be sent to the server.
BytesTransferred	Contains the number of bytes transferred in the response data.
ChunkSize	Specifies the chunk size in bytes when using chunked encoding.
CompressHTTPRequest	Set to true to compress the body of a PUT or POST request.
EncodeURL	If set to true the URL will be encoded by the class.
FollowRedirects	Determines what happens when the server issues a redirect.
GetOn302Redirect	If set to true the class will perform a GET on the new location.
HTTP2HeadersWithoutIndexing	HTTP2 headers that should not update the dynamic header table with incremental indexing.
HTTPVersion	The version of HTTP used by the class.
IfModifiedSince	A date determining the maximum age of the desired document.
KeepAlive	Determines whether the HTTP connection is closed after completion of the request.
KerberosSPN	The Service Principal Name for the Kerberos Domain Controller.
LogLevel	The level of detail that is logged.
MaxRedirectAttempts	Limits the number of redirects that are followed in a request.
NegotiatedHTTPVersion	The negotiated HTTP version.
OtherHeaders	Other headers as determined by the user (optional).
ProxyAuthorization	The authorization string to be sent to the proxy server.
ProxyAuthScheme	The authorization scheme to be used for the proxy.
ProxyPassword	A password if authentication is to be used for the proxy.
ProxyPort	Port for the proxy server (default 80).
ProxyServer	Name or IP address of a proxy server (optional).
ProxyUser	A user name if authentication is to be used for the proxy.
SentHeaders	The full set of headers as sent by the client.
StatusLine	The first line of the last response from the server.
TransferredData	The contents of the last response from the server.
TransferredDataLimit	The maximum number of incoming bytes to be stored by the class.
TransferredHeaders	The full set of headers as received from the server.
TransferredRequest	The full request as sent by the client.
UseChunkedEncoding	Enables or Disables HTTP chunked encoding for transfers.
UseIDNs	Whether to encode hostnames to internationalized domain names.
UsePlatformHTTPClient	Whether or not to use the platform HTTP client.
UserAgent	Information about the user agent (browser).
ConnectionTimeout	Sets a separate timeout value for establishing a connection.
FirewallAutoDetect	Tells the class whether or not to automatically detect and use firewall system settings, if available.
FirewallHost	Name or IP address of firewall (optional).
FirewallPassword	Password to be used if authentication is to be used when connecting through the firewall.
FirewallPort	The TCP port for the FirewallHost;.
FirewallType	Determines the type of firewall to connect through.
FirewallUser	A user name if authentication is to be used connecting through a firewall.
KeepAliveInterval	The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received.
KeepAliveTime	The inactivity time in milliseconds before a TCP keep-alive packet is sent.
Linger	When set to True, connections are terminated gracefully.
LingerTime	Time in seconds to have the connection linger.
LocalHost	The name of the local host through which connections are initiated or accepted.
LocalPort	The port in the local host where the class binds.
MaxLineLength	The maximum amount of data to accumulate when no EOL is found.
MaxTransferRate	The transfer rate limit in bytes per second.
ProxyExceptionsList	A semicolon separated list of hosts and IPs to bypass when using a proxy.
TCPKeepAlive	Determines whether or not the keep alive socket option is enabled.
TcpNoDelay	Whether or not to delay when sending packets.
UseIPv6	Whether to use IPv6.
AbsoluteTimeout	Determines whether timeouts are inactivity timeouts or absolute timeouts.
FirewallData	Used to send extra data to the firewall.
InBufferSize	The size in bytes of the incoming queue of the socket.
OutBufferSize	The size in bytes of the outgoing queue of the socket.
BuildInfo	Information about the product's build.
CodePage	The system code page used for Unicode to Multibyte translations.
LicenseInfo	Information about the current license.
ProcessIdleEvents	Whether the class uses its internal event loop to process events when the main thread is idle.
SelectWaitMillis	The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.
UseInternalSecurityAPI	Tells the class whether or not to use the system security libraries or an internal implementation.

IPWorks Auth 2020 Python Edition