OpenID Class

Properties   Methods   Events   Config Settings   Errors  

The OpenID class is used to verify the identify of a user as well as get basic profile information.

Syntax

class ipworksauth.OpenID

Remarks

The OpenID class implements an OpenID Connect 1.0 relying party (client) capable of authenticating a user and retrieving user information. OpenID Connect 1.0 is a simple identity layer on top of OAuth 2.0 and re-uses much of the functionality and concepts defined by OAuth 2.0.

To begin using the class you will first need to register your application with the service you want to use. During this process you should obtain a client_id and client_secret. The following sections discuss the typical steps to verify the identify of a user and obtain profile information.

Get the Discovery Document

Many OpenID providers provide information via a Discovery Document. The Discovery Document defines information such as the endpoint URLs for authentication, tokens, and user information requests. In addition details about the allowed parameters such as supported authorization scopes are defined in this document. The document at a URL which can be fetched and parsed by calling the get_discovery_doc method.

The discovery document URL is typically published by an OpenID provider and must be known before calling this method. The format of the URL is standardized and typically takes the form:

https://www.youropenidserver.com/.well-known/openid-configuration

Call get_discovery_doc before calling get_authorization to populate the class properties with information required to complete the authorization. The retrieved information includes endpoint URLs as well as the OpenID public certificates used to verify the signature on the ID token. After calling this method the following properties are populated:

• server_auth_url
• server_token_url
• server_user_info_url
• signer_cert_url

The above values may be stored, and later populated from the stored values, to avoid the requirement of calling get_discovery_doc on subsequent authorization requests.

The following discovery document fields are populated after get_discovery_doc returns:

• discovery_doc_details_authorization_url
• discovery_doc_details_claims_param_supported
• discovery_doc_details_issuer
• discovery_doc_details_signer_cert_url
• discovery_doc_details_registration_url
• discovery_doc_details_service_docs_url
• discovery_doc_details_supported_claims
• discovery_doc_details_supported_displays
• discovery_doc_details_supported_grant_types
• discovery_doc_details_supported_response_types
• discovery_doc_details_supported_scopes
• discovery_doc_details_token_url
• discovery_doc_details_user_info_url

To access values not automatically parsed by the class the XPath configuration setting may be set to retrieve a specific value. Alternatively the RawJSON setting returns the entire JSON document which may be parsed separately.

Note: Calling get_discovery_doc is not mandatory. If server information was stored from a previous call or is otherwise known ahead of time the following properties may be set in place of calling get_discovery_doc:

• server_auth_url
• server_token_url
• server_user_info_url
• signer_cert_url or signer_cert

Examples of the above points: openid.GetDiscoveryDoc("https://accounts.google.com/.well-known/openid-configuration"); // ... or ... openid.ServerAuthURL = "https://accounts.google.com/o/oauth2/v2/auth"; openid.ServerTokenURL = "https://oauth2.googleapis.com/token"; openid.ServerUserInfoURL = "https://openidconnect.googleapis.com/v1/userinfo"; openid.SignerCertURL = "https://www.googleapis.com/oauth2/v3/certs"; // ... or ... string rawjson = openid.Config("RawJSON");

Get Authorization

Before calling get_authorization the class may be configured for one of several flows defined by the grant_type property. These flows determine which information is returned by the authorization server and which information (if any) is returned by the token server.

Possible values for grant_type are:

• 0 (Authorization Code - Default)
• 1 (Implicit)
• 2 (Hybrid)

When using 0 (Authorization Code Flow - Default) an authorization code is returned from the server_auth_url and the class automatically contacts the server_token_url exchanges the authorization code for an ID token and access token.

When using 1 (Implicit Flow) the server_auth_url returns an ID token and access token directly. This is only recommended for implementations that are in-browser as this potentially exposes the tokens to the end-user and user agent itself.

When using 2 (Hybrid Flow) an authorization code and potentially one or more tokens are returned by the server_auth_url. The class will automatically contact the server_token_url to exchange the authorization code for an ID token and access token.

When grant_type and any other optional settings are set as desired, call get_authorization.

get_authorization performs several operations automatically depending on the value of client_profile. Please see the introduction section for the OpenID class for a detailed overview of the typical scenarios.

After authorization is complete user_details will be populated with the claims parsed from the ID token. This method also returns an authorization string. The authorization string grants access to additional resources as requested via the authorization_scope property. If access to another resource was requested the access token returned here may be set in the Authorization property of any other class (or passed as the value of the HTTP Authorization header).

get_user_info may be called after calling this method.

The following properties are applicable when calling this method:

• client_id (required)
• client_secret (required)
• server_auth_url (required - populated by get_discovery_doc.)
• server_token_url (required - populated by get_discovery_doc.)
• signer_cert_url (conditional - populated by get_discovery_doc. Required if signer_cert is not set.)
• signer_cert (conditional - required if signer_cert_url is not set.)
• authorization_scope
• client_profile
• grant_type
• params
• refresh_token
• return_url
• state
• timeout
• Display
• Prompt
• IDTokenHint
• LoginHint
• ResponseType

For the default Authorization Code flow GetAuthorization could work like this: openid.ClientId = "client id"; openid.ClientSecret = "client secret"; openid.AuthorizationScope += " profile email"; // default value is 'openid' openid.State = "application state"; string authToken = openid.GetAuthorization();

Get User Info

When get_authorization returns the user_details property is populated with information about the user as returned in the ID token from the authorization server. An additional operation, get_user_info may optionally be called to query the server_user_info_url for information about the user.

Before calling get_user_info method a successful call to get_authorization must be made. The access token returned by get_authorization is used by the OpenID provider at server_user_info_url to identify the user for which claims are being retrieved.

When this method is called the class requests the claims about the user from the server_user_info_url. The resulting claims are available in the UserDetail* properties.

Note: The get_user_info method will populate the UserDetail* properties with the claims returned in the ID token during the authorization process. This method may not need to be called in order to access the desired claims about the user.

openid.GetUserInfo(); // ... use the user info in the remainder of your application ...

Client Profile Notes

The client_profile defines the environment in which the class is being used, and controls how the class behaves in order to best suit that environment. Choose the profile that is closest to the runtime environment.

The following client types are currently supported by the class:

• Application (desktop application)
• WebServer (server side application such as a web site)
• Device (an application without browser access such as a game console)
• Mobile (phone or tablet application)
• Browser (javascript application)
• JWT (server to server authentication using a JWT bearer token such as Google service account authentication)

Application Profile

The Application profile is applicable to applications that are run directly by the user. For instance, a Windows form application would use the Application profile. To authorize your application (client) using the Application profile, use the following steps:

First, set client_profile to ocpApplication. This defines the profile the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application.

Second, call get_authorization to begin the authorization process. When get_authorization is called, the class will build the URL to which the user will be directed and fire the on_launch_browser event. The class will then launch the browser using the command and URL shown in the on_launch_browser event and await the response. The duration for which the class will wait for a response is defined by BrowserResponseTimeout.

Third, the user will interact with the browser to authenticate and grant access to the connecting application. The user will then be redirected back to an embedded web server that was automatically started when get_authorization was called. At this time, the on_return_url event will fire. This event provides an opportunity to provide a custom response to your user that they will see in their browser.

Fourth, the class will then automatically exchange the grant that was returned by the authorization server for the access token using the HTTP endpoint specified in server_token_url.

The authorization is now complete and the get_authorization method will return the authorization string. The authorization string can then be used with any of our components by simply setting the returned value to the authorization property before making a request.

The following is a simple example: component.ClientId = "CLIENT_ID"; component.ClientSecret = "CLIENT_ID"; component.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth"; component.ServerTokenURL = "https://accounts.google.com/o/oauth2/token"; HTTP.Authorization = component.GetAuthorization(); HTTP.Get("https://www.googleapis.com/oauth2/v1/userinfo");

Web Profile

The Web profile is applicable to applications that are run on the server side when the user uses the application from a web browser. To authorize your application (client) using this profile, use the following steps:

First, set client_profile to ocpWeb. This defines the profile the component will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Set return_url to the page on your site that will be the endpoint the user is redirected back to after authentication.

Second, call get_authorization_url. This will return a URL to which the user should be redirected. Redirect the user to this URL.

Third, after the user authenticates and is returned to the page on your site specified by return_url, parse the "code" query string parameter from the incoming request to get the authorization code from the authorization server. Then, set authorization_code property to the parsed value.

Fourth, after authorization_code is set, call get_authorization to exchange the code specified in authorization_code for a token from the server specified by server_token_url. get_authorization will then return the authorization string. The authorization string can be used with any of our components by simply setting the returned value to the authorization property before making a request.

For additional details for less common profile types please see client_profile.

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

access_token Property

This property includes the access token returned by the authorization server.

Syntax

def get_access_token() -> str: ...
def set_access_token(value: str) -> None: ...

access_token = property(get_access_token, set_access_token)

Default Value

""

Remarks

This property will be populated with the access token returned by the authorization server after a call to get_authorization. This will be the raw access token, whereas the return value from the get_authorization method will also include the required data so that it can be passed directly to the Authorization property of other components or added as the value of the authorization header in another client implementation.

access_token_exp Property

This property includes the lifetime of the access token.

Syntax

def get_access_token_exp() -> int: ...

access_token_exp = property(get_access_token_exp, None)

Default Value

0

Remarks

This setting holds the lifetime of the access token in seconds. For instance the value 3600 indicates that the token will expire in one hour from the time it was generated.

This property is read-only.

authorization_code Property

This property includes the authorization code that is exchanged for an access token.

Syntax

def get_authorization_code() -> str: ...
def set_authorization_code(value: str) -> None: ...

authorization_code = property(get_authorization_code, set_authorization_code)

Default Value

""

Remarks

This property is used with the AuthorizationCode grant_type. When client_profile is set to ocpApplication (Application flow), this property will be informational only, as the get_authorization method will automatically exchange this code for a token with the authorization server specified in server_token_url.

When client_profile is set to ocpWeb (Web flow), this property needs to be set to the authorization code returned from the authorization server. Typically, this value is parsed when the service redirects the user back to your website. See client_profile for more information.

If this property is set before calling get_authorization, the class will not make a request to the authorization sever and instead will attempt to exchange the code with the authorization server for an access token.

authorization_scope Property

The authorization scope used during authorization.

Syntax

def get_authorization_scope() -> str: ...
def set_authorization_scope(value: str) -> None: ...

authorization_scope = property(get_authorization_scope, set_authorization_scope)

Default Value

"openid"

Remarks

This property specifies the authorization scopes sent in the authorization request. The value specified here must be a space separated list of scopes. For instance openid profile email.

The openid scope is always required to be present. The default value is openid.

After calling get_authorization this property will be updated with the scope sent in the response from the server and will indicate the scope that was actually granted.

client_id Property

This property includes the Id of the client assigned when registering the application.

Syntax

def get_client_id() -> str: ...
def set_client_id(value: str) -> None: ...

client_id = property(get_client_id, set_client_id)

Default Value

""

Remarks

This property holds the Id of the client that was assigned when initially registering the application with the authorization server. This value must be specified before calling get_authorization or get_authorization_url.

client_profile Property

This property includes the type of client that is requesting authorization.

Syntax

def get_client_profile() -> int: ...
def set_client_profile(value: int) -> None: ...

client_profile = property(get_client_profile, set_client_profile)

Default Value

0

Remarks

This defines the type of client that will be requesting authorization. Set this before calling get_authorization to inform the class to act accordingly. Possible values are as follows:

Application Profile

The Application profile is applicable to applications that are run directly by the user. For instance, a Windows form application would use the Application profile. To authorize your application (client) using the Application profile, use the following steps:

First, set client_profile to ocpApplication. This defines the profile the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application.

Second, call get_authorization to begin the authorization process. When get_authorization is called, the class will build the URL to which the user will be directed and fire the on_launch_browser event. The class will then launch the browser using the command and URL shown in the on_launch_browser event and await the response. The duration for which the class will wait for a response is defined by BrowserResponseTimeout.

Third, the user will interact with the browser to authenticate and grant access to the connecting application. The user will then be redirected back to an embedded web server that was automatically started when get_authorization was called. At this time, the on_return_url event will fire. This event provides an opportunity to provide a custom response to your user that they will see in their browser.

Fourth, the class will then automatically exchange the grant that was returned by the authorization server for the access token using the HTTP endpoint specified in server_token_url.

The authorization is now complete and the get_authorization method will return the authorization string. The authorization string can then be used with any of our components by simply setting the returned value to the authorization property before making a request.

The following is a simple example: component.ClientId = "CLIENT_ID"; component.ClientSecret = "CLIENT_ID"; component.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth"; component.ServerTokenURL = "https://accounts.google.com/o/oauth2/token"; HTTP.Authorization = component.GetAuthorization(); HTTP.Get("https://www.googleapis.com/oauth2/v1/userinfo");

Web Profile

The Web profile is applicable to applications that are run on the server side when the user uses the application from a web browser. To authorize your application (client) using this profile, use the following steps:

First, set client_profile to ocpWeb. This defines the profile the component will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Set return_url to the page on your site that will be the endpoint the user is redirected back to after authentication.

Second, call get_authorization_url. This will return a URL to which the user should be redirected. Redirect the user to this URL.

Third, after the user authenticates and is returned to the page on your site specified by return_url, parse the "code" query string parameter from the incoming request to get the authorization code from the authorization server. Then, set authorization_code property to the parsed value.

Fourth, after authorization_code is set, call get_authorization to exchange the code specified in authorization_code for a token from the server specified by server_token_url. get_authorization will then return the authorization string. The authorization string can be used with any of our components by simply setting the returned value to the authorization property before making a request.

Device Profile

The Device profile is applicable to applications that are run on devices for which a web browser cannot be used. For example, a game console would use the Device profile. To authorize your application (client) using the device client profile use the following steps:

First, set client_profile to ocpDevice. This defines the profile the class will use. Set the client_id, client_secret, server_auth_url, and server_token_url to the values you obtained when registering your application. Do not set return_url.

Second, call get_authorization_url. The class will automatically make a request to server_auth_url to obtain a user code for the device. The get_authorization_url method will return the URL your user must visit from another device or computer that has web browser support. The get_authorization_url method will also populate DeviceUserCode. This device user code must be provided to the user. The user will enter the code at the URL returned by get_authorization_url.

Third, at this time, call get_authorization. The class will begin polling the server specified in server_token_url. The polling interval is specified (in seconds) by the PollingInterval setting.

Fourth, after the user has authenticated, the get_authorization method will return the authorization string. To use the authorization string with any of our components, simply pass this value to the authorization property before making the request.

Mobile Profile

The Mobile profile is applicable to applications that are run on devices for which a web browser can be used. For instance, a mobile phone or tablet would use the Mobile profile. The behavior when using this profile is very similar to the Application profile. The only difference between the Mobile and Application profiles is the way the browser is launched. When set to the Mobile profile, the on_launch_browser event will fire but the class will not attempt to launch the browser automatically. The browser must be launched manually from code. This behavior is the only difference between the Mobile and Application profiles. Please read the steps for the Application profile for a more detailed look at the process.

JWT Bearer Token (Server-to-Server) Profile

The JWT (JSON Web Token) Bearer Token profile is available for server-to-server authentication. For instance this may be used by web applications to access a Google service. In this case, the application will access data on behalf of the service account, not the end user. End-user interaction is not required.

First, specify authorization_scope server_token_url and JWTServiceProvider.

Second, specify JWT-specific values. The use of the JWT profile also requires additional configuration settings to be specified, including a certificate with private key used to sign the JWT. Either specify the JWTJSONKey configuration setting, which will parse the necessary information automatically, or manually specify the following configuration settings:

• JWTIssuer (required)
• JWTAudience (required)
• JWTCertStoreType (required)
• JWTCertStore (required)
• JWTCertStorePassword (required)
• JWTCertSubject (required)
• JWTSubject
• JWTValidityTime
• JWTSignatureAlgorithm

Example 1. Google: oauth.AuthorizationScope = "https://www.googleapis.com/auth/analytics"; oauth.ServerTokenURL = "https://www.googleapis.com/oauth2/v3/token"; oauth.ClientProfile = OauthClientProfiles.ocpJWT; oauth.Config("JWTServiceProvider=0"); oauth.Config("JWTIssuer=CLIENT_ID"); oauth.Config("JWTAudience=https://www.googleapis.com/oauth2/v3/token"); oauth.Config("JWTCertStoreType=2"); oauth.Config("JWTCertStore=C:\\MyCertificate.p12"); oauth.Config("JWTCertStorePassword=password"); oauth.Config("JWTCertSubject=*"); oauth.Config("JWTValidityTime=5400"); //in seconds string authStr = oauth.GetAuthorization();

Example 2. Microsoft: oauth.ClientId = "Client_Id"; oauth.ClientProfile = OauthClientProfiles.ocpJWT; oauth.AuthorizationScope = "https://graph.microsoft.com/.default"; oauth.ServerTokenURL = "https://login.microsoftonline.com/" + tenant_id + "/oauth2/V2.0/token"; oauth.Config("JWTServiceProvider=1"); oauth.Config("JWTIssuer=" + CLIENT_ID); oauth.Config("JWTSubject=" + CLIENT_ID); oauth.Config("JWTCertStoreType=2"); oauth.Config("JWTCertStore=C:\\MyCertificate.p12"); oauth.Config("JWTCertStorePassword=password"); oauth.Config("JWTCertSubject=*"); oauth.Config("JWTValidityTime=3600"); oauth.Config("JWTAudience=https://login.microsoftonline.com/"+ tenant_id + "/oauth2/V2.0/token"); string authStr = oauth.GetAuthorization();

client_secret Property

This property includes the secret value for the client assigned when registering the application.

Syntax

def get_client_secret() -> str: ...
def set_client_secret(value: str) -> None: ...

client_secret = property(get_client_secret, set_client_secret)

Default Value

""

Remarks

This property holds the secret of the client that was assigned when initially registering the application with the authorization server. This value must be specified before calling get_authorization or get_authorization_url.

connected Property

This shows whether the class is connected.

Syntax

def get_connected() -> bool: ...
def set_connected(value: bool) -> None: ...

connected = property(get_connected, set_connected)

Default Value

FALSE

Remarks

This property is used to determine whether or not the class is connected to the remote host.

Note: It is recommended to use the connect or disconnect method instead of setting this property.

cookie_count Property

The number of records in the Cookie arrays.

Syntax

def get_cookie_count() -> int: ...
def set_cookie_count(value: int) -> None: ...

cookie_count = property(get_cookie_count, set_cookie_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• cookie_domain
• cookie_expiration
• cookie_name
• cookie_path
• cookie_secure
• cookie_value

The array indices start at 0 and end at cookie_count - 1.

cookie_domain Property

This is the domain of a received cookie.

Syntax

def get_cookie_domain(cookie_index: int) -> str: ...

Default Value

""

Remarks

This is the domain of a received cookie. This property contains a domain name to limit the cookie to (if provided by the server). If the server does not provide a domain name, this property will contain an empty string. The convention in this case is to use the server name specified by url_server as the cookie domain.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

This property is read-only.

cookie_expiration Property

This property contains an expiration time for the cookie (if provided by the server).

Syntax

def get_cookie_expiration(cookie_index: int) -> str: ...

Default Value

""

Remarks

This property contains an expiration time for the cookie (if provided by the server). The time format used is "Weekday, DD-Mon-YY HH:MM:SS GMT". If the server does not provide an expiration time, this property will contain an empty string. The convention is to drop the cookie at the end of the session.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

This property is read-only.

cookie_name Property

This property, contains the name of the cookie.

Syntax

def get_cookie_name(cookie_index: int) -> str: ...
def set_cookie_name(cookie_index: int, value: str) -> None: ...

Default Value

""

Remarks

This property, contains the name of the cookie.

This property, along with cookie_value, stores the cookie that is to be sent to the server. The on_set_cookie event displays the cookies sent by the server and their properties.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

cookie_path Property

This property contains a path name to limit the cookie to (if provided by the server).

Syntax

def get_cookie_path(cookie_index: int) -> str: ...

Default Value

""

Remarks

This property contains a path name to limit the cookie to (if provided by the server). If the server does not provide a cookie path, the path property will be an empty string. The convention in this case is to use the path specified by url_path as the cookie path.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

This property is read-only.

cookie_secure Property

This property contains the security flag of the received cookie.

Syntax

def get_cookie_secure(cookie_index: int) -> bool: ...

Default Value

FALSE

Remarks

This property contains the security flag of the received cookie. This property specifies whether the cookie is secure. If the value of this property is True, the cookie value must be submitted only through a secure (HTTPS) connection.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

This property is read-only.

cookie_value Property

This property contains the value of the cookie.

Syntax

def get_cookie_value(cookie_index: int) -> str: ...
def set_cookie_value(cookie_index: int, value: str) -> None: ...

Default Value

""

Remarks

This property contains the value of the cookie. A corresponding value is associated with the cookie specified by cookie_name. This property holds that value.

The on_set_cookie event provides the cookies set by the server.

The cookie_index parameter specifies the index of the item in the array. The size of the array is controlled by the cookie_count property.

discovery_doc_details_authorization_url Property

This property holds the server authorization endpoint URL.

Syntax

def get_discovery_doc_details_authorization_url() -> str: ...

discovery_doc_details_authorization_url = property(get_discovery_doc_details_authorization_url, None)

Default Value

""

Remarks

This property holds the server authorization endpoint URL.

This setting corresponds to the authorization_endpoint parameter in the discovery document.

This property is read-only.

discovery_doc_details_claims_param_supported Property

This property indicates whether the claims request parameter is supported by the Open ID provider.

Syntax

def get_discovery_doc_details_claims_param_supported() -> bool: ...

discovery_doc_details_claims_param_supported = property(get_discovery_doc_details_claims_param_supported, None)

Default Value

FALSE

Remarks

This property indicates whether the claims request parameter is supported by the Open ID provider.

This setting corresponds to the claims_parameter_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_issuer Property

This property holds the issuer identifier of the OpenID provider.

Syntax

def get_discovery_doc_details_issuer() -> str: ...

discovery_doc_details_issuer = property(get_discovery_doc_details_issuer, None)

Default Value

""

Remarks

This property holds the issuer identifier of the OpenID provider. This value is the same as the iss claim returned in ID tokens issued from this provider. The value is a URL with the https scheme with no query string or fragment component.

This setting corresponds to the issuer parameter in the discovery document.

This property is read-only.

discovery_doc_details_registration_url Property

This property holds the dynamic client registration URL.

Syntax

def get_discovery_doc_details_registration_url() -> str: ...

discovery_doc_details_registration_url = property(get_discovery_doc_details_registration_url, None)

Default Value

""

Remarks

This property holds the dynamic client registration URL.

This setting corresponds to the registration_endpoint parameter in the discovery document.

This property is read-only.

discovery_doc_details_service_docs_url Property

This property contains the URL of the human-readable service documentation.

Syntax

def get_discovery_doc_details_service_docs_url() -> str: ...

discovery_doc_details_service_docs_url = property(get_discovery_doc_details_service_docs_url, None)

Default Value

""

Remarks

This property contains the URL of the human-readable service documentation. The information at this URL is intended for developers integrating with the OpenID provider and may contain useful information.

This setting corresponds to the service_documentation parameter in the discovery document.

This property is read-only.

discovery_doc_details_signer_cert_url Property

This property holds the URL of the JSON Web Key Set used to verify signatures on values returned by the OpenID provider.

Syntax

def get_discovery_doc_details_signer_cert_url() -> str: ...

discovery_doc_details_signer_cert_url = property(get_discovery_doc_details_signer_cert_url, None)

Default Value

""

Remarks

This property holds the URL of the JSON Web Key Set used to verify signatures on values returned by the OpenID provider. The signer keys are automatically retrieved by the class when the ID Token signature verification is performed.

This setting corresponds to the jwks_uri parameter in the discovery document.

This property is read-only.

discovery_doc_details_supported_claims Property

This property holds a comma separated list of claims that are supported by the OpenID provider.

Syntax

def get_discovery_doc_details_supported_claims() -> str: ...

discovery_doc_details_supported_claims = property(get_discovery_doc_details_supported_claims, None)

Default Value

""

Remarks

This property holds a comma separated list of claims that are supported by the OpenID provider. For instance: aud,email,email_verified,exp,family_name,given_name,iat,iss,locale,name,picture,sub

This setting corresponds to the claims_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_supported_displays Property

This property holds a comma separated list of display values that are supported by the OpenID provider.

Syntax

def get_discovery_doc_details_supported_displays() -> str: ...

discovery_doc_details_supported_displays = property(get_discovery_doc_details_supported_displays, None)

Default Value

""

Remarks

This property holds a comma separated list of display values that are supported by the OpenID provider.

This setting corresponds to the display_values_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_supported_grant_types Property

This property holds a comma separated list of grant types supported by the OpenID provider.

Syntax

def get_discovery_doc_details_supported_grant_types() -> str: ...

discovery_doc_details_supported_grant_types = property(get_discovery_doc_details_supported_grant_types, None)

Default Value

""

Remarks

This property holds a comma separated list of grant types supported by the OpenID provider. If this value is not specified by the OpenID provider it is specified that authorization_code and implicit are supported by the OpenID provider.

This setting corresponds to the grant_types_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_supported_response_types Property

This property hold a comma separated list of response types supported by the OpenID provider.

Syntax

def get_discovery_doc_details_supported_response_types() -> str: ...

discovery_doc_details_supported_response_types = property(get_discovery_doc_details_supported_response_types, None)

Default Value

""

Remarks

This property hold a comma separated list of response types supported by the OpenID provider. If this value is not specified by the OpenID provider it is defined that the OpenID provider supports (at a minimum) code, id_token, and token id_token values.

This setting corresponds to the response_types_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_supported_scopes Property

This property hold a comma separated list of scopes that are supported by the OpenID provider.

Syntax

def get_discovery_doc_details_supported_scopes() -> str: ...

discovery_doc_details_supported_scopes = property(get_discovery_doc_details_supported_scopes, None)

Default Value

""

Remarks

This property hold a comma separated list of scopes that are supported by the OpenID provider. For instance: openid,email,profile

This setting corresponds to the scopes_supported parameter in the discovery document.

This property is read-only.

discovery_doc_details_token_url Property

This property holds the token endpoint URL.

Syntax

def get_discovery_doc_details_token_url() -> str: ...

discovery_doc_details_token_url = property(get_discovery_doc_details_token_url, None)

Default Value

""

Remarks

This property holds the token endpoint URL.

This setting corresponds to the token_endpoint parameter in the discovery document.

This property is read-only.

discovery_doc_details_user_info_url Property

This property holds the user info endpoint URL.

Syntax

def get_discovery_doc_details_user_info_url() -> str: ...

discovery_doc_details_user_info_url = property(get_discovery_doc_details_user_info_url, None)

Default Value

""

Remarks

This property holds the user info endpoint URL.

This setting corresponds to the userinfo_endpoint parameter in the discovery document.

This property is read-only.

firewall_auto_detect Property

This property tells the class whether or not to automatically detect and use firewall system settings, if available.

Syntax

def get_firewall_auto_detect() -> bool: ...
def set_firewall_auto_detect(value: bool) -> None: ...

firewall_auto_detect = property(get_firewall_auto_detect, set_firewall_auto_detect)

Default Value

FALSE

Remarks

This property tells the class whether or not to automatically detect and use firewall system settings, if available.

firewall_type Property

This property determines the type of firewall to connect through.

Syntax

def get_firewall_type() -> int: ...
def set_firewall_type(value: int) -> None: ...

firewall_type = property(get_firewall_type, set_firewall_type)

Default Value

0

Remarks

This property determines the type of firewall to connect through. The applicable values are as follows:

firewall_host Property

This property contains the name or IP address of firewall (optional).

Syntax

def get_firewall_host() -> str: ...
def set_firewall_host(value: str) -> None: ...

firewall_host = property(get_firewall_host, set_firewall_host)

Default Value

""

Remarks

This property contains the name or IP address of firewall (optional). If a firewall_host is given, the requested connections will be authenticated through the specified firewall when connecting.

If this property is set to a Domain Name, a DNS request is initiated. Upon successful termination of the request, this property is set to the corresponding address. If the search is not successful, the class fails with an error.

firewall_password Property

This property contains a password if authentication is to be used when connecting through the firewall.

Syntax

def get_firewall_password() -> str: ...
def set_firewall_password(value: str) -> None: ...

firewall_password = property(get_firewall_password, set_firewall_password)

Default Value

""

Remarks

This property contains a password if authentication is to be used when connecting through the firewall. If firewall_host is specified, the firewall_user and firewall_password properties are used to connect and authenticate to the given firewall. If the authentication fails, the class fails with an error.

firewall_port Property

This property contains the transmission control protocol (TCP) port for the firewall Host .

Syntax

def get_firewall_port() -> int: ...
def set_firewall_port(value: int) -> None: ...

firewall_port = property(get_firewall_port, set_firewall_port)

Default Value

0

Remarks

This property contains the transmission control protocol (TCP) port for the firewall firewall_host. See the description of the firewall_host property for details.

Note: This property is set automatically when firewall_type is set to a valid value. See the description of the firewall_type property for details.

firewall_user Property

This property contains a user name if authentication is to be used connecting through a firewall.

Syntax

def get_firewall_user() -> str: ...
def set_firewall_user(value: str) -> None: ...

firewall_user = property(get_firewall_user, set_firewall_user)

Default Value

""

Remarks

This property contains a user name if authentication is to be used connecting through a firewall. If the firewall_host is specified, this property and firewall_password properties are used to connect and authenticate to the given firewall. If the authentication fails, the class fails with an error.

follow_redirects Property

This property determines what happens when the server issues a redirect.

Syntax

def get_follow_redirects() -> int: ...
def set_follow_redirects(value: int) -> None: ...

follow_redirects = property(get_follow_redirects, set_follow_redirects)

Default Value

0

Remarks

This property determines what happens when the server issues a redirect. Normally, the class returns an error if the server responds with an "Object Moved" message. If this property is set to frAlways (1), the new url for the object is retrieved automatically every time.

If this property is set to frSameScheme (2), the new url is retrieved automatically only if the url_scheme is the same; otherwise, the class fails with an error.

Note: Following the HTTP specification, unless this property is set to frAlways (1), automatic redirects will be performed only for GET or HEAD requests. Other methods potentially could change the conditions of the initial request and create security vulnerabilities.

Furthermore, if either the new URL server or port are different from the existing one, user and password are also reset to empty. If, however, this property is set to frAlways (1), the same credentials are used to connect to the new server.

A on_redirect event is fired for every URL the product is redirected to. In the case of automatic redirections, the on_redirect event is a good place to set properties related to the new connection (e.g., new authentication parameters).

The default value is frNever (0). In this case, redirects are never followed, and the class fails with an error instead.

grant_type Property

The grant type defining the authentication flow.

Syntax

def get_grant_type() -> int: ...
def set_grant_type(value: int) -> None: ...

grant_type = property(get_grant_type, set_grant_type)

Default Value

0

Remarks

This property defines the grant type used when performing authentication. The value specified here controls the authentication flow.

Possible values for grant_type are:

• 0 (Authorization Code - Default)
• 1 (Implicit)
• 2 (Hybrid)

When using 0 (Authorization Code Flow - Default) an authorization code is returned from the server_auth_url and the class automatically contacts the server_token_url exchanges the authorization code for an ID token and access token.

When using 1 (Implicit Flow) the server_auth_url returns an ID token and access token directly. This is only recommended for implementations that are in-browser as this potentially exposes the tokens to the end-user and user agent itself.

When using 2 (Hybrid Flow) an authorization code and potentially one or more tokens are returned by the server_auth_url. The class will automatically contact the server_token_url to exchange the authorization code for an ID token and access token.

Additional Notes

The response_type request parameter is automatically set based on the value specified here. In some cases multiple values are acceptable and a default value is chosen automatically. To explicitly specify a response_type value for the chosen grant type set ResponseType after setting this property.

idle Property

The current status of the class.

Syntax

def get_idle() -> bool: ...

idle = property(get_idle, None)

Default Value

TRUE

Remarks

idle will be False if the component is currently busy (communicating and/or waiting for an answer), and True at all other times.

This property is read-only.

local_host Property

The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

Syntax

def get_local_host() -> str: ...
def set_local_host(value: str) -> None: ...

local_host = property(get_local_host, set_local_host)

Default Value

""

Remarks

The local_host property contains the name of the local host as obtained by the gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multi-homed hosts (machines with more than one IP interface) setting LocalHost to the value of an interface will make the class initiate connections (or accept in the case of server classs) only through that interface.

If the class is connected, the local_host property shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multi-homed hosts (machines with more than one IP interface).

NOTE: local_host is not persistent. You must always set it in code, and never in the property window.

other_headers Property

This property includes other headers as determined by the user (optional).

Syntax

def get_other_headers() -> str: ...
def set_other_headers(value: str) -> None: ...

other_headers = property(get_other_headers, set_other_headers)

Default Value

""

Remarks

This property can be set to a string of headers to be appended to the HTTP request headers created from other properties like content_type and from_.

The headers must follow the format Header: Value as described in the HTTP specifications. Header lines should be separated by CRLF ("\r\n") .

Use this property with caution. If this property contains invalid headers, HTTP requests may fail.

This property is useful for extending the functionality of the class beyond what is provided.

param_count Property

The number of records in the Param arrays.

Syntax

def get_param_count() -> int: ...
def set_param_count(value: int) -> None: ...

param_count = property(get_param_count, set_param_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• param_name
• param_value

The array indices start at 0 and end at param_count - 1.

param_name Property

This property contains the name of the parameter to be used in the request or returned in the response.

Syntax

def get_param_name(param_index: int) -> str: ...
def set_param_name(param_index: int, value: str) -> None: ...

Default Value

""

Remarks

This property contains the name of the parameter to be used in the request or returned in the response.

The param_index parameter specifies the index of the item in the array. The size of the array is controlled by the param_count property.

param_value Property

This property contains the value of the parameter to be used in the request or returned in the response.

Syntax

def get_param_value(param_index: int) -> str: ...
def set_param_value(param_index: int, value: str) -> None: ...

Default Value

""

Remarks

This property contains the value of the parameter to be used in the request or returned in the response. When issuing a request, the class will URL encode the value specified here. Returned values will be automatically URL decoded.

The param_index parameter specifies the index of the item in the array. The size of the array is controlled by the param_count property.

proxy_auth_scheme Property

This property is used to tell the class which type of authorization to perform when connecting to the proxy.

Syntax

def get_proxy_auth_scheme() -> int: ...
def set_proxy_auth_scheme(value: int) -> None: ...

proxy_auth_scheme = property(get_proxy_auth_scheme, set_proxy_auth_scheme)

Default Value

0

Remarks

This property is used to tell the class which type of authorization to perform when connecting to the proxy. This is used only when the proxy_user and proxy_password properties are set.

proxy_auth_scheme should be set to authNone (3) when no authentication is expected.

By default, proxy_auth_scheme is authBasic (0), and if the proxy_user and proxy_password properties are set, the component will attempt basic authentication.

If proxy_auth_scheme is set to authDigest (1), digest authentication will be attempted instead.

If proxy_auth_scheme is set to authProprietary (2), then the authorization token will not be generated by the class. Look at the configuration file for the class being used to find more information about manually setting this token.

If proxy_auth_scheme is set to authNtlm (4), NTLM authentication will be used.

For security reasons, setting this property will clear the values of proxy_user and proxy_password.

proxy_auto_detect Property

This property tells the class whether or not to automatically detect and use proxy system settings, if available.

Syntax

def get_proxy_auto_detect() -> bool: ...
def set_proxy_auto_detect(value: bool) -> None: ...

proxy_auto_detect = property(get_proxy_auto_detect, set_proxy_auto_detect)

Default Value

FALSE

Remarks

This property tells the class whether or not to automatically detect and use proxy system settings, if available. The default value is False.

proxy_password Property

This property contains a password if authentication is to be used for the proxy.

Syntax

def get_proxy_password() -> str: ...
def set_proxy_password(value: str) -> None: ...

proxy_password = property(get_proxy_password, set_proxy_password)

Default Value

""

Remarks

This property contains a password if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

proxy_port Property

This property contains the Transmission Control Protocol (TCP) port for the proxy Server (default 80).

Syntax

def get_proxy_port() -> int: ...
def set_proxy_port(value: int) -> None: ...

proxy_port = property(get_proxy_port, set_proxy_port)

Default Value

80

Remarks

This property contains the Transmission Control Protocol (TCP) port for the proxy proxy_server (default 80). See the description of the proxy_server property for details.

proxy_server Property

If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

Syntax

def get_proxy_server() -> str: ...
def set_proxy_server(value: str) -> None: ...

proxy_server = property(get_proxy_server, set_proxy_server)

Default Value

""

Remarks

If a proxy proxy_server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

If the proxy_server property is set to a domain name, a DNS request is initiated. Upon successful termination of the request, the proxy_server property is set to the corresponding address. If the search is not successful, an error is returned.

proxy_ssl Property

This property determines when to use a Secure Sockets Layer (SSL) for the connection to the proxy.

Syntax

def get_proxy_ssl() -> int: ...
def set_proxy_ssl(value: int) -> None: ...

proxy_ssl = property(get_proxy_ssl, set_proxy_ssl)

Default Value

0

Remarks

This property determines when to use a Secure Sockets Layer (SSL) for the connection to the proxy. The applicable values are as follows:

proxy_user Property

This property contains a user name, if authentication is to be used for the proxy.

Syntax

def get_proxy_user() -> str: ...
def set_proxy_user(value: str) -> None: ...

proxy_user = property(get_proxy_user, set_proxy_user)

Default Value

""

Remarks

This property contains a user name, if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

refresh_token Property

This property specifies the refresh token received from or sent to the authorization server.

Syntax

def get_refresh_token() -> str: ...
def set_refresh_token(value: str) -> None: ...

refresh_token = property(get_refresh_token, set_refresh_token)

Default Value

""

Remarks

When get_authorization is called, if the authorization server returns a refresh token along with the access token, this property will hold the refresh token. Save this value for later use.

When your access token expires, set this property to the corresponding refresh token. Then call get_authorization, and the class will use this token to retrieve a new access token. The new authorization string will be returned by the get_authorization method. No user interaction is required when refreshing an access token.

return_url Property

This property includes the URL where the user (browser) returns after authenticating.

Syntax

def get_return_url() -> str: ...
def set_return_url(value: str) -> None: ...

return_url = property(get_return_url, set_return_url)

Default Value

""

Remarks

When client_profile is set to ocpApplication, this will be automatically set to the address of the local embedded web server. In that case, this property can be inspected to determine the URL where the user will be redirected, but it does not need to be set.

When calling get_authorization_url, which is common when client_profile is set to ocpWeb, set this property to the URL on your server where the user will be redirected after authenticating with the authorization server.

This property corresponds to the redirect_uri query string parameter.

server_auth_url Property

This property includes the URL of the authorization server.

Syntax

def get_server_auth_url() -> str: ...
def set_server_auth_url(value: str) -> None: ...

server_auth_url = property(get_server_auth_url, set_server_auth_url)

Default Value

""

Remarks

This property specifies the URL of the authorization server used when get_authorization is called. This value is used when constructing the URL to which the user will be redirected to authenticate and grant access.

This should be specified before calling get_authorization.

server_token_url Property

This property includes the URL used to obtain the access token.

Syntax

def get_server_token_url() -> str: ...
def set_server_token_url(value: str) -> None: ...

server_token_url = property(get_server_token_url, set_server_token_url)

Default Value

""

Remarks

The property specifies the URL where the grant will be exchanged for the access token. This is typically a separate HTTP endpoint on the authorization server.

This must be set before calling get_authorization.

server_user_info_url Property

The URL of the OpenID provider's user info endpoint.

Syntax

def get_server_user_info_url() -> str: ...
def set_server_user_info_url(value: str) -> None: ...

server_user_info_url = property(get_server_user_info_url, set_server_user_info_url)

Default Value

""

Remarks

This property holds the URL of the OpenID provider's user info endpoint. This value is required when calling get_user_info.

This property is populated when get_discovery_doc is called.

signer_cert_encoded Property

This is the certificate (PEM/base64 encoded).

Syntax

def get_signer_cert_encoded() -> bytes: ...
def set_signer_cert_encoded(value: bytes) -> None: ...

signer_cert_encoded = property(get_signer_cert_encoded, set_signer_cert_encoded)

Default Value

""

Remarks

This is the certificate (PEM/base64 encoded). This property is used to assign a specific certificate. The signer_cert_store and signer_cert_subject properties also may be used to specify a certificate.

When signer_cert_encoded is set, a search is initiated in the current signer_cert_store for the private key of the certificate. If the key is found, signer_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, signer_cert_subject is set to an empty string.

signer_cert_store Property

This is the name of the certificate store for the client certificate.

Syntax

def get_signer_cert_store() -> bytes: ...
def set_signer_cert_store(value: bytes) -> None: ...

signer_cert_store = property(get_signer_cert_store, set_signer_cert_store)

Default Value

"MY"

Remarks

This is the name of the certificate store for the client certificate.

The signer_cert_store_type property denotes the type of the certificate store specified by signer_cert_store. If the store is password protected, specify the password in signer_cert_store_password.

signer_cert_store is used in conjunction with the signer_cert_subject property to specify client certificates. If signer_cert_store has a value, and signer_cert_subject or signer_cert_encoded is set, a search for a certificate is initiated. Please see the signer_cert_subject property for details.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

signer_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_signer_cert_store_password() -> str: ...
def set_signer_cert_store_password(value: str) -> None: ...

signer_cert_store_password = property(get_signer_cert_store_password, set_signer_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

signer_cert_store_type Property

This is the type of certificate store for this certificate.

Syntax

def get_signer_cert_store_type() -> int: ...
def set_signer_cert_store_type(value: int) -> None: ...

signer_cert_store_type = property(get_signer_cert_store_type, set_signer_cert_store_type)

Default Value

0

Remarks

This is the type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used the class will automatically determine the type. This property can take one of the following values:

signer_cert_subject Property

This is the subject of the certificate used for client authentication.

Syntax

def get_signer_cert_subject() -> str: ...
def set_signer_cert_subject(value: str) -> None: ...

signer_cert_subject = property(get_signer_cert_subject, set_signer_cert_subject)

Default Value

""

Remarks

This is the subject of the certificate used for client authentication.

This property must be set after all other certificate properites are set. When this property is set, a search is performed in the current certificate store certificate with matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

signer_cert_url Property

The URL of the OpenID provider's signing certificate.

Syntax

def get_signer_cert_url() -> str: ...
def set_signer_cert_url(value: str) -> None: ...

signer_cert_url = property(get_signer_cert_url, set_signer_cert_url)

Default Value

""

Remarks

This property holds the URL of the OpenID provider's signing certificate. The signing certificate is used to very the signature of the ID token returned when calling get_authorization.

When calling get_authorization either signer_cert_url or signer_cert must be specified.

This property is populated when get_discovery_doc is called.

ssl_accept_server_cert_encoded Property

This is the certificate (PEM/base64 encoded).

Syntax

def get_ssl_accept_server_cert_encoded() -> bytes: ...
def set_ssl_accept_server_cert_encoded(value: bytes) -> None: ...

ssl_accept_server_cert_encoded = property(get_ssl_accept_server_cert_encoded, set_ssl_accept_server_cert_encoded)

Default Value

""

Remarks

This is the certificate (PEM/base64 encoded). This property is used to assign a specific certificate. The ssl_accept_server_cert_store and ssl_accept_server_cert_subject properties also may be used to specify a certificate.

When ssl_accept_server_cert_encoded is set, a search is initiated in the current ssl_accept_server_cert_store for the private key of the certificate. If the key is found, ssl_accept_server_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_accept_server_cert_subject is set to an empty string.

ssl_cert_encoded Property

This is the certificate (PEM/base64 encoded).

Syntax

def get_ssl_cert_encoded() -> bytes: ...
def set_ssl_cert_encoded(value: bytes) -> None: ...

ssl_cert_encoded = property(get_ssl_cert_encoded, set_ssl_cert_encoded)

Default Value

""

Remarks

This is the certificate (PEM/base64 encoded). This property is used to assign a specific certificate. The ssl_cert_store and ssl_cert_subject properties also may be used to specify a certificate.

When ssl_cert_encoded is set, a search is initiated in the current ssl_cert_store for the private key of the certificate. If the key is found, ssl_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_cert_subject is set to an empty string.

ssl_cert_store Property

This is the name of the certificate store for the client certificate.

Syntax

def get_ssl_cert_store() -> bytes: ...
def set_ssl_cert_store(value: bytes) -> None: ...

ssl_cert_store = property(get_ssl_cert_store, set_ssl_cert_store)

Default Value

"MY"

Remarks

This is the name of the certificate store for the client certificate.

The ssl_cert_store_type property denotes the type of the certificate store specified by ssl_cert_store. If the store is password protected, specify the password in ssl_cert_store_password.

ssl_cert_store is used in conjunction with the ssl_cert_subject property to specify client certificates. If ssl_cert_store has a value, and ssl_cert_subject or ssl_cert_encoded is set, a search for a certificate is initiated. Please see the ssl_cert_subject property for details.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

ssl_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_ssl_cert_store_password() -> str: ...
def set_ssl_cert_store_password(value: str) -> None: ...

ssl_cert_store_password = property(get_ssl_cert_store_password, set_ssl_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

ssl_cert_store_type Property

This is the type of certificate store for this certificate.

Syntax

def get_ssl_cert_store_type() -> int: ...
def set_ssl_cert_store_type(value: int) -> None: ...

ssl_cert_store_type = property(get_ssl_cert_store_type, set_ssl_cert_store_type)

Default Value

0

Remarks

This is the type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used the class will automatically determine the type. This property can take one of the following values:

ssl_cert_subject Property

This is the subject of the certificate used for client authentication.

Syntax

def get_ssl_cert_subject() -> str: ...
def set_ssl_cert_subject(value: str) -> None: ...

ssl_cert_subject = property(get_ssl_cert_subject, set_ssl_cert_subject)

Default Value

""

Remarks

This is the subject of the certificate used for client authentication.

This property must be set after all other certificate properites are set. When this property is set, a search is performed in the current certificate store certificate with matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

ssl_provider Property

This specifies the SSL/TLS implementation to use.

Syntax

def get_ssl_provider() -> int: ...
def set_ssl_provider(value: int) -> None: ...

ssl_provider = property(get_ssl_provider, set_ssl_provider)

Default Value

0

Remarks

This property specifies the SSL/TLS implementation to use. In most cases the default value of 0 (Automatic) is recommended and should not be changed. When set to 0 (Automatic) the class will select whether to use the platform implementation or the internal implementation depending on the operating system as well as the TLS version being used.

Possible values are:

Additional Notes

In most cases using the default value (Automatic) is recommended. The class will select a provider depending on the current platform.

When Automatic is selected, on Windows the class will use the platform implementation. On Linux/macOS the class will use the internal implementation. When TLS 1.3 is enabled via SSLEnabledProtocols the internal implementation is used on all platforms.

ssl_server_cert_encoded Property

This is the certificate (PEM/base64 encoded).

Syntax

def get_ssl_server_cert_encoded() -> bytes: ...

ssl_server_cert_encoded = property(get_ssl_server_cert_encoded, None)

Default Value

""

Remarks

This is the certificate (PEM/base64 encoded). This property is used to assign a specific certificate. The ssl_server_cert_store and ssl_server_cert_subject properties also may be used to specify a certificate.

When ssl_server_cert_encoded is set, a search is initiated in the current ssl_server_cert_store for the private key of the certificate. If the key is found, ssl_server_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_server_cert_subject is set to an empty string.

This property is read-only.

state Property

Opaque value used to maintain state between the request and response.

Syntax

def get_state() -> str: ...
def set_state(value: str) -> None: ...

state = property(get_state, set_state)

Default Value

""

Remarks

This property optionally holds a string value which will be returned by the authorization server with the response.

Any value may be specified here and it will be returned exactly as it was sent. This can be used to maintain state within the application, and also may be used for security purposes (for instance to prevent Cross-Site Request Forgery). The contents of this property are treated as an opaque value.

When client_profile is set to ocpApplication the on_return_url event provides the state value returned by the authorization server.

timeout Property

A timeout for the class.

Syntax

def get_timeout() -> int: ...
def set_timeout(value: int) -> None: ...

timeout = property(get_timeout, set_timeout)

Default Value

60

Remarks

If the timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If timeout is set to a positive value, the class will wait for the operation to complete before returning control.

The class will use do_events to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not "freeze" and remains responsive.

If timeout expires, and the operation is not yet complete, the class fails with an error.

Please note that by default, all timeouts are inactivity timeouts, i.e. the timeout period is extended by timeout seconds when any amount of data is successfully sent or received.

The default value for the timeout property is 60 seconds.

transferred_data Property

This property includes the contents of the last response from the server.

Syntax

def get_transferred_data() -> bytes: ...

transferred_data = property(get_transferred_data, None)

Default Value

""

Remarks

This property contains the contents of the last response from the server.

TransferredDataLimit controls the maximum amount of data accumulated in transferred_data (by default, there is no limit).

This property is read-only.

transferred_headers Property

This property includes the full set of headers as received from the server.

Syntax

def get_transferred_headers() -> str: ...

transferred_headers = property(get_transferred_headers, None)

Default Value

""

Remarks

This property returns the complete set of raw headers as received from the server.

The on_header event shows the individual headers as parsed by the class.

This property is read-only.

use_pkce Property

This property specifies if Proof Key for Code Exchange (PKCE) should be used.

Syntax

def get_use_pkce() -> bool: ...
def set_use_pkce(value: bool) -> None: ...

use_pkce = property(get_use_pkce, set_use_pkce)

Default Value

FALSE

Remarks

If specified, Proof Key for Code Exchange (PKCE) defined by RFC 7636 will be used when get_authorization is called. This applies when using the Authorization Code grant_type. The PKCEChallengeEncoding configuration setting can be used to control the code challenge method that will be used.

user_details_addr_country Property

This property holds the country name portion of the user's address.

Syntax

def get_user_details_addr_country() -> str: ...

user_details_addr_country = property(get_user_details_addr_country, None)

Default Value

""

Remarks

This property holds the country name portion of the user's address.

This property is read-only.

user_details_addr_formatted Property

This property holds the full mailing address of the user, formatted for display or use on a mailing label.

Syntax

def get_user_details_addr_formatted() -> str: ...

user_details_addr_formatted = property(get_user_details_addr_formatted, None)

Default Value

""

Remarks

This property holds the full mailing address of the user, formatted for display or use on a mailing label. This value may contain multiple lines.

This property is read-only.

user_details_addr_locality Property

This property holds the city or locality portion of the user's address.

Syntax

def get_user_details_addr_locality() -> str: ...

user_details_addr_locality = property(get_user_details_addr_locality, None)

Default Value

""

Remarks

This property holds the city or locality portion of the user's address.

This property is read-only.

user_details_addr_postal_code Property

This property holds the zip code or postal code portion of the user's address.

Syntax

def get_user_details_addr_postal_code() -> str: ...

user_details_addr_postal_code = property(get_user_details_addr_postal_code, None)

Default Value

""

Remarks

This property holds the zip code or postal code portion of the user's address.

This property is read-only.

user_details_addr_region Property

This property holds the state, province, prefecture, or region portion of the user's address.

Syntax

def get_user_details_addr_region() -> str: ...

user_details_addr_region = property(get_user_details_addr_region, None)

Default Value

""

Remarks

This property holds the state, province, prefecture, or region portion of the user's address.

This property is read-only.

user_details_addr_street_addr Property

This property holds the street address portion of the user's address.

Syntax

def get_user_details_addr_street_addr() -> str: ...

user_details_addr_street_addr = property(get_user_details_addr_street_addr, None)

Default Value

""

Remarks

This property holds the street address portion of the user's address. This is the full street address which may include house number, street name, post office box, and multi-line extended street information. This value may contain multiple lines.

This property is read-only.

user_details_audiences Property

This property contains a comma separated list of audiences for which the user information is intended.

Syntax

def get_user_details_audiences() -> str: ...

user_details_audiences = property(get_user_details_audiences, None)

Default Value

""

Remarks

This property contains a comma separated list of audiences for which the user information is intended.

This property is read-only.

user_details_birthday Property

This property contains the user's birthday.

Syntax

def get_user_details_birthday() -> str: ...

user_details_birthday = property(get_user_details_birthday, None)

Default Value

""

Remarks

This property contains the user's birthday. The format of the value is YYYY-MM-DD or YYYY. The year may be 0000 to indicate it was omitted.

This property is read-only.

user_details_email Property

This property contains the user's preferred email address.

Syntax

def get_user_details_email() -> str: ...

user_details_email = property(get_user_details_email, None)

Default Value

""

Remarks

This property contains the user's preferred email address.

This property is read-only.

user_details_email_verified Property

This property indicates whether the user's email address has been verified.

Syntax

def get_user_details_email_verified() -> bool: ...

user_details_email_verified = property(get_user_details_email_verified, None)

Default Value

FALSE

Remarks

This property indicates whether the user's email address has been verified. To be considered verified the end-user must prove the email address was under the user's control at the time of verification.

This property is read-only.

user_details_first_name Property

This property holds the first name of the user.

Syntax

def get_user_details_first_name() -> str: ...

user_details_first_name = property(get_user_details_first_name, None)

Default Value

""

Remarks

This property holds the first name of the user. If multiple names are present they are space separated.

This property is read-only.

user_details_gender Property

This property holds the user's gender.

Syntax

def get_user_details_gender() -> str: ...

user_details_gender = property(get_user_details_gender, None)

Default Value

""

Remarks

This property holds the user's gender. Defined values are male and female but other values may also be used.

This property is read-only.

user_details_issuer Property

This property contains the identifier of the issuer who issued the ID token.

Syntax

def get_user_details_issuer() -> str: ...

user_details_issuer = property(get_user_details_issuer, None)

Default Value

""

Remarks

This property contains the identifier of the issuer who issued the ID token.

This property is read-only.

user_details_last_name Property

This property holds the last name of the user.

Syntax

def get_user_details_last_name() -> str: ...

user_details_last_name = property(get_user_details_last_name, None)

Default Value

""

Remarks

This property holds the last name of the user. If multiple names are present they are space separated.

This property is read-only.

user_details_locale Property

This property holds the end user's locale.

Syntax

def get_user_details_locale() -> str: ...

user_details_locale = property(get_user_details_locale, None)

Default Value

""

Remarks

This property holds the end user's locale. This is represented as a BCP47 (RFC 5646) language tag. For instance en-US or en_US.

This property is read-only.

user_details_middle_name Property

This property holds the middle name of the user.

Syntax

def get_user_details_middle_name() -> str: ...

user_details_middle_name = property(get_user_details_middle_name, None)

Default Value

""

Remarks

This property holds the middle name of the user. If multiple names are present they are space separated.

This property is read-only.

user_details_name Property

This property contains the user's full name in displayable form including all name parts.

Syntax

def get_user_details_name() -> str: ...

user_details_name = property(get_user_details_name, None)

Default Value

""

Remarks

This property contains the user's full name in displayable form including all name parts. This may include titles and suffixes.

This property is read-only.

user_details_nickname Property

This property holds the casual name of the user.

Syntax

def get_user_details_nickname() -> str: ...

user_details_nickname = property(get_user_details_nickname, None)

Default Value

""

Remarks

This property holds the casual name of the user. This may or may not be the same as user_details_first_name.

This property is read-only.

user_details_phone_number Property

This property holds the user's phone number.

Syntax

def get_user_details_phone_number() -> str: ...

user_details_phone_number = property(get_user_details_phone_number, None)

Default Value

""

Remarks

This property holds the user's phone number. This may be in E.164 format, for instance +1 (425) 555-1212. If an extension is present it may be represented according to RFC 3966. For instance: +1 (604) 555-1234;ext=5678.

This property is read-only.

user_details_phone_number_verified Property

This property indicates whether the user's phone number has been verified.

Syntax

def get_user_details_phone_number_verified() -> bool: ...

user_details_phone_number_verified = property(get_user_details_phone_number_verified, None)

Default Value

FALSE

Remarks

This property indicates whether the user's phone number has been verified. To be considered verified the end-user must prove the phone number was under the user's control at the time of verification.

This property is read-only.

user_details_picture_url Property

This property holds the URL of the user's profile picture.

Syntax

def get_user_details_picture_url() -> str: ...

user_details_picture_url = property(get_user_details_picture_url, None)

Default Value

""

Remarks

This property holds the URL of the user's profile picture.

This property is read-only.

user_details_preferred_username Property

This property holds the shorthand name by which the end-user wishes to be referred.

Syntax

def get_user_details_preferred_username() -> str: ...

user_details_preferred_username = property(get_user_details_preferred_username, None)

Default Value

""

Remarks

This property holds the shorthand name by which the end-user wishes to be referred.

This property is read-only.

user_details_profile_url Property

This property holds the URL of the user's profile page.

Syntax

def get_user_details_profile_url() -> str: ...

user_details_profile_url = property(get_user_details_profile_url, None)

Default Value

""

Remarks

This property holds the URL of the user's profile page.

This property is read-only.

user_details_subject Property

This property holds the subject identifier of the token.

Syntax

def get_user_details_subject() -> str: ...

user_details_subject = property(get_user_details_subject, None)

Default Value

""

Remarks

This property holds the subject identifier of the token.

This property is read-only.

user_details_token_auth_time Property

This property holds the time when authentication occurred.

Syntax

def get_user_details_token_auth_time() -> int: ...

user_details_token_auth_time = property(get_user_details_token_auth_time, None)

Default Value

0

Remarks

This property holds the time when authentication occurred.

The time value is a number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

This property is read-only.

user_details_token_exp_time Property

This property holds the expiration time of the token.

Syntax

def get_user_details_token_exp_time() -> int: ...

user_details_token_exp_time = property(get_user_details_token_exp_time, None)

Default Value

0

Remarks

This property holds the expiration time of the token.

The time value is a number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

This property is read-only.

user_details_token_issued_at Property

This property holds the time when the token was issued.

Syntax

def get_user_details_token_issued_at() -> int: ...

user_details_token_issued_at = property(get_user_details_token_issued_at, None)

Default Value

0

Remarks

This property holds the time when the token was issued.

The time value is a number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

This property is read-only.

user_details_updated_at Property

This property holds the time when the user's information was last updated.

Syntax

def get_user_details_updated_at() -> int: ...

user_details_updated_at = property(get_user_details_updated_at, None)

Default Value

0

Remarks

This property holds the time when the user's information was last updated.

The time value is a number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

This property is read-only.

user_details_website Property

This property holds the URL of the user's website.

Syntax

def get_user_details_website() -> str: ...

user_details_website = property(get_user_details_website, None)

Default Value

""

Remarks

This property holds the URL of the user's website.

This property is read-only.

user_details_zone_info Property

This property holds the user's time zone.

Syntax

def get_user_details_zone_info() -> str: ...

user_details_zone_info = property(get_user_details_zone_info, None)

Default Value

""

Remarks

This property holds the user's time zone. For instance: America/Los_Angeles.

This property is read-only.

web_server_port Property

This property includes the local port on which the embedded web server listens.

Syntax

def get_web_server_port() -> int: ...
def set_web_server_port(value: int) -> None: ...

web_server_port = property(get_web_server_port, set_web_server_port)

Default Value

0

Remarks

This property specifies the port on which the embedded web server listens. Setting this to 0 (default) enables the system to choose a port at random. The chosen port will be returned when this setting is queried after the server has started listening. This is applicable only when using the embedded web server.

web_server_ssl_cert_store Property

This is the name of the certificate store for the client certificate.

Syntax

def get_web_server_ssl_cert_store() -> bytes: ...
def set_web_server_ssl_cert_store(value: bytes) -> None: ...

web_server_ssl_cert_store = property(get_web_server_ssl_cert_store, set_web_server_ssl_cert_store)

Default Value

"MY"

Remarks

This is the name of the certificate store for the client certificate.

The web_server_ssl_cert_store_type property denotes the type of the certificate store specified by web_server_ssl_cert_store. If the store is password protected, specify the password in web_server_ssl_cert_store_password.

web_server_ssl_cert_store is used in conjunction with the web_server_ssl_cert_subject property to specify client certificates. If web_server_ssl_cert_store has a value, and web_server_ssl_cert_subject or web_server_ssl_cert_encoded is set, a search for a certificate is initiated. Please see the web_server_ssl_cert_subject property for details.

Designations of certificate stores are platform-dependent.

The following are designations of the most common User and Machine certificate stores in Windows:

When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

web_server_ssl_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_web_server_ssl_cert_store_password() -> str: ...
def set_web_server_ssl_cert_store_password(value: str) -> None: ...

web_server_ssl_cert_store_password = property(get_web_server_ssl_cert_store_password, set_web_server_ssl_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

web_server_ssl_cert_store_type Property

This is the type of certificate store for this certificate.

Syntax

def get_web_server_ssl_cert_store_type() -> int: ...
def set_web_server_ssl_cert_store_type(value: int) -> None: ...

web_server_ssl_cert_store_type = property(get_web_server_ssl_cert_store_type, set_web_server_ssl_cert_store_type)

Default Value

0

Remarks

This is the type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used the class will automatically determine the type. This property can take one of the following values:

web_server_ssl_cert_subject Property

This is the subject of the certificate used for client authentication.

Syntax

def get_web_server_ssl_cert_subject() -> str: ...
def set_web_server_ssl_cert_subject(value: str) -> None: ...

web_server_ssl_cert_subject = property(get_web_server_ssl_cert_subject, set_web_server_ssl_cert_subject)

Default Value

""

Remarks

This is the subject of the certificate used for client authentication.

This property must be set after all other certificate properites are set. When this property is set, a search is performed in the current certificate store certificate with matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are displayed below.

If a field value contains a comma it must be quoted.

web_server_ssl_enabled Property

This property specifies whether the web server requires Secure Sockets Layer (SSL) connections.

Syntax

def get_web_server_ssl_enabled() -> bool: ...
def set_web_server_ssl_enabled(value: bool) -> None: ...

web_server_ssl_enabled = property(get_web_server_ssl_enabled, set_web_server_ssl_enabled)

Default Value

FALSE

Remarks

This setting specifies whether the embedded web server uses a Secure Sockets Layer (SSL). If set to True, web_server_ssl_cert is required and the server will accept only SSL connections. If set to False, only plaintext connects are supported.

add_cookie Method

This method adds a cookie and the corresponding value to the outgoing request headers.

Syntax

def add_cookie(cookie_name: str, cookie_value: str) -> None: ...

Remarks

This property adds a cookie and the corresponding value to the outgoing request headers. Please refer to the cookies property for more information on cookies and how they are managed.

add_param Method

This method adds a name-value pair to the query string parameters of outgoing request.

Syntax

def add_param(param_name: str, param_value: str) -> None: ...

Remarks

This method can be used to add query string parameters to the outgoing request. One common use for this method would be to add the state parameter to the request, which can be used when the client_profile is ocpWeb to add user-defined data. The authorization server will include the state parameter in the response and will be available in the post back to your server, which will allow you to maintain state in your application.

config Method

Sets or retrieves a configuration setting.

Syntax

def config(configuration_string: str) -> str: ...

Remarks

config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

do_events Method

Processes events from the internal message queue.

Syntax

def do_events() -> None: ...

Remarks

When do_events is called, the class processes any available events. If no events are available, it waits for a preset period of time, and then returns.

get_authorization Method

Gets the authorization string required to access the protected resource.

Syntax

def get_authorization() -> str: ...

Remarks

get_authorization performs several operations automatically depending on the value of client_profile. Please see the introduction section for the OpenID class for a detailed overview of the typical scenarios.

After authorization is complete user_details will be populated with the claims parsed from the ID token. This method also returns an authorization string. The authorization string grants access to additional resources as requested via the authorization_scope property. If access to another resource was requested the access token returned here may be set in the Authorization property of any other class (or passed as the value of the HTTP Authorization header).

get_user_info may be called after calling this method.

The following properties are applicable when calling this method:

• client_id (required)
• client_secret (required)
• server_auth_url (required - populated by get_discovery_doc.)
• server_token_url (required - populated by get_discovery_doc.)
• signer_cert_url (conditional - populated by get_discovery_doc. Required if signer_cert is not set.)
• signer_cert (conditional - required if signer_cert_url is not set.)
• authorization_scope
• client_profile
• grant_type
• params
• refresh_token
• return_url
• state
• timeout
• Display
• Prompt
• IDTokenHint
• LoginHint
• ResponseType

get_authorization_url Method

This method builds and returns the URL to which the user should be redirected for authorization.

Syntax

def get_authorization_url() -> str: ...

Remarks

When this method is called, the class will return the URL used for authorization. The class will not make any connections, but instead it will return the URL to you so that you may redirect the user to this location. This is useful when client_profile is set to ocpWeb. Before calling this method, set the following:

• client_id
• client_secret
• return_url
• authorization_scope (optional)

get_discovery_doc Method

Gets the OpenID Discovery Document.

Syntax

def get_discovery_doc(url: str) -> None: ...

Remarks

This method gets the OpenID Connect Discovery Document specified by the URL parameter and parses the response. The discover document contains details about the OpenID Provider configuration including endpoint URLs, supported claims and response types, and more.

The discovery document URL is typically published by an OpenID provider and must be known before calling this method. The format of the URL is standardized and typically takes the form:

https://www.youropenidserver.com/.well-known/openid-configuration

Call get_discovery_doc before calling get_authorization to populate the class properties with information required to complete the authorization. The retrieved information includes endpoint URLs as well as the OpenID public certificates used to verify the signature on the ID token. After calling this method the following properties are populated:

• server_auth_url
• server_token_url
• server_user_info_url
• signer_cert_url

The above values may be stored, and later populated from the stored values, to avoid the requirement of calling get_discovery_doc on subsequent authorization requests.

The following discovery document fields are populated after get_discovery_doc returns:

• discovery_doc_details_authorization_url
• discovery_doc_details_claims_param_supported
• discovery_doc_details_issuer
• discovery_doc_details_signer_cert_url
• discovery_doc_details_registration_url
• discovery_doc_details_service_docs_url
• discovery_doc_details_supported_claims
• discovery_doc_details_supported_displays
• discovery_doc_details_supported_grant_types
• discovery_doc_details_supported_response_types
• discovery_doc_details_supported_scopes
• discovery_doc_details_token_url
• discovery_doc_details_user_info_url

To access values not automatically parsed by the class the XPath configuration setting may be set to retrieve a specific value. Alternatively the RawJSON setting returns the entire JSON document which may be parsed separately.

get_param Method

This method gets a specific parameter from a query string.

Syntax

def get_param(param_name: str) -> str: ...

Remarks

This method can be used to get a specific parameter from a query string.

For example, when using the ocpApplication profile, this method can be used in the on_return_url event to query the parameters that are returned from the authorization server. Then, it can be called after get_authorization completes to query the parameters that the token server responded with.

string authorizationString = oauth.GetAuthorization(); string stateValue = oauth.GetParam("state");

get_user_info Method

Retrieves claims about the user.

Syntax

def get_user_info() -> None: ...

Remarks

This method retrieves claims about the user. Before calling get_user_info method a successful call to get_authorization must be made. The access token returned by get_authorization is used by the OpenID provider at server_user_info_url to identify the user for which claims are being retrieved.

When this method is called the class requests the claims about the user from the server_user_info_url. The resulting claims are available in the UserDetail* properties.

Note: The get_user_info method will populate the UserDetail* properties with the claims returned in the ID token during the authorization process. This method may not need to be called in order to access the desired claims about the user.

openid.GetUserInfo(); // ... use the user info in the remainder of your application ...

interrupt Method

Interrupt the current method.

Syntax

def interrupt() -> None: ...

Remarks

If there is no method in progress, interrupt simply returns, doing nothing.

reset Method

Reset the class.

Syntax

def reset() -> None: ...

Remarks

This method will reset the class's properties to their default values.

start_web_server Method

This method starts the embedded web server.

Syntax

def start_web_server() -> None: ...

Remarks

This method starts the embedded web server. This method can be used to manually start the embedded web server. Under normal circumstances, this is not needed as the component will automatically start and stop the web server when get_authorization is called. You may decide, however, to start the web server manually before calling get_authorization. When called, this method will also populate return_url with the address of the embedded server.

stop_web_server Method

This method stops the embedded web server.

Syntax

def stop_web_server() -> None: ...

Remarks

This method stops the embedded web server. Under normal circumstances, the web server will be stopped automatically during the authorization process when get_authorization is called. If ReUseWebServer is set to True, the server will not be automatically stopped, and this method must be called to stop the embedded web server.

on_connected Event

This event is fired immediately after a connection completes (or fails).

Syntax

class OpenIDConnectedEventParams(object):
  @property
  def status_code() -> int: ...

  @property
  def description() -> str: ...

# In class OpenID:
@property
def on_connected() -> Callable[[OpenIDConnectedEventParams], None]: ...
@on_connected.setter
def on_connected(event_hook: Callable[[OpenIDConnectedEventParams], None]) -> None: ...

Remarks

If the connection is made normally, StatusCode is 0 and Description is "OK".

If the connection fails, StatusCode has the error code returned by the Transmission Control Protocol (TCP)/IP stack. Description contains a description of this code. The value of StatusCode is equal to the value of the error.

Please refer to the Error Codes section for more information.

on_connection_status Event

This event is fired to indicate changes in the connection state.

Syntax

class OpenIDConnectionStatusEventParams(object):
  @property
  def connection_event() -> str: ...

  @property
  def status_code() -> int: ...

  @property
  def description() -> str: ...

# In class OpenID:
@property
def on_connection_status() -> Callable[[OpenIDConnectionStatusEventParams], None]: ...
@on_connection_status.setter
def on_connection_status(event_hook: Callable[[OpenIDConnectionStatusEventParams], None]) -> None: ...

Remarks

The on_connection_status event is fired when the connection state changes: for example, completion of a firewall or proxy connection or completion of a security handshake.

The ConnectionEvent parameter indicates the type of connection event. Values may include the following:

StatusCode has the error code returned by the Transmission Control Protocol (TCP)/IP stack. Description contains a description of this code. The value of StatusCode is equal to the value of the error.

on_disconnected Event

This event is fired when a connection is closed.

Syntax

class OpenIDDisconnectedEventParams(object):
  @property
  def status_code() -> int: ...

  @property
  def description() -> str: ...

# In class OpenID:
@property
def on_disconnected() -> Callable[[OpenIDDisconnectedEventParams], None]: ...
@on_disconnected.setter
def on_disconnected(event_hook: Callable[[OpenIDDisconnectedEventParams], None]) -> None: ...

Remarks

If the connection is broken normally, StatusCode is 0 and Description is "OK".

If the connection is broken for any other reason, StatusCode has the error code returned by the Transmission Control Protocol (TCP/IP) subsystem. Description contains a description of this code. The value of StatusCode is equal to the value of the TCP/IP error.

Please refer to the Error Codes section for more information.

on_end_transfer Event

This event is fired when a document finishes transferring.

Syntax

class OpenIDEndTransferEventParams(object):
  @property
  def direction() -> int: ...

# In class OpenID:
@property
def on_end_transfer() -> Callable[[OpenIDEndTransferEventParams], None]: ...
@on_end_transfer.setter
def on_end_transfer(event_hook: Callable[[OpenIDEndTransferEventParams], None]) -> None: ...

Remarks

The on_end_transfer event is fired first when the client finishes sending data to the server (in a POST or PUT request) and then when the document text finishes transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

on_error Event

Information about errors during data delivery.

Syntax

class OpenIDErrorEventParams(object):
  @property
  def error_code() -> int: ...

  @property
  def description() -> str: ...

# In class OpenID:
@property
def on_error() -> Callable[[OpenIDErrorEventParams], None]: ...
@on_error.setter
def on_error(event_hook: Callable[[OpenIDErrorEventParams], None]) -> None: ...

Remarks

The on_error event is fired in case of exceptional conditions during message processing. Normally the class fails with an error.

ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

on_header Event

This event is fired every time a header line comes in.

Syntax

class OpenIDHeaderEventParams(object):
  @property
  def field() -> str: ...

  @property
  def value() -> str: ...

# In class OpenID:
@property
def on_header() -> Callable[[OpenIDHeaderEventParams], None]: ...
@on_header.setter
def on_header(event_hook: Callable[[OpenIDHeaderEventParams], None]) -> None: ...

Remarks

The Field parameter contains the name of the HTTP header (which is the same as it is delivered). The Value parameter contains the header contents.

If the header line being retrieved is a continuation header line, then the Field parameter contains "" (empty string).

on_launch_browser Event

This event fires before launching a browser with the authorization URL.

Syntax

class OpenIDLaunchBrowserEventParams(object):
  @property
  def url() -> str: ...
  @url.setter
  def url(value) -> None: ...

  @property
  def command() -> str: ...
  @command.setter
  def command(value) -> None: ...

# In class OpenID:
@property
def on_launch_browser() -> Callable[[OpenIDLaunchBrowserEventParams], None]: ...
@on_launch_browser.setter
def on_launch_browser(event_hook: Callable[[OpenIDLaunchBrowserEventParams], None]) -> None: ...

Remarks

When the client_profile property is set to ocpApplication and get_authorization is called, the class will fire this event with the Command, which will be executed by the class. The URL parameter will be the authorization URL that the user will be directed to authenticate.

Within this event, you may override the current value of either Command or URL and provide your own value. If Command is set to an empty string, the class will not attempt to launch the browser and instead you will be responsible for directing the user to the authorization URL specified by the URL parameter.

In Windows, ShellExecute is used to execute Command, which limits the verbs available for use in Command to:

• edit
• explore
• find
• open
• print

on_log Event

This event fires once for each log message.

Syntax

class OpenIDLogEventParams(object):
  @property
  def log_level() -> int: ...

  @property
  def message() -> str: ...

  @property
  def log_type() -> str: ...

# In class OpenID:
@property
def on_log() -> Callable[[OpenIDLogEventParams], None]: ...
@on_log.setter
def on_log(event_hook: Callable[[OpenIDLogEventParams], None]) -> None: ...

Remarks

This event fires once for each log message generated by the class. The verbosity is controlled by the LogLevel setting.

LogLevel indicates the level of message. Possible values are as follows:

The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.

The value 2 (Verbose) logs additional information about the request and response.

The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).

Message is the log entry.

LogType identifies the type of log entry. Possible values are as follows:

• "Info"
• "RequestHeaders"
• "ResponseHeaders"
• "RequestBody"
• "ResponseBody"
• "ProxyRequest"
• "ProxyResponse"
• "FirewallRequest"
• "FirewallResponse"

on_redirect Event

This event is fired when a redirection is received from the server.

Syntax

class OpenIDRedirectEventParams(object):
  @property
  def location() -> str: ...

  @property
  def accept() -> bool: ...
  @accept.setter
  def accept(value) -> None: ...

# In class OpenID:
@property
def on_redirect() -> Callable[[OpenIDRedirectEventParams], None]: ...
@on_redirect.setter
def on_redirect(event_hook: Callable[[OpenIDRedirectEventParams], None]) -> None: ...

Remarks

This event is fired in cases in which the client can decide whether or not to continue with the redirection process. The Accept parameter is always True by default, but if you do not want to follow the redirection, Accept may be set to False, in which case the class fails with an error. Location is the location to which the client is being redirected. Further control over redirection is provided in the follow_redirects property.

on_return_url Event

Fires when the user is redirected to the embedded web server.

Syntax

class OpenIDReturnURLEventParams(object):
  @property
  def url_path() -> str: ...

  @property
  def query_string() -> str: ...

  @property
  def state() -> str: ...

  @property
  def response_headers() -> str: ...
  @response_headers.setter
  def response_headers(value) -> None: ...

  @property
  def response_body() -> str: ...
  @response_body.setter
  def response_body(value) -> None: ...

# In class OpenID:
@property
def on_return_url() -> Callable[[OpenIDReturnURLEventParams], None]: ...
@on_return_url.setter
def on_return_url(event_hook: Callable[[OpenIDReturnURLEventParams], None]) -> None: ...

Remarks

When client_profile is set to ocpApplication and the embedded web server is used (default), this event will fire when the user is redirected from authorization server back to the local embedded web server. The event provides an opportunity to set the ResponseHeaders and ResponseBody and provide a custom response that the user will see in their browser.

URLPath and QueryString are informational parameters that show the values sent by the authorization server.

State holds the value of the state parameter that was originally sent with the authorization request. This may be used to maintain state between the request and response. See state for more details.

on_set_cookie Event

This event is fired for every cookie set by the server.

Syntax

class OpenIDSetCookieEventParams(object):
  @property
  def name() -> str: ...

  @property
  def value() -> str: ...

  @property
  def expires() -> str: ...

  @property
  def domain() -> str: ...

  @property
  def path() -> str: ...

  @property
  def secure() -> bool: ...

# In class OpenID:
@property
def on_set_cookie() -> Callable[[OpenIDSetCookieEventParams], None]: ...
@on_set_cookie.setter
def on_set_cookie(event_hook: Callable[[OpenIDSetCookieEventParams], None]) -> None: ...

Remarks

The on_set_cookie event is fired for every Set-Cookie: header received from the HTTP server.

The Name parameter contains the name of the cookie, with the corresponding value supplied in the Value parameter.

The Expires parameter contains an expiration time for the cookie (if provided by the server). The time format used is "Weekday, DD-Mon-YY HH:MM:SS GMT". If the server does not provide an expiration time, the Expires parameter will be an empty string. In this case, the convention is to drop the cookie at the end of the session.

The Domain parameter contains a domain name to limit the cookie to (if provided by the server). If the server does not provide a domain name, the Domain parameter will be an empty string. The convention in this case is to use the server specified in the URL (url_server) as the cookie domain.

The Path parameter contains a path name to limit the cookie to (if provided by the server). If the server does not provide a cookie path, the Path parameter will be an empty string. The convention in this case is to use the path specified in the URL (url_path) as the cookie path.

The Secure parameter specifies whether the cookie is secure. If the value of this parameter is True, the cookie value must be submitted only through a secure (HTTPS) connection.

on_ssl_server_authentication Event

Fired after the server presents its certificate to the client.

Syntax

class OpenIDSSLServerAuthenticationEventParams(object):
  @property
  def cert_encoded() -> bytes: ...

  @property
  def cert_subject() -> str: ...

  @property
  def cert_issuer() -> str: ...

  @property
  def status() -> str: ...

  @property
  def accept() -> bool: ...
  @accept.setter
  def accept(value) -> None: ...

# In class OpenID:
@property
def on_ssl_server_authentication() -> Callable[[OpenIDSSLServerAuthenticationEventParams], None]: ...
@on_ssl_server_authentication.setter
def on_ssl_server_authentication(event_hook: Callable[[OpenIDSSLServerAuthenticationEventParams], None]) -> None: ...

Remarks

This event is where the client can decide whether to continue with the connection process or not. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether to continue or not.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string "OK"). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

on_ssl_status Event

Shows the progress of the secure connection.

Syntax

class OpenIDSSLStatusEventParams(object):
  @property
  def message() -> str: ...

# In class OpenID:
@property
def on_ssl_status() -> Callable[[OpenIDSSLStatusEventParams], None]: ...
@on_ssl_status.setter
def on_ssl_status(event_hook: Callable[[OpenIDSSLStatusEventParams], None]) -> None: ...

Remarks

The event is fired for informational and logging purposes only. Used to track the progress of the connection.

on_start_transfer Event

This event is fired when a document starts transferring (after the headers).

Syntax

class OpenIDStartTransferEventParams(object):
  @property
  def direction() -> int: ...

# In class OpenID:
@property
def on_start_transfer() -> Callable[[OpenIDStartTransferEventParams], None]: ...
@on_start_transfer.setter
def on_start_transfer(event_hook: Callable[[OpenIDStartTransferEventParams], None]) -> None: ...

Remarks

The on_start_transfer event is fired first when the client starts sending data to the server (in a POST or PUT request) and then when the document text starts transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

on_status Event

This event is fired when the HTTP status line is received from the server.

Syntax

class OpenIDStatusEventParams(object):
  @property
  def http_version() -> str: ...

  @property
  def status_code() -> int: ...

  @property
  def description() -> str: ...

# In class OpenID:
@property
def on_status() -> Callable[[OpenIDStatusEventParams], None]: ...
@on_status.setter
def on_status(event_hook: Callable[[OpenIDStatusEventParams], None]) -> None: ...

Remarks

HTTPVersion is a string containing the HTTP version string as returned from the server (e.g., "1.1").

StatusCode contains the HTTP status code (e.g., 200), and Description the associated message returned by the server (e.g., "OK").

on_transfer Event

This event is fired while a document transfers (delivers document).

Syntax

class OpenIDTransferEventParams(object):
  @property
  def direction() -> int: ...

  @property
  def bytes_transferred() -> int: ...

  @property
  def percent_done() -> int: ...

  @property
  def text() -> bytes: ...

# In class OpenID:
@property
def on_transfer() -> Callable[[OpenIDTransferEventParams], None]: ...
@on_transfer.setter
def on_transfer(event_hook: Callable[[OpenIDTransferEventParams], None]) -> None: ...

Remarks

The Text parameter contains the portion of the document text being received. It is empty if data are being posted to the server.

The BytesTransferred parameter contains the number of bytes transferred in this Direction since the beginning of the document text (excluding HTTP response headers).

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

The PercentDone parameter shows the progress of the transfer in the corresponding direction. If PercentDone can not be calculated the value will be -1.

Note: Events are not re-entrant. Performing time-consuming operations within this event will prevent it from firing again in a timely manner and may affect overall performance.

OpenID Config Settings

<firstlevel>
  <one>value</one>
  <two>
    <item>first</item>
    <item>second</item>
  </two>
  <three>value three</three>
</firstlevel>

{
  "firstlevel": {
    "one": "value",
    "two": ["first", "second"],
    "three": "value three"
  }
}