
oic_openid_connect_dynamic_discovery_client_registration.py


A basic OpenID Connect Relying Party (RP) example that performs dynamic provider discovery and dynamic client registration, then builds the authentication request.

oic_openid_connect_dynamic_discovery_client_registration.py
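"""Minimal OpenID Connect Relying Party (RP) walkthrough using pyoidc.

Runs provider discovery and dynamic client registration against ``issuer``,
then builds the authentication request URL for the authorization code flow.
Steps 5-7 (callback, token request, UserInfo request) stay as commented
sketches because they belong in a web framework's callback handler.
"""
import secrets

from oic.oic import Client
from oic.oic.message import AuthorizationResponse
from oic.oic.message import RegistrationResponse
from oic.utils.authn.client import CLIENT_AUTHN_METHOD
from oic.utils.http_util import Redirect  # not used below; kept from the original listing

# 1. Create the Client instance
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)

# 2. Provider Discovery
# Replace with the actual issuer URL (e.g., 'https://accounts.google.com').
# Every endpoint used below is taken from this issuer's discovery document,
# so the value should be an HTTPS URL from trusted configuration, not from
# request data.
issuer = "https://example.com"
client.provider_config(issuer)

# 3. Dynamic Client Registration
# (Note: In many cases, you will use static registration with pre-shared client_id/secret)
# "contacts" is the client metadata name defined by OpenID Connect Dynamic
# Client Registration; the original "contact_email" key is not part of it.
registration_params = {
    "redirect_uris": ["https://example.com/callback"],
    "contacts": ["support@example.com"],
}
# This raises KeyError if the provider does not advertise a registration
# endpoint; fall back to static registration in that case.
registration_endpoint = client.provider_info["registration_endpoint"]
# The response may carry a client_secret: treat it as a credential (store it
# securely, keep it out of logs).
registration_response = client.register(registration_endpoint, **registration_params)

# 4. Authentication Request
# state ties the callback to this browser session (CSRF defence) and nonce
# ties the ID token to this request (replay defence). Both come from the
# CSPRNG-backed secrets module and must be kept in the user's server-side
# session so the callback handler can compare them.
state = secrets.token_urlsafe(32)
nonce = secrets.token_urlsafe(32)

redirect_uri = client.registration_response["redirect_uris"][0]
args = {
    "client_id": client.client_id,
    "response_type": "code",
    "scope": ["openid", "profile"],
    "nonce": nonce,
    "state": state,
    "redirect_uri": redirect_uri,
}

auth_req = client.construct_AuthorizationRequest(request_args=args)
login_url = auth_req.request(client.authorization_endpoint)

print(f"Redirect the user to: {login_url}")

# 5. Handling the callback (Conceptual - usually handled by a web framework)
# response_url = "https://example.com/callback?code=...&state=..."
# aresp = client.parse_response(AuthorizationResponse, url=response_url, sformat="dict")
# Reject the response unless it carries the state issued in step 4:
# if aresp["state"] != state:
#     raise ValueError("state mismatch")

# 6. Token Request
# args = {
#     "code": aresp["code"],
#     "redirect_uri": client.registration_response["redirect_uris"][0],
# }
# token_resp = client.do_access_token_request(scope="openid", state=aresp["state"], request_args=args)
# NOTE(review): before trusting the ID token, confirm its nonce equals the
# nonce from step 4 - check whether the pyoidc version in use enforces this.

# 7. UserInfo Request
# userinfo = client.do_user_info_request(state=aresp["state"])
# print(userinfo.to_dict())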