Simple OpenID

Simple and opinionated OpenID-Connect relying party and resource server implementation

Quick Links

• PyPi Page
• Documentation
• GitHub Repository

Development philosophy

• Keep the API as simple as possible

  No **kwargs parameters, no function arguments called request_args, http_args or something_else_args

• Fully typed API

  Python has type hints now, let's use them.

• Support commonly used OpenID features and flows

  Commonly used flows will be supported but obscure and legacy or experimental mechanisms not so much.

• Be just an OpenID library

  Tell the user about function requirements clearly but don't try any fancy internal persistence or caching mechanisms that will only fail in different usage scenarios. Instead, abstract the underlying OpenID protocol into usable, clear functions but nothing more.

Language & Framework Support

We aim to follow pythons officially supported versions. This is currently python v3.9, v3.10, v3.11, v3.12 and v3.13.

In addition to being an OpenID library from which one can build their own authentication solutaion, we also offer explicit integrations into the following frameworks and projects:

Name	Package Feature	Integration Docs	Supported Versions
Django	django	Integration Docs	v4.2, v5.1, v5.2
Django-Rest-Framework	djangorestframework	Integration Docs	v3.14, v3.15, v3.16

Supported OpenID Specs

The list of OpenID specifications can be found on the official website.

• (✔️) Partial OpenID Connect Core 1.0

  Only the following flows and features are implemented:

  • ✔️ Authorization Code Flow
  • ✔️ Direct Access Grant (or Resource Owner Password Credentials Grant)
  • ✔️ client_secret_basic client authentication
  • ✔️ none client authentication
  • ✔️ Query String serialization and parsing
  • ✔️ ID Token handling (parsing + validation)
  • ✔️ Using refresh tokens
  • ✔️ Retrieving userinfo
  • ❌ Implicit Flow
  • ❌ Hybrid Flow
  • ❌ Handling third party initiated login
  • ❌ Passing requests as JWTs (neither by value nor by reference)
  • ❌ Self-Issued OpenID Provider
  • ❌ client_secret_post client authentication
  • ❌ client_secret_jwt client authentication
  • ❌ private_key_jwt client authentication

• (✔️) Partial OpenID Connect Discovery 1.0. Provider Configuration Discovery is implemented, Provider Issuer Discovery is not.

  This means that a known issuer can be introspected for its supported algorithms, endpoint locations and so forth but discovering that issuer in the first hand is not possible.

• ✔️ Full OAuth 2.0 Multiple Response Type Encoding Practices

  Only the following features are implemented and supported:

  • ✔️ Response modes (fragment based response parsing)
  • ✔️ Multiple-Valued Response Types
    No explicit support, but it is possible to supply one of the multivalued response_type values to an authentication request and then parse multiple responses from the resulting response.

• ✔️ Full OpenID Connect RP-Initiated Logout 1.0

• ✔️ Full OpenID Connect Front-Channel Logout 1.0

• ✔️ Full OpenID Connect Back-Channel Logout 1.0

• ✔️ Full Proof Key for Code Exchange (PKCE)

• ✔️ Full OAuth 2.0 Token Introspection