{"id":6745,"library":"oic","title":"pyoidc (OpenID Connect and OAuth2 Library)","description":"pyoidc is a Python implementation of both the OAuth2 authorization framework and the OpenID Connect (OIDC) authentication layer on top of it. It provides tools for building OIDC Clients (Relying Parties) and OIDC Providers (OpenID Providers). The current version is 1.7.0, and it maintains an active release cadence with updates typically every few months, addressing bug fixes, dependency updates, and Python version compatibility.","status":"active","version":"1.7.0","language":"en","source_language":"en","source_url":"https://github.com/CZ-NIC/pyoidc/","tags":["oauth2","openid connect","oidc","security","authentication","client","server","federation"],"install":[{"cmd":"pip install oic","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"HTTP client for network communication with OIDC providers.","package":"requests","optional":false},{"reason":"Cryptographic primitives for token signing/encryption and key management.","package":"pycryptodome","optional":false},{"reason":"Used for templating, especially in examples and potentially internal message structures.","package":"Jinja2","optional":false},{"reason":"Data validation and settings management; used for message parsing and validation.","package":"pydantic","optional":false}],"imports":[{"note":"Main class for implementing an OpenID Connect Relying Party (client).","symbol":"Client","correct":"from oic.oic.client import Client"},{"note":"Main class for implementing an OpenID Connect Provider (server).","symbol":"Provider","correct":"from oic.oic.server import Provider"},{"note":"Utility for managing cryptographic keys used in signing and encryption.","symbol":"KeyJar","correct":"from oic.utils.keyio import KeyJar"},{"note":"Represents the OpenID Connect Authorization Request message.","symbol":"AuthorizationRequest","correct":"from oic.oic.message import AuthorizationRequest"}],"quickstart":{"code":"import os\nimport secrets\nfrom oic.oic.client import Client\nfrom oic.utils.keyio import KeyJar\n\n# Configure these environment variables for a real flow\nISSUER = os.environ.get(\"OIDC_ISSUER\", \"https://accounts.google.com\")\nCLIENT_ID = os.environ.get(\"OIDC_CLIENT_ID\", \"your_client_id_here\")\nCLIENT_SECRET = os.environ.get(\"OIDC_CLIENT_SECRET\", \"your_client_secret_here\")\nREDIRECT_URI = os.environ.get(\"OIDC_REDIRECT_URI\", \"http://localhost:8080/cb\")\n\n# 1. Initialize the OIDC Client\n# A KeyJar is essential for managing cryptographic keys (e.g., for JWTs)\nkeyjar = KeyJar()\nclient = Client(client_id=CLIENT_ID, client_secret=CLIENT_SECRET, keyjar=keyjar)\n\nprint(f\"Initialized OIDC Client for issuer: {ISSUER}\")\n\ntry:\n    # 2. Discover the OIDC Provider's configuration\n    # This fetches endpoints, supported algorithms, etc., from the issuer.\n    client.provider_config(ISSUER)\n    print(f\"Discovered OIDC Provider config for {ISSUER}\")\n    print(f\"Authorization endpoint: {client.authorization_endpoint}\")\n\n    # 3. Construct an Authorization Request\n    # This generates the URL to which the user's browser should be redirected.\n    # Generate fresh, unpredictable state and nonce values for every login attempt and\n    # keep them in the user's session so the redirect handler can verify them.\n    state = secrets.token_urlsafe(32)\n    nonce = secrets.token_urlsafe(32)\n    auth_req = client.construct_AuthorizationRequest(\n        request_args={\n            \"scope\": [\"openid\", \"profile\", \"email\"], # Request standard OIDC scopes\n            \"redirect_uri\": REDIRECT_URI,\n            \"response_type\": [\"code\"], # Request an authorization code\n            \"state\": state, # CSRF protection: must match the state returned to the redirect URI\n            \"nonce\": nonce, # Replay protection: must match the nonce claim in the ID Token\n        }\n    )\n\n    login_url = auth_req.request(client.authorization_endpoint)\n    print(f\"\\nUser should be redirected to:\\n{login_url}\")\n    print(\"\\nAfter user authenticates, they will be redirected back to `REDIRECT_URI`\")\n    print(\"with `code`, `state` (and potentially `id_token`, `access_token`) parameters.\")\n    print(\"Further steps involve handling this redirect and exchanging the code for tokens.\")\n\nexcept Exception as e:\n    print(f\"An error occurred during client setup or discovery: {e}\")\n    print(\"Ensure `OIDC_ISSUER`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET` are correctly configured.\")\n    print(\"For a full OIDC flow, a web server is required to handle redirects.\")","lang":"python","description":"This quickstart demonstrates the initial steps of setting up an OIDC Relying Party (client) using `oic`: client initialization, provider discovery, and generating the authorization request URL. For a full authentication flow, a web server is required to handle the redirect URI and process the authorization code exchange."},"warnings":[{"fix":"Upgrade your Python environment to 3.8 or later.","message":"Python 3.7 support was removed in version 1.7.0. Projects using `oic` must upgrade to Python 3.8 or newer.","severity":"breaking","affected_versions":">=1.7.0"},{"fix":"Update your client implementation to manage grants using a different mechanism, likely involving manual storage and retrieval based on the 'state' parameter from the authorization response.","message":"The `Client.grant_from_state()` method was removed. This method was typically used for retrieving a stored grant based on a 'state' parameter.","severity":"breaking","affected_versions":">=1.5.0"},{"fix":"Ensure `pydantic` is installed at version `2.0` or higher (`pip install 'pydantic>=2.0'`). Be aware of potential breaking changes within Pydantic 2.x itself if your project also directly uses `pydantic`.","message":"The `pydantic` dependency requires version 2.0 or higher since `oic` version 1.7.0. Previous versions of `pydantic` may cause compatibility issues.","severity":"breaking","affected_versions":">=1.7.0"},{"fix":"Always refer to the official PyPI page or the current GitHub repository at `https://github.com/CZ-NIC/pyoidc/` for the latest information and source code.","message":"The `pyoidc` GitHub repository moved from `OpenIDC/pyoidc` to `CZ-NIC/pyoidc`. Older documentation or cloned repositories might reference the old location, leading to confusion or broken links.","severity":"gotcha","affected_versions":"<1.6.0"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[]}