@@ -85,3 +85,37 @@ def _obtain_token(self, grant_type, *args, **kwargs):
8585 ret ["id_token_claims" ] = self .decode_id_token (ret ["id_token" ])
8686 return ret
8787
88+ def build_auth_request_uri (self , response_type , nonce = None , ** kwargs ):
89+ """Generate an authorization uri to be visited by resource owner.
90+
91+ Return value and all other parameters are the same as
92+ :func:`oauth2.Client.build_auth_request_uri`, plus new parameter(s):
93+
94+ :param nonce:
95+ A hard-to-guess string used to mitigate replay attacks. See also
96+ `OIDC specs <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_.
97+ """
98+ return super (Client , self ).build_auth_request_uri (
99+ response_type , nonce = nonce , ** kwargs )
100+
101+ def obtain_token_by_authorization_code (self , code , nonce = None , ** kwargs ):
102+ """Get a token via auhtorization code. a.k.a. Authorization Code Grant.
103+
104+ Return value and all other parameters are the same as
105+ :func:`oauth2.Client.obtain_token_by_authorization_code`,
106+ plus new parameter(s):
107+
108+ :param nonce:
109+ If you provided a nonce when calling :func:`build_auth_request_uri`,
110+ same nonce should also be provided here, so that we'll validate it.
111+ An exception will be raised if the nonce in id token mismatches.
112+ """
113+ result = super (Client , self ).obtain_token_by_authorization_code (
114+ code , ** kwargs )
115+ nonce_in_id_token = result .get ("id_token_claims" , {}).get ("nonce" )
116+ if "id_token_claims" in result and nonce and nonce != nonce_in_id_token :
117+ raise ValueError (
118+ 'The nonce in id token ("%s") should match your nonce ("%s")' %
119+ (nonce_in_id_token , nonce ))
120+ return result
121+
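Review bot: The nonce check in obtain_token_by_authorization_code is silently skipped whenever the token response carries no `id_token_claims`, so a caller who supplied a nonce gets no validation at all when the ID token is absent; only a present-but-mismatched (or missing) nonce claim in an existing ID token raises. If tolerating an absent ID token after a nonce was sent is intended, the docstring should say so explicitly; otherwise the guard on the `if` line before the ValueError should fail closed as `if nonce and nonce != nonce_in_id_token:`, since `nonce_in_id_token` is already None in that case. The docstring summary also misspells "auhtorization"; it should read `"""Get a token via authorization code. a.k.a. Authorization Code Grant.`. Both methods belong to a class whose definition starts outside the hunk.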