OAuth2 / OIDC — Aquilia Documentation
Comprehensive guide and documentation for OAuth2 / OIDC in the Aquilia framework. View API reference, examples, and implementation patterns.
Security & Auth OAuth2 / OIDC The OAuth2Manager implements a complete OAuth 2.0 / OpenID Connect authorization server supporting Authorization Code (with PKCE), Client Credentials, Device Authorization, and Refresh Token flows. Supported Grant Types , , , , ].map((flow, i) => ( ))} OAuthClient Model from aquilia.auth.core import OAuthClient client = OAuthClient( client_id="app_my-frontend", client_secret_hash=OAuthClient.hash_client_secret("s3cr3t"), # SHA-256 name="My Frontend App", grant_types=["authorization_code", "refresh_token"], redirect_uris=["https://myapp.com/callback"], scopes=["profile", "orders.read", "orders.write"], require_pkce=True, # Enforce PKCE (default) require_consent=True, # Show consent screen (default) token_endpoint_auth_method="client_secret_post", access_token_ttl=3600, # 1 hour refresh_token_ttl=2592000, # 30 days ) Field Type Description ))} PKCE (Proof Key for Code Exchange) PKCE prevents authorization code interception. The client generates a code_verifier, sends a SHA-256 hash as code_challenge, then proves possession at token exchange. from aquilia.auth.oauth import PKCEVerifier # 1. Client generates verifier (43-128 chars) verifier = PKCEVerifier.generate_code_verifier(length=128) # 2. Client computes challenge challenge = PKCEVerifier.generate_code_challenge(verifier, method="S256") # 3. Server verifies at token exchange is_valid = PKCEVerifier.verify_code_challenge(verifier, challenge, method="S256") # True — constant-time comparison via secrets.compare_digest Authorization Code Flow ))} from aquilia.auth.oauth import OAuth2Manager oauth = OAuth2Manager( client_store=client_store, code_store=code_store, device_store=device_store, token_manager=token_manager, issuer="https://auth.myapp.com", ) # Step 1: Authorization request auth_request = await oauth.authorize( client_id="app_my-frontend", redirect_uri="https://myapp.com/callback", scope="profile orders.read", state="random-csrf-token", code_challenge=challenge, code_challenge_method="S256", ) Client Credentials Flow # Machine-to-machine auth — no user involved tokens = await oauth.client_credentials_grant( client_id="app_backend-service", client_secret="service-secret", scope="internal.admin", ) Device Authorization Flow # Step 1: Device requests authorization device_resp = await oauth.device_authorization( client_id="app_tv-app", scope="profile", ) OAuth Faults Fault Code When Raised ))} OAuth Stores OAuth2Manager requires stores for client data, authorization codes, and device verification tokens. Store Purpose ))} )
Go to Homepage