5.2.10. xgt.OidcAuthorizationCodeAuth¶

class xgt.OidcAuthorizationCodeAuth(issuer: str = '', client_id: str = '', scopes: tuple[str, ...] | None = None, audience: str | None = None, use_server_audience: bool = False, ca_cert_path: str | None = None, cache_path: str | None = None, token_endpoint: str | None = None, device_authorization_endpoint: str | None = None, flow: str = 'auth_code', force_login: bool = False, open_browser: bool = True, authorization_endpoint: str | None = None, redirect_uri: str | None = None, callback_host: str = '127.0.0.1', callback_port: int = 8765, callback_timeout_seconds: int = 300, pkce: bool = True, client_secret: str | None = None)¶

Compatibility wrapper for OidcAuth(flow=’auth_code’).

Experimental: The API of this class may change in future releases.

Methods

resolved_cache_path()

Attributes

`audience`	Audience value for the token request.
`authorization_endpoint`	Override the authorization endpoint URL.
`ca_cert_path`	CA bundle to trust for OIDC HTTPS calls.
`cache_path`	Override the default on-disk token cache location.
`callback_host`	Host/interface for the temporary loopback listener.
`callback_port`	Port for the temporary loopback listener.
`callback_timeout_seconds`	Maximum seconds to wait for the browser redirect before failing.
`client_id`	OAuth2 client ID registered with the IdP.
`client_secret`	Optional client secret for the authorization code token exchange.
`device_authorization_endpoint`	Override the device authorization endpoint URL.
`flow`	Fixed to 'auth_code'.
`force_login`	When True, ignore any cached token and always start a new login flow.
`issuer`	OIDC issuer URL.
`open_browser`	When True, automatically open the browser for the login URL.
`pkce`	When True, use PKCE for the authorization code flow.
`redirect_uri`	Explicit redirect URI.
`scopes`	OAuth2 scopes to request.
`token_endpoint`	Override the token endpoint URL.
`use_server_audience`	When True and audience is None, retrieve the audience from the server's OIDC configuration.

audience: str | None = None¶: Audience value for the token request. Required by some IdPs (e.g. Auth0).

authorization_endpoint: str | None = None¶: Override the authorization endpoint URL. Used by authorization-code flow.

ca_cert_path: str | None = None¶: CA bundle to trust for OIDC HTTPS calls. Supports ‘~’ expansion.

cache_path: str | None = None¶: Override the default on-disk token cache location. Supports ‘~’ expansion.

callback_host: str = '127.0.0.1'¶: Host/interface for the temporary loopback listener.

callback_port: int = 8765¶: Port for the temporary loopback listener.

callback_timeout_seconds: int = 300¶: Maximum seconds to wait for the browser redirect before failing.

client_id: str = ''¶: OAuth2 client ID registered with the IdP. If empty, fetched from the server.

client_secret: str | None = None¶: Optional client secret for the authorization code token exchange.

device_authorization_endpoint: str | None = None¶: Override the device authorization endpoint URL. Only used by device flow.

flow: str = 'auth_code'¶: Fixed to ‘auth_code’.

force_login: bool = False¶: When True, ignore any cached token and always start a new login flow.

issuer: str = ''¶: OIDC issuer URL. If empty, fetched from the server via GetOidcIssuer.

open_browser: bool = True¶: When True, automatically open the browser for the login URL.

pkce: bool = True¶: When True, use PKCE for the authorization code flow.

redirect_uri: str | None = None¶: Explicit redirect URI. If omitted, a loopback URI on callback_port is used.

scopes: tuple[str, ...] | None = None¶: OAuth2 scopes to request. If None, uses server-advertised or default scopes.

token_endpoint: str | None = None¶: Override the token endpoint URL.

use_server_audience: bool = False¶: When True and audience is None, retrieve the audience from the server’s OIDC configuration.