5.2.8. xgt.OidcClientConfig

class xgt.OidcClientConfig(issuer: str = '', client_id: str = '', scopes: tuple[str, ...] | None = None, audience: str | None = None, use_server_audience: bool = False, ca_cert_path: str | None = None, cache_path: str | None = None, token_endpoint: str | None = None, device_authorization_endpoint: str | None = None)

Base configuration for OIDC authentication. Shared by the interactive device flow (OidcAuth), the browser-based authorization code flow (OidcAuthorizationCodeAuth), and the headless client-credentials flow (OidcCredentialsAuth).

Experimental: The API of this class may change in future releases.

Parameters:
  • issuer (str) – OIDC issuer URL (e.g. ‘https://auth.example.com’). Used to locate the discovery document and to validate the ‘iss’ claim in access tokens. If empty, the value is fetched from the server via GetOidcIssuer.

  • client_id (str) – OAuth2 client ID registered with the IdP. If empty, the value is fetched from the server via GetOidcIssuer.

  • scopes (Optional[tuple[str, ...]]) – OAuth2 scopes to request. If None, use server-advertised scopes when available, otherwise fall back to (‘openid’, ‘profile’, ‘email’).

  • audience (Optional[str]) – Audience value included in the token request. Required by some IdPs (e.g. Auth0). If None and use_server_audience is True, the value is fetched from the server via GetOidcIssuer.

  • use_server_audience (bool) – When True and audience is None, retrieve the audience from the server’s OIDC configuration rather than requiring the caller to supply it.

  • ca_cert_path (Optional[str]) – CA bundle to trust for OIDC HTTPS calls (discovery, token, userinfo). Supports ‘~’ expansion.

  • cache_path (Optional[str]) – Override the default on-disk token cache location. Supports ‘~’ expansion.

  • token_endpoint (Optional[str]) – Override the token endpoint URL. Skips discovery if set together with device_authorization_endpoint.

  • device_authorization_endpoint (Optional[str]) – Override the device authorization endpoint URL. Only used by device flow.
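
As an added example (not code from the xgt library), the following pre-flight check applies the resolution rules documented above before a config is handed to an auth flow: https-only issuer and endpoint overrides, the rule that discovery is skipped only when both endpoint overrides are set, the scope fallback order, the audience requirement, and ‘~’ expansion of ca_cert_path. It assumes a stand-in dataclass with the same fields so it runs without xgt installed; the check names and messages are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlsplit

@dataclass
class OidcClientConfig:
    """Stand-in with the documented fields (assumption: xgt is not installed)."""
    issuer: str = ''
    client_id: str = ''
    scopes: tuple[str, ...] | None = None
    audience: str | None = None
    use_server_audience: bool = False
    ca_cert_path: str | None = None
    cache_path: str | None = None
    token_endpoint: str | None = None
    device_authorization_endpoint: str | None = None

DEFAULT_SCOPES = ('openid', 'profile', 'email')  # documented fallback scopes

def effective_scopes(cfg, server_scopes=None):  # explicit > server-advertised > default
    if cfg.scopes is not None:
        return tuple(cfg.scopes)
    return tuple(server_scopes) if server_scopes else DEFAULT_SCOPES

def check_config(cfg):
    """Pre-flight checks on a config; returns the problems found (empty = fine)."""
    problems = []
    if cfg.issuer and urlsplit(cfg.issuer).scheme != 'https':
        problems.append("issuer must be https; it is also used to validate 'iss'")
    overrides = {'token_endpoint': cfg.token_endpoint,
                 'device_authorization_endpoint': cfg.device_authorization_endpoint}
    for name, url in overrides.items():
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != 'https':
            problems.append(f'{name} must be https')
        elif cfg.issuer and parts.netloc != urlsplit(cfg.issuer).netloc:
            problems.append(f'{name} host {parts.netloc} differs from the issuer host')
    if (cfg.token_endpoint is None) != (cfg.device_authorization_endpoint is None):
        problems.append('discovery is skipped only when both endpoint overrides are set')
    if 'openid' not in effective_scopes(cfg):
        problems.append("scopes omit 'openid', which an OIDC request requires")
    if cfg.audience is None and not cfg.use_server_audience:
        problems.append('no audience and use_server_audience=False; some IdPs need one')
    if cfg.ca_cert_path and not Path(cfg.ca_cert_path).expanduser().is_file():
        problems.append('ca_cert_path does not exist after ~ expansion')
    return problems
```

Run check_config on the config you intend to pass to OidcAuth, OidcAuthorizationCodeAuth or OidcCredentialsAuth and refuse to start the flow if the returned list is non-empty.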

Methods

resolved_cache_path()

Attributes

audience

Audience value for the token request.

ca_cert_path

CA bundle to trust for OIDC HTTPS calls.

cache_path

Override the default on-disk token cache location.

client_id

OAuth2 client ID registered with the IdP.

device_authorization_endpoint

Override the device authorization endpoint URL.

issuer

OIDC issuer URL.

scopes

OAuth2 scopes to request.

token_endpoint

Override the token endpoint URL.

use_server_audience

When True and audience is None, retrieve the audience from the server's OIDC configuration.

audience: str | None = None

Audience value for the token request. Required by some IdPs (e.g. Auth0).

ca_cert_path: str | None = None

CA bundle to trust for OIDC HTTPS calls. Supports ‘~’ expansion.

cache_path: str | None = None

Override the default on-disk token cache location. Supports ‘~’ expansion.

client_id: str = ''

OAuth2 client ID registered with the IdP. If empty, fetched from the server.

device_authorization_endpoint: str | None = None

Override the device authorization endpoint URL. Only used by device flow.

issuer: str = ''

OIDC issuer URL. If empty, fetched from the server via GetOidcIssuer.

scopes: tuple[str, ...] | None = None

OAuth2 scopes to request. If None, uses server-advertised or default scopes.

token_endpoint: str | None = None

Override the token endpoint URL.

use_server_audience: bool = False

When True and audience is None, retrieve the audience from the server’s OIDC configuration.