5.2.11. xgt.OidcCredentialsAuth¶

class xgt.OidcCredentialsAuth(issuer: str = '', client_id: str = '', scopes: tuple[str, ...] | None = None, audience: str | None = None, use_server_audience: bool = False, ca_cert_path: str | None = None, cache_path: str | None = None, token_endpoint: str | None = None, device_authorization_endpoint: str | None = None, client_secret: str = '')¶

Client-credentials authentication for headless/scripted OIDC login.

Experimental: The API of this class may change in future releases.

The IdP issues an access token directly in exchange for the client_id and client_secret — no browser, no user interaction. Use this for CI/CD pipelines, cron jobs, or any automated context.

Parameters:: client_secret (str) – Secret registered with the IdP for this client application. Should be supplied via an environment variable or secrets manager, not hardcoded.

Methods

resolved_cache_path()

Attributes

`audience`	Audience value for the token request.
`ca_cert_path`	CA bundle to trust for OIDC HTTPS calls.
`cache_path`	Override the default on-disk token cache location.
`client_id`	OAuth2 client ID registered with the IdP.
`client_secret`	Client secret registered with the IdP.
`device_authorization_endpoint`	Override the device authorization endpoint URL.
`issuer`	OIDC issuer URL.
`scopes`	OAuth2 scopes to request.
`token_endpoint`	Override the token endpoint URL.
`use_server_audience`	When True and audience is None, retrieve the audience from the server's OIDC configuration.

audience: str | None = None¶: Audience value for the token request. Required by some IdPs (e.g. Auth0).

ca_cert_path: str | None = None¶: CA bundle to trust for OIDC HTTPS calls. Supports ‘~’ expansion.

cache_path: str | None = None¶: Override the default on-disk token cache location. Supports ‘~’ expansion.

client_id: str = ''¶: OAuth2 client ID registered with the IdP. If empty, fetched from the server.

client_secret: str = ''¶: Client secret registered with the IdP. Supply via environment variable, not hardcoded.

device_authorization_endpoint: str | None = None¶: Override the device authorization endpoint URL. Only used by device flow.

issuer: str = ''¶: OIDC issuer URL. If empty, fetched from the server via GetOidcIssuer.

scopes: tuple[str, ...] | None = None¶: OAuth2 scopes to request. If None, uses server-advertised or default scopes.

token_endpoint: str | None = None¶: Override the token endpoint URL.

use_server_audience: bool = False¶: When True and audience is None, retrieve the audience from the server’s OIDC configuration.