authentication package
authentication.base module
- class auth0.authentication.base.AuthenticationBase(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
object
Base authentication object providing simple REST methods.
- Args:
domain (str): The domain of your Auth0 tenant
client_id (str): Your application’s client ID
client_secret (str, optional): Your application’s client secret
client_assertion_signing_key (str, optional): Private key used to sign the client assertion JWT.
client_assertion_signing_alg (str, optional): Algorithm used to sign the client assertion JWT (defaults to ‘RS256’).
telemetry (bool, optional): Enable or disable telemetry (defaults to True)
timeout (float or tuple, optional): Change the requests connect and read timeout. Pass a tuple to specify both values separately or a float to set both to it. (defaults to 5.0 for both)
protocol (str, optional): Useful for testing. (defaults to ‘https’)
authentication.database module
- class auth0.authentication.database.Database(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
Database & Active Directory / LDAP Authentication.
- Args:
domain (str): Your auth0 domain (e.g: username.auth0.com)
- change_password(email, connection, password=None, organization=None)[source]
Asks to change a password for a given user.
- Args:
email (str): The user’s email address.
connection (str): The name of the database connection the user belongs to.
organization (str, optional): The id of the Organization associated with the user.
- Return type:
str
- signup(email, password, connection, username=None, user_metadata=None, given_name=None, family_name=None, name=None, nickname=None, picture=None)[source]
Signup using email and password.
- Return type:
dict[str, Any]
- Args:
email (str): The user’s email address.
password (str): The user’s desired password.
connection (str): The name of the database connection where this user should be created.
username (str, optional): The user’s username, if required by the database connection.
- user_metadata (dict, optional): Additional key-value information to store for the user.
Some limitations apply, see: https://auth0.com/docs/metadata#metadata-restrictions
given_name (str, optional): The user’s given name(s).
family_name (str, optional): The user’s family name(s).
name (str, optional): The user’s full name.
nickname (str, optional): The user’s nickname.
picture (str, optional): A URI pointing to the user’s picture.
authentication.delegated module
- class auth0.authentication.delegated.Delegated(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
Delegated authentication endpoints.
- Args:
domain (str): Your auth0 domain (e.g: username.auth0.com)
authentication.enterprise module
- class auth0.authentication.enterprise.Enterprise(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
Enterprise endpoints.
- Args:
domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)
authentication.get_token module
- class auth0.authentication.get_token.GetToken(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
/oauth/token related endpoints
- Args:
domain (str): Your auth0 domain (e.g: username.auth0.com)
- authorization_code(code, redirect_uri, grant_type='authorization_code')[source]
Authorization code grant
This is the OAuth 2.0 grant that regular web apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for a Token.
- Return type:
Any
- Args:
code (str): The Authorization Code received from the /authorize call
redirect_uri (str, optional): Required only if it was set at the GET /authorize endpoint. The value must match exactly.
grant_type (str): Denotes the flow you’re using. For authorization code use authorization_code
- Returns:
access_token, id_token
- authorization_code_pkce(code_verifier, code, redirect_uri, grant_type='authorization_code')[source]
Authorization code pkce grant
This is the OAuth 2.0 grant that mobile apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for a Token.
- Return type:
Any
- Args:
code_verifier (str): The cryptographically random string that was used to generate the code_challenge passed to /authorize.
code (str): The Authorization Code received from the /authorize call
redirect_uri (str, optional): Required only if it was set at the GET /authorize endpoint. The value must match exactly.
grant_type (str): Denotes the flow you’re using. For authorization code pkce use authorization_code
- Returns:
access_token, id_token
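The PKCE flow above in working code, as an added example that is not part of auth0-python or its documentation: the pure helpers generate the `code_verifier` and its S256 `code_challenge` per RFC 7636, build the /authorize request, and `exchange_code` performs the exchange with `GetToken.authorization_code_pkce` exactly as documented. The tenant domain, client ID, redirect URI, scope and the state/nonce handling are placeholder assumptions; the SDK is imported inside `exchange_code` so the helpers run even without it installed.

```python
# Added example (not auth0-python's own code): PKCE helpers plus the code exchange.
# Domain, client ID, redirect_uri and scope values below are placeholders.
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(nbytes: int = 32) -> str:
    """Cryptographically random verifier; 32 bytes -> 43 base64url characters."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=")
    return verifier.decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, code_challenge, state, nonce,
                        scope="openid profile email", audience=None):
    """Step 1: the /authorize request the user-agent is sent to (values constructed)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # bound to the session; checked on callback
        "nonce": nonce,                    # echoed in the ID token; checked by TokenVerifier
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",   # never "plain"
    }
    if audience:
        params["audience"] = audience
    return f"https://{domain}/authorize?{urlencode(params)}"


def exchange_code(domain, client_id, code, code_verifier, redirect_uri):
    """Step 2: swap the code for tokens with GetToken.authorization_code_pkce.

    A public (mobile/SPA) client passes no client_secret; the verifier proves
    possession of the original request instead. The SDK is imported here so
    the pure helpers above stay usable without it installed.
    """
    from auth0.authentication.get_token import GetToken

    get_token = GetToken(domain, client_id)
    return get_token.authorization_code_pkce(
        code_verifier=code_verifier, code=code, redirect_uri=redirect_uri
    )


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    print(build_authorize_url("your-tenant.us.auth0.com", "YOUR_CLIENT_ID",
                              "https://app.example/callback", challenge, state, nonce))
    # On the callback: compare the returned state with the stored one using
    # secrets.compare_digest, then call exchange_code(..., code, verifier, redirect_uri).
```

Store the verifier, state and nonce server-side (or in the app's secure storage on mobile) between the two steps; the verifier is sent only in the token request, never in the /authorize URL.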
- client_credentials(audience, grant_type='client_credentials', organization=None)[source]
Client credentials grant
This is the OAuth 2.0 grant that server processes utilize in order to access an API. Use this endpoint to directly request an access_token by using the Application Credentials (a Client Id and a Client Secret).
- Return type:
Any
- Args:
audience (str): The unique identifier of the target API you want to access.
grant_type (str, optional): Denotes the flow you’re using. For client credentials use “client_credentials”
organization (str, optional): Optional Organization name or ID. When included, the access token returned will include the org_id and org_name claims
- Returns:
access_token
- login(username, password, scope=None, realm=None, audience=None, grant_type='http://auth0.com/oauth/grant-type/password-realm', forwarded_for=None)[source]
Calls /oauth/token endpoint with password-realm grant type
This is the OAuth 2.0 grant that highly trusted apps utilize in order to access an API. In this flow the end-user is asked to fill in credentials (username/password) typically using an interactive form in the user-agent (browser). This information is later on sent to the client and Auth0. It is therefore imperative that the client is absolutely trusted with this information.
- Return type:
Any
- Args:
username (str): Resource owner’s identifier
password (str): Resource owner’s secret
scope (str, optional): String value of the different scopes the client is asking for. Multiple scopes are separated with whitespace.
realm (str, optional): String value of the realm the user belongs. Set this if you want to add realm support at this grant.
audience (str, optional): The unique identifier of the target API you want to access.
grant_type (str, optional): Denotes the flow you’re using. For password realm use http://auth0.com/oauth/grant-type/password-realm
forwarded_for (str, optional): End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios. See https://auth0.com/docs/get-started/authentication-and-authorization-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection
- Returns:
access_token, id_token
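The server-side scenario the forwarded_for note above describes, as an added example that is not part of auth0-python: the value reported must be the real end-user address, and X-Forwarded-For is client-controlled, so honouring it blindly would let an attacker rotate the header and sidestep per-IP brute-force protection. `end_user_ip` accepts the header only when the direct peer is one of our own proxies and walks the chain right-to-left past those hops. The proxy ranges, header layout and scope are assumptions for illustration; the SDK is imported inside `password_login` so the IP logic runs on its own.

```python
# Added example (not auth0-python's own code): deriving forwarded_for safely
# before calling GetToken.login. Trusted-proxy ranges and scope are placeholders.
import ipaddress


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def end_user_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to report as forwarded_for.

    The header is used only when the TCP peer is a trusted proxy; each trusted
    proxy appends the address it received from, so the first non-trusted entry
    from the right is the real client. A malformed entry aborts the walk and
    falls back to the peer address rather than trusting anything left of it.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        # ip in net is always False across IPv4/IPv6 versions, which is what we want.
        return ip is not None and any(ip in net for net in nets)

    if not x_forwarded_for or not trusted(_parse_ip(remote_addr)):
        return remote_addr
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break
        if not trusted(ip):
            return str(ip)
    return remote_addr


def password_login(domain, client_id, client_secret, username, password, realm,
                   audience, remote_addr, x_forwarded_for, trusted_proxies):
    """Password-realm login from a backend, with brute-force attribution intact."""
    from auth0.authentication.get_token import GetToken

    get_token = GetToken(domain, client_id, client_secret=client_secret)
    return get_token.login(
        username=username,
        password=password,
        realm=realm,
        audience=audience,
        scope="openid profile email",
        forwarded_for=end_user_ip(remote_addr, x_forwarded_for, trusted_proxies),
    )
```

In a web framework, `remote_addr` is the socket peer and `x_forwarded_for` the raw header value; never take `forwarded_for` from a request body or an unauthenticated client parameter.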
- passwordless_login(username, otp, realm, scope, audience)[source]
Calls /oauth/token endpoint with http://auth0.com/oauth/grant-type/passwordless/otp grant type
Once the verification code was received, login the user using this endpoint with their phone number/email and verification code.
- Return type:
Any
- Args:
username (str): The user’s phone number or email address.
otp (str): the user’s verification code.
realm (str): use ‘sms’ or ‘email’. Should be the same as the one used to start the passwordless flow.
scope (str): String value of the different scopes the client is asking for. Multiple scopes are separated with whitespace.
audience (str): The unique identifier of the target API you want to access.
- Returns:
access_token, id_token
- refresh_token(refresh_token, scope='', grant_type='refresh_token')[source]
Calls /oauth/token endpoint with refresh token grant type
Use this endpoint to refresh an access token, using the refresh token you got during authorization.
- Return type:
Any
- Args:
refresh_token (str): The refresh token returned from the initial token request.
scope (str): Use this to limit the scopes of the new access token. Multiple scopes are separated with whitespace.
grant_type (str): Denotes the flow you’re using. For refresh token use refresh_token
- Returns:
access_token, id_token
authentication.passwordless module
- class auth0.authentication.passwordless.Passwordless(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
Passwordless connections endpoints.
- Args:
domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)
- email(email, send='link', auth_params=None)[source]
Start flow sending an email.
Given the user’s email address, it will send an email with:
A link (default, send:”link”). The user is authenticated by opening the link and is automatically logged in to the application. Optionally, you can append/override parameters of the link (such as scope, redirect_uri, protocol, response_type, etc.) using the auth_params dict.
A verification code (send:”code”). You can then authenticate this user with the email address as username and the code as otp.
Complete the authentication using the get_token.passwordless_login method.
- Args:
email (str): Email address.
send (str, optional): Can be: ‘link’ or ‘code’. Defaults to ‘link’.
auth_params (dict, optional): Parameters to append or override.
- sms(phone_number)[source]
Start flow sending an SMS message.
Given the user’s phone number, it will send an SMS with a verification code. You can then authenticate this user with the phone number as username and the code as otp.
Complete the authentication using the get_token.passwordless_login method.
- Return type:
Any
- Args:
phone_number (str): Phone number.
authentication.revoke_token module
- class auth0.authentication.revoke_token.RevokeToken(domain, client_id, client_secret=None, client_assertion_signing_key=None, client_assertion_signing_alg=None, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
AuthenticationBase
Revoke Refresh Token endpoint
- Args:
domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)
- revoke_refresh_token(token)[source]
Revokes a Refresh Token if it has been compromised
Each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked.
- Return type:
Any
- Args:
token (str): The Refresh Token you want to revoke
See: https://auth0.com/docs/api/authentication#refresh-token
authentication.token_verifier module
Token Verifier module
- class auth0.authentication.token_verifier.AsymmetricSignatureVerifier(jwks_url, algorithm='RS256', cache_ttl=600)[source]
Bases:
SignatureVerifier
Verifier for RSA signatures, which rely on public key certificates.
- Args:
jwks_url (str): The url where the JWK set is located.
algorithm (str, optional): The expected signing algorithm. Defaults to “RS256”.
cache_ttl (int, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.
- class auth0.authentication.token_verifier.JwksFetcher(jwks_url, cache_ttl=600)[source]
Bases:
object
Class that fetches and holds a JSON web key set. This class makes use of an in-memory cache. For it to work properly, define this instance once and re-use it.
- Args:
jwks_url (str): The url where the JWK set is located.
cache_ttl (int, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.
- CACHE_TTL: ClassVar[int] = 600
- class auth0.authentication.token_verifier.SignatureVerifier(algorithm)[source]
Bases:
object
Abstract class that will verify a given JSON web token’s signature using the key fetched internally given its key id.
- Args:
algorithm (str): The expected signing algorithm (e.g. RS256).
- DISABLE_JWT_CHECKS: ClassVar[dict[str, bool]] = {'require_exp': False, 'require_iat': False, 'require_nbf': False, 'verify_aud': False, 'verify_exp': False, 'verify_iat': False, 'verify_iss': False, 'verify_nbf': False, 'verify_signature': True}
- class auth0.authentication.token_verifier.SymmetricSignatureVerifier(shared_secret, algorithm='HS256')[source]
Bases:
SignatureVerifier
Verifier for HMAC signatures, which rely on shared secrets.
- Args:
shared_secret (str): The shared secret used to decode the token.
algorithm (str, optional): The expected signing algorithm. Defaults to “HS256”.
- class auth0.authentication.token_verifier.TokenVerifier(signature_verifier, issuer, audience, leeway=0)[source]
Bases:
object
Class that verifies ID tokens following the steps defined in the OpenID Connect spec. An OpenID Connect ID token is not meant to be consumed until it’s verified.
- Args:
signature_verifier (SignatureVerifier): The instance that knows how to verify the signature.
issuer (str): The expected issuer claim value.
audience (str): The expected audience claim value.
leeway (int, optional): The clock skew to accept when verifying date related claims, in seconds. Defaults to 0 (see the signature above).
- verify(token, nonce=None, max_age=None, organization=None)[source]
Attempts to verify the given ID token, following the steps defined in the OpenID Connect spec.
- Return type:
dict[str, Any]
- Args:
token (str): The JWT to verify.
nonce (str, optional): The nonce value sent during authentication.
max_age (int, optional): The max_age value sent during authentication.
organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified when logging in to an organization.
- Returns:
the decoded payload from the token
- Raises:
TokenValidationError: when the token cannot be decoded, the token signing algorithm is not the expected one, the token signature is invalid or the token has a claim missing or with unexpected value.
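Wiring the verifier classes above for an Auth0 tenant, as an added example that is not part of auth0-python: the expected issuer is the tenant URL with its trailing slash (a common mismatch), an ID token’s audience is the client ID rather than an API identifier, and `AsymmetricSignatureVerifier` is built once so its JWK-set cache is actually reused. The domain and client ID are placeholders, and the import path of `TokenValidationError` from `auth0.exceptions` is assumed for the SDK version in use; the SDK is imported inside the builder functions so the URL and nonce helpers run without it.

```python
# Added example (not auth0-python's own code): TokenVerifier setup and use.
# Domain/client ID are placeholders; auth0.exceptions.TokenValidationError is an
# assumed import path.
import secrets


def issuer_for(domain: str) -> str:
    """Expected iss claim: the tenant URL WITH the trailing slash."""
    return f"https://{domain}/"


def jwks_url_for(domain: str) -> str:
    return f"https://{domain}/.well-known/jwks.json"


def new_nonce() -> str:
    """Generated per login, sent to /authorize, kept in the session, checked in verify()."""
    return secrets.token_urlsafe(32)


def build_verifier(domain: str, client_id: str, leeway: int = 60):
    """Build once per process: AsymmetricSignatureVerifier caches the JWK set."""
    from auth0.authentication.token_verifier import (
        AsymmetricSignatureVerifier,
        TokenVerifier,
    )

    signature_verifier = AsymmetricSignatureVerifier(jwks_url_for(domain))  # RS256
    return TokenVerifier(
        signature_verifier=signature_verifier,
        issuer=issuer_for(domain),
        audience=client_id,  # an ID token's aud is the client_id, not an API audience
        leeway=leeway,
    )


def verify_id_token(verifier, id_token, expected_nonce, max_age=None, organization=None):
    """Return (claims, None) on success or (None, reason) on any validation failure.

    Nothing in the token is trusted before this returns claims: signature,
    issuer, audience, expiry, nonce and (if given) max_age/org are all checked.
    """
    from auth0.exceptions import TokenValidationError

    try:
        claims = verifier.verify(
            id_token, nonce=expected_nonce, max_age=max_age, organization=organization
        )
    except TokenValidationError as exc:
        return None, str(exc)
    return claims, None


if __name__ == "__main__":
    verifier = build_verifier("your-tenant.us.auth0.com", "YOUR_CLIENT_ID")
    # claims, err = verify_id_token(verifier, id_token_from_callback, session_nonce)
```

Pass the nonce generated for the /authorize request to `verify()` every time; omitting it turns the ID token into a bearer credential replayable across sessions.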
authentication.users module
- class auth0.authentication.users.Users(domain, telemetry=True, timeout=5.0, protocol='https')[source]
Bases:
object
Users client.
- Args:
domain (str): The domain of your Auth0 tenant
telemetry (bool, optional): Enable or disable telemetry (defaults to True)
timeout (float or tuple, optional): Change the requests connect and read timeout. Pass a tuple to specify both values separately or a float to set both to it. (defaults to 5.0 for both)
protocol (str, optional): Useful for testing. (defaults to ‘https’)