authentication package

authentication.base module

class auth0.authentication.base.AuthenticationBase(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: object

Base authentication object providing simple REST methods.

Args:: domain (str): The domain of your Auth0 tenant client_id (str): Your application’s client ID client_secret (str, optional): Your application’s client secret client_assertion_signing_key (str, optional): Private key used to sign the client assertion JWT. client_assertion_signing_alg (str, optional): Algorithm used to sign the client assertion JWT (defaults to ‘RS256’). telemetry (bool, optional): Enable or disable telemetry (defaults to True) timeout (float or tuple, optional): Change the requests connect and read timeout. Pass a tuple to specify both values separately or a float to set both to it. (defaults to 5.0 for both) protocol (str, optional): Useful for testing. (defaults to ‘https’)

authenticated_post(url: str, data: dict[str, Any], headers: dict[str, str] | None = None) → Any[source]

get(url: str, params: dict[str, Any] | None = None, headers: dict[str, str] | None = None) → Any[source]

post(url: str, data: RequestData | None = None, headers: dict[str, str] | None = None) → Any[source]

authentication.database module

class auth0.authentication.database.Database(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

Database & Active Directory / LDAP Authentication.

Args:: domain (str): Your auth0 domain (e.g: username.auth0.com)

change_password(email: str, connection: str, password: str | None = None) → str[source]

Asks to change a password for a given user.

email (str): The user’s email address.

connection (str): The name of the database connection where this user should be created.

Signup using email and password.

Args:

email (str): The user’s email address.

password (str): The user’s desired password.

connection (str): The name of the database connection where this user should be created.

username (str, optional): The user’s username, if required by the database connection.

user_metadata (dict, optional): Additional key-value information to store for the user.: Some limitations apply, see: https://auth0.com/docs/metadata#metadata-restrictions

given_name (str, optional): The user’s given name(s).

family_name (str, optional): The user’s family name(s).

name (str, optional): The user’s full name.

nickname (str, optional): The user’s nickname.

picture (str, optional): A URI pointing to the user’s picture.

See: https://auth0.com/docs/api/authentication#signup

authentication.delegated module

class auth0.authentication.delegated.Delegated(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

Delegated authentication endpoints.

Args:: domain (str): Your auth0 domain (e.g: username.auth0.com)

get_token(target: str, api_type: str, grant_type: str, id_token: str | None = None, refresh_token: str | None = None, scope: str = 'openid') → Any[source]: Obtain a delegation token.

authentication.enterprise module

class auth0.authentication.enterprise.Enterprise(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

Enterprise endpoints.

Args:: domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)

saml_metadata() → Any[source]: Get SAML2.0 Metadata.

wsfed_metadata() → Any[source]: Returns the WS-Federation Metadata.

authentication.get_token module

class auth0.authentication.get_token.GetToken(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

/oauth/token related endpoints

Args:: domain (str): Your auth0 domain (e.g: username.auth0.com)

authorization_code(code: str, redirect_uri: str | None, grant_type: str = 'authorization_code') → Any[source]

Authorization code grant

This is the OAuth 2.0 grant that regular web apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for a Token.

Args:

code (str): The Authorization Code received from the /authorize Calls

redirect_uri (str, optional): This is required only if it was set at the GET /authorize endpoint. The values must match

grant_type (str): Denotes the flow you’re using. For authorization code use authorization_code

Returns:

access_token, id_token

authorization_code_pkce(code_verifier: str, code: str, redirect_uri: str | None, grant_type: str = 'authorization_code') → Any[source]

Authorization code pkce grant

This is the OAuth 2.0 grant that mobile apps utilize in order to access an API. Use this endpoint to exchange an Authorization Code for a Token.

Args:

code_verifier (str): Cryptographically random key that was used to generate the code_challenge passed to /authorize.

code (str): The Authorization Code received from the /authorize Calls

redirect_uri (str, optional): This is required only if it was set at the GET /authorize endpoint. The values must match

grant_type (str): Denotes the flow you’re using. For authorization code pkce use authorization_code

Returns:

access_token, id_token

client_credentials(audience: str, grant_type: str = 'client_credentials') → Any[source]

Client credentials grant

This is the OAuth 2.0 grant that server processes utilize in order to access an API. Use this endpoint to directly request an access_token by using the Application Credentials (a Client Id and a Client Secret).

Args:

audience (str): The unique identifier of the target API you want to access.

grant_type (str, optional): Denotes the flow you’re using. For client credentials use “client_credentials”

Returns:

access_token

login(username: str, password: str, scope: str | None = None, realm: str | None = None, audience: str | None = None, grant_type: str = 'http://auth0.com/oauth/grant-type/password-realm', forwarded_for: str | None = None) → Any[source]

Calls /oauth/token endpoint with password-realm grant type

This is the OAuth 2.0 grant that highly trusted apps utilize in order to access an API. In this flow the end-user is asked to fill in credentials (username/password) typically using an interactive form in the user-agent (browser). This information is later on sent to the client and Auth0. It is therefore imperative that the client is absolutely trusted with this information.

Args:

username (str): Resource owner’s identifier

password (str): resource owner’s Secret

scope(str, optional): String value of the different scopes the client is asking for. Multiple scopes are separated with whitespace.

realm (str, optional): String value of the realm the user belongs. Set this if you want to add realm support at this grant.

audience (str, optional): The unique identifier of the target API you want to access.

grant_type (str, optional): Denotes the flow you’re using. For password realm use http://auth0.com/oauth/grant-type/password-realm

forwarded_for (str, optional): End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios. See https://auth0.com/docs/get-started/authentication-and-authorization-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection

Returns:

access_token, id_token

passwordless_login(username: str, otp: str, realm: str, scope: str, audience: str) → Any[source]

Calls /oauth/token endpoint with http://auth0.com/oauth/grant-type/passwordless/otp grant type

Once the verification code was received, login the user using this endpoint with their phone number/email and verification code.

Args:

username (str): The user’s phone number or email address.

otp (str): the user’s verification code.

realm (str): use ‘sms’ or ‘email’. Should be the same as the one used to start the passwordless flow.

scope(str): String value of the different scopes the client is asking for. Multiple scopes are separated with whitespace.

audience (str): The unique identifier of the target API you want to access.

Returns:

access_token, id_token

refresh_token(refresh_token: str, scope: str = '', grant_type: str = 'refresh_token') → Any[source]

Calls /oauth/token endpoint with refresh token grant type

Use this endpoint to refresh an access token, using the refresh token you got during authorization.

Args:

refresh_token (str): The refresh token returned from the initial token request.

scope (str): Use this to limit the scopes of the new access token. Multiple scopes are separated with whitespace.

grant_type (str): Denotes the flow you’re using. For refresh token use refresh_token

Returns:

access_token, id_token

authentication.passwordless module

class auth0.authentication.passwordless.Passwordless(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

Passwordless connections endpoints.

Args:: domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)

email(email: str, send: str = 'link', auth_params: dict[str, str] | None = None) → Any[source]

Start flow sending an email.

Given the user email address, it will send an email with:

A link (default, send:”link”). You can then authenticate with this user opening the link and he will be automatically logged in to the application. Optionally, you can append/override parameters to the link (like scope, redirect_uri, protocol, response_type, etc.) using auth_params dict.

A verification code (send:”code”). You can then authenticate with this user using email as username and code as password.

Complete the authentication using the get_token.passwordless_login method.

Args:

email (str): Email address.

send (str, optional): Can be: ‘link’ or ‘code’. Defaults to ‘link’.

auth_params (dict, optional): Parameters to append or override.

sms(phone_number: str) → Any[source]

Start flow sending an SMS message.

Given the user phone number, it will send an SMS with a verification code. You can then authenticate with this user using phone number as username and code as password.

Complete the authentication using the get_token.passwordless_login method.

Args:: phone_number (str): Phone number.

authentication.revoke_token module

class auth0.authentication.revoke_token.RevokeToken(domain: str, client_id: str, client_secret: str | None = None, client_assertion_signing_key: str | None = None, client_assertion_signing_alg: str | None = None, telemetry: bool = True, timeout: TimeoutType = 5.0, protocol: str = 'https')[source]

Bases: auth0.authentication.base.AuthenticationBase

Revoke Refresh Token endpoint

Args:: domain (str): Your auth0 domain (e.g: my-domain.us.auth0.com)

revoke_refresh_token(token: str) → Any[source]

Revokes a Refresh Token if it has been compromised

Each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked.

Args:: token (str): The Refresh Token you want to revoke

See: https://auth0.com/docs/api/authentication#refresh-token

authentication.token_verifier module

Token Verifier module

class auth0.authentication.token_verifier.AsymmetricSignatureVerifier(jwks_url: str, algorithm: str = 'RS256', cache_ttl: int = 600)[source]

Bases: auth0.authentication.token_verifier.SignatureVerifier

Verifier for RSA signatures, which rely on public key certificates.

Args:: jwks_url (str): The url where the JWK set is located. algorithm (str, optional): The expected signing algorithm. Defaults to “RS256”. cache_ttl (int, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.

class auth0.authentication.token_verifier.JwksFetcher(jwks_url: str, cache_ttl: int = 600)[source]

Bases: object

Class that fetches and holds a JSON web key set. This class makes use of an in-memory cache. For it to work properly, define this instance once and re-use it.

Args:: jwks_url (str): The url where the JWK set is located. cache_ttl (str, optional): The lifetime of the JWK set cache in seconds. Defaults to 600 seconds.

CACHE_TTL: ClassVar[int] = 600

get_key(key_id: str) → RSAPublicKey[source]

Obtains the JWK associated with the given key id.

Args:: key_id (str): The id of the key to fetch.
Returns:: the JWK associated with the given key id.
Raises:: TokenValidationError: when a key with that id cannot be found

class auth0.authentication.token_verifier.SignatureVerifier(algorithm: str)[source]

Bases: object

Abstract class that will verify a given JSON web token’s signature using the key fetched internally given its key id.

Args:: algorithm (str): The expected signing algorithm (e.g. RS256).

DISABLE_JWT_CHECKS: ClassVar[dict[str, bool]] = {'require_exp': False, 'require_iat': False, 'require_nbf': False, 'verify_aud': False, 'verify_exp': False, 'verify_iat': False, 'verify_iss': False, 'verify_nbf': False, 'verify_signature': True}

verify_signature(token: str) → dict[str, Any][source]

Verifies the signature of the given JSON web token.

Args:: token (str): The JWT to get its signature verified.
Raises:: TokenValidationError: if the token cannot be decoded, the algorithm is invalid or the token’s signature doesn’t match the calculated one.

class auth0.authentication.token_verifier.SymmetricSignatureVerifier(shared_secret: str, algorithm: str = 'HS256')[source]

Bases: auth0.authentication.token_verifier.SignatureVerifier

Verifier for HMAC signatures, which rely on shared secrets.

Args:: shared_secret (str): The shared secret used to decode the token. algorithm (str, optional): The expected signing algorithm. Defaults to “HS256”.

class auth0.authentication.token_verifier.TokenVerifier(signature_verifier: auth0.authentication.token_verifier.SignatureVerifier, issuer: str, audience: str, leeway: int = 0)[source]

Bases: object

Class that verifies ID tokens following the steps defined in the OpenID Connect spec. An OpenID Connect ID token is not meant to be consumed until it’s verified.

Args:: signature_verifier (SignatureVerifier): The instance that knows how to verify the signature. issuer (str): The expected issuer claim value. audience (str): The expected audience claim value. leeway (int, optional): The clock skew to accept when verifying date related claims in seconds. Defaults to 60 seconds.

verify(token: str, nonce: str | None = None, max_age: int | None = None, organization: str | None = None) → dict[str, Any][source]

Attempts to verify the given ID token, following the steps defined in the OpenID Connect spec.

Args:: token (str): The JWT to verify. nonce (str, optional): The nonce value sent during authentication. max_age (int, optional): The max_age value sent during authentication. organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified when logging in to an organization.
Returns:: the decoded payload from the token
Raises:: TokenValidationError: when the token cannot be decoded, the token signing algorithm is not the expected one, the token signature is invalid or the token has a claim missing or with unexpected value.

authentication.users module

class auth0.authentication.users.Users(domain: str, telemetry: bool = True, timeout: Union[float, Tuple[float, float]] = 5.0, protocol: str = 'https')[source]

Bases: object

Users client.

Args:: domain (str): The domain of your Auth0 tenant telemetry (bool, optional): Enable or disable telemetry (defaults to True) timeout (float or tuple, optional): Change the requests connect and read timeout. Pass a tuple to specify both values separately or a float to set both to it. (defaults to 5.0 for both) protocol (str, optional): Useful for testing. (defaults to ‘https’)

userinfo(access_token: str) → dict[str, Any][source]

Returns the user information based on the Auth0 access token. This endpoint will work only if openid was granted as a scope for the access_token.

Args:: access_token (str): Auth0 access token (obtained during login).
Returns:: The user profile.

authentication package

authentication.base module

authentication.database module

authentication.delegated module

authentication.enterprise module

authentication.get_token module

authentication.passwordless module

authentication.revoke_token module

authentication.social module

authentication.token_verifier module

authentication.users module