requests-auth


Namerequests-auth JSON
Version 8.0.0 PyPI version JSON
download
home_pageNone
SummaryAuthentication for Requests
upload_time2024-06-18 18:50:05
maintainerNone
docs_urlNone
authorNone
requires_python>=3.8
licenseMIT License Copyright (c) 2024 Colin Bounouar Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
keywords authentication ntlm oauth2 okta aad entra
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            <h2 align="center">Authentication for Requests</h2>

<p align="center">
<a href="https://pypi.org/project/requests-auth/"><img alt="pypi version" src="https://img.shields.io/pypi/v/requests_auth"></a>
<a href="https://github.com/Colin-b/requests_auth/actions"><img alt="Build status" src="https://github.com/Colin-b/requests_auth/workflows/Release/badge.svg"></a>
<a href="https://github.com/Colin-b/requests_auth/actions"><img alt="Coverage" src="https://img.shields.io/badge/coverage-100%25-brightgreen"></a>
<a href="https://github.com/psf/black"><img alt="Code style: black" src="https://img.shields.io/badge/code%20style-black-000000.svg"></a>
<a href="https://github.com/Colin-b/requests_auth/actions"><img alt="Number of tests" src="https://img.shields.io/badge/tests-363 passed-blue"></a>
<a href="https://pypi.org/project/requests-auth/"><img alt="Number of downloads" src="https://img.shields.io/pypi/dm/requests_auth"></a>
</p>

Provides authentication classes to be used with [`requests`][1] [authentication parameter][2].

<p align="center">
    <a href="https://oauth.net/2/"><img alt="OAuth2" src="https://oauth.net/images/oauth-2-sm.png"></a>
    <a href="https://www.okta.com"><img alt="Okta" src="https://www.okta.com/sites/all/themes/Okta/images/logos/developer/Dev_Logo-03_Large.png" height="120"></a>
    <a href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id"><img alt="Microsoft Entra ID, formerly Azure Active Directory (AD)" src="https://svgshare.com/i/12u_.svg" height="120"></a>
</p>
<p align="center">Some of the supported authentication</p>

## Available authentication

- [OAuth2](#oauth-2)
  - [Authorization Code Flow](#authorization-code-flow)
    - [Okta](#okta-oauth2-authorization-code)
  - [Authorization Code Flow with PKCE](#authorization-code-flow-with-proof-key-for-code-exchange)
    - [Okta](#okta-oauth2-proof-key-for-code-exchange)
  - [Resource Owner Password Credentials flow](#resource-owner-password-credentials-flow)
  - [Client Credentials Flow](#client-credentials-flow)
    - [Okta](#okta-oauth2-client-credentials)
  - [Implicit Flow](#implicit-flow)
    - [Microsoft Entra (Access Token)](#microsoft---azure-active-directory-oauth2-access-token)
    - [Microsoft Entra (ID token)](#microsoft---azure-active-directory-openid-connect-id-token)
    - [Okta (Access Token)](#okta-oauth2-implicit-access-token)
    - [Okta (ID token)](#okta-openid-connect-implicit-id-token)
  - [Managing token cache](#managing-token-cache)
  - [Managing browser](#managing-the-web-browser)
- API key
  - [In header](#api-key-in-header)
  - [In query](#api-key-in-query)
- [Basic](#basic)
- [NTLM (Windows)](#ntlm)
- [Multiple authentication at once](#multiple-authentication-at-once)
- [Endorsements](#endorsements)

## OAuth 2

Most of [OAuth2](https://oauth.net/2/) flows are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

### Authorization Code flow

Authorization Code Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.1).

Use `requests_auth.OAuth2AuthorizationCode` to configure this kind of authentication.

```python
import requests
from requests_auth import OAuth2AuthorizationCode

requests.get('https://www.example.com', auth=OAuth2AuthorizationCode('https://www.authorization.url', 'https://www.token.url'))
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

#### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory  |                |
| `token_url`             | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 code will be started.                                                                                                                                                                                                                      | Optional   | 5000           |
| `timeout`               | Maximum amount of seconds to wait for a code or a token to be received once requested.                                                                                                                                                                                                            | Optional   | 60             |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code           |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code           |
| `username`              | User name in case basic authentication should be used to retrieve token.                                                                                                                                                                                                                          | Optional   |                |
| `password`              | User password in case basic authentication should be used to retrieve token.                                                                                                                                                                                                                      | Optional   |                |
| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |
| `client_secret` | If client is not authenticated with the authorization server         |
| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |

#### Common providers

Most of [OAuth2](https://oauth.net/2/) Authorization Code Grant providers are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

##### Okta (OAuth2 Authorization Code)

[Okta Authorization Code Grant](https://developer.okta.com/docs/guides/implement-auth-code/overview/) providing access tokens is supported.

Use `requests_auth.OktaAuthorizationCode` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaAuthorizationCode


okta = OktaAuthorizationCode(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|
| `instance`              | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                                              |
| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |
| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid                                       |
| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |
| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

##### WakaTime (OAuth2 Authorization Code)

[WakaTime Authorization Code Grant](https://wakatime.com/developers#authentication) providing access tokens is supported.

Use `requests_auth.WakaTimeAuthorizationCode` to configure this kind of authentication.

```python
import requests
from requests_auth import WakaTimeAuthorizationCode


waka_time = WakaTimeAuthorizationCode(client_id="aPJQV0op6Pu3b66MWDi9b1wB", client_secret="waka_sec_0c5MB", scope="email")
requests.get('https://wakatime.com/api/v1/users/current', auth=waka_time)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

###### Parameters

| Name                    | Description                | Mandatory | Default value                                |
|:------------------------|:---------------------------|:----------|:---------------------------------------------|
| `client_id`             | WakaTime Application Identifier (formatted as an Universal Unique Identifier). | Mandatory |                                              |
| `client_secret`         | WakaTime Application Secret (formatted as waka_sec_ followed by an Universal Unique Identifier). | Mandatory |                                              |
| `scope`                 | Scope parameter sent in query. Can also be a list of scopes. | Mandatory |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL. | Optional  | token                                        |
| `token_field_name`      | Field name containing the token. | Optional  | access_token                                 |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details. | Optional  | Newly generated Universal Unique Identifier. |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started. | Optional  | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested. | Optional  | 60                                           |
| `header_name`           | Name of the header field used to send token. | Optional  | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token. | Optional  | Bearer {token}                               |
| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |

Any other parameter will be put as query parameter in the authorization URL.

### Authorization Code Flow with Proof Key for Code Exchange

Proof Key for Code Exchange is implemented following [rfc7636](https://tools.ietf.org/html/rfc7636).

Use `requests_auth.OAuth2AuthorizationCodePKCE` to configure this kind of authentication.

```python
import requests
from requests_auth import OAuth2AuthorizationCodePKCE

requests.get('https://www.example.com', auth=OAuth2AuthorizationCodePKCE('https://www.authorization.url', 'https://www.token.url'))
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

#### Parameters 

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory  |                |
| `token_url`             | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 code will be started.                                                                                                                                                                                                                      | Optional   | 5000           |
| `timeout`               | Maximum amount of seconds to wait for a code or a token to be received once requested.                                                                                                                                                                                                            | Optional   | 60             |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code           |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code           |
| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |
| `client_secret` | If client is not authenticated with the authorization server         |
| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |

#### Common providers

Most of [OAuth2](https://oauth.net/2/) Proof Key for Code Exchange providers are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

##### Okta (OAuth2 Proof Key for Code Exchange)

[Okta Proof Key for Code Exchange](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/) providing access tokens is supported.

Use `requests_auth.OktaAuthorizationCodePKCE` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaAuthorizationCodePKCE


okta = OktaAuthorizationCodePKCE(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|
| `instance`              | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                                              |
| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code                                         |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |
| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |
| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid                                       |
| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |
| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |

Any other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        

Usual extra parameters are:

| Name                  | Description                                                       |
|:----------------------|:------------------------------------------------------------------|
| `client_secret`       | If client is not authenticated with the authorization server      |
| `nonce`               | Refer to [OpenID ID Token specifications][3] for more details     |

### Resource Owner Password Credentials flow

Resource Owner Password Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.3).

Use `requests_auth.OAuth2ResourceOwnerPasswordCredentials` to configure this kind of authentication.

```python
import requests
from requests_auth import OAuth2ResourceOwnerPasswordCredentials

requests.get('https://www.example.com', auth=OAuth2ResourceOwnerPasswordCredentials('https://www.token.url', 'user name', 'user password'))
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).

#### Parameters

| Name               | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:-------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `token_url`        | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |
| `username`         | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |
| `password`         | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |
| `session_auth`     | Client authentication if the client type is confidential or the client was issued client credentials (or assigned other authentication requirements). Can be a tuple or any requests authentication class instance.                                                                               | Optional   |                |
| `timeout`          | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |
| `header_name`      | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`     | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `scope`            | Scope parameter sent to token URL as body. Can also be a list of scopes.                                                                                                                                                                                                                          | Optional   |                |
| `token_field_name` | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`     | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `session`          | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as body parameter in the token URL.

#### Common providers

Most of [OAuth2](https://oauth.net/2/) Resource Owner Password Credentials providers are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

##### Okta (OAuth2 Resource Owner Password Credentials)

[Okta Resource Owner Password Credentials](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/) providing access tokens is supported.

Use `requests_auth.OktaResourceOwnerPasswordCredentials` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaResourceOwnerPasswordCredentials


okta = OktaResourceOwnerPasswordCredentials(instance='testserver.okta-emea.com', username='user name', password='user password', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_secret="0c5MB")
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).

###### Parameters

| Name                   | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `instance`             | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                |
| `username`             | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |
| `password`             | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |
| `client_id`            | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                |
| `client_secret`        | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |
| `timeout`              | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |
| `header_name`          | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`         | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `scope`                | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid         |
| `token_field_name`     | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`         | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `session`              | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as body parameters in the token URL.

### Client Credentials flow

Client Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.4).

Use `requests_auth.OAuth2ClientCredentials` to configure this kind of authentication.

```python
import requests
from requests_auth import OAuth2ClientCredentials

requests.get('https://www.example.com', auth=OAuth2ClientCredentials('https://www.token.url', client_id='id', client_secret='secret'))
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).

#### Parameters

| Name               | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:-------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `token_url`        | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |
| `client_id`        | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |
| `client_secret`    | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |
| `timeout`          | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |
| `header_name`      | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`     | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `scope`            | Scope parameter sent to token URL as body. Can also be a list of scopes.                                                                                                                                                                                                                          | Optional   |                |
| `token_field_name` | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`     | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `session`          | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as body parameter in the token URL.

#### Common providers

Most of [OAuth2](https://oauth.net/2/) Client Credentials Grant providers are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

##### Okta (OAuth2 Client Credentials)

[Okta Client Credentials Grant](https://developer.okta.com/docs/guides/implement-client-creds/overview/) providing access tokens is supported.

Use `requests_auth.OktaClientCredentials` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaClientCredentials


okta = OktaClientCredentials(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_secret="secret", scope=["scope1", "scope2"])
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).

###### Parameters

| Name                   | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |
|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|
| `instance`             | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                |
| `client_id`            | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                |
| `client_secret`        | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |
| `scope`                | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Mandatory  |                |
| `authorization_server` | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'      |
| `timeout`              | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |
| `header_name`          | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |
| `header_value`         | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |
| `token_field_name`     | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |
| `early_expiry`         | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |
| `session`              | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |

Any other parameter will be put as query parameter in the token URL.        

### Implicit flow

Implicit Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.2).

Use `requests_auth.OAuth2Implicit` to configure this kind of authentication.

```python
import requests
from requests_auth import OAuth2Implicit

requests.get('https://www.example.com', auth=OAuth2Implicit('https://www.authorization.url'))
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

#### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory | Default value                                                 |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:--------------------------------------------------------------|
| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory |                                                               |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional  | token                                                         |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional  | id_token if response_type is id_token, otherwise access_token |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                                          |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional  | localhost                                                     |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional  | ''                                                            |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional  | 5000                                                          |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional  | 60                                                            |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional  | Authorization                                                 |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional  | Bearer {token}                                                |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |
| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

#### Common providers

Most of [OAuth2](https://oauth.net/2/) Implicit Grant providers are supported.

If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).

##### Microsoft - Azure Active Directory (OAuth2 Access Token)

[Microsoft identity platform access tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens) are supported.

Use `requests_auth.AzureActiveDirectoryImplicit` to configure this kind of authentication.

```python
import requests
from requests_auth import AzureActiveDirectoryImplicit


aad = AzureActiveDirectoryImplicit(tenant_id='45239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=aad)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

You can retrieve Microsoft Azure Active Directory application information thanks to the [application list on Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|
| `tenant_id`             | Microsoft Tenant Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |
| `client_id`             | Microsoft Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                   | Mandatory  |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details                                                                                                                                                                                                                                     | Optional   | Newly generated Universal Unique Identifier. |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

##### Microsoft - Azure Active Directory (OpenID Connect ID token)

[Microsoft identity platform ID tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens) are supported.

Use `requests_auth.AzureActiveDirectoryImplicitIdToken` to configure this kind of authentication.

```python
import requests
from requests_auth import AzureActiveDirectoryImplicitIdToken


aad = AzureActiveDirectoryImplicitIdToken(tenant_id='45239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=aad)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

You can retrieve Microsoft Azure Active Directory application information thanks to the [application list on Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------------------------------------------|
| `tenant_id`             | Microsoft Tenant Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory |                                              |
| `client_id`             | Microsoft Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                   | Mandatory |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional  | id_token                                     |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional  | id_token                                     |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details                                                                                                                                                                                                                                     | Optional  | Newly generated Universal Unique Identifier. |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional  | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional  | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional  | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional  | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional  | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional  | Bearer {token}                               |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

##### Okta (OAuth2 Implicit Access Token)

[Okta Implicit Grant](https://developer.okta.com/docs/guides/implement-implicit/overview/) providing access tokens is supported.

Use `requests_auth.OktaImplicit` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaImplicit


okta = OktaImplicit(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|
| `instance`              | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                                              |
| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |
| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | ['openid', 'profile', 'email']               |
| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

##### Okta (OpenID Connect Implicit ID token)

[Okta Implicit Grant](https://developer.okta.com/docs/guides/implement-implicit/overview/) providing ID tokens is supported.

Use `requests_auth.OktaImplicitIdToken` to configure this kind of authentication.

```python
import requests
from requests_auth import OktaImplicitIdToken


okta = OktaImplicitIdToken(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
requests.get('https://www.example.com', auth=okta)
```

Note:
* You can persist tokens thanks to [the token cache](#managing-token-cache).
* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).

###### Parameters

| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |
|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|
| `instance`              | Okta instance (like "testserver.okta-emea.com").                                                                                                                                                                                                                                                  | Mandatory  |                                              |
| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |
| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | id_token                                     |
| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | id_token                                     |
| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |
| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |
| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | ['openid', 'profile', 'email']               |
| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |
| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |
| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |
| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |
| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |
| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |
| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |

Any other parameter will be put as query parameter in the authorization URL.        

Usual extra parameters are:
        
| Name            | Description                                                          |
|:----------------|:---------------------------------------------------------------------|
| `prompt`        | none to avoid prompting the user if a session is already opened.     |

### Managing token cache

To avoid asking for a new token every new request, a token cache is used.

Default cache is in memory, but it is also possible to use a physical cache.

You need to provide the location of your token cache file. It can be a full or relative path (`str` or `pathlib.Path).

If the file already exists it will be used, if the file do not exist it will be created.

```python
from requests_auth import OAuth2, JsonTokenFileCache

OAuth2.token_cache = JsonTokenFileCache('path/to/my_token_cache.json')
```

### Managing the web browser

You can configure the browser display settings thanks to `requests_auth.OAuth2.display` as in the following:
```python
from requests_auth import OAuth2, DisplaySettings

OAuth2.display = DisplaySettings()
```

The following parameters can be provided to `DisplaySettings`:

| Name                   | Description                                                                                                                                                                      | Default value |
|:-----------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|
| `success_display_time` | In case a code or token is successfully received, this is the maximum amount of milliseconds the success page will be displayed in your browser.                                 | 1             |
| `success_html`         | In case a code or token is successfully received, this is the success page that will be displayed in your browser. `{display_time}` is expected in this content.                 |               |
| `failure_display_time` | In case received code or token is not valid, this is the maximum amount of milliseconds the failure page will be displayed in your browser.                                      | 10_000        |
| `failure_html`         | In case received code or token is not valid, this is the failure page that will be displayed in your browser. `{information}` and `{display_time}` are expected in this content. |               |

## API key in header

You can send an API key inside the header of your request using `requests_auth.HeaderApiKey`.

```python
import requests
from requests_auth import HeaderApiKey

requests.get('https://www.example.com', auth=HeaderApiKey('my_api_key'))
```

### Parameters

| Name                    | Description                    | Mandatory | Default value |
|:------------------------|:-------------------------------|:----------|:--------------|
| `api_key`               | The API key that will be sent. | Mandatory |               |
| `header_name`           | Name of the header field.      | Optional  | "X-API-Key"   |

## API key in query

You can send an API key inside the query parameters of your request using `requests_auth.QueryApiKey`.

```python
import requests
from requests_auth import QueryApiKey

requests.get('https://www.example.com', auth=QueryApiKey('my_api_key'))
```

### Parameters

| Name                    | Description                    | Mandatory | Default value |
|:------------------------|:-------------------------------|:----------|:--------------|
| `api_key`               | The API key that will be sent. | Mandatory |               |
| `query_parameter_name`  | Name of the query parameter.   | Optional  | "api_key"     |

## Basic

You can use basic authentication using `requests_auth.Basic`.

The only advantage of using this class instead of `requests` native support of basic authentication, is to be able to use it in [multiple authentication](#multiple-authentication-at-once).

```python
import requests
from requests_auth import Basic

requests.get('https://www.example.com', auth=Basic('username', 'password'))
```

### Parameters

| Name                    | Description                    | Mandatory | Default value |
|:------------------------|:-------------------------------|:----------|:--------------|
| `username`              | User name.                     | Mandatory |               |
| `password`              | User password.                 | Mandatory |               |

## NTLM

Requires [`requests-negotiate-sspi` module][4] or [`requests_ntlm` module][5] depending on provided parameters.

You can use Windows authentication using `requests_auth.NTLM`.

```python
import requests
from requests_auth import NTLM

requests.get('https://www.example.com', auth=NTLM())
```

### Parameters

| Name                    | Description                    | Mandatory | Default value |
|:------------------------|:-------------------------------|:----------|:--------------|
| `username`              | User name.                     | Mandatory if `requests_negotiate_sspi` module is not installed. In such a case `requests_ntlm` module is mandatory. |               |
| `password`              | User password.                 | Mandatory if `requests_negotiate_sspi` module is not installed. In such a case `requests_ntlm` module is mandatory. |               |

## Multiple authentication at once

You can also use a combination of authentication using `+` or `&` as in the following sample:

```python
import requests
from requests_auth import HeaderApiKey, OAuth2Implicit

api_key = HeaderApiKey('my_api_key')
oauth2 = OAuth2Implicit('https://www.example.com')
requests.get('https://www.example.com', auth=api_key + oauth2)
```

This is supported on every authentication class exposed by `requests_auth`, but you can also enable it on your own authentication classes by using `requests_auth.SupportMultiAuth` as in the following sample:

```python
from requests_auth import SupportMultiAuth
# TODO Import your own auth here
from my_package import MyAuth

class MyMultiAuth(MyAuth, SupportMultiAuth):
    pass
```

## Available pytest fixtures

Testing the code using `requests_auth` authentication classes can be achieved using provided [`pytest`][6] fixtures.

### token_cache_mock

```python
from requests_auth.testing import token_cache_mock, token_mock

def test_something(token_cache_mock):
    # perform code using authentication
    pass
```

Use this fixture to mock authentication success for any of the following classes:
 * OAuth2AuthorizationCodePKCE
 * OktaAuthorizationCodePKCE
 * OAuth2Implicit
 * OktaImplicit
 * OktaImplicitIdToken
 * AzureActiveDirectoryImplicit
 * AzureActiveDirectoryImplicitIdToken
 * OAuth2AuthorizationCode
 * OktaAuthorizationCode
 * OAuth2ClientCredentials
 * OktaClientCredentials
 * OAuth2ResourceOwnerPasswordCredentials,

By default, an access token with value `2YotnFZFEjr1zCsicMWpAA` is generated.

You can however return your custom token by providing your own `token_mock` fixture as in the following sample:

```python
import pytest

from requests_auth.testing import token_cache_mock


@pytest.fixture
def token_mock() -> str:
    return "MyCustomTokenValue"


def test_something(token_cache_mock):
    # perform code using authentication
    pass
```

You can even return a more complex token by using the `create_token` function.

Note that [`pyjwt`](https://pypi.org/project/PyJWT/) is a required dependency in this case as it is used to generate the token returned by the authentication.

```python
import pytest

from requests_auth.testing import token_cache_mock, create_token


@pytest.fixture
def token_mock() -> str:
    expiry = None  # TODO Compute your expiry
    return create_token(expiry)


def test_something(token_cache_mock):
    # perform code using authentication
    pass
```

### Advanced testing

#### token_cache

This [`pytest`][6] fixture will return the token cache and ensure it is reset at the end of the test case.

```python
from requests_auth.testing import token_cache

def test_something(token_cache):
    # perform code using authentication
    pass
```

#### browser_mock

This [`pytest`][6] fixture will allow to mock the behavior of a web browser.

With this [`pytest`][6] fixture you will be allowed to fine tune your authentication related failures handling.

[`pyjwt`](https://pypi.org/project/PyJWT/) is a required dependency if you use `create_token` helper function.

```python
import datetime

from requests_auth.testing import browser_mock, BrowserMock, create_token

def test_something(browser_mock: BrowserMock):
    token_expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=1)
    token = create_token(token_expiry)
    tab = browser_mock.add_response(
        opened_url="http://url_opened_by_browser?state=1234",
        reply_url=f"http://localhost:5000#access_token={token}&state=1234",
    )

    # perform code using authentication

    tab.assert_success()
```

## Endorsements

> I love requests_auth. As a ~15 year pythonista, this library makes working with OAuth services a breeze. <333

**Randall Degges**, Head of Evangelism, [Okta](https://developer.okta.com)

[1]: https://pypi.python.org/pypi/requests "requests module"
[2]: https://2.python-requests.org/en/master/user/authentication/ "authentication parameter on requests module"
[3]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken "OpenID ID Token specifications"
[4]: https://pypi.python.org/pypi/requests-negotiate-sspi "requests-negotiate-sspi module"
[5]: https://pypi.python.org/pypi/requests_ntlm "requests_ntlm module"
[6]: https://docs.pytest.org/en/latest/ "pytest module"

            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "requests-auth",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.8",
    "maintainer_email": "Colin Bounouar <colin.bounouar.dev@gmail.com>",
    "keywords": "authentication, ntlm, oauth2, okta, aad, entra",
    "author": null,
    "author_email": "Colin Bounouar <colin.bounouar.dev@gmail.com>",
    "download_url": "https://files.pythonhosted.org/packages/2b/c7/3a1119e11477e789bf4a75cadf9c09cf3b6fd7df3c38011a71583346762b/requests_auth-8.0.0.tar.gz",
    "platform": null,
    "description": "<h2 align=\"center\">Authentication for Requests</h2>\n\n<p align=\"center\">\n<a href=\"https://pypi.org/project/requests-auth/\"><img alt=\"pypi version\" src=\"https://img.shields.io/pypi/v/requests_auth\"></a>\n<a href=\"https://github.com/Colin-b/requests_auth/actions\"><img alt=\"Build status\" src=\"https://github.com/Colin-b/requests_auth/workflows/Release/badge.svg\"></a>\n<a href=\"https://github.com/Colin-b/requests_auth/actions\"><img alt=\"Coverage\" src=\"https://img.shields.io/badge/coverage-100%25-brightgreen\"></a>\n<a href=\"https://github.com/psf/black\"><img alt=\"Code style: black\" src=\"https://img.shields.io/badge/code%20style-black-000000.svg\"></a>\n<a href=\"https://github.com/Colin-b/requests_auth/actions\"><img alt=\"Number of tests\" src=\"https://img.shields.io/badge/tests-363 passed-blue\"></a>\n<a href=\"https://pypi.org/project/requests-auth/\"><img alt=\"Number of downloads\" src=\"https://img.shields.io/pypi/dm/requests_auth\"></a>\n</p>\n\nProvides authentication classes to be used with [`requests`][1] [authentication parameter][2].\n\n<p align=\"center\">\n    <a href=\"https://oauth.net/2/\"><img alt=\"OAuth2\" src=\"https://oauth.net/images/oauth-2-sm.png\"></a>\n    <a href=\"https://www.okta.com\"><img alt=\"Okta\" src=\"https://www.okta.com/sites/all/themes/Okta/images/logos/developer/Dev_Logo-03_Large.png\" height=\"120\"></a>\n    <a href=\"https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id\"><img alt=\"Microsoft Entra ID, formerly Azure Active Directory (AD)\" src=\"https://svgshare.com/i/12u_.svg\" height=\"120\"></a>\n</p>\n<p align=\"center\">Some of the supported authentication</p>\n\n## Available authentication\n\n- [OAuth2](#oauth-2)\n  - [Authorization Code Flow](#authorization-code-flow)\n    - [Okta](#okta-oauth2-authorization-code)\n  - [Authorization Code Flow with PKCE](#authorization-code-flow-with-proof-key-for-code-exchange)\n    - [Okta](#okta-oauth2-proof-key-for-code-exchange)\n  - [Resource Owner Password Credentials flow](#resource-owner-password-credentials-flow)\n  - [Client Credentials Flow](#client-credentials-flow)\n    - [Okta](#okta-oauth2-client-credentials)\n  - [Implicit Flow](#implicit-flow)\n    - [Microsoft Entra (Access Token)](#microsoft---azure-active-directory-oauth2-access-token)\n    - [Microsoft Entra (ID token)](#microsoft---azure-active-directory-openid-connect-id-token)\n    - [Okta (Access Token)](#okta-oauth2-implicit-access-token)\n    - [Okta (ID token)](#okta-openid-connect-implicit-id-token)\n  - [Managing token cache](#managing-token-cache)\n  - [Managing browser](#managing-the-web-browser)\n- API key\n  - [In header](#api-key-in-header)\n  - [In query](#api-key-in-query)\n- [Basic](#basic)\n- [NTLM (Windows)](#ntlm)\n- [Multiple authentication at once](#multiple-authentication-at-once)\n- [Endorsements](#endorsements)\n\n## OAuth 2\n\nMost of [OAuth2](https://oauth.net/2/) flows are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n### Authorization Code flow\n\nAuthorization Code Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.1).\n\nUse `requests_auth.OAuth2AuthorizationCode` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OAuth2AuthorizationCode\n\nrequests.get('https://www.example.com', auth=OAuth2AuthorizationCode('https://www.authorization.url', 'https://www.token.url'))\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n#### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory  |                |\n| `token_url`             | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 code will be started.                                                                                                                                                                                                                      | Optional   | 5000           |\n| `timeout`               | Maximum amount of seconds to wait for a code or a token to be received once requested.                                                                                                                                                                                                            | Optional   | 60             |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code           |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code           |\n| `username`              | User name in case basic authentication should be used to retrieve token.                                                                                                                                                                                                                          | Optional   |                |\n| `password`              | User password in case basic authentication should be used to retrieve token.                                                                                                                                                                                                                      | Optional   |                |\n| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |\n| `client_secret` | If client is not authenticated with the authorization server         |\n| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |\n\n#### Common providers\n\nMost of [OAuth2](https://oauth.net/2/) Authorization Code Grant providers are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n##### Okta (OAuth2 Authorization Code)\n\n[Okta Authorization Code Grant](https://developer.okta.com/docs/guides/implement-auth-code/overview/) providing access tokens is supported.\n\nUse `requests_auth.OktaAuthorizationCode` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaAuthorizationCode\n\n\nokta = OktaAuthorizationCode(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|\n| `instance`              | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                                              |\n| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |\n| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid                                       |\n| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |\n| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n##### WakaTime (OAuth2 Authorization Code)\n\n[WakaTime Authorization Code Grant](https://wakatime.com/developers#authentication) providing access tokens is supported.\n\nUse `requests_auth.WakaTimeAuthorizationCode` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import WakaTimeAuthorizationCode\n\n\nwaka_time = WakaTimeAuthorizationCode(client_id=\"aPJQV0op6Pu3b66MWDi9b1wB\", client_secret=\"waka_sec_0c5MB\", scope=\"email\")\nrequests.get('https://wakatime.com/api/v1/users/current', auth=waka_time)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n###### Parameters\n\n| Name                    | Description                | Mandatory | Default value                                |\n|:------------------------|:---------------------------|:----------|:---------------------------------------------|\n| `client_id`             | WakaTime Application Identifier (formatted as an Universal Unique Identifier). | Mandatory |                                              |\n| `client_secret`         | WakaTime Application Secret (formatted as waka_sec_ followed by an Universal Unique Identifier). | Mandatory |                                              |\n| `scope`                 | Scope parameter sent in query. Can also be a list of scopes. | Mandatory |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL. | Optional  | token                                        |\n| `token_field_name`      | Field name containing the token. | Optional  | access_token                                 |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details. | Optional  | Newly generated Universal Unique Identifier. |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started. | Optional  | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested. | Optional  | 60                                           |\n| `header_name`           | Name of the header field used to send token. | Optional  | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token. | Optional  | Bearer {token}                               |\n| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |\n\nAny other parameter will be put as query parameter in the authorization URL.\n\n### Authorization Code Flow with Proof Key for Code Exchange\n\nProof Key for Code Exchange is implemented following [rfc7636](https://tools.ietf.org/html/rfc7636).\n\nUse `requests_auth.OAuth2AuthorizationCodePKCE` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OAuth2AuthorizationCodePKCE\n\nrequests.get('https://www.example.com', auth=OAuth2AuthorizationCodePKCE('https://www.authorization.url', 'https://www.token.url'))\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n#### Parameters \n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory  |                |\n| `token_url`             | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost      |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''             |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 code will be started.                                                                                                                                                                                                                      | Optional   | 5000           |\n| `timeout`               | Maximum amount of seconds to wait for a code or a token to be received once requested.                                                                                                                                                                                                            | Optional   | 60             |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code           |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code           |\n| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |\n| `client_secret` | If client is not authenticated with the authorization server         |\n| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |\n\n#### Common providers\n\nMost of [OAuth2](https://oauth.net/2/) Proof Key for Code Exchange providers are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n##### Okta (OAuth2 Proof Key for Code Exchange)\n\n[Okta Proof Key for Code Exchange](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/) providing access tokens is supported.\n\nUse `requests_auth.OktaAuthorizationCodePKCE` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaAuthorizationCodePKCE\n\n\nokta = OktaAuthorizationCodePKCE(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|\n| `instance`              | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                                              |\n| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | code                                         |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |\n| `code_field_name`       | Field name containing the code.                                                                                                                                                                                                                                                                   | Optional   | code                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |\n| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid                                       |\n| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |\n| `session`               | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                                              |\n\nAny other parameter will be put as query parameter in the authorization URL and as body parameters in the token URL.        \n\nUsual extra parameters are:\n\n| Name                  | Description                                                       |\n|:----------------------|:------------------------------------------------------------------|\n| `client_secret`       | If client is not authenticated with the authorization server      |\n| `nonce`               | Refer to [OpenID ID Token specifications][3] for more details     |\n\n### Resource Owner Password Credentials flow\n\nResource Owner Password Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.3).\n\nUse `requests_auth.OAuth2ResourceOwnerPasswordCredentials` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OAuth2ResourceOwnerPasswordCredentials\n\nrequests.get('https://www.example.com', auth=OAuth2ResourceOwnerPasswordCredentials('https://www.token.url', 'user name', 'user password'))\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n\n#### Parameters\n\n| Name               | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:-------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `token_url`        | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |\n| `username`         | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |\n| `password`         | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |\n| `session_auth`     | Client authentication if the client type is confidential or the client was issued client credentials (or assigned other authentication requirements). Can be a tuple or any requests authentication class instance.                                                                               | Optional   |                |\n| `timeout`          | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |\n| `header_name`      | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`     | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `scope`            | Scope parameter sent to token URL as body. Can also be a list of scopes.                                                                                                                                                                                                                          | Optional   |                |\n| `token_field_name` | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`     | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `session`          | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as body parameter in the token URL.\n\n#### Common providers\n\nMost of [OAuth2](https://oauth.net/2/) Resource Owner Password Credentials providers are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n##### Okta (OAuth2 Resource Owner Password Credentials)\n\n[Okta Resource Owner Password Credentials](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/) providing access tokens is supported.\n\nUse `requests_auth.OktaResourceOwnerPasswordCredentials` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaResourceOwnerPasswordCredentials\n\n\nokta = OktaResourceOwnerPasswordCredentials(instance='testserver.okta-emea.com', username='user name', password='user password', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_secret=\"0c5MB\")\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n\n###### Parameters\n\n| Name                   | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `instance`             | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                |\n| `username`             | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |\n| `password`             | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |\n| `client_id`            | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                |\n| `client_secret`        | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |\n| `timeout`              | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |\n| `header_name`          | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`         | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `scope`                | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | openid         |\n| `token_field_name`     | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`         | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `session`              | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as body parameters in the token URL.\n\n### Client Credentials flow\n\nClient Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.4).\n\nUse `requests_auth.OAuth2ClientCredentials` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OAuth2ClientCredentials\n\nrequests.get('https://www.example.com', auth=OAuth2ClientCredentials('https://www.token.url', client_id='id', client_secret='secret'))\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n\n#### Parameters\n\n| Name               | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:-------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `token_url`        | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory  |                |\n| `client_id`        | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory  |                |\n| `client_secret`    | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |\n| `timeout`          | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |\n| `header_name`      | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`     | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `scope`            | Scope parameter sent to token URL as body. Can also be a list of scopes.                                                                                                                                                                                                                          | Optional   |                |\n| `token_field_name` | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`     | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `session`          | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as body parameter in the token URL.\n\n#### Common providers\n\nMost of [OAuth2](https://oauth.net/2/) Client Credentials Grant providers are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n##### Okta (OAuth2 Client Credentials)\n\n[Okta Client Credentials Grant](https://developer.okta.com/docs/guides/implement-client-creds/overview/) providing access tokens is supported.\n\nUse `requests_auth.OktaClientCredentials` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaClientCredentials\n\n\nokta = OktaClientCredentials(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_secret=\"secret\", scope=[\"scope1\", \"scope2\"])\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n\n###### Parameters\n\n| Name                   | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value  |\n|:-----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------|\n| `instance`             | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                |\n| `client_id`            | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                |\n| `client_secret`        | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory  |                |\n| `scope`                | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Mandatory  |                |\n| `authorization_server` | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'      |\n| `timeout`              | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60             |\n| `header_name`          | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization  |\n| `header_value`         | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token} |\n| `token_field_name`     | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token   |\n| `early_expiry`         | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0           |\n| `session`              | `requests.Session` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                        | Optional   |                |\n\nAny other parameter will be put as query parameter in the token URL.        \n\n### Implicit flow\n\nImplicit Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.2).\n\nUse `requests_auth.OAuth2Implicit` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OAuth2Implicit\n\nrequests.get('https://www.example.com', auth=OAuth2Implicit('https://www.authorization.url'))\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n#### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory | Default value                                                 |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:--------------------------------------------------------------|\n| `authorization_url`     | OAuth 2 authorization URL.                                                                                                                                                                                                                                                                        | Mandatory |                                                               |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional  | token                                                         |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional  | id_token if response_type is id_token, otherwise access_token |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                                          |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional  | localhost                                                     |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional  | ''                                                            |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional  | 5000                                                          |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional  | 60                                                            |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional  | Authorization                                                 |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional  | Bearer {token}                                                |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `client_id`     | Corresponding to your Application ID (in Microsoft Azure app portal) |\n| `nonce`         | Refer to [OpenID ID Token specifications][3] for more details        |\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n#### Common providers\n\nMost of [OAuth2](https://oauth.net/2/) Implicit Grant providers are supported.\n\nIf the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/requests_auth/issues/new).\n\n##### Microsoft - Azure Active Directory (OAuth2 Access Token)\n\n[Microsoft identity platform access tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens) are supported.\n\nUse `requests_auth.AzureActiveDirectoryImplicit` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import AzureActiveDirectoryImplicit\n\n\naad = AzureActiveDirectoryImplicit(tenant_id='45239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=aad)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\nYou can retrieve Microsoft Azure Active Directory application information thanks to the [application list on Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|\n| `tenant_id`             | Microsoft Tenant Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |\n| `client_id`             | Microsoft Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                   | Mandatory  |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details                                                                                                                                                                                                                                     | Optional   | Newly generated Universal Unique Identifier. |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n##### Microsoft - Azure Active Directory (OpenID Connect ID token)\n\n[Microsoft identity platform ID tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens) are supported.\n\nUse `requests_auth.AzureActiveDirectoryImplicitIdToken` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import AzureActiveDirectoryImplicitIdToken\n\n\naad = AzureActiveDirectoryImplicitIdToken(tenant_id='45239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=aad)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\nYou can retrieve Microsoft Azure Active Directory application information thanks to the [application list on Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------------------------------------------|\n| `tenant_id`             | Microsoft Tenant Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory |                                              |\n| `client_id`             | Microsoft Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                   | Mandatory |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional  | id_token                                     |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional  | id_token                                     |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details                                                                                                                                                                                                                                     | Optional  | Newly generated Universal Unique Identifier. |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional  | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional  | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional  | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional  | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional  | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional  | Bearer {token}                               |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n##### Okta (OAuth2 Implicit Access Token)\n\n[Okta Implicit Grant](https://developer.okta.com/docs/guides/implement-implicit/overview/) providing access tokens is supported.\n\nUse `requests_auth.OktaImplicit` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaImplicit\n\n\nokta = OktaImplicit(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|\n| `instance`              | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                                              |\n| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | token                                        |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | access_token                                 |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |\n| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | ['openid', 'profile', 'email']               |\n| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n##### Okta (OpenID Connect Implicit ID token)\n\n[Okta Implicit Grant](https://developer.okta.com/docs/guides/implement-implicit/overview/) providing ID tokens is supported.\n\nUse `requests_auth.OktaImplicitIdToken` to configure this kind of authentication.\n\n```python\nimport requests\nfrom requests_auth import OktaImplicitIdToken\n\n\nokta = OktaImplicitIdToken(instance='testserver.okta-emea.com', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')\nrequests.get('https://www.example.com', auth=okta)\n```\n\nNote:\n* You can persist tokens thanks to [the token cache](#managing-token-cache).\n* You can tweak web browser interaction thanks to [the display settings](#managing-the-web-browser).\n\n###### Parameters\n\n| Name                    | Description                                                                                                                                                                                                                                                                                       | Mandatory  | Default value                                |\n|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------|:---------------------------------------------|\n| `instance`              | Okta instance (like \"testserver.okta-emea.com\").                                                                                                                                                                                                                                                  | Mandatory  |                                              |\n| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier).                                                                                                                                                                                                                        | Mandatory  |                                              |\n| `response_type`         | Value of the response_type query parameter if not already provided in authorization URL.                                                                                                                                                                                                          | Optional   | id_token                                     |\n| `token_field_name`      | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional   | id_token                                     |\n| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional   | 30.0                                         |\n| `nonce`                 | Refer to [OpenID ID Token specifications][3] for more details.                                                                                                                                                                                                                                    | Optional   | Newly generated Universal Unique Identifier. |\n| `scope`                 | Scope parameter sent in query. Can also be a list of scopes.                                                                                                                                                                                                                                      | Optional   | ['openid', 'profile', 'email']               |\n| `authorization_server`  | Okta authorization server.                                                                                                                                                                                                                                                                        | Optional   | 'default'                                    |\n| `redirect_uri_domain`   | [FQDN](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) to use in the redirect_uri when localhost is not allowed.                                                                                                                                                                       | Optional   | localhost                                    |\n| `redirect_uri_endpoint` | Custom endpoint that will be used as redirect_uri the following way: http://<redirect_uri_domain>:<redirect_uri_port>/<redirect_uri_endpoint>.                                                                                                                                                    | Optional   | ''                                           |\n| `redirect_uri_port`     | The port on which the server listening for the OAuth 2 token will be started.                                                                                                                                                                                                                     | Optional   | 5000                                         |\n| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional   | 60                                           |\n| `header_name`           | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional   | Authorization                                |\n| `header_value`          | Format used to send the token value. \"{token}\" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional   | Bearer {token}                               |\n\nAny other parameter will be put as query parameter in the authorization URL.        \n\nUsual extra parameters are:\n        \n| Name            | Description                                                          |\n|:----------------|:---------------------------------------------------------------------|\n| `prompt`        | none to avoid prompting the user if a session is already opened.     |\n\n### Managing token cache\n\nTo avoid asking for a new token every new request, a token cache is used.\n\nDefault cache is in memory, but it is also possible to use a physical cache.\n\nYou need to provide the location of your token cache file. It can be a full or relative path (`str` or `pathlib.Path).\n\nIf the file already exists it will be used, if the file do not exist it will be created.\n\n```python\nfrom requests_auth import OAuth2, JsonTokenFileCache\n\nOAuth2.token_cache = JsonTokenFileCache('path/to/my_token_cache.json')\n```\n\n### Managing the web browser\n\nYou can configure the browser display settings thanks to `requests_auth.OAuth2.display` as in the following:\n```python\nfrom requests_auth import OAuth2, DisplaySettings\n\nOAuth2.display = DisplaySettings()\n```\n\nThe following parameters can be provided to `DisplaySettings`:\n\n| Name                   | Description                                                                                                                                                                      | Default value |\n|:-----------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|\n| `success_display_time` | In case a code or token is successfully received, this is the maximum amount of milliseconds the success page will be displayed in your browser.                                 | 1             |\n| `success_html`         | In case a code or token is successfully received, this is the success page that will be displayed in your browser. `{display_time}` is expected in this content.                 |               |\n| `failure_display_time` | In case received code or token is not valid, this is the maximum amount of milliseconds the failure page will be displayed in your browser.                                      | 10_000        |\n| `failure_html`         | In case received code or token is not valid, this is the failure page that will be displayed in your browser. `{information}` and `{display_time}` are expected in this content. |               |\n\n## API key in header\n\nYou can send an API key inside the header of your request using `requests_auth.HeaderApiKey`.\n\n```python\nimport requests\nfrom requests_auth import HeaderApiKey\n\nrequests.get('https://www.example.com', auth=HeaderApiKey('my_api_key'))\n```\n\n### Parameters\n\n| Name                    | Description                    | Mandatory | Default value |\n|:------------------------|:-------------------------------|:----------|:--------------|\n| `api_key`               | The API key that will be sent. | Mandatory |               |\n| `header_name`           | Name of the header field.      | Optional  | \"X-API-Key\"   |\n\n## API key in query\n\nYou can send an API key inside the query parameters of your request using `requests_auth.QueryApiKey`.\n\n```python\nimport requests\nfrom requests_auth import QueryApiKey\n\nrequests.get('https://www.example.com', auth=QueryApiKey('my_api_key'))\n```\n\n### Parameters\n\n| Name                    | Description                    | Mandatory | Default value |\n|:------------------------|:-------------------------------|:----------|:--------------|\n| `api_key`               | The API key that will be sent. | Mandatory |               |\n| `query_parameter_name`  | Name of the query parameter.   | Optional  | \"api_key\"     |\n\n## Basic\n\nYou can use basic authentication using `requests_auth.Basic`.\n\nThe only advantage of using this class instead of `requests` native support of basic authentication, is to be able to use it in [multiple authentication](#multiple-authentication-at-once).\n\n```python\nimport requests\nfrom requests_auth import Basic\n\nrequests.get('https://www.example.com', auth=Basic('username', 'password'))\n```\n\n### Parameters\n\n| Name                    | Description                    | Mandatory | Default value |\n|:------------------------|:-------------------------------|:----------|:--------------|\n| `username`              | User name.                     | Mandatory |               |\n| `password`              | User password.                 | Mandatory |               |\n\n## NTLM\n\nRequires [`requests-negotiate-sspi` module][4] or [`requests_ntlm` module][5] depending on provided parameters.\n\nYou can use Windows authentication using `requests_auth.NTLM`.\n\n```python\nimport requests\nfrom requests_auth import NTLM\n\nrequests.get('https://www.example.com', auth=NTLM())\n```\n\n### Parameters\n\n| Name                    | Description                    | Mandatory | Default value |\n|:------------------------|:-------------------------------|:----------|:--------------|\n| `username`              | User name.                     | Mandatory if `requests_negotiate_sspi` module is not installed. In such a case `requests_ntlm` module is mandatory. |               |\n| `password`              | User password.                 | Mandatory if `requests_negotiate_sspi` module is not installed. In such a case `requests_ntlm` module is mandatory. |               |\n\n## Multiple authentication at once\n\nYou can also use a combination of authentication using `+` or `&` as in the following sample:\n\n```python\nimport requests\nfrom requests_auth import HeaderApiKey, OAuth2Implicit\n\napi_key = HeaderApiKey('my_api_key')\noauth2 = OAuth2Implicit('https://www.example.com')\nrequests.get('https://www.example.com', auth=api_key + oauth2)\n```\n\nThis is supported on every authentication class exposed by `requests_auth`, but you can also enable it on your own authentication classes by using `requests_auth.SupportMultiAuth` as in the following sample:\n\n```python\nfrom requests_auth import SupportMultiAuth\n# TODO Import your own auth here\nfrom my_package import MyAuth\n\nclass MyMultiAuth(MyAuth, SupportMultiAuth):\n    pass\n```\n\n## Available pytest fixtures\n\nTesting the code using `requests_auth` authentication classes can be achieved using provided [`pytest`][6] fixtures.\n\n### token_cache_mock\n\n```python\nfrom requests_auth.testing import token_cache_mock, token_mock\n\ndef test_something(token_cache_mock):\n    # perform code using authentication\n    pass\n```\n\nUse this fixture to mock authentication success for any of the following classes:\n * OAuth2AuthorizationCodePKCE\n * OktaAuthorizationCodePKCE\n * OAuth2Implicit\n * OktaImplicit\n * OktaImplicitIdToken\n * AzureActiveDirectoryImplicit\n * AzureActiveDirectoryImplicitIdToken\n * OAuth2AuthorizationCode\n * OktaAuthorizationCode\n * OAuth2ClientCredentials\n * OktaClientCredentials\n * OAuth2ResourceOwnerPasswordCredentials,\n\nBy default, an access token with value `2YotnFZFEjr1zCsicMWpAA` is generated.\n\nYou can however return your custom token by providing your own `token_mock` fixture as in the following sample:\n\n```python\nimport pytest\n\nfrom requests_auth.testing import token_cache_mock\n\n\n@pytest.fixture\ndef token_mock() -> str:\n    return \"MyCustomTokenValue\"\n\n\ndef test_something(token_cache_mock):\n    # perform code using authentication\n    pass\n```\n\nYou can even return a more complex token by using the `create_token` function.\n\nNote that [`pyjwt`](https://pypi.org/project/PyJWT/) is a required dependency in this case as it is used to generate the token returned by the authentication.\n\n```python\nimport pytest\n\nfrom requests_auth.testing import token_cache_mock, create_token\n\n\n@pytest.fixture\ndef token_mock() -> str:\n    expiry = None  # TODO Compute your expiry\n    return create_token(expiry)\n\n\ndef test_something(token_cache_mock):\n    # perform code using authentication\n    pass\n```\n\n### Advanced testing\n\n#### token_cache\n\nThis [`pytest`][6] fixture will return the token cache and ensure it is reset at the end of the test case.\n\n```python\nfrom requests_auth.testing import token_cache\n\ndef test_something(token_cache):\n    # perform code using authentication\n    pass\n```\n\n#### browser_mock\n\nThis [`pytest`][6] fixture will allow to mock the behavior of a web browser.\n\nWith this [`pytest`][6] fixture you will be allowed to fine tune your authentication related failures handling.\n\n[`pyjwt`](https://pypi.org/project/PyJWT/) is a required dependency if you use `create_token` helper function.\n\n```python\nimport datetime\n\nfrom requests_auth.testing import browser_mock, BrowserMock, create_token\n\ndef test_something(browser_mock: BrowserMock):\n    token_expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=1)\n    token = create_token(token_expiry)\n    tab = browser_mock.add_response(\n        opened_url=\"http://url_opened_by_browser?state=1234\",\n        reply_url=f\"http://localhost:5000#access_token={token}&state=1234\",\n    )\n\n    # perform code using authentication\n\n    tab.assert_success()\n```\n\n## Endorsements\n\n> I love requests_auth. As a ~15 year pythonista, this library makes working with OAuth services a breeze. <333\n\n**Randall Degges**, Head of Evangelism, [Okta](https://developer.okta.com)\n\n[1]: https://pypi.python.org/pypi/requests \"requests module\"\n[2]: https://2.python-requests.org/en/master/user/authentication/ \"authentication parameter on requests module\"\n[3]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken \"OpenID ID Token specifications\"\n[4]: https://pypi.python.org/pypi/requests-negotiate-sspi \"requests-negotiate-sspi module\"\n[5]: https://pypi.python.org/pypi/requests_ntlm \"requests_ntlm module\"\n[6]: https://docs.pytest.org/en/latest/ \"pytest module\"\n",
    "bugtrack_url": null,
    "license": "MIT License  Copyright (c) 2024 Colin Bounouar  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.  THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ",
    "summary": "Authentication for Requests",
    "version": "8.0.0",
    "project_urls": {
        "changelog": "https://github.com/Colin-b/requests_auth/blob/master/CHANGELOG.md",
        "documentation": "https://colin-b.github.io/requests_auth/",
        "issues": "https://github.com/Colin-b/requests_auth/issues",
        "repository": "https://github.com/Colin-b/requests_auth"
    },
    "split_keywords": [
        "authentication",
        " ntlm",
        " oauth2",
        " okta",
        " aad",
        " entra"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "6dc6a586233b044203b9faec662ed147421730fcbd16040c72753445abd8dced",
                "md5": "d3de0b02cfa8d1d999d38290e5eb207c",
                "sha256": "7faf0c58cadb61d2398fed9ea412a38641d70a856b1db25db281f9057194f1ca"
            },
            "downloads": -1,
            "filename": "requests_auth-8.0.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "d3de0b02cfa8d1d999d38290e5eb207c",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.8",
            "size": 39432,
            "upload_time": "2024-06-18T18:50:02",
            "upload_time_iso_8601": "2024-06-18T18:50:02.733397Z",
            "url": "https://files.pythonhosted.org/packages/6d/c6/a586233b044203b9faec662ed147421730fcbd16040c72753445abd8dced/requests_auth-8.0.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "2bc73a1119e11477e789bf4a75cadf9c09cf3b6fd7df3c38011a71583346762b",
                "md5": "f20a96e6c1a647dad4bcfadf257f02dc",
                "sha256": "ca2f2126d8a41e1d1615faa8cf8d5d62ea01d705f9ee99f470b9a44abd5dee82"
            },
            "downloads": -1,
            "filename": "requests_auth-8.0.0.tar.gz",
            "has_sig": false,
            "md5_digest": "f20a96e6c1a647dad4bcfadf257f02dc",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.8",
            "size": 80146,
            "upload_time": "2024-06-18T18:50:05",
            "upload_time_iso_8601": "2024-06-18T18:50:05.014379Z",
            "url": "https://files.pythonhosted.org/packages/2b/c7/3a1119e11477e789bf4a75cadf9c09cf3b6fd7df3c38011a71583346762b/requests_auth-8.0.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-06-18 18:50:05",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "Colin-b",
    "github_project": "requests_auth",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "requests-auth"
}
        
Elapsed time: 0.26352s