/integration/user-identity-service/
1.0 Installation
Refer to User Identity Service for instructions on how to install, configure, run and update the service.
3.0 CIBA Authentication
Authenticate with the user's username (OnesID).
3.1 Make CIBA request
To request a BC authentication, POST the username to:
$ curl -X POST -H "Content-Type: application/json" \
-d '{"login_hint": "firstname.lastname@onesid1", "login_message": "Authorize login to Ones", "resource": "http://localhost:8008"}' \
http://localhost:8010/auth/bc
## PENDING
{"auth_req_id":"Ev2GDedXbzRG4Rma6hldvk95gLMGUQzOzzOBR2C2pMB","expires_in":600}
Alternatively, you may define the required scope:
- openid is mandatory
- offline_access to receive a refresh token
- contact and profile are optional
$ curl -X POST -H "Content-Type: application/json" \
-d '{"login_hint": "firstname.lastname@onesid1", "login_message": "Authorize login to OnesPHR", "scope": "openid offline_access contact profile", "resource": "https://your-domain.com"}' \
http://localhost:8010/auth/bc
## PENDING
{"auth_req_id":"Ev2GDedXbzRG4Rma6hldvk95gLMGUQzOzzOBR2C2pMB","expires_in":600}
To check the status of the BC login request:
$ curl http://localhost:8010/auth/bc/Ev2GDedXbzRG4Rma6hldvk95gLMGUQzOzzOBR2C2pMB
## PENDING
{"message":"authorization request is still pending as the end-user hasn't yet completed the user interaction steps","status":"pending"}
## EXPIRED
{"message":"backchannel authentication request is expired","status":"expired"}
## SUCCESS
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6IlhWbHU1OTdTbnNqaVJJak90QmtYM3E2S1hoZ2cySDVRY2p3aFNQWC1EQWcifQ.eyJpZHBfcm9sZSI6Im1hc3RlciIsInVzZXJuYW1lIjoibWFzdGVyLnVzZXJAcGFudGhlcngub3JnIiwibWF0cml4X2lkIjoiQG1hc3Rlci51c2VyOmxvY2FsLmRldiIsImp0aSI6Im1pQVFFT2d5dTFyWTZNS0RRMzZEUSIsInN1YiI6IjUyZTI0MzY2LTBlMWQtNGVkMy1iNmFhLTcwYTExNWE3ZTY0NyIsImlhdCI6MTczNzA0NzY3NCwiZXhwIjoxNzM3MDU0ODc0LCJjbGllbnRfaWQiOiJiYWQxYjdiOS02ZTBiLTQ4OWYtYWM0OS0xMzI2MDMwZjQzOWMiLCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjQwMDAvb2lkYyIsImF1ZCI6IjU1ZTU1YWQ2LTQxNDQtNDk1MS1iNzMzLWI0ZTgwNTg5YTZiNiJ9.AToGNbTyrMLi-H01lQ838zXm7wbD0DZWd3LhW41Bh7mFIj26EMjEjIm9wjT6NOM536kb2seQYNbVJAMDSlVDYU5WIFbbv5YIhdIt3T3qQGhBiV2YfdoNmTaa5ca5AZhJulxHaOcmmcNLZfOOPz2pMve_qxe7wmVyi_FSMCRxJFKQG76Q4Hp78vIBLBWg0tLVaJI2KSzXSrg2-BuQW6kotzejeWo2CGE4X_zGHU_o-rtZJR_HJBzvZf-1b7Fs3m_T0giGB3z8P1QyNSI3sWYpdd3fMLpxN_eT9R52fredWbThIFuGkaWSQvf9GCbA2eW4FFqdPJBbBBrvXxeoVqcQ4w","expires_in":7200,"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlhWbHU1OTdTbnNqaVJJak90QmtYM3E2S1hoZ2cySDVRY2p3aFNQWC1EQWcifQ.….2RkREWIo_nVp_jCaPtrGy7e52OPRycK6xaLBMCnXGrAxsyhsTpYG-WSSrE7RyEdUidRb0wW0_impx1lf-SMqc4y2YsAUwJSVOkCiQCUKKFeRkR-H8Hu7uCZ_zy1ZchBKN6iLXl-BNwDYGcNBFyoF_KlkGCmPKUSNaLuB8GSRolGXaBJfMqTKC-ksHi8Z8VO95KbWyDrIe7ikY8yFaTVe9YMNi36qxB-eSfbDaokwa4cNvurZRi20yvpgG2RpE5NnskEOcUnX28MlIWQm4mcrJwHsraMgkmvMtYm0dz2QA2yuxOz57gcR_SF6TILIjoNDvOPxjrKDyyKmtn4lVzDGLw","scope":"","token_type":"Bearer"}
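A polling client for the status endpoint above, added here as an example and not taken from the User Identity Service code base. It relies on the three response shapes shown above; the names `wait_for_login` and `classify`, the 5-second interval, the `auth_req_id` format check and the handling of non-2xx responses are assumptions of this example.

```python
import json
import re
import time
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8010"  # service address from the curl calls above
# Assumption: auth_req_id is URL-safe base64 text, as in the sample responses.
AUTH_REQ_ID_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def http_get_json(url):
    """Default transport: GET a URL and decode the JSON body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Assumption: status bodies may arrive with a non-2xx code.
        return json.load(err)


def classify(body):
    """Map a status body to 'pending', 'expired', 'success' or 'error'."""
    status = body.get("status")
    if status in ("pending", "expired"):
        return status
    if body.get("access_token") and body.get("token_type") == "Bearer":
        return "success"
    return "error"


def wait_for_login(auth_req_id, expires_in, interval=5, fetch=http_get_json,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll /auth/bc/<auth_req_id>; return (state, body).

    Stops at the expires_in deadline even if the service keeps answering
    'pending', and never interpolates an unchecked id into the URL path.
    """
    if not AUTH_REQ_ID_RE.fullmatch(auth_req_id):
        raise ValueError("unexpected auth_req_id format")
    deadline = clock() + expires_in
    while clock() < deadline:
        body = fetch(f"{BASE_URL}/auth/bc/{auth_req_id}")
        state = classify(body)
        if state != "pending":
            return state, body  # body holds tokens on success: do not log it
        sleep(interval)
    return "expired", {}
```

Pass the `auth_req_id` and `expires_in` values returned by the `POST /auth/bc` call; the `fetch`, `sleep` and `clock` parameters exist so the loop can be exercised without a running service.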
4.0 QR Code Authentication
TODO: Work in progress
5.0 Refresh Session
If you have an access token and its refresh token, refreshing the session is a single request:
$ curl -X POST -H "Content-Type: application/json" \
-d '{"access_token": "r7yn8oyCG3BTxe8GcGnTR1HhTboOusa4_INkjgTs6UV", "refresh_token": "UYJ8_lvjGbil9WWGqC65BaXkiexRN0ope1B2l4ocj_y"}' \
http://localhost:8010/auth/refresh
{"access_token":"PgRTtIPOOI9MzFvbqTV3HY0iRY1ZuoBo6Xslj-o8206","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlhWbHU1OTdTbnNqaVJJak90QmtYM3E2S1hoZ2cySDVRY2p3aFNQWC1EQWcifQ.eyJzdWIiOiI1MmUyNDM2Ni0wZTFkLTRlZDMtYjZhYS03MGExMTVhN2U2NDciLCJhdF9oYXNoIjoiVFVtTGtIcV81UHJLU1l2WTVhaEo5USIsImF1ZCI6ImJhZDFiN2I5LTZlMGItNDg5Zi1hYzQ5LTEzMjYwMzBmNDM5YyIsImV4cCI6MTczNjE1OTc3MiwiaWF0IjoxNzM2MTU2MTcyLCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjQwMDAvb2lkYyJ9.58CxXArBS1Dc0O0tVtAtho8hyYEq9Z1Yz3NfoMuHfYcPabOJ1oiVbNRyxPlnudIGYD6xPk7reZxm1SOUkyx-4nTsKC5Mo3SE6oICORXBVVGC6lh2XhrrDAsbXPQ6mfP1GkQ722R4-HWzL3_MkIqy9muHHv98T1YgZuqftU3zg8AKutju-5SIEK2wQqX1FtvF5AmCrpKNdeflXFaobNf_g-iUC24z6ZHT2URWhwJfU877iAuPkevp0w_vIpZgw44TnaFrMfJqdlBGSonaoTYLcMC7Wxg-ajVSpYSsEfXge_vf-n722JnxY1Yp5DueQN11osq2D-5W5JHE6QW3RQIwkg","refresh_token":"S3o33SE-PfxSrzqIdnybhbCpkjrFpNxzkaO7s2d7VqP","scope":"offline_access openid contact profile","token_type":"Bearer"}
6.0 Usage as library
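from px_user_identity_service import CIBAAuthentication

ciba = CIBAAuthentication()
# Login: start the backchannel request; login_hint_token and login_message are supplied by the caller
login_res = ciba.login(login_hint_token, login_message)
# Status: look up the request by the auth_req_id returned from login
status_res = ciba.status(login_res['auth_req_id'])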
7.0 Troubleshooting
Refer to User Identity Service.