Python client library for ID4me protocol - Relying Party side. See:

pip install id4me-rp-client==0.0.24



Python Relying Party client library for ID4me protocol. For details of the protocol, please visit:

Library offers Relying Party functionality for authentication with Identity Authority and claim request from the Identity Agent..

Specification reference

  • Version: 1.0
  • Revision: 02


pip install id4me-rp-client


Register the client and authorize with Identity Authority

from id4me_rp_client import *

# these imports are just needed in this example
from builtins import input
import json
import uuid

registrations = dict()

# a routine to save client registration at authority
def save_authority_registration(auth_name, auth_content):
    registrations[auth_name] = auth_content

# a routine to load client registration at authority
def load_authority_registration(auth_name):
    return registrations[auth_name]

# create client object with basic parameters of your app
client = ID4meClient(
    client_name='Foo app',

    # make a discovery of identity authority and register if needed
    # find_authority and save_authority are optional, but when missing client will be registered each time anew
    ctx = client.get_rp_context(

    # get a link to login routine
    link = client.get_consent_url(
       ID4meClaimRequestProperties(reason='To call you by name'),
       ID4meClaimRequestProperties(essential=True, reason='To be able to contact you'),
                OIDCClaim.email_verified: ID4meClaimRequestProperties(reason='To know if your E-mail was verified'),
    print('Please open the link:\n{}'.format(link))

    # Normally code will arrive as query param on client.validateUrl
    code = input('Please enter code: ')
    # Get ID token
    id_token = client.get_idtoken(context=ctx, code=code)
    print('ID Token:\n{}'.format(json.dumps(id_token, sort_keys=True, indent=4)))
    # Get User Info
    userinfo = client.get_user_info(context=ctx)
    print('User Info:\n{}'.format(json.dumps(userinfo, sort_keys=True, indent=4)))    
except ID4meException as e:
    print('Exception: {}'.format(e))


Resolving ""
Checking TXT record "v=OID1;;"
identity_authority =
registering with new identity authority (
destination =
Please open the link:
Please enter code: >? 9jNXCX9OZ4HQLr2YZWKisw.5mSDkoR-5YJQoTp3f1vuxg
User Info:
    "aud": "hmkzay2riyon4", 
    "email": "", 
    "email_verified": true, 
    "exp": 1538762218, 
    "iat": 1538761918, 
    "id4me.identifier": "", 
    "id4me.identity": "", 
    "iss": "", 
    "nbf": 1538761918, 
    "sub": "uiw3pTRRLVaKJqbnbSwr4EVuhEPTHvRgci91RbhYU2rab/YVDqDmqTKzTVAdDMm+", 
    "updated_at": 1538564738

Requesting custom claims

In order to request a custom claim, it's enough to pass its name as a key in userinfo_claims or id_token_claims parameters of ID4meClient.get_consent_url method.


        link = client.get_consent_url(
           ID4meClaimRequestProperties(essential=True, reason='Test other confusing reason'),
                    'id4me.custom': ID4meClaimRequestProperties(essential=True, reason='Custom claim reason')


version date changes
0.0.24 2019-11-26 NEW FEATURE: Support "none" as "alg" of id_tokenNEW FEATURE: allow override of authority lookupNEW FEATURE: userinfo_signing_required now can be configured in client codeNEW FEATURE: RS384 and RS512 added as supported signature optionsREFACTORING: cleaned up the code of dynamic client registrationBUGFIX: using 'none' algorithms only if supported
0.0.23 2019-10-04 NEW FEATURE: plain JSON user info support addedNEW FEATURE: use of scope parameter instead of claims if not supported by IdPNEW: example code included
0.0.22 2019-07-29 BUGFIX: id4me_rp_client.helper not exported to the release library
0.0.21 2019-07-29 BUGFIX: YXDOMAIN case not properly handledBUGFIX: avoid trying to resolve empty domain namesBUGFIX: added better handling when state is emptyLOGGING: added logging of all exceptions (debug level)
0.0.20 2019-05-23 NEW FEATURE: E-mail address hashing as per spec change proposed in CHANGE: finally deprecated preferred_client_id from registrationNEW FEATURE: timeout configurable via NetworkConfig
0.0.19 2019-03-24 TEST: added Kopano to the integration testBUGFIX: leeway to re-register set to 5 minutes istead of 2 hoursTEST: added password to mojeid test account
0.0.18 2019-03-23 NEW FEATURE: added support for E-mail like identifiers (just replace @ with .)NEW FEATURE: requesting claims with scopeWORKAROUND: accepting token_type as 'Bearer' and 'bearer'BUGFIX: 'tos_uri' assigned properly
0.0.17 2019-03-19 SECURITY FIX: Limited timeouts and size of downloaded data (DOS prevention)SECURITY FIX: Limited recoursion level of distributed claims (DOS prevention)
0.0.16 2019-03-11 MAJOR CHANGE: removed back-compatibility with old _openid record format
0.0.15 2019-02-27 - NEW FEATURE: Automatically re-register expired client registration - explicit parameter to enable/block automatic client registration
0.0.14 2019-02-25 No functional changes. Example code in README fixed
0.0.13 2019-02-25 No functional changes. TEST & EXAMPLE for custom claims added
0.0.12 2019-02-21 BUGFIX: Exception when no encryption used but private key missing
0.0.11 2019-02-21 BUGFIX, error when serializing ID4meContext
0.0.10 2019-02-18 API BREAKING CHANGE: client configuration loading callback moved to client object in order to remove secret data from the ID4meContext which can be in some frameworks sent over cookies