atoti.config.authentication.oidc module
- class atoti.config.authentication.oidc.OidcConfig(provider_id, issuer_url, client_id, client_secret, name_claim=None, paths_to_authorities=None, roles_claims=None, scopes=None, role_mapping=None)
The configuration to connect to an OpenID Connect authentication provider (Auth0, Google, Keycloak, etc.).
The user’s roles are defined using atoti_plus.security.OidcSecurity.
Example
>>> config = {
...     "authentication": {
...         "oidc": {
...             "provider_id": "auth0",
...             "issuer_url": "https://example.auth0.com",
...             "client_id": "some client ID",
...             "client_secret": "some client secret",
...             "name_claim": "email",
...             "scopes": ["email", "profile"],
...             "roles_claims": [
...                 "https://example:com/roles",
...                 ["other", "path", "to", "roles"],
...             ],
...         }
...     }
... }
- issuer_url: str
The issuer URL parameter from the provider’s OpenID Connect configuration endpoint.
- name_claim: Optional[str] = None
The name of the claim in the ID token to use as the name of the user.
- paths_to_authorities: Optional[Iterable[str]] = None
The path to the authorities to use in atoti in the returned access token or ID token.
Warning: This configuration option is deprecated. Use roles_claims instead.
- provider_id: str
The name of the provider.
It is used to build the redirect URL: f"{session_url}/login/oauth2/code/{provider_id}".
- role_mapping: Optional[Mapping[str, Iterable[str]]] = None
The mapping between the roles returned by the authentication provider and the roles to grant in atoti.
Users without the role ROLE_USER will not have access to the application.
Warning: This configuration option is deprecated. Use atoti_plus.security.OidcSecurity.role_mapping instead.
- roles_claims: Optional[Iterable[Union[str, Iterable[str]]]] = None
The claims of the ID token from which to extract roles to use as keys in the role_mapping. When the elements of the sequence are also sequences, the inner elements will be used as a path pointing to a nested value in the token.
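How roles_claims and role_mapping fit together, as an added example that is not atoti's own code: it walks a constructed decoded ID token payload using the same roles_claims as the example above (a top-level claim name and a path into nested claims), applies a hypothetical role_mapping, and enforces the ROLE_USER access rule. The exact lookup rules (string or list claim values, missing claims contributing nothing, unmapped provider roles granting nothing) are assumptions for this illustration.

```python
from typing import Any, Iterable, Mapping, Sequence, Set, Union

# Constructed sample of a decoded ID token payload (not a real token).
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "auth0|123",
    "email": "alice@example.com",
    "https://example:com/roles": ["analyst"],
    "other": {"path": {"to": {"roles": ["admin", "guest"]}}},
}

# Same roles_claims as the page's example; a string names a top-level claim,
# a sequence is a path to a nested value.
ROLES_CLAIMS = ["https://example:com/roles", ["other", "path", "to", "roles"]]

# Hypothetical provider role -> atoti roles mapping; "guest" is deliberately unmapped.
ROLE_MAPPING = {"analyst": ["ROLE_USER"], "admin": ["ROLE_USER", "ROLE_ADMIN"]}


def _lookup(claims: Mapping[str, Any], claim: Union[str, Sequence[str]]) -> Any:
    """Return the value addressed by `claim`, or None when any step is missing."""
    path = [claim] if isinstance(claim, str) else list(claim)
    node: Any = claims
    for key in path:
        if not isinstance(node, Mapping) or key not in node:
            return None  # assumption: a missing claim yields no roles
        node = node[key]
    return node


def extract_provider_roles(claims: Mapping[str, Any], roles_claims: Iterable[Union[str, Sequence[str]]]) -> Set[str]:
    """Collect the provider roles found under each configured claim or path."""
    roles: Set[str] = set()
    for claim in roles_claims:
        value = _lookup(claims, claim)
        if isinstance(value, str):
            roles.add(value)
        elif isinstance(value, (list, tuple)):
            roles.update(v for v in value if isinstance(v, str))
    return roles


def map_roles(provider_roles: Iterable[str], role_mapping: Mapping[str, Iterable[str]]) -> Set[str]:
    """Translate provider roles into atoti roles; unmapped roles grant nothing."""
    granted: Set[str] = set()
    for role in provider_roles:
        granted.update(role_mapping.get(role, ()))
    return granted


def can_access(granted_roles: Iterable[str]) -> bool:
    """A user needs ROLE_USER to reach the application at all."""
    return "ROLE_USER" in set(granted_roles)
```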