atoti.config.authentication.oidc module
- class atoti.config.authentication.oidc.OidcConfig(provider_id, issuer_url, client_id, client_secret, use_client_secret_as_certificate=False, name_claim=None, paths_to_authorities=None, roles_claims=(), scopes=(), role_mapping=None)
The configuration to connect to an OpenID Connect authentication provider (Auth0, Google, Keycloak, etc.).
The user's roles are defined using OidcSecurity.

Example

>>> config = {
...     "authentication": {
...         "oidc": {
...             "provider_id": "auth0",
...             "issuer_url": "https://example.auth0.com",
...             "client_id": "some client ID",
...             "client_secret": "some client secret",
...             "name_claim": "email",
...             "scopes": ["email", "profile"],
...             "roles_claims": [
...                 "https://example:com/roles",
...                 ["other", "path", "to", "roles"],
...             ],
...         }
...     }
... }
- issuer_url: str
The issuer URL parameter from the provider’s OpenID Connect configuration endpoint.
- name_claim: Optional[str] = None
The name of the claim in the ID token to use as the name of the user.
- paths_to_authorities: Optional[Iterable[str]] = None
The path to the authorities to use in atoti in the returned access token or ID token.
Warning: This configuration option is deprecated. Use roles_claims instead.
- provider_id: str
The name of the provider.
It is used to build the redirect URL: f"{session_url}/login/oauth2/code/{provider_id}".
- role_mapping: Optional[Mapping[str, Iterable[str]]] = None
The mapping between the roles returned by the authentication provider and the roles to grant in atoti.
Users without the role ROLE_USER will not have access to the application.
Warning: This configuration option is deprecated. Use atoti_plus.security.OidcSecurity.role_mapping instead.
- roles_claims: Iterable[Union[str, Iterable[str]]] = ()
The claims of the ID token from which to extract roles to use as keys in the role_mapping.
When the elements of the sequence are also sequences, the inner elements will be used as a path pointing to a nested value in the token.
- use_client_secret_as_certificate: bool = False
If True, the passed client_secret must be a client certificate instead of a random secret. This client certificate will be passed in the X-Cert header of the request made to the OIDC provider to retrieve an access token.
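The following is an added illustration, not atoti's own code, of how the roles_claims and role_mapping options described above relate to a decoded ID token: a plain string names a top-level claim, a sequence is a path into nested claim objects, and the resulting provider roles are mapped onto atoti roles, of which ROLE_USER is required for access. The claims dictionary is constructed for the example; the choice to drop provider roles that are absent from the mapping is an assumption.

```python
from collections.abc import Iterable, Mapping
from typing import Any, Union

# Constructed, already-decoded ID-token claims (the payload after signature
# verification); not a real token and not tied to any real provider.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "email": "alice@example.com",
    "https://example:com/roles": ["admin"],
    "other": {"path": {"to": {"roles": ["analyst", "ROLE_USER"]}}},
}

RolesClaim = Union[str, Iterable[str]]


def lookup_claim(claims: Mapping[str, Any], claim: RolesClaim) -> list[str]:
    """Resolve one roles_claims entry: a str is a top-level key, a sequence
    is a path through nested objects. A missing key yields no roles."""
    keys = [claim] if isinstance(claim, str) else list(claim)
    value: Any = claims
    for key in keys:
        if not isinstance(value, Mapping) or key not in value:
            return []
        value = value[key]
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value] if isinstance(value, Iterable) else []


def provider_roles(claims: Mapping[str, Any], roles_claims: Iterable[RolesClaim]) -> set[str]:
    """Union of the roles found under every configured roles claim."""
    roles: set[str] = set()
    for claim in roles_claims:
        roles.update(lookup_claim(claims, claim))
    return roles


def granted_roles(claims, roles_claims, role_mapping: Mapping[str, Iterable[str]]) -> set[str]:
    """Translate provider roles into atoti roles via role_mapping.
    Assumption: provider roles with no mapping entry grant nothing."""
    granted: set[str] = set()
    for role in provider_roles(claims, roles_claims):
        granted.update(role_mapping.get(role, ()))
    return granted


def has_access(granted: set[str]) -> bool:
    """Access requires ROLE_USER among the granted atoti roles."""
    return "ROLE_USER" in granted
```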