atoti.config.authentication.oidc module

class atoti.config.authentication.oidc.OidcConfig(provider_id, issuer_url, client_id, client_secret, use_client_secret_as_certificate=False, name_claim=None, paths_to_authorities=None, roles_claims=(), scopes=(), role_mapping=None)

The configuration to connect to an OpenID Connect authentication provider (Auth0, Google, Keycloak, etc.).

The user’s roles are defined using OidcSecurity.


>>> config = {
...     "authentication": {
...         "oidc": {
...             "provider_id": "auth0",
...             "issuer_url": "",
...             "client_id": "some client ID",
...             "client_secret": "some client secret",
...             "name_claim": "email",
...             "scopes": ["email", "profile"],
...             "roles_claims": [
...                 "https://example:com/roles",
...                 ["other", "path", "to", "roles"],
...             ],
...         }
...     }
... }
client_id: str

The app’s client ID, obtained from the authentication provider.

client_secret: str

The app’s client secret, obtained from the authentication provider.

issuer_url: str

The issuer URL parameter from the provider’s OpenID Connect configuration endpoint.

name_claim: Optional[str] = None

The name of the claim in the ID token to use as the name of the user.

paths_to_authorities: Optional[Iterable[str]] = None

The path to the authorities to use in atoti in the returned access token or ID token.


This configuration option is deprecated. Use roles_claims instead.

provider_id: str

The name of the provider.

It is used to build the redirect URL: f"{session_url}/login/oauth2/code/{provider_id}".

role_mapping: Optional[Mapping[str, Iterable[str]]] = None

The mapping between the roles returned by the authentication provider and the roles to grant in atoti.

Users without the role ROLE_USER will not have access to the application.


This configuration option is deprecated. Use instead.

roles_claims: Iterable[Union[str, Iterable[str]]] = ()

The claims of the ID token from which to extract roles to use as keys in the role_mapping.

When the elements of the sequence are also sequences, the inner elements will be used as a path pointing to a nested value in the token.

scopes: Iterable[str] = ()

The scopes to request from the authentication provider.

use_client_secret_as_certificate: bool = False

If True, the passed client_secret must be a client certificate instead of a random secret. This client certificate will be passed in the X-Cert header of the request made to the OIDC provider to retrieve an access token.