atoti_plus.user_service_client.oidc.security module#
- class atoti_plus.OidcSecurity#
Allows mapping roles granted by the authentication provider’s ID Token to the roles to use in the session.
Users who do not have the ROLE_USER session role will not be able to access the session.
Note
This requires
OidcConfigto be configured.Example
>>> import os >>> from atoti_plus import UserServiceClient >>> session = tt.Session( ... authentication=tt.OidcConfig( ... provider_id="auth0", ... issuer_url=os.environ["AUTH0_ISSUER"], ... client_id=os.environ["AUTH0_CLIENT_ID"], ... client_secret=os.environ["AUTH0_CLIENT_SECRET"], ... name_claim="email", ... scopes=["email", "profile", "username"], ... roles_claims=["https://activeviam:eu:auth0:com/roles"], ... ), ... port=1234, ... ) >>> client = UserServiceClient.from_session(session) >>> france_role = client.create_role( ... "ROLE_FRANCE", ... restrictions={("Restrictions example", "Country"): "France"}, ... ) >>> uk_role = client.create_role( ... "ROLE_UK", restrictions={("Restrictions example", "Country"): "UK"} ... )
Roles from the authentication provider’s ID Token can be mapped to roles in the session:
>>> client.oidc.role_mapping.update( ... {"atoti user": ["ROLE_USER"], "France": [france_role.name]} ... ) >>> client.oidc.role_mapping {'atoti user': {'ROLE_USER'}, 'France': {'ROLE_FRANCE'}}
Default roles can be given to users who had no individual or mapped roles granted.
>>> client.oidc.default_roles.add(uk_role.name) >>> client.oidc.default_roles {'ROLE_UK'}
- property default_roles: DefaultRoles#
- property role_mapping: RoleMapping#