atoti_plus.user_service_client.oidc.security module

class atoti_plus.OidcSecurity

Allows mapping roles granted by the authentication provider’s ID Token to the roles to use in the session.

Users who do not have the ROLE_USER session role will not be able to access the session.

Note

This requires OidcConfig to be configured.

Example

>>> import os
>>> import atoti as tt
>>> from atoti_plus import UserServiceClient
>>> session = tt.Session(
...     authentication=tt.OidcConfig(
...         provider_id="auth0",
...         issuer_url=os.environ["AUTH0_ISSUER"],
...         client_id=os.environ["AUTH0_CLIENT_ID"],
...         client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...         name_claim="email",
...         scopes=["email", "profile", "username"],
...         roles_claims=["https://activeviam.com/roles"],
...     ),
...     port=1234,
... )
>>> client = UserServiceClient.from_session(session)
>>> france_role = client.create_role(
...     "ROLE_FRANCE",
...     restrictions={("Restrictions example", "Country"): "France"},
... )
>>> uk_role = client.create_role(
...     "ROLE_UK", restrictions={("Restrictions example", "Country"): "UK"}
... )

Roles from the authentication provider’s ID Token can be mapped to roles in the session:

>>> client.oidc.role_mapping.update(
...     {"atoti user": ["ROLE_USER"], "France": [france_role.name]}
... )
>>> client.oidc.role_mapping
{'atoti user': {'ROLE_USER'}, 'France': {'ROLE_FRANCE'}}

Default roles can be given to users who have no individual or mapped roles granted.

>>> client.oidc.default_roles.add(uk_role.name)
>>> client.oidc.default_roles
{'ROLE_UK'}
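The following is an added illustration of the role-resolution semantics described above, not atoti_plus code: it models in plain Python how provider roles read from the configured roles claims of an ID Token become session roles through `role_mapping`, `default_roles` and individually granted roles, and why a user who only receives default roles without ROLE_USER cannot access the session. The function names and the sample claims are constructed for this example.

```python
# Added illustration of the role-resolution semantics described above; it is
# not atoti_plus code. It models how provider roles from an OIDC ID Token
# become session roles from the three inputs the page names: role_mapping,
# default_roles and individually granted roles. Function names and the
# sample claims used in the usage are constructed for this example.
from typing import Collection, Mapping, Sequence

REQUIRED_SESSION_ROLE = "ROLE_USER"


def token_roles(claims: Mapping[str, object], roles_claims: Sequence[str]) -> set[str]:
    """Collect provider roles from each configured roles claim.

    A claim may hold one string or a list of strings; absent claims are ignored.
    """
    roles: set[str] = set()
    for claim in roles_claims:
        value = claims.get(claim)
        if isinstance(value, str):
            roles.add(value)
        elif isinstance(value, (list, tuple)):
            roles.update(str(v) for v in value)
    return roles


def resolve_session_roles(
    claims: Mapping[str, object],
    *,
    roles_claims: Sequence[str],
    role_mapping: Mapping[str, Collection[str]],
    default_roles: Collection[str],
    individual_roles: Collection[str] = (),
) -> set[str]:
    """Return the session roles for the user described by ``claims``.

    Mapped roles are the union of the targets of every provider role found in
    the token. Default roles apply only when the user ends up with neither
    individual nor mapped roles, as the page states.
    """
    mapped: set[str] = set()
    for provider_role in token_roles(claims, roles_claims):
        mapped.update(role_mapping.get(provider_role, ()))
    granted = set(individual_roles) | mapped
    return granted if granted else set(default_roles)


def can_access_session(session_roles: Collection[str]) -> bool:
    """Only users holding ROLE_USER can access the session."""
    return REQUIRED_SESSION_ROLE in session_roles
```

With the mapping from the example above, a token carrying `["atoti user", "France"]` resolves to `{'ROLE_USER', 'ROLE_FRANCE'}`, while a token whose roles are all unmapped falls back to `{'ROLE_UK'}` and is therefore denied access.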
property default_roles: DefaultRoles
property role_mapping: RoleMapping