atoti.security.oidc_security.OidcSecurity

final class atoti.security.oidc_security.OidcSecurity

Manage OIDC security on the session.

Note

This requires atoti.SecurityConfig.sso to be an instance of OidcConfig.

Example

>>> import os
>>> import atoti as tt
>>> session = tt.Session.start(
...     tt.SessionConfig(
...         port=1234,
...         security=tt.SecurityConfig(
...             sso=tt.OidcConfig(
...                 provider_id="auth0",
...                 issuer_url=os.environ["AUTH0_ISSUER"],
...                 client_id=os.environ["AUTH0_CLIENT_ID"],
...                 client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...                 name_claim="email",
...                 scopes={"email", "profile", "username"},
...                 roles_claims={"https://activeviam.com/roles"},
...             ),
...         ),
...     )
... )
>>> table = session.create_table(
...     "Restrictions example", types={"Country": tt.STRING}
... )
>>> session.security.restrictions.update(
...     {
...         "ROLE_FRANCE": table["Country"] == "France",
...         "ROLE_UK": table["Country"] == "UK",
...     }
... )

Roles from the authentication provider’s ID Token can be mapped to roles in the session:

>>> session.security.oidc.role_mapping.update(
...     {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
... )
>>> session.security.oidc.role_mapping
{'atoti user': frozenset({'ROLE_USER'}), 'France': frozenset({'ROLE_FRANCE'})}

Default roles can be given to users who have been granted neither individual nor mapped roles:

>>> session.security.oidc.default_roles.add("ROLE_UK")
>>> session.security.oidc.default_roles
{'ROLE_UK'}
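The two rules above (provider roles are translated through `role_mapping`, and `default_roles` apply only when a user ends up with no individual and no mapped roles) can be modelled in plain Python. This is an added illustration written for this page, not atoti's own implementation; the ID Token payloads are constructed sample dictionaries, and the claim name and role names are taken from the example above.

```python
from typing import Any, Iterable, Mapping, Set

# Constructed ID Token payloads (decoded claims only, not real tokens).
ID_TOKEN_FRANCE = {
    "sub": "user-1",
    "email": "alice@example.com",
    "https://activeviam.com/roles": ["atoti user", "France"],
}
ID_TOKEN_NO_ROLES = {"sub": "user-2", "email": "bob@example.com"}

# Configuration mirroring the doctest above.
ROLES_CLAIMS = {"https://activeviam.com/roles"}
ROLE_MAPPING = {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
DEFAULT_ROLES = {"ROLE_UK"}


def provider_roles(id_token: Mapping[str, Any], roles_claims: Iterable[str]) -> Set[str]:
    """Collect role names from every configured roles claim.

    A claim may hold one string or a list of strings. Missing claims and
    values of any other type contribute nothing instead of raising.
    """
    roles: Set[str] = set()
    for claim in roles_claims:
        value = id_token.get(claim)
        if isinstance(value, str):
            roles.add(value)
        elif isinstance(value, (list, tuple, set)):
            roles.update(v for v in value if isinstance(v, str))
    return roles


def resolve_session_roles(
    id_token: Mapping[str, Any],
    roles_claims: Iterable[str],
    role_mapping: Mapping[str, Iterable[str]],
    default_roles: Iterable[str],
    individual_roles: Iterable[str] = (),
) -> frozenset:
    """Model of the documented resolution order.

    Provider roles with no entry in role_mapping grant nothing. Mapped roles
    are combined with individually granted roles; only when that union is
    empty do the default roles apply.
    """
    mapped: Set[str] = set()
    for role in provider_roles(id_token, roles_claims):
        mapped.update(role_mapping.get(role, ()))
    granted = mapped | set(individual_roles)
    return frozenset(granted) if granted else frozenset(default_roles)
```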

default_roles

role_mapping

The role mapping is done with the roles included in the ID Token sent by the authentication provider.