atoti.security.oidc_security.OidcSecurity
final class atoti.security.oidc_security.OidcSecurity
Manage OIDC security on the session.
Note
This requires atoti.SecurityConfig.sso to be an instance of OidcConfig.

Example
>>> import os
>>> import atoti as tt
>>> session = tt.Session.start(
...     tt.SessionConfig(
...         port=1234,
...         security=tt.SecurityConfig(
...             sso=tt.OidcConfig(
...                 provider_id="auth0",
...                 issuer_url=os.environ["AUTH0_ISSUER"],
...                 client_id=os.environ["AUTH0_CLIENT_ID"],
...                 client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...                 name_claim="email",
...                 scopes={"email", "profile", "username"},
...                 roles_claims={"https://activeviam.com/roles"},
...             ),
...         ),
...     )
... )
>>> table = session.create_table(
...     "Restrictions example", types={"Country": tt.STRING}
... )
>>> session.security.restrictions.update(
...     {
...         "ROLE_FRANCE": table["Country"] == "France",
...         "ROLE_UK": table["Country"] == "UK",
...     }
... )
Roles from the authentication provider’s ID Token can be mapped to roles in the session:
>>> session.security.oidc.role_mapping.update(
...     {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
... )
>>> session.security.oidc.role_mapping
{'atoti user': frozenset({'ROLE_USER'}), 'France': frozenset({'ROLE_FRANCE'})}
Default roles are granted to users who have neither individual roles nor any role obtained through the mapping:
>>> session.security.oidc.default_roles.add("ROLE_UK")
>>> session.security.oidc.default_roles
{'ROLE_UK'}
The role mapping uses the roles found in the ID Token sent by the authentication provider, read from the claims named in OidcConfig.roles_claims (https://activeviam.com/roles in the example above); the provider must therefore include that claim in the ID Token, not only in the access token or the userinfo response. Because default roles apply to every authenticated user who ends up with no mapped or individual roles, keep them to the least privilege you are willing to give any user the provider authenticates.
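To check what a given ID Token will produce before wiring a provider up, the following added example models the resolution rules stated above (roles read from the roles_claims claims, translated through role_mapping, individual roles added, default roles only when nothing else was granted). It is an illustration written for this page, not atoti's own implementation: the claim name and mappings are the page's example values, the four token payloads are constructed, the function and variable names are hypothetical, and treating individual and mapped roles as additive is an assumption. It also assumes the OIDC layer has already validated the token (signature, issuer, audience, expiry) before its claims are inspected.

```python
from typing import Dict, FrozenSet, Iterable, Mapping, Set

# Configuration values copied from the page's example; the helpers below are an
# added illustration of the documented rules, not atoti code.
ROLES_CLAIMS: Set[str] = {"https://activeviam.com/roles"}
ROLE_MAPPING: Dict[str, Set[str]] = {
    "atoti user": {"ROLE_USER"},
    "France": {"ROLE_FRANCE"},
}
DEFAULT_ROLES: Set[str] = {"ROLE_UK"}


def provider_roles(claims: Mapping[str, object], roles_claims: Iterable[str]) -> Set[str]:
    """Collect provider roles from every configured roles claim.

    A claim may be absent, a single string, or a list of strings. Any other
    shape is ignored rather than guessed at, so a malformed or unexpected
    claim value cannot smuggle roles in.
    """
    roles: Set[str] = set()
    for claim in roles_claims:
        value = claims.get(claim)
        if isinstance(value, str):
            roles.add(value)
        elif isinstance(value, (list, tuple, set, frozenset)):
            roles.update(v for v in value if isinstance(v, str))
    return roles


def resolve_session_roles(
    claims: Mapping[str, object],
    *,
    roles_claims: Iterable[str] = ROLES_CLAIMS,
    role_mapping: Mapping[str, Iterable[str]] = ROLE_MAPPING,
    individual_roles: Iterable[str] = (),
    default_roles: Iterable[str] = DEFAULT_ROLES,
) -> FrozenSet[str]:
    """Return the session roles a user ends up with (hypothetical helper).

    1. provider roles are read from the ID Token claims named in roles_claims;
    2. each provider role is translated through role_mapping; a provider role
       with no mapping entry contributes nothing;
    3. roles granted individually to the user are added (assumed additive);
    4. default_roles apply only if steps 2 and 3 produced nothing at all.

    Assumes the ID Token was already validated by the OIDC layer.
    """
    mapped: Set[str] = set()
    for role in provider_roles(claims, roles_claims):
        mapped.update(role_mapping.get(role, ()))
    granted = set(individual_roles) | mapped
    if not granted:
        granted = set(default_roles)
    return frozenset(granted)


# Constructed ID Token payloads (claims only) for four hypothetical users.
ALICE = {"sub": "auth0|1", "email": "alice@example.com",
         "https://activeviam.com/roles": ["atoti user", "France"]}
BOB = {"sub": "auth0|2", "email": "bob@example.com",
       "https://activeviam.com/roles": []}                 # claim present but empty
CAROL = {"sub": "auth0|3", "email": "carol@example.com"}   # claim missing entirely
DAVE = {"sub": "auth0|4", "email": "dave@example.com",
        "https://activeviam.com/roles": ["Marketing"]}     # provider role with no mapping


if __name__ == "__main__":
    for name, claims in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)]:
        print(name, sorted(resolve_session_roles(claims)))
    # An individual role suppresses the defaults even when no provider role maps.
    print("dave+individual",
          sorted(resolve_session_roles(DAVE, individual_roles={"ROLE_FRANCE"})))
```

Running it shows the point worth checking against your own restrictions: alice gets ROLE_USER and ROLE_FRANCE, while bob, carol and dave all fall through to ROLE_UK, whether the roles claim was empty, absent, or carried a role nobody mapped. Anyone the provider authenticates therefore sees UK data unless something else is granted, which is why the default set should be the minimum you are prepared to hand out.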