atoti.security.oidc_security.OidcSecurity
final class atoti.security.oidc_security.OidcSecurity
Manage OIDC security on the session.
Note
This requires atoti.SecurityConfig.sso to be an instance of OidcConfig.

Example
>>> import os
>>> import atoti as tt
>>> session_config = tt.SessionConfig(
...     port=1234,
...     security=tt.SecurityConfig(
...         sso=tt.OidcConfig(
...             provider_id="auth0",
...             issuer_url=os.environ["AUTH0_ISSUER"],
...             client_id=os.environ["AUTH0_CLIENT_ID"],
...             client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...             name_claim="email",
...             scopes={"openid", "email", "profile", "username"},
...             roles_claims={"https://activeviam.com/roles"},
...         ),
...     ),
... )
>>> session = tt.Session.start(session_config)
>>> table = session.create_table(
...     "Restrictions example",
...     data_types={"Country": "String"},
... )
>>> session.security.restrictions.update(
...     {
...         "ROLE_FRANCE": table["Country"] == "France",
...         "ROLE_UK": table["Country"] == "UK",
...     }
... )
Roles from the authentication provider’s ID Token can be mapped to roles in the session:
>>> session.security.oidc.role_mapping.update(
...     {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
... )
>>> session.security.oidc.role_mapping
{'atoti user': frozenset({'ROLE_USER'}), 'France': frozenset({'ROLE_FRANCE'})}
Default roles can be given to users who have been granted neither individual nor mapped roles:
>>> session.security.oidc.default_roles.add("ROLE_UK")
>>> session.security.oidc.default_roles
{'ROLE_UK'}
Note that the name claim is required in the access token to identify the user for any client application.
The role mapping is done with the roles included in the ID Token sent by the authentication provider.
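The three rules stated on this page (the user is identified by the name claim of the access token, mapped roles come from the roles claims of the ID Token, and default roles apply only when a user has neither individual nor mapped roles) can be modelled in plain Python to see how they combine. The block below is an added illustration, not atoti's implementation: the `OidcRoleResolver` class, its `individual_roles` attribute, the `build_resolver`/`demo` helpers and the token claims are constructed for this example, while the claim names, the role mapping and the default role are the ones configured above.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Mapping

# Claim names as configured above: name_claim="email", roles_claims={...}.
NAME_CLAIM = "email"
ROLES_CLAIMS = frozenset({"https://activeviam.com/roles"})


@dataclass
class OidcRoleResolver:
    """Hypothetical model of session.security.oidc role resolution (not atoti's code)."""

    # Provider role -> session roles, like session.security.oidc.role_mapping.
    role_mapping: dict[str, frozenset[str]] = field(default_factory=dict)
    # Fallback roles, like session.security.oidc.default_roles.
    default_roles: set[str] = field(default_factory=set)
    # Roles granted to a user directly (assumed attribute for this model).
    individual_roles: dict[str, set[str]] = field(default_factory=dict)

    def identify_user(self, access_token_claims: Mapping[str, object]) -> str:
        """The name claim must be present in the access token; reject tokens without it."""
        username = access_token_claims.get(NAME_CLAIM)
        if not isinstance(username, str) or not username:
            raise ValueError(f"access token lacks the {NAME_CLAIM!r} name claim")
        return username

    def provider_roles(self, id_token_claims: Mapping[str, object]) -> set[str]:
        """Collect roles from every configured roles claim of the ID Token."""
        roles: set[str] = set()
        for claim in ROLES_CLAIMS:
            value = id_token_claims.get(claim, [])
            if isinstance(value, str):  # a single role may arrive as a bare string
                value = [value]
            roles.update(str(role) for role in value)
        return roles

    def resolve(self, access_token_claims, id_token_claims) -> frozenset[str]:
        """Effective session roles: individual + mapped, or defaults when both are empty."""
        username = self.identify_user(access_token_claims)
        mapped: set[str] = set()
        for provider_role in self.provider_roles(id_token_claims):
            # Provider roles without a mapping entry are ignored.
            mapped |= self.role_mapping.get(provider_role, frozenset())
        granted = set(self.individual_roles.get(username, set())) | mapped
        if not granted:
            granted = set(self.default_roles)
        return frozenset(granted)


def build_resolver() -> OidcRoleResolver:
    """Resolver configured with the mapping and default role shown on this page."""
    resolver = OidcRoleResolver(
        role_mapping={
            "atoti user": frozenset({"ROLE_USER"}),
            "France": frozenset({"ROLE_FRANCE"}),
        },
        default_roles={"ROLE_UK"},
    )
    # Constructed: one user holds an individual role, so defaults must not apply to her.
    resolver.individual_roles["carol@example.com"] = {"ROLE_FRANCE"}
    return resolver


def demo() -> dict[str, frozenset[str]]:
    """Resolve roles for three constructed users (all claims are made up for the example)."""
    resolver = build_resolver()
    cases = {
        # Two mapped provider roles -> two session roles.
        "alice@example.com": ["atoti user", "France"],
        # Only an unmapped provider role -> falls back to the default roles.
        "bob@example.com": ["unknown-group"],
        # No roles claim at all, but an individual role -> defaults do not apply.
        "carol@example.com": None,
    }
    results: dict[str, frozenset[str]] = {}
    for email, provider_roles in cases.items():
        access_token = {"email": email}
        id_token = {} if provider_roles is None else {"https://activeviam.com/roles": provider_roles}
        results[email] = resolver.resolve(access_token, id_token)
    return results


def rejects_token_without_name_claim() -> bool:
    """True when an access token lacking the name claim is refused."""
    try:
        build_resolver().resolve({"sub": "opaque-subject"}, {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for email, roles in demo().items():
        print(email, sorted(roles))
```

The point of the model is the order of the checks: defaults are consulted only after individual and mapped roles have both turned out empty, so a user with any directly granted role never silently picks up `ROLE_UK`, and an access token without the configured name claim is refused before any role is computed.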