atoti.config.authentication.oidc module

class atoti.config.authentication.oidc.OidcConfig(provider_id, issuer_url, client_id, client_secret, name_claim=None, paths_to_authorities=None, roles_claims=None, scopes=None, role_mapping=None)

The configuration to connect to an OpenID Connect authentication provider (Auth0, Google, Keycloak, etc.).


>>> config = {
...     "authentication": {
...         "oidc": {
...             "provider_id": "auth0",
...             "issuer_url": "",
...             "client_id": "some client ID",
...             "client_secret": "some client secret",
...             "name_claim": "email",
...             "scopes": ["email", "profile"],
...             "roles_claims": [
...                 "https://example.com/roles",
...                 ["other", "path", "to", "roles"],
...             ],
...             "role_mapping": {
...                 "dev_team": ["ROLE_USER", "ROLE_DEV"],
...                 "admin": ["ROLE_ADMIN"],
...             },
...         }
...     }
... }

client_id: str

The app’s client ID, obtained from the authentication provider.

client_secret: str

The app’s client secret, obtained from the authentication provider.

issuer_url: str

The issuer URL parameter from the provider’s OpenID Connect configuration endpoint.

name_claim: Optional[str] = None

The name of the claim in the ID token to use as the name of the user.

paths_to_authorities: Optional[Sequence[str]] = None

The paths, in the returned access token or ID token, to the authorities to use in atoti.

This configuration option is deprecated, roles_claims should be used instead.

provider_id: str

The name of the provider.

It is used to build the redirect URL: f"{session_url}/login/oauth2/code/{provider_id}".

role_mapping: Optional[Mapping[str, Sequence[str]]] = None

The mapping between the roles returned by the authentication provider and the roles to grant in atoti.

Users without the role ROLE_USER will not have access to the application.

roles_claims: Optional[Sequence[Union[str, Sequence[str]]]] = None

The claims of the ID token from which to extract roles to use as keys in the role_mapping.

When the elements of the sequence are also sequences, the inner elements will be used as a path pointing to a nested value in the token.
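The following added example models how roles_claims, role_mapping and name_claim combine once the ID token has been verified and decoded. It is an illustration written for this page, not atoti's own implementation: the decoded token payload is constructed, the helper names (lookup_claim, provider_roles, granted_roles, can_access, user_name) are assumptions, and the only behaviour it encodes is what the attribute descriptions above state: a plain string in roles_claims names a top-level claim, a sequence of strings is walked as a nested path, provider roles are translated through role_mapping, and a user who does not end up with ROLE_USER gets no access. In this model a provider role absent from role_mapping grants nothing, so the mapping doubles as an allow-list.

```python
from __future__ import annotations

from typing import Any, Mapping, Sequence, Union

ClaimPath = Union[str, Sequence[str]]

# Constructed decoded ID-token payload, i.e. the JSON claims *after* the
# token's signature and issuer have been verified. Assumed for illustration.
SAMPLE_ID_TOKEN: dict[str, Any] = {
    "iss": "https://issuer.example.com/",
    "sub": "user-123",
    "email": "alice@example.com",
    # flat custom claim: referenced by a plain string in roles_claims
    "https://example.com/roles": ["dev_team"],
    # nested claim: referenced by a sequence of keys in roles_claims
    "other": {"path": {"to": {"roles": ["admin"]}}},
}

# The relevant part of the page's example configuration.
OIDC_CONFIG: dict[str, Any] = {
    "name_claim": "email",
    "roles_claims": [
        "https://example.com/roles",
        ["other", "path", "to", "roles"],
    ],
    "role_mapping": {
        "dev_team": ["ROLE_USER", "ROLE_DEV"],
        "admin": ["ROLE_ADMIN"],
    },
}


def lookup_claim(token: Mapping[str, Any], path: ClaimPath) -> Any:
    """Resolve one roles_claims entry against the decoded token.

    A str is a top-level claim name; a sequence of str is walked as a path
    into nested JSON objects. A missing key yields None instead of raising.
    """
    if isinstance(path, str):
        return token.get(path)
    node: Any = token
    for key in path:
        if not isinstance(node, Mapping) or key not in node:
            return None
        node = node[key]
    return node


def provider_roles(token: Mapping[str, Any], roles_claims: Sequence[ClaimPath]) -> set[str]:
    """Collect the raw role names the provider placed in the token."""
    roles: set[str] = set()
    for path in roles_claims:
        value = lookup_claim(token, path)
        if value is None:
            continue
        # A claim may carry a single role as a string or several as a list.
        if isinstance(value, str):
            roles.add(value)
        else:
            roles.update(str(item) for item in value)
    return roles


def granted_roles(token: Mapping[str, Any], config: Mapping[str, Any]) -> set[str]:
    """Apply role_mapping: only provider roles listed in the mapping grant anything."""
    mapping: Mapping[str, Sequence[str]] = config["role_mapping"]
    granted: set[str] = set()
    for role in provider_roles(token, config["roles_claims"]):
        granted.update(mapping.get(role, ()))
    return granted


def can_access(granted: set[str]) -> bool:
    """The documented gate: without ROLE_USER there is no access to the application."""
    return "ROLE_USER" in granted


def user_name(token: Mapping[str, Any], config: Mapping[str, Any]) -> str | None:
    """The user's display name is taken from the claim named by name_claim."""
    return token.get(config["name_claim"])


if __name__ == "__main__":
    roles = granted_roles(SAMPLE_ID_TOKEN, OIDC_CONFIG)
    print(user_name(SAMPLE_ID_TOKEN, OIDC_CONFIG), sorted(roles), can_access(roles))
```

Running the block resolves both claim paths, grants ROLE_USER, ROLE_DEV and ROLE_ADMIN to the sample user and admits them. A token that carries only the "admin" provider role is mapped to ROLE_ADMIN alone and is still refused, which is the easy misconfiguration to watch for when writing role_mapping: every role that should be able to log in must map to ROLE_USER, not just to its own role.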

scopes: Optional[Sequence[str]] = None

The scopes to request from the authentication provider.