atoti.config.authentication.oidc_config module

class atoti.OidcConfig

The configuration to connect to an OpenID Connect authentication provider (Auth0, Google, Keycloak, etc.).

The user’s roles are defined using OidcSecurity.


>>> auth_config = tt.OidcConfig(
...     provider_id="auth0",
...     issuer_url="",
...     client_id="some client ID",
...     client_secret="some client secret",
...     name_claim="email",
...     scopes=["email", "profile"],
...     roles_claims=[
...         "https://example:com/roles",
...         ["other", "path", "to", "roles"],
...     ],
... )
access_token_format: Literal['jwt', 'opaque'] = 'jwt'

The format of the access tokens delivered by the OIDC provider.

Opaque tokens involve another request to the OIDC provider’s user info endpoint to retrieve the user details. The URL of this user info endpoint will be fetched from the f"{issuer_url}/.well-known/openid-configuration" endpoint.

See also

Opaque tokens can be used with atoti_query.OAuth2ResourceOwnerPasswordAuthentication.

client_id: str

The app’s client ID, obtained from the authentication provider.

client_secret: str

The app’s client secret, obtained from the authentication provider.

issuer_url: str

The issuer URL parameter from the provider’s OpenID Connect configuration endpoint.

name_claim: Optional[str] = None

The name of the claim in the ID token to use as the name of the user.

paths_to_authorities: Optional[Iterable[str]] = None

The path to the authorities to use in atoti in the returned access token or ID token.


This configuration option is deprecated. Use roles_claims instead.

provider_id: str

The name of the provider.

It is used to build the redirect URL: f"{session_url}/login/oauth2/code/{provider_id}".

role_mapping: Optional[Mapping[str, Iterable[str]]] = None

The mapping between the roles returned by the authentication provider and the roles to grant in atoti.

Users without the role ROLE_USER will not have access to the application.


This configuration option is deprecated. Use instead.

roles_claims: Iterable[Union[str, Iterable[str]]] = ()

The claims of the ID token from which to extract roles to use as keys in the role_mapping.

When the elements of the sequence are also sequences, the inner elements will be used as a path pointing to a nested value in the token.

scopes: Iterable[str] = ()

The scopes to request from the authentication provider.

use_client_secret_as_certificate: bool = False

If True, the passed client_secret must be a client certificate instead of a random secret. This client certificate will be passed in the X-Cert header of the request made to the OIDC provider to retrieve an access token.