OIDCConfig

pydantic settings gafaelfawr.config.OIDCConfig

Configuration for a generic OpenID Connect authentication provider.

field audience: str [Required]

Value of the audience (aud) claim to expect. If not set, defaults to the client ID.

Validated by:
  • _validate_audience

field clientId: str [Required] (name 'client_id')

Client ID for talking to the OpenID Connect provider.

field clientSecret: SecretStr [Required] (name 'client_secret')

Secret for talking to the OpenID Connect provider.

field enrollmentUrl: HttpUrl | None = None (name 'enrollment_url')

If LDAP username lookup is configured (via ldap.username_base_dn) and the user cannot be found, redirect the user to this URL after login so that they can register.

field issuer: str [Required]

Expected issuer claim (iss) of the ID token.

field loginParams: dict[str, str] = {} (name 'login_params')

Additional query parameters to append to the login URL.

field loginUrl: HttpUrl [Required] (name 'login_url')

URL to which the user is sent to initiate authentication.

Constraints:
  • max_length = 2083
  • allowed_schemes = ['http', 'https']

field redirectUrl: HttpUrl [Required] (name 'redirect_url')

Where the user should be sent after authentication. This must match the URL registered with CILogon. It should be the full URL of the /login route.

Constraints:
  • max_length = 2083
  • allowed_schemes = ['http', 'https']

field scopes: list[str] = []

Scopes to request from the authentication provider. The openid scope will always be added and does not need to be specified.

field tokenUrl: HttpUrl [Required] (name 'token_url')

URL from which to redeem the authorization code for a token.

Constraints:
  • max_length = 2083
  • allowed_schemes = ['http', 'https']

field usernameClaim: str = 'uid' (name 'username_claim')

OpenID Connect ID token claim containing the username.
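The following is an added example, not gafaelfawr's own code, showing in plain Python (no pydantic dependency) how the fields documented above govern ID token validation: the iss claim must equal `issuer`, the aud claim must include `audience` (falling back to the client ID when unset), the openid scope is always added to `scopes`, and the username is read from the claim named by `username_claim`. The class `OIDCSettings`, the function `verify_id_token_claims` and the sample claims are constructed for this illustration. The expiration check is the standard OpenID Connect requirement rather than something this page describes, and signature verification of the token is assumed to have happened before these claim checks.

```python
"""Claim checks for an OIDC ID token against an OIDCConfig-like configuration.

Added example; not gafaelfawr's own code. Signature verification is out of scope
and is assumed to have succeeded before these checks run.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass
class OIDCSettings:
    """Constructed stand-in for the documented gafaelfawr.config.OIDCConfig fields."""

    client_id: str
    issuer: str
    audience: str | None = None  # documented behaviour: unset -> client_id
    scopes: list[str] = field(default_factory=list)
    username_claim: str = "uid"

    def expected_audience(self) -> str:
        # "If not set, defaults to the client ID."
        return self.audience or self.client_id

    def requested_scopes(self) -> list[str]:
        # "The openid scope will always be added and does not need to be specified."
        return ["openid", *(s for s in self.scopes if s != "openid")]


def verify_id_token_claims(
    settings: OIDCSettings, claims: dict, now: float | None = None
) -> str:
    """Validate decoded ID token claims against the settings and return the username.

    Raises ValueError on any mismatch so callers fail closed.
    """
    now = time.time() if now is None else now

    # Issuer must match exactly; a token from any other IdP is rejected.
    if claims.get("iss") != settings.issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")

    # Per OIDC Core, aud may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    expected = settings.expected_audience()
    if expected not in audiences:
        raise ValueError(f"audience {audiences!r} does not include {expected!r}")

    # Standard OIDC requirement (not specific to this page): reject expired tokens.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token is expired or has no exp claim")

    # The username comes from the configured claim, 'uid' by default.
    username = claims.get(settings.username_claim)
    if not isinstance(username, str) or not username:
        raise ValueError(f"missing or empty username claim {settings.username_claim!r}")
    return username


if __name__ == "__main__":
    # Constructed sample: a client with no explicit audience and one extra scope.
    settings = OIDCSettings(
        client_id="example-client",
        issuer="https://idp.example.org",
        scopes=["profile"],
    )
    sample_claims = {
        "iss": "https://idp.example.org",
        "aud": ["example-client", "other-app"],
        "exp": 2_000_000_000,
        "uid": "someuser",
    }
    print("scopes to request:", settings.requested_scopes())
    print("username:", verify_id_token_claims(settings, sample_claims, now=1_700_000_000))
```

Because `audience` falls back to `client_id`, a deployment that sets an explicit audience must make sure the provider actually issues tokens with that value, otherwise every login fails closed at the aud check rather than silently accepting tokens minted for a different client.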