OIDCConfig

pydantic settings gafaelfawr.config.OIDCConfig

Configuration for a generic OpenID Connect authentication provider.

Parameters:

• _case_sensitive (bool | None, default: None)

• _env_prefix (str | None, default: None)

• _env_file (Union[Path, str, List[Union[str, Path]], Tuple[Union[Path, str], ...], None], default: PosixPath('.'))

• _env_file_encoding (str | None, default: None)

• _env_ignore_empty (bool | None, default: None)

• _env_nested_delimiter (str | None, default: None)

• _env_parse_none_str (str | None, default: None)

• _secrets_dir (str | Path | None, default: None)

• values (Any)

Fields:

• audience (str)

• clientId (str)

• clientSecret (pydantic.types.SecretStr)

• enrollmentUrl (str | None)

• issuer (str)

• loginParams (dict[str, str])

• loginUrl (str)

• redirectUrl (str)

• scopes (list[str])

• tokenUrl (str)

• usernameClaim (str)

Validators:

• _validate_audience » audience

field audience: str [Required]

Value of audience (aud) claim to expect. If not set, defaults to the client ID.

Validated by:

• _validate_audience

field clientId: str [Required] (name 'client_id')

Client ID for talking to the OpenID Connect provider

field clientSecret: SecretStr [Required] (name 'client_secret')

Secret for talking to the OpenID Connect provider

field enrollmentUrl: HttpUrlString | None = None (name 'enrollment_url')

If LDAP username lookup is configured (using ldap.username_base_dn) and the user could not be found, redirect the user, after login, to this URL so that they can register

field issuer: str [Required]

Expected issuer claim (iss) of the ID token

field loginParams: dict[str, str] = {} (name 'login_params')

Additional parameters to the login URL

field loginUrl: HttpUrlString [Required] (name 'login_url')

URL to which to send the user to initiate authentication

field redirectUrl: HttpUrlString [Required] (name 'redirect_url')

Where the user should be sent after authentication. This must match the URL registered with CILogon. It should be the full URL of the /login route.

field scopes: list[str] = []

Scopes to request from the authentication provider. The openid scope will always be added and does not need to be specified.

field tokenUrl: HttpUrlString [Required] (name 'token_url')

URL from which to redeem the authentication code for a token

field usernameClaim: str = 'uid' (name 'username_claim')

OpenID Connect ID token claim containing the username