OIDCConfig#

class gafaelfawr.config.OIDCConfig(client_id, client_secret, login_url, login_params, redirect_url, token_url, enrollment_url, scopes, issuer, audience, username_claim, uid_claim, gid_claim, groups_claim)#

Bases: object

Configuration for OpenID Connect authentication.

Parameters:

client_id (str) –
client_secret (str) –
login_url (str) –
login_params (Mapping[str, str]) –
redirect_url (str) –
token_url (str) –
enrollment_url (Optional[str]) –
scopes (tuple[str, ...]) –
issuer (str) –
audience (str) –
username_claim (str) –
uid_claim (str) –
gid_claim (Optional[str]) –
groups_claim (str) –

Attributes Summary

`audience`	Expected audience of the ID token.
`client_id`	Client ID for talking to the OpenID Connect provider.
`client_secret`	Secret for talking to the OpenID Connect provider.
`enrollment_url`	URL to which the user should be redirected if not enrolled.
`gid_claim`	Token claim from which to take the primary GID.
`groups_claim`	Token claim from which to take the group membership.
`issuer`	Expected issuer of the ID token.
`login_params`	Additional parameters to the login URL.
`login_url`	URL to which to send the user to initiate authentication.
`redirect_url`	Return URL to which the authentication provider should send the user.
`scopes`	Scopes to request from the authentication provider.
`token_url`	URL at which to redeem the authentication code for a token.
`uid_claim`	Token claim from which to take the UID.
`username_claim`	Token claim from which to take the username.

Attributes Documentation

audience: str#: Expected audience of the ID token.

client_id: str#: Client ID for talking to the OpenID Connect provider.

client_secret: str#: Secret for talking to the OpenID Connect provider.

enrollment_url: Optional[str]#

URL to which the user should be redirected if not enrolled.

If LDAP username lookup is configured (using ldap.username_base_dn) and the user could not be found, redirect the user, after login, to this URL so that they can register.

gid_claim: Optional[str]#: Token claim from which to take the primary GID.

groups_claim: str#: Token claim from which to take the group membership.

issuer: str#: Expected issuer of the ID token.

login_params: Mapping[str, str]#: Additional parameters to the login URL.

login_url: str#: URL to which to send the user to initiate authentication.

redirect_url: str#

Return URL to which the authentication provider should send the user.

This should be the full URL of the /login route of Gafaelfawr.

scopes: tuple[str, ...]#

Scopes to request from the authentication provider.

The openid scope will always be added and does not need to be specified.

token_url: str#: URL at which to redeem the authentication code for a token.

uid_claim: str#: Token claim from which to take the UID.

username_claim: str#: Token claim from which to take the username.