OIDCConfig

pydantic settings gafaelfawr.config.OIDCConfig

Configuration for a generic OpenID Connect authentication provider.

Parameters:
  • _case_sensitive (bool | None, default: None)

  • _nested_model_default_partial_update (bool | None, default: None)

  • _env_prefix (str | None, default: None)

  • _env_file (Union[Path, str, Sequence[Union[Path, str]], None], default: PosixPath('.'))

  • _env_file_encoding (str | None, default: None)

  • _env_ignore_empty (bool | None, default: None)

  • _env_nested_delimiter (str | None, default: None)

  • _env_parse_none_str (str | None, default: None)

  • _env_parse_enums (bool | None, default: None)

  • _cli_prog_name (str | None, default: None)

  • _cli_parse_args (bool | list[str] | tuple[str, ...] | None, default: None)

  • _cli_settings_source (Optional[CliSettingsSource[Any]], default: None)

  • _cli_parse_none_str (str | None, default: None)

  • _cli_hide_none_type (bool | None, default: None)

  • _cli_avoid_json (bool | None, default: None)

  • _cli_enforce_required (bool | None, default: None)

  • _cli_use_class_docs_for_groups (bool | None, default: None)

  • _cli_exit_on_error (bool | None, default: None)

  • _cli_prefix (str | None, default: None)

  • _cli_flag_prefix_char (str | None, default: None)

  • _cli_implicit_flags (bool | None, default: None)

  • _cli_ignore_unknown_args (bool | None, default: None)

  • _cli_kebab_case (bool | None, default: None)

  • _secrets_dir (Union[Path, str, Sequence[Union[Path, str]], None], default: None)

  • values (Any)

field audience: str [Required]

Value of audience (aud) claim to expect. If not set, defaults to the client ID.

Validated by:
  • _validate_audience

field clientId: str [Required] (name 'client_id')

Client ID for talking to the OpenID Connect provider

field clientSecret: SecretStr [Required] (name 'client_secret')

Secret for talking to the OpenID Connect provider

field enrollmentUrl: HttpUrl | None = None (name 'enrollment_url')

If LDAP username lookup is configured (using ldap.username_base_dn) and the user could not be found, redirect the user, after login, to this URL so that they can register

field issuer: str [Required]

Expected issuer claim (iss) of the ID token

field loginParams: dict[str, str] = {} (name 'login_params')

Additional parameters to the login URL

field loginUrl: HttpUrl [Required] (name 'login_url')

URL to which to send the user to initiate authentication

field redirectUrl: HttpUrl [Required] (name 'redirect_url')

Where the user should be sent after authentication. This must match the URL registered with CILogon. It should be the full URL of the /login route.

field scopes: list[str] = []

Scopes to request from the authentication provider. The openid scope will always be added and does not need to be specified.

field tokenUrl: HttpUrl [Required] (name 'token_url')

URL from which to redeem the authentication code for a token

field usernameClaim: str = 'uid' (name 'username_claim')

OpenID Connect ID token claim containing the username
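The following is an added example, not Gafaelfawr's own code, showing how the issuer, audience (defaulting to the client ID) and usernameClaim settings would be applied to the claims of an ID token. The names `ExpectedClaims`, `ClaimError` and `username_from_claims` are hypothetical, the sample values are constructed, and the token's signature and expiry are assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Any, Optional


class ClaimError(Exception):
    """Raised when ID token claims do not match the configured expectations."""


@dataclass(frozen=True)
class ExpectedClaims:
    # Hypothetical stand-in for the issuer, clientId, audience and
    # usernameClaim settings; not Gafaelfawr's own class.
    issuer: str
    client_id: str
    audience: Optional[str] = None
    username_claim: str = "uid"

    @property
    def effective_audience(self) -> str:
        # Documented behaviour: audience defaults to the client ID.
        return self.audience or self.client_id


def username_from_claims(expected: ExpectedClaims, claims: dict[str, Any]) -> str:
    """Check iss and aud, then return the configured username claim."""
    if claims.get("iss") != expected.issuer:
        raise ClaimError("unexpected issuer")
    aud = claims.get("aud")
    # OpenID Connect allows aud to be a single string or an array of strings.
    if isinstance(aud, str):
        audiences = [aud]
    else:
        audiences = aud if isinstance(aud, list) else []
    if expected.effective_audience not in audiences:
        raise ClaimError("unexpected audience")
    username = claims.get(expected.username_claim)
    if not isinstance(username, str) or not username:
        raise ClaimError(f"missing {expected.username_claim} claim")
    return username


# Constructed sample values, not taken from any real deployment.
EXPECTED = ExpectedClaims(issuer="https://idp.example.org", client_id="example-client")
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.org",
    "aud": ["example-client", "other-service"],
    "uid": "someuser",
}
```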