OIDCConfig¶

class gafaelfawr.config.OIDCConfig(client_id, client_secret, login_url, login_params, redirect_url, token_url, enrollment_url, scopes, issuer, audience, username_claim, uid_claim, gid_claim, groups_claim)¶

Bases: object

Configuration for OpenID Connect authentication.

Parameters:

client_id (str)
client_secret (str)
login_url (str)
login_params (Mapping[str, str])
redirect_url (str)
token_url (str)
enrollment_url (str | None)
scopes (tuple[str, ...])
issuer (str)
audience (str)
username_claim (str)
uid_claim (str)
gid_claim (str | None)
groups_claim (str)

Attributes Summary

`audience`	Expected audience of the ID token.
`client_id`	Client ID for talking to the OpenID Connect provider.
`client_secret`	Secret for talking to the OpenID Connect provider.
`enrollment_url`	URL to which the user should be redirected if not enrolled.
`gid_claim`	Token claim from which to take the primary GID.
`groups_claim`	Token claim from which to take the group membership.
`issuer`	Expected issuer of the ID token.
`login_params`	Additional parameters to the login URL.
`login_url`	URL to which to send the user to initiate authentication.
`redirect_url`	Return URL to which the authentication provider should send the user.
`scopes`	Scopes to request from the authentication provider.
`token_url`	URL at which to redeem the authentication code for a token.
`uid_claim`	Token claim from which to take the UID.
`username_claim`	Token claim from which to take the username.

Attributes Documentation

audience: str¶: Expected audience of the ID token.

client_id: str¶: Client ID for talking to the OpenID Connect provider.

client_secret: str¶: Secret for talking to the OpenID Connect provider.

enrollment_url: str | None¶

URL to which the user should be redirected if not enrolled.

If LDAP username lookup is configured (using ldap.username_base_dn) and the user could not be found, redirect the user, after login, to this URL so that they can register.

gid_claim: str | None¶: Token claim from which to take the primary GID.

groups_claim: str¶: Token claim from which to take the group membership.

issuer: str¶: Expected issuer of the ID token.

login_params: Mapping[str, str]¶: Additional parameters to the login URL.

login_url: str¶: URL to which to send the user to initiate authentication.

redirect_url: str¶

Return URL to which the authentication provider should send the user.

This should be the full URL of the /login route of Gafaelfawr.

scopes: tuple[str, ...]¶

Scopes to request from the authentication provider.

The openid scope will always be added and does not need to be specified.

token_url: str¶: URL at which to redeem the authentication code for a token.

uid_claim: str¶: Token claim from which to take the UID.

username_claim: str¶: Token claim from which to take the username.