OIDCServerConfig

pydantic settings gafaelfawr.config.OIDCServerConfig

Configuration for the OpenID Connect server.

Parameters:

data (Any)

Fields:
field clients: list[OIDCClient] [Required]

Registered OpenID Connect clients

field dataRightsMapping: dict[str, list[str]] = {} (name 'data_rights_mapping')

Mapping of group names to keywords for data releases, indicating that membership in that group grants access to that data release. Used to construct the data_rights claim, which can be requested by asking for the rubin scope.

field enabled: bool = False

Whether to enable the internal OpenID Connect server

field issuer: HttpsUrl [Required]

Issuer (iss) claim in issued JWT tokens

Constraints:
  • max_length = 2083

  • allowed_schemes = ['https']

  • host_required = True

field key: SecretStr [Required]

RSA private key used to sign issued JWTs

field keyId: str = 'gafaelfawr' (name 'key_id')

Key ID (kid) claim in issued JWT tokens, which will also be used to provide the key from the metadata endpoints. Note that Gafaelfawr does not (yet) support key rotation, so while this key ID can be changed, Gafaelfawr has no mechanism to serve the old key as well as the new one with different key IDs.
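The effect of the key-rotation note above, seen from a relying party that picks its verification key by kid from the published key set. This is an added example, not Gafaelfawr code: the RS256 algorithm, the new key ID "gafaelfawr-2", the JWKS contents and the sample tokens are constructed assumptions, and only key selection is shown, not signature verification.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_kid(token: str) -> str:
    """Return the kid from a compact JWT's protected header (no verification)."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if header.get("alg") != "RS256":  # assumed algorithm; reject anything else
        raise ValueError("unexpected alg in JWT header")
    return header["kid"]


def select_jwk(token: str, jwks: dict) -> dict:
    """Pick the published RSA key whose kid matches the token; fail closed."""
    kid = token_kid(token)
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"]
    if len(matches) != 1:
        raise LookupError(f"no unique RSA key with kid {kid!r} in JWKS")
    return matches[0]


def unverifiable_after_change(tokens: list[str], jwks: dict) -> list[str]:
    """Return the kids of outstanding tokens the current JWKS cannot verify."""
    lost = []
    for token in tokens:
        try:
            select_jwk(token, jwks)
        except LookupError:
            lost.append(token_kid(token))
    return lost


def fake_token(kid: str) -> str:
    # Constructed sample: real header shape, placeholder payload and signature.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    return f"{header}.{b64url(b'{}')}.{b64url(b'sig')}"


# Constructed JWKS after keyId changes from "gafaelfawr" to "gafaelfawr-2": one key only.
JWKS_AFTER = {"keys": [
    {"kty": "RSA", "kid": "gafaelfawr-2", "alg": "RS256", "use": "sig", "n": "placeholder", "e": "AQAB"},
]}
OUTSTANDING = [fake_token("gafaelfawr"), fake_token("gafaelfawr-2")]
```

Running unverifiable_after_change(OUTSTANDING, JWKS_AFTER) lists the tokens a client would reject after the change, which is why changing keyId is best timed so that tokens issued under the old key ID have already expired.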

model_post_init(context, /)

This function is meant to behave like a BaseModel method to initialise private attributes.

It takes context as an argument since that’s what pydantic-core passes when calling it.

Args:

  • self: The BaseModel instance.

  • context: The context.

Parameters:
  • self (BaseModel)

  • context (Any)

Return type:

None

property keypair: RSAKeyPair

RSA key pair used for signing JWTs.