OIDCAuthorization

pydantic model gafaelfawr.models.oidc.OIDCAuthorization

Represents an authorization for an OpenID Connect client.

This is the object created during login and stored in Redis. The returned authorization code points to it and allows it to be retrieved so that an OpenID Connect client can redeem the code for a JWT.

Notes

The authorization code is represented by the OIDCAuthorizationCode class, which functions the same as, and has the same security properties as, a Token.

The underlying user data is not stored directly in the entry for the code. Instead, it stores the user’s token for which the code was issued, and from which the user’s data can be retrieved.

Parameters:

data (Any)

Show JSON schema

{
   "title": "OIDCAuthorization",
   "description": "Represents an authorization for an OpenID Connect client.\n\nThis is the object created during login and stored in Redis.  The returned\nauthorization code points to it and allows it to be retrieved so that an\nOpenID Connect client can redeem the code for a JWT.\n\nNotes\n-----\nThe authorization code is represented by the `OIDCAuthorizationCode`\nclass, which functions the same as, and has the same security properties\nas, a `~gafaelfawr.models.token.Token`.\n\nThe underlying user data is not stored directly in the entry for the code.\nInstead, it stores the user's token for which the code was issued, and\nfrom which the user's data can be retrieved.",
   "type": "object",
   "properties": {
      "code": {
         "$ref": "#/$defs/OIDCAuthorizationCode",
         "title": "The authorization code"
      },
      "client_id": {
         "title": "The client that is allowed to use this authorization",
         "type": "string"
      },
      "redirect_uri": {
         "title": "The redirect URI for which this authorization is intended",
         "type": "string"
      },
      "token": {
         "$ref": "#/$defs/Token",
         "title": "The underlying authentication token for the user"
      },
      "created_at": {
         "$ref": "#/$defs/Timestamp",
         "title": "When the authorization was created"
      },
      "scopes": {
         "default": [
            "openid"
         ],
         "items": {
            "$ref": "#/$defs/OIDCScope"
         },
         "title": "Requested scopes",
         "type": "array"
      },
      "nonce": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "description": "Nonce to include in the issued ID token for either replay protection or to bind the ID token to a client session",
         "title": "Client-provided nonce"
      }
   },
   "$defs": {
      "OIDCAuthorizationCode": {
         "description": "An OpenID Connect authorization code.\n\nVery similar to a `~gafaelfawr.models.token.Token` in behavior, but with a\ndifferent serialization and a different type.",
         "properties": {
            "key": {
               "title": "Key",
               "type": "string"
            },
            "secret": {
               "title": "Secret",
               "type": "string"
            }
         },
         "title": "OIDCAuthorizationCode",
         "type": "object"
      },
      "OIDCScope": {
         "description": "A recognized OpenID Connect scope.\n\nThis should not be directly exposed in the model of any endpoint. Instead,\nthe `str` scope parameter should be parsed with the ``parse_scopes`` class\nmethod to yield a list of `OIDCScope` objects.",
         "enum": [
            "openid",
            "profile",
            "email",
            "rubin"
         ],
         "title": "OIDCScope",
         "type": "string"
      },
      "Timestamp": {
         "$ref": "#/$defs/UtcDatetime"
      },
      "Token": {
         "description": "An opaque token.\n\nNotes\n-----\nA token consists of two parts, a semi-public key that is used as the Redis\nkey, and a secret that is only present in the token returned to the user\nand the encrypted session in Redis.\n\nThe serialized form of a token always starts with ``gt-``, short for\nGafaelfawr token, to make it easier to identify these tokens in logs.\n\nThe serialized form encodes the secret in URL-safe base64 with the padding\nstripped off (because equal signs can be parsed oddly in cookies).",
         "properties": {
            "key": {
               "title": "Key",
               "type": "string"
            },
            "secret": {
               "title": "Secret",
               "type": "string"
            }
         },
         "title": "Token",
         "type": "object"
      },
      "UtcDatetime": {
         "format": "date-time",
         "type": "string"
      }
   },
   "required": [
      "client_id",
      "redirect_uri",
      "token"
   ]
}

Fields:

• client_id (str)

• code (gafaelfawr.models.oidc.OIDCAuthorizationCode)

• created_at (Timestamp)

• nonce (str | None)

• redirect_uri (str)

• scopes (list[gafaelfawr.models.oidc.OIDCScope])

• token (gafaelfawr.models.token.Token)

field client_id: str [Required]

field code: OIDCAuthorizationCode [Optional]

field created_at: Timestamp [Optional]

field nonce: str | None = None

Nonce to include in the issued ID token for either replay protection or to bind the ID token to a client session

field redirect_uri: str [Required]

field scopes: list[OIDCScope] = [OIDCScope.openid]

field token: Token [Required]

property lifetime: int

The object lifetime in seconds.