class gafaelfawr.services.userinfo.OIDCUserInfoService(*, config, ldap, firestore, forgerock, logger)

Bases: UserInfoService

Retrieve user metadata from external systems for OIDC authentication.

This is a specialization of UserInfoService when the upstream authentication provider is OpenID Connect. It adds additional methods to extract user information from the OpenID Connect ID token.

  • config (Config) – Gafaelfawr configuration.

  • ldap (LDAPService | None) – LDAP service for user metadata, if LDAP was configured.

  • firestore (FirestoreService | None) – Service for Firestore UID/GID lookups, if Firestore was configured.

  • forgerock (ForgeRockStorage | None) – Service for ForgeRock Identity Management service queries, if ForgeRock was configured.

  • logger (BoundLogger) – Logger to use.

Methods Summary


Return the metadata for a given user.

Methods Documentation

async get_user_info_from_oidc_token(token)

Return the metadata for a given user.

Determine the user’s username, numeric UID, and groups. These may come from LDAP, from Firestore, or some combination, depending on configuration. This is the data that we’ll store with the token data in Redis. It therefore only includes that data if it comes statically from the OIDC tokens of the upstream authentication provider, not if they’re read dynamically from LDAP or generated via Firestore.


token (OIDCVerifiedToken) – The verified ID token from the OpenID Connect provider.


User information derived from external data sources and the provided token.

Return type:


  • LDAPError – Gafaelfawr was configured to get user groups, username, or numeric UID from LDAP, but the attempt failed due to some error.

  • VerifyTokenError – The token is missing required claims, or those claims are invalid.