Source code for canaille.oidc.configuration

from pydantic import BaseModel


[docs] class JWTMappingSettings(BaseModel): """Mapping between the user model and the JWT fields. Fields are evaluated with jinja. A ``user`` var is available. """ SUB: str | None = "{{ user.user_name }}" NAME: str | None = ( "{% if user.formatted_name %}{{ user.formatted_name }}{% endif %}" ) PHONE_NUMBER: str | None = ( "{% if user.phone_numbers %}{{ user.phone_numbers[0] }}{% endif %}" ) EMAIL: str | None = ( "{% if user.preferred_email %}{{ user.preferred_email }}{% endif %}" ) GIVEN_NAME: str | None = "{% if user.given_name %}{{ user.given_name }}{% endif %}" FAMILY_NAME: str | None = ( "{% if user.family_name %}{{ user.family_name }}{% endif %}" ) PREFERRED_USERNAME: str | None = ( "{% if user.display_name %}{{ user.display_name }}{% endif %}" ) LOCALE: str | None = ( "{% if user.preferred_language %}{{ user.preferred_language }}{% endif %}" ) ADDRESS: str | None = ( "{% if user.formatted_address %}{{ user.formatted_address }}{% endif %}" ) PICTURE: str | None = ( "{% if user.photo %}{{ url_for('core.account.photo', user=user, field='photo', _external=True) }}{% endif %}" ) WEBSITE: str | None = "{% if user.profile_url %}{{ user.profile_url }}{% endif %}"
[docs] class JWTSettings(BaseModel): """JSON Web Token settings. Belong in the ``CANAILLE_OIDC.JWT`` namespace. You can generate a RSA keypair with:: openssl genrsa -out private.pem 4096 openssl rsa -in private.pem -pubout -outform PEM -out public.pem """ PRIVATE_KEY: str | None = None """The private key. If :py:data:`None` and debug mode is enabled, then an in-memory key will be used. """ PUBLIC_KEY: str | None = None """The public key. If :py:data:`None` and debug mode is enabled, then an in-memory key will be used. """ ISS: str | None = None """The URI of the identity provider.""" KTY: str = "RSA" """The key type.""" ALG: str = "RS256" """The key algorithm.""" EXP: int = 3600 """The time the JWT will be valid, in seconds.""" MAPPING: JWTMappingSettings | None = JWTMappingSettings()
[docs] class OIDCSettings(BaseModel): """OpenID Connect settings. Belong in the ``CANAILLE_OIDC`` namespace. """ DYNAMIC_CLIENT_REGISTRATION_OPEN: bool = False """Whether a token is needed for the RFC7591 dynamical client registration. If :py:data:`True`, no token is needed to register a client. If :py:data:`False`, dynamical client registration needs a token defined in :attr:`DYNAMIC_CLIENT_REGISTRATION_TOKENS`. """ DYNAMIC_CLIENT_REGISTRATION_TOKENS: list[str] | None = None """A list of tokens that can be used for dynamic client registration.""" REQUIRE_NONCE: bool = True """Force the nonce exchange during the authentication flows. This adds security but may not be supported by all clients. """ JWT: JWTSettings = JWTSettings() """JSON Web Token settings."""