django-oidc-provider/docs/sections/settings.rst

152 lines
4.4 KiB
ReStructuredText
Raw Normal View History

2016-02-11 20:24:34 +00:00
.. _settings:
Settings
########
Customize your provider so fit your project needs.
LOGIN_URL
=========
2016-02-12 19:22:47 +00:00
REQUIRED. ``str``. Used to log the user in. `Read more in Django docs <https://docs.djangoproject.com/en/1.7/ref/settings/#login-url>`_
2016-02-11 20:24:34 +00:00
``str``. Default is ``/accounts/login/``.
2016-05-26 20:05:16 +00:00
SITE_URL
========
OPTIONAL. ``str``. The OP server url.
If not specified will be automatically generated using ``request.scheme`` and ``request.get_host()``.
For example ``http://localhost:8000``.
2016-02-11 20:24:34 +00:00
OIDC_AFTER_USERLOGIN_HOOK
=========================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``str``. A string with the location of your function. Provide a way to plug into the process after the user has logged in, typically to perform some business logic.
2016-02-11 20:24:34 +00:00
Default is::
def default_hook_func(request, user, client):
return None
Return ``None`` if you want to continue with the flow.
The typical situation will be checking some state of the user or maybe redirect him somewhere.
With request you have access to all OIDC parameters. Remember that if you redirect the user to another place then you need to take him back to the authorize endpoint (use ``request.get_full_path()`` as the value for a "next" parameter).
OIDC_CODE_EXPIRE
================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``int``. Code object expiration after been delivered.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Expressed in seconds. Default is ``60*10``.
2016-02-11 20:24:34 +00:00
OIDC_EXTRA_SCOPE_CLAIMS
=======================
2016-05-30 16:28:07 +00:00
OPTIONAL. ``str``. A string with the location of your class. Default is ``oidc_provider.lib.claims.ScopeClaims``.
2016-02-11 20:24:34 +00:00
2016-05-30 16:28:07 +00:00
Used to add extra scopes specific for your app. This class MUST inherit ``ScopeClaims``.
2016-02-11 20:24:34 +00:00
OpenID Connect Clients will use scope values to specify what access privileges are being requested for Access Tokens.
`Here <http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims>`_ you have the standard scopes defined by the protocol.
Check out an example of how to implement it::
2016-05-30 16:28:07 +00:00
from oidc_provider.lib.claims import ScopeClaims
2016-02-11 20:24:34 +00:00
2016-05-30 16:28:07 +00:00
class MyAppScopeClaims(ScopeClaims):
2016-02-11 20:24:34 +00:00
2016-05-30 16:28:07 +00:00
def scope_books(self):
# Here, for example, you can search books for this user.
# self.user - Django user instance.
# self.userinfo - Instance of your custom OIDC_USERINFO class.
# self.scopes - List of scopes requested.
2016-02-11 20:24:34 +00:00
dic = {
'books_readed': books_readed_count,
}
return dic
You can create our own scopes using the convention:
2016-05-30 16:28:07 +00:00
``def scope_somename(self):``
2016-02-11 20:24:34 +00:00
If a field is empty or ``None`` will be cleaned from the response.
OIDC_IDTOKEN_EXPIRE
===================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``int``. Token object expiration after been delivered.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Expressed in seconds. Default is ``60*10``.
OIDC_IDTOKEN_PROCESSING_HOOK
============================
OPTIONAL. ``str`` or ``(list, tuple)``.
A string with the location of your function hook or ``list`` or ``tuple`` with hook functions.
Here you can add extra dictionary values specific for your app into id_token.
The ``list`` or ``tuple`` is useful when You want to set multiple hooks, i.e. one for permissions and second for some special field.
The function receives a ``id_token`` dictionary and ``user`` instance
and returns it with additional fields.
Default is::
def default_idtoken_processing_hook(id_token, user):
2016-02-18 13:17:04 +00:00
return id_token
2016-02-11 20:24:34 +00:00
OIDC_IDTOKEN_SUB_GENERATOR
==========================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``str``. A string with the location of your function. ``sub`` is a locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
2016-02-11 20:24:34 +00:00
The function receives a ``user`` object and returns a unique ``string`` for the given user.
Default is::
def default_sub_generator(user):
return str(user.id)
OIDC_SKIP_CONSENT_ALWAYS
========================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``bool``. If enabled, the Server will NEVER ask the user for consent.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Default is ``False``.
2016-02-11 20:24:34 +00:00
OIDC_SKIP_CONSENT_ENABLE
========================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``bool``. If enabled, the Server will save the user consent given to a specific client, so that user won't be prompted for the same authorization multiple times.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Default is ``True``.
2016-02-11 20:24:34 +00:00
OIDC_SKIP_CONSENT_EXPIRE
========================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``int``. User consent expiration after been granted.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Expressed in days. Default is ``30*3``.
2016-02-11 20:24:34 +00:00
OIDC_TOKEN_EXPIRE
=================
2016-02-12 19:22:47 +00:00
OPTIONAL. ``int``. Token object expiration after been created.
2016-02-11 20:24:34 +00:00
2016-02-12 19:22:47 +00:00
Expressed in seconds. Default is ``60*60``.
2016-02-11 20:24:34 +00:00
OIDC_USERINFO
=============
2016-02-12 19:22:47 +00:00
OPTIONAL. ``str``. A string with the location of your class. Read **Standard Claims** section.