> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# atoti.OidcConfig

### *final class* atoti.OidcConfig

The config to delegate authentication to an [OpenID Connect](https://openid.net/connect/) provider (Auth0, Google, Keycloak, etc.).

The user’s roles are defined using [`atoti.security.Security.oidc`](./atoti.security.Security.oidc#atoti.security.Security.oidc) and [`individual_roles`](./atoti.security.Security.individual_roles#atoti.security.Security.individual_roles).

### Example

```pycon theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
>>> config = tt.OidcConfig(
...     provider_id="auth0",
...     issuer_url="https://example.auth0.com",
...     client_id="some client ID",
...     client_secret="some client secret",
...     name_claim="email",
...     scopes={"openid", "email", "profile"},
...     roles_claims={
...         "https://example.com/roles",
...         ("other", "path", "to", "roles"),
...     },
... )
```

#### access\_token\_format *: [Literal](https://docs.python.org/3/library/typing.html#typing.Literal)\['jwt', 'opaque']* *= 'jwt'*

The format of the access tokens delivered by the OIDC provider.

Opaque tokens involve another request to the OIDC provider’s user info endpoint to retrieve the user details.
The URL of this user info endpoint will be fetched from the `f"{issuer_url}/.well-known/openid-configuration"` endpoint.

<Callout icon="link">
  **See also**:
  Opaque tokens can be used with [`atoti.OAuth2ResourceOwnerPasswordAuthentication`](./atoti.authentication.oauth2_resource_owner_password_authentication#atoti.OAuth2ResourceOwnerPasswordAuthentication).
</Callout>

#### client\_id *: [str](https://docs.python.org/3/library/stdtypes.html#str)*

#### client\_secret *: [str](https://docs.python.org/3/library/stdtypes.html#str)*

#### issuer\_url *: [str](https://docs.python.org/3/library/stdtypes.html#str)*

#### name\_claim *: [str](https://docs.python.org/3/library/stdtypes.html#str)* *= 'sub'*

The name of the claim in the ID token (or userinfo) to use as the name of the user.

#### provider\_id *: [str](https://docs.python.org/3/library/stdtypes.html#str)*

The name of the provider.

It is used to build the redirect URL: `f"{session_url}/login/oauth2/code/{provider_id}"`.

#### roles\_claims *: [Set](https://docs.python.org/3/library/collections.abc.html#collections.abc.Set)\[[str](https://docs.python.org/3/library/stdtypes.html#str) | [tuple](https://docs.python.org/3/library/stdtypes.html#tuple)\[[str](https://docs.python.org/3/library/stdtypes.html#str), ...]]* *= frozenset(\{})*

The claims of the ID token from which to extract roles to use as keys in the [`role_mapping`](./atoti.security.oidc_security.OidcSecurity.role_mapping#atoti.security.oidc_security.OidcSecurity.role_mapping).

When an element of the set is a tuple, the tuple elements will be interpreted as the parts of a path leading to a nested value in the token.

#### scopes *: [Set](https://docs.python.org/3/library/collections.abc.html#collections.abc.Set)\[[str](https://docs.python.org/3/library/stdtypes.html#str)]* *= frozenset(\{})*

The scopes to request from the authentication provider.

The `"openid"` scope is required as per the OIDC specification.

#### use\_client\_secret\_as\_certificate *: [bool](https://docs.python.org/3/library/functions.html#bool)* *= False*

If `True`, the passed [`client_secret`](#atoti.OidcConfig.client_secret) must be a client certificate.

This client certificate will be passed in the `X-Cert` header of the HTTP request made to the OIDC provider to retrieve an access token.
