> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# atoti.security.oidc_security.OidcSecurity

### *final class* atoti.security.oidc\_security.OidcSecurity

Manage OIDC security on the session.

<Note>
  This requires [`atoti.SecurityConfig.sso`](./atoti.config.security.security_config#atoti.SecurityConfig.sso) to be an instance of [`OidcConfig`](./atoti.config.security.oidc_config#atoti.OidcConfig).
</Note>

### Example

```pycon theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
>>> import os
>>> session_config = tt.SessionConfig(
...     port=1234,
...     security=tt.SecurityConfig(
...         sso=tt.OidcConfig(
...             provider_id="auth0",
...             issuer_url=os.environ["AUTH0_ISSUER"],
...             client_id=os.environ["AUTH0_CLIENT_ID"],
...             client_secret=os.environ["AUTH0_CLIENT_SECRET"],
...             name_claim="email",
...             scopes={"openid", "email", "profile", "username"},
...             roles_claims={"https://activeviam.com/roles"},
...         ),
...     ),
... )
>>> session = tt.Session.start(session_config)
>>> table = session.create_table(
...     "Restrictions example",
...     data_types={"Country": "String"},
... )
>>> session.tables.restrictions.update(
...     {
...         "ROLE_FRANCE": table["Country"] == "France",
...         "ROLE_UK": table["Country"] == "UK",
...     }
... )
```

Roles from the authentication provider’s ID Token can be mapped to roles in the session:

```pycon theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
>>> session.security.oidc.role_mapping.update(
...     {"atoti user": {"ROLE_USER"}, "France": {"ROLE_FRANCE"}}
... )
>>> session.security.oidc.role_mapping
{'France': frozenset({'ROLE_FRANCE'}), 'atoti user': frozenset({'ROLE_USER'})}
```

Default roles can be given to users who have been granted no individual and mapped roles:

```pycon theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
>>> session.security.oidc.default_roles.add("ROLE_UK")
>>> session.security.oidc.default_roles
{'ROLE_UK'}
```

Note that the name claim is required in the access token to identify the user for any client application.

```pycon theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
>>> session.security.oidc.role_mapping.clear()
>>> session.security.oidc.role_mapping
{}
```

| [`default_roles`](./atoti.security.oidc_security.OidcSecurity.default_roles#atoti.security.oidc_security.OidcSecurity.default_roles) |                                                                                                       |
| ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
| [`role_mapping`](./atoti.security.oidc_security.OidcSecurity.role_mapping#atoti.security.oidc_security.OidcSecurity.role_mapping)    | The role mapping is done with the roles included in the ID Token sent by the authentication provider. |
