Settings
This document describes the Django settings that can be used to customize the configuration
of mozilla-django-oidc.
-
OIDC_OP_AUTHORIZATION_ENDPOINT
Default: No default
URL of your OpenID Connect provider authorization endpoint.
-
OIDC_OP_TOKEN_ENDPOINT
Default: No default
URL of your OpenID Connect provider token endpoint.
-
OIDC_OP_USER_ENDPOINT
Default: No default
URL of your OpenID Connect provider userinfo endpoint.
-
OIDC_RP_CLIENT_ID
Default: No default
OpenID Connect client ID provided by your OP.
-
OIDC_RP_CLIENT_SECRET
Default: No default
OpenID Connect client secret provided by your OP.
-
OIDC_VERIFY_JWT
Default: True
Controls whether the OpenID Connect client verifies the signature of the JWT tokens.
-
OIDC_VERIFY_KID
Default: True
Controls whether the OpenID Connect client verifies the KID field of the JWT tokens.
-
OIDC_USE_NONCE
Default: True
Controls whether the OpenID Connect client uses nonce verification.
-
OIDC_VERIFY_SSL
Default: True
Controls whether the OpenID Connect client verifies the SSL certificate of the OP responses.
-
OIDC_TIMEOUT
Default: None
Defines a timeout for all requests to the OpenID Connect provider (fetch JWS, retrieve JWT tokens, Userinfo Endpoint). The default is set to None, which means the library will wait indefinitely. The time can be defined as seconds (integer). For more information about possible configuration values, see Python requests: https://requests.readthedocs.io/en/master/user/quickstart/#timeouts
-
OIDC_PROXY
Default: None
Defines a proxy for all requests to the OpenID Connect provider (fetch JWS, retrieve JWT tokens, Userinfo Endpoint). The default is set to None, which means the library will not use a proxy and will connect directly. To configure a proxy, check the Python requests documentation: https://requests.readthedocs.io/en/master/user/advanced/#proxies
-
OIDC_EXEMPT_URLS
Default: []
This is a list of absolute URL paths, regular expressions for URL paths, or Django view names. These, plus the mozilla-django-oidc URLs, are exempted from session renewal by the SessionRefresh middleware.
-
OIDC_CREATE_USER
Default: True
Enables or disables automatic user creation during authentication.
-
OIDC_STATE_SIZE
Default: 32
Sets the length of the random string used for OpenID Connect state verification.
-
OIDC_NONCE_SIZE
Default: 32
Sets the length of the random string used for OpenID Connect nonce verification.
-
OIDC_MAX_STATES
Default: 50
Sets the maximum number of State / Nonce combinations stored in the session. Multiple combinations are used when the user starts multiple concurrent login sessions.
-
OIDC_REDIRECT_FIELD_NAME
Default: next
Sets the GET parameter that is used to define the redirect URL after successful authentication.
-
OIDC_CALLBACK_CLASS
Default: mozilla_django_oidc.views.OIDCAuthenticationCallbackView
Allows you to substitute a custom class-based view to be used as OpenID Connect callback URL.
Note
When using a custom callback view, it is generally a good idea to subclass the default OIDCAuthenticationCallbackView and override the methods you want to change.
-
OIDC_AUTHENTICATE_CLASS
Default: mozilla_django_oidc.views.OIDCAuthenticationRequestView
Allows you to substitute a custom class-based view to be used as OpenID Connect authenticate URL.
Note
When using a custom authenticate view, it is generally a good idea to subclass the default OIDCAuthenticationRequestView and override the methods you want to change.
-
OIDC_RP_SCOPES
Default: openid email
The OpenID Connect scopes to request during login.
Warning
When using custom scopes, consider overriding the claim verification method, since the default one only works for the default mozilla-django-oidc configuration.
-
OIDC_STORE_ACCESS_TOKEN
Default: False
Controls whether the OpenID Connect client stores the OIDC access_token in the user session. The session key used to store the data is oidc_access_token.
By default we want to store as few credentials as possible, so this feature defaults to False and its use is discouraged.
Warning
This feature stores authentication information in the session. If used in combination with Django’s cookie-based session backend, those tokens will be visible in the browser’s cookie store.
-
OIDC_STORE_ID_TOKEN
Default: False
Controls whether the OpenID Connect client stores the OIDC id_token in the user session. The session key used to store the data is oidc_id_token.
-
OIDC_AUTH_REQUEST_EXTRA_PARAMS
Default: {}
Additional parameters to include in the initial authorization request.
-
OIDC_RP_SIGN_ALGO
Default: HS256
Sets the algorithm the IdP uses to sign ID tokens.
-
OIDC_RP_IDP_SIGN_KEY
Default: None
Sets the key the IdP uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.
-
LOGIN_REDIRECT_URL
Default: /accounts/profile
Path to redirect to on successful login. If you don’t specify this, the default Django value will be used.
-
LOGIN_REDIRECT_URL_FAILURE
Default: /
Path to redirect to on an unsuccessful login attempt.
-
LOGOUT_REDIRECT_URL
Default: None
After the logout view has logged the user out, it redirects to this URL path.
-
OIDC_OP_LOGOUT_URL_METHOD
Default: '' (will use LOGOUT_REDIRECT_URL)
Function path that returns a URL to redirect the user to after auth.logout() is called.
Changed in version 0.7.0: The function must now take a request parameter.
-
OIDC_AUTHENTICATION_CALLBACK_URL
Default: oidc_authentication_callback
URL pattern name for OIDCAuthenticationCallbackView. Will be passed to reverse. The pattern can also include a namespace in order to resolve included URLs.
-
OIDC_ALLOW_UNSECURED_JWT
Default: False
Controls whether the authentication backend is going to allow unsecured JWT tokens (tokens with header {"alg":"none"}). This needs to be set to True if the OP is returning unsecured JWT tokens and the RP wants to accept them.
-
OIDC_TOKEN_USE_BASIC_AUTH
Default: False
Use HTTP Basic Authentication instead of sending the client secret in the token request POST body.
-
ALLOW_LOGOUT_GET_METHOD
Default: False
Allow using the GET method to log out the user.
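
The following check is an added example, not part of the mozilla-django-oidc documentation or code base: it compares a settings mapping with the defaults documented above and reports values that weaken them. The function name audit_oidc_settings, the finding wording and the sample settings are assumptions made for illustration; SESSION_ENGINE is Django's own setting for the session backend.

```python
# Defaults copied from the settings reference above.
DOCUMENTED_DEFAULTS = {
    "OIDC_VERIFY_JWT": True, "OIDC_VERIFY_KID": True,
    "OIDC_USE_NONCE": True, "OIDC_VERIFY_SSL": True,
    "OIDC_ALLOW_UNSECURED_JWT": False, "ALLOW_LOGOUT_GET_METHOD": False,
    "OIDC_STORE_ACCESS_TOKEN": False, "OIDC_STORE_ID_TOKEN": False,
    "OIDC_TIMEOUT": None, "OIDC_STATE_SIZE": 32, "OIDC_NONCE_SIZE": 32,
}
# Django's cookie-based session backend (the session data lives in the cookie).
COOKIE_SESSIONS = "django.contrib.sessions.backends.signed_cookies"


def audit_oidc_settings(settings):
    """Return [(setting, reason)] for values weaker than the documented defaults."""
    cfg = {**DOCUMENTED_DEFAULTS, **settings}
    findings = []
    for name in ("OIDC_VERIFY_JWT", "OIDC_VERIFY_KID",
                 "OIDC_USE_NONCE", "OIDC_VERIFY_SSL"):
        if not cfg[name]:
            findings.append((name, "check disabled; documented default is True"))
    if cfg["OIDC_ALLOW_UNSECURED_JWT"]:
        findings.append(("OIDC_ALLOW_UNSECURED_JWT",
                         'tokens with header {"alg":"none"} are accepted'))
    if cfg["ALLOW_LOGOUT_GET_METHOD"]:
        findings.append(("ALLOW_LOGOUT_GET_METHOD",
                         "logout is reachable with a plain GET request"))
    if cfg["OIDC_TIMEOUT"] is None:
        findings.append(("OIDC_TIMEOUT",
                         "no timeout; requests to the OP wait indefinitely"))
    for name in ("OIDC_STATE_SIZE", "OIDC_NONCE_SIZE"):
        if cfg[name] < DOCUMENTED_DEFAULTS[name]:
            findings.append((name, "shorter than the documented default of 32"))
    if cfg.get("SESSION_ENGINE") == COOKIE_SESSIONS:
        for name in ("OIDC_STORE_ACCESS_TOKEN", "OIDC_STORE_ID_TOKEN"):
            if cfg[name]:
                findings.append((name, "token is stored in a browser cookie"))
    return findings


# Constructed sample settings, not taken from any real deployment.
WEAK = {"OIDC_VERIFY_SSL": False, "OIDC_ALLOW_UNSECURED_JWT": True,
        "OIDC_STORE_ACCESS_TOKEN": True, "SESSION_ENGINE": COOKIE_SESSIONS}
HARDENED = {"OIDC_TIMEOUT": 10, "OIDC_STORE_ACCESS_TOKEN": False}

if __name__ == "__main__":
    for setting, reason in audit_oidc_settings(WEAK):
        print(f"{setting}: {reason}")
    print("hardened findings:", audit_oidc_settings(HARDENED))
```

Note that a settings module that leaves OIDC_TIMEOUT unset is reported, because the documented default of None means requests to the OP never time out.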