OIDC (OpenID Connect)¶
The OIDC backend allows authentication against a generic OIDC provider. The backend class is OpenIdConnectAuth with name oidc. A minimum configuration is:
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = 'https://.....'
SOCIAL_AUTH_OIDC_KEY = '<client_id>'
SOCIAL_AUTH_OIDC_SECRET = '<client_secret>'
The remaining configuration will be auto-detected, by fetching:
<SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/openid-configuration
This class can be used standalone, but is also the base class for some other backends.
Authentication Request Parameters¶
All this parameters are optional and they might not be supported by the OIDC provider.
Prompt¶
This informs the OIDC provider whether the OIDC provider prompts the user for reauthentication and consent.
SOCIAL_AUTH_OIDC_PROMPT = '<prompt> ...'
Defined values are
none
login
consent
select_account
Username¶
The OIDC backend will check for a preferred_username
key in the values
returned by the server. If the username is under a different key, this can
be overridden:
SOCIAL_AUTH_OIDC_USERNAME_KEY = 'nickname'
This setting indicates that the username should be populated by the
nickname
claim instead.
Scopes¶
The default set of scopes requested are “openid”, “profile” and “email”. You can request additional claims, for example:
SOCIAL_AUTH_OIDC_SCOPE = ['groups']
and you can prevent the inclusion of the default scopes using:
SOCIAL_AUTH_OIDC_IGNORE_DEFAULT_SCOPE = True