OIDC (OpenID Connect)

The OIDC backend allows authentication against a generic OIDC provider. The backend class is OpenIdConnectAuth with name oidc. A minimum configuration is:

SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = 'https://.....'
SOCIAL_AUTH_OIDC_KEY = '<client_id>'
SOCIAL_AUTH_OIDC_SECRET = '<client_secret>'

The remaining configuration will be auto-detected, by fetching:

<SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/openid-configuration

This class can be used standalone, but is also the base class for some other backends.

Username

The OIDC backend will check for a preferred_username key in the values returned by the server. If the username is under a different key, this can be overridden:

SOCIAL_AUTH_OIDC_USERNAME_KEY = 'nickname'

This setting indicates that the username should be populated by the nickname claim instead.

Scopes

The default set of scopes requested are “openid”, “profile” and “email”. You can request additional claims, for example:

SOCIAL_AUTH_OIDC_SCOPE = ['groups']

and you can prevent the inclusion of the default scopes using:

SOCIAL_AUTH_OIDC_IGNORE_DEFAULT_SCOPE = True