Settings
This document describes the Django settings that can be used to customize the configuration of mozilla-django-oidc.
- OIDC_OP_AUTHORIZATION_ENDPOINT
  Default: No default
  URL of your OpenID Connect provider authorization endpoint.
- OIDC_OP_TOKEN_ENDPOINT
  Default: No default
  URL of your OpenID Connect provider token endpoint.
- OIDC_OP_USER_ENDPOINT
  Default: No default
  URL of your OpenID Connect provider userinfo endpoint.
- OIDC_OP_JWKS_ENDPOINT
  Default: No default
  URL of your OpenID Connect provider JWKS (JSON Web Key Set) endpoint. The OP's public signing keys are fetched from here for JWT signature verification with an asymmetric algorithm (for example RS256) when OIDC_RP_IDP_SIGN_KEY is not provided.
- OIDC_RP_CLIENT_ID
  Default: No default
  OpenID Connect client ID provided by your OP.
- OIDC_RP_CLIENT_SECRET
  Default: No default
  OpenID Connect client secret provided by your OP.
- OIDC_VERIFY_JWT
  Default: True
  Controls whether the OpenID Connect client verifies the signature of the JWT tokens. With verification disabled the claims in an ID token are accepted without any proof that the OP issued them, so leave this enabled outside of local testing.
- OIDC_VERIFY_KID
  Default: True
  Controls whether the OpenID Connect client verifies that the kid (key ID) field in the JWT header matches the key used for signature verification.
- OIDC_USE_NONCE
  Default: True
  Controls whether the OpenID Connect client sends a nonce in the authorization request and verifies that the returned ID token carries it, which ties the token to the browser session that started the login.
- OIDC_VERIFY_SSL
  Default: True
  Controls whether the OpenID Connect client verifies the TLS certificate of the OP when making requests to it. Disabling this allows a network attacker to impersonate the OP and hand the client forged tokens.
- OIDC_TIMEOUT
  Default: None
  Defines a timeout for all requests to the OpenID Connect provider (fetching the JWKS, retrieving tokens, calling the userinfo endpoint). The default of None means the library waits indefinitely, so an unresponsive OP can tie up request workers; set a value in production. The timeout is given in seconds (an integer, or any form the Python requests library accepts). See the requests documentation on timeouts: https://requests.readthedocs.io/en/master/user/quickstart/#timeouts
- OIDC_PROXY
  Default: None
  Defines a proxy for all requests to the OpenID Connect provider (fetching the JWKS, retrieving tokens, calling the userinfo endpoint). The default of None means the library does not use a proxy and connects directly. For configuring a proxy, see the Python requests documentation: https://requests.readthedocs.io/en/master/user/advanced/#proxies
- OIDC_EXEMPT_URLS
  Default: []
  A list of absolute URL paths, regular expressions for URL paths, or Django view names. These, plus the mozilla-django-oidc URLs themselves, are exempted from the session renewal performed by the SessionRefresh middleware.
- OIDC_CREATE_USER
  Default: True
  Enables or disables automatic user creation during authentication.
- OIDC_USERNAME_ALGO
  Default: None
  Import path of a custom function used to generate the Django username from the user's email and OIDC claims.
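An added example of an OIDC_USERNAME_ALGO callable, written for this page and not taken from mozilla-django-oidc. It assumes the function is called as generate_username(email, claims), matching the description above (older releases passed only the email). Instead of deriving the username from the e-mail address alone, which an OP may reassign to a different person, it binds the username to the issuer and sub claims, which are the identifiers OpenID Connect guarantees to be stable and unique:

```python
import hashlib
import re
import unicodedata


def generate_username(email, claims):
    """Derive a Django username from the OIDC claims.

    Example OIDC_USERNAME_ALGO callable (not library code). Assumes the
    (email, claims) calling convention described in the settings docs.
    """
    issuer = claims.get("iss", "")
    subject = claims.get("sub")
    if not subject:
        raise ValueError("ID token claims carry no 'sub' claim")

    # Stable, non-reversible suffix bound to (iss, sub). Two people with the
    # same e-mail at different OPs, or a re-issued e-mail address, still get
    # distinct usernames, and the username survives an e-mail change.
    digest = hashlib.sha256(f"{issuer}\x00{subject}".encode("utf-8")).hexdigest()[:12]

    # Human-readable prefix from the local part of the e-mail, folded to
    # ASCII and restricted to characters Django's default username
    # validator accepts (letters, digits, @ . + - _).
    local_part = (email or "").split("@", 1)[0]
    ascii_part = unicodedata.normalize("NFKD", local_part).encode("ascii", "ignore").decode()
    prefix = re.sub(r"[^A-Za-z0-9.+_-]", "", ascii_part).lower()[:30] or "user"

    return f"{prefix}_{digest}"
```

Wire it up with `OIDC_USERNAME_ALGO = "myapp.oidc.generate_username"` (the module path is an assumption for the example). The resulting usernames are at most 43 characters, well under Django's 150-character limit.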
- OIDC_STATE_SIZE
  Default: 32
  Sets the length of the random string used for OpenID Connect state verification.
- OIDC_NONCE_SIZE
  Default: 32
  Sets the length of the random string used for OpenID Connect nonce verification.
- OIDC_MAX_STATES
  Default: 50
  Sets the maximum number of state/nonce combinations stored in the session. Several combinations are kept because a user can start more than one login at the same time (for example in multiple browser tabs); the cap stops the session from growing without bound.
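The following added example, which is not code from mozilla-django-oidc, models how OIDC_STATE_SIZE, OIDC_NONCE_SIZE and OIDC_MAX_STATES interact: a fresh state and nonce are generated per login attempt with a cryptographic random source, kept in the session under a capped dictionary, and the state is consumed exactly once at the callback. The session key name "oidc_states" and the entry layout are assumptions for this example.

```python
import hmac
import secrets
import string
import time

# Values mirror the setting defaults; the session key name is an assumption.
OIDC_STATE_SIZE = 32
OIDC_NONCE_SIZE = 32
OIDC_MAX_STATES = 50
SESSION_KEY = "oidc_states"

_ALPHABET = string.ascii_letters + string.digits


def random_string(length):
    """Unguessable alphanumeric string of exactly `length` characters."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def add_state_and_nonce(session):
    """Create a state/nonce pair for a new login and remember it in the session.

    `session` is any dict-like object (a Django session works). When the cap is
    reached the oldest pending login is evicted, so a user who opens many login
    tabs cannot grow the session indefinitely.
    """
    states = session.setdefault(SESSION_KEY, {})
    while len(states) >= OIDC_MAX_STATES:
        oldest = min(states, key=lambda s: states[s]["added_on"])
        del states[oldest]
    state = random_string(OIDC_STATE_SIZE)
    nonce = random_string(OIDC_NONCE_SIZE)
    states[state] = {"nonce": nonce, "added_on": time.time()}
    session[SESSION_KEY] = states  # reassign so session backends see the change
    return state, nonce


def consume_state(session, state):
    """Callback side: accept `state` exactly once and return its nonce.

    An unknown or already-used state means this callback was not started by
    this browser session (a CSRF or replay attempt), so it is refused.
    """
    states = session.get(SESSION_KEY) or {}
    entry = states.pop(state, None)
    if entry is None:
        raise ValueError("unknown or already-used state")
    session[SESSION_KEY] = states
    return entry["nonce"]


def nonce_matches(expected_nonce, id_token_claims):
    """True when the ID token carries the nonce issued for this login."""
    return hmac.compare_digest(expected_nonce, id_token_claims.get("nonce", ""))
```

The state protects the callback against cross-site request forgery; the nonce, echoed back inside the signed ID token, protects against token replay. Both values must come from a cryptographic random source and be compared with a constant-time comparison, as above.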
- OIDC_REDIRECT_FIELD_NAME
  Default: next
  Sets the GET parameter that is used to define the redirect URL after successful authentication.
- OIDC_CALLBACK_CLASS
  Default: mozilla_django_oidc.views.OIDCAuthenticationCallbackView
  Allows you to substitute a custom class-based view to be used as the OpenID Connect callback URL.
  Note
  When using a custom callback view, it is generally a good idea to subclass the default OIDCAuthenticationCallbackView and override the methods you want to change.
- OIDC_AUTHENTICATE_CLASS
  Default: mozilla_django_oidc.views.OIDCAuthenticationRequestView
  Allows you to substitute a custom class-based view to be used as the OpenID Connect authenticate URL.
  Note
  When using a custom authenticate view, it is generally a good idea to subclass the default OIDCAuthenticationRequestView and override the methods you want to change.
- OIDC_RP_SCOPES
  Default: openid email
  The OpenID Connect scopes to request during login.
  Warning
  When using custom scopes, consider overriding the claim verification method, since the default one only works for the default mozilla-django-oidc configuration.
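An added example of a stricter claim check for a custom scope set, written for this page rather than taken from mozilla-django-oidc. It assumes OIDC_RP_SCOPES is set to something like "openid email profile groups" and that the OP returns a "groups" claim; both the claim name and the required group are assumptions. The body is meant to be used from a verify_claims(self, claims) override on a subclass of mozilla_django_oidc.auth.OIDCAuthenticationBackend.

```python
def claims_allow_login(claims, required_group="app-users"):
    """Decide whether the claims from the OP may log in.

    Example only (not library code). Assumes a "groups" list claim and a
    required group name; adapt both to what your OP actually returns.
    """
    # The default user lookup keys on the e-mail address, so never accept an
    # account whose address the OP has not marked as verified.
    if not claims.get("email") or claims.get("email_verified") is not True:
        return False

    # Authorization decision: only members of the required group may log in.
    # A non-list value is treated as malformed rather than coerced, so a
    # string claim cannot accidentally satisfy a substring check.
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False
    return required_group in groups
```

In the backend subclass, `def verify_claims(self, claims): return claims_allow_login(claims)` is enough; returning False makes the backend refuse the login.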
- OIDC_STORE_ACCESS_TOKEN
  Default: False
  Controls whether the OpenID Connect client stores the OIDC access_token in the user session. The session key used to store the data is oidc_access_token. By default we want to store as few credentials as possible, so this feature defaults to False and its use is discouraged.
  Warning
  This feature stores authentication information in the session. If used in combination with Django's cookie-based session backend, those tokens will be visible in the browser's cookie store.
- OIDC_STORE_ID_TOKEN
  Default: False
  Controls whether the OpenID Connect client stores the OIDC id_token in the user session. The session key used to store the data is oidc_id_token.
- OIDC_AUTH_REQUEST_EXTRA_PARAMS
  Default: {}
  Additional parameters to include in the initial authorization request.
- OIDC_RP_SIGN_ALGO
  Default: HS256
  Sets the algorithm the OP uses to sign ID tokens. With HS256 the signature is verified with OIDC_RP_CLIENT_SECRET as the shared key; with an asymmetric algorithm such as RS256 the OP's public key is taken from OIDC_RP_IDP_SIGN_KEY or, when that is unset, fetched from OIDC_OP_JWKS_ENDPOINT.
- OIDC_RP_IDP_SIGN_KEY
  Default: None
  Sets the OP's public signing key used to verify ID tokens when an RSA signing algorithm is configured. Should be the key in PEM or DER format.
- LOGIN_REDIRECT_URL
  Default: /accounts/profile
  Path to redirect to on successful login. If you don't specify this, the default Django value will be used.
- LOGIN_REDIRECT_URL_FAILURE
  Default: /
  Path to redirect to on an unsuccessful login attempt.
- LOGOUT_REDIRECT_URL
  Default: None
  After the logout view has logged the user out, it redirects to this URL path.
- OIDC_OP_LOGOUT_URL_METHOD
  Default: '' (will use LOGOUT_REDIRECT_URL)
  Import path of a function that returns the URL to redirect the user to after auth.logout() is called.
  Changed in version 0.7.0: The function must now take a request parameter.
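An added example of an OIDC_OP_LOGOUT_URL_METHOD function, written for this page and not taken from mozilla-django-oidc. It builds an OpenID Connect RP-Initiated Logout request so the user's session at the OP ends as well, not only the local Django session. The OP's end_session endpoint and the post-logout redirect URI are constants assumed for the example (in a project they come from the OP's discovery document and your settings), and the example assumes the session is still readable when the function runs. The id_token_hint is only available when OIDC_STORE_ID_TOKEN is True, since that stores the ID token under the session key oidc_id_token.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed values for this example.
OP_END_SESSION_ENDPOINT = "https://op.example.com/oidc/logout"
POST_LOGOUT_REDIRECT_URI = "https://rp.example.com/"


def provider_logout(request):
    """Return the OP logout URL the user is redirected to after auth.logout().

    Example OIDC_OP_LOGOUT_URL_METHOD callable (not library code); takes the
    `request` parameter required since 0.7.0.
    """
    # The redirect target is a fixed URI registered with the OP, never taken
    # from a request parameter, so a crafted logout link cannot bounce the
    # user to an attacker-controlled site.
    params = {"post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI}

    # Present only when OIDC_STORE_ID_TOKEN = True. Passing it lets the OP
    # identify which of its sessions to end without prompting the user.
    id_token = request.session.get("oidc_id_token")
    if id_token:
        params["id_token_hint"] = id_token

    # Keep any query string already on the endpoint and append ours.
    scheme, netloc, path, query, fragment = urlsplit(OP_END_SESSION_ENDPOINT)
    merged = dict(parse_qsl(query))
    merged.update(params)
    return urlunsplit((scheme, netloc, path, urlencode(merged), fragment))
```

Point the setting at it with `OIDC_OP_LOGOUT_URL_METHOD = "myapp.oidc.provider_logout"` (module path assumed).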
- OIDC_AUTHENTICATION_CALLBACK_URL
  Default: oidc_authentication_callback
  URL pattern name for OIDCAuthenticationCallbackView. Will be passed to reverse. The pattern can also include a namespace in order to resolve included URLs.
- OIDC_ALLOW_UNSECURED_JWT
  Default: False
  Controls whether the authentication backend accepts unsecured JWT tokens (tokens with header {"alg":"none"}). This needs to be set to True if the OP returns unsecured JWT tokens and the RP wants to accept them. An unsecured token carries no signature, so nothing but the transport binds its claims to the OP; leave this at False unless the tokens are obtained directly from the token endpoint over TLS and you have decided that is sufficient.
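The following added example, written for this page and not taken from mozilla-django-oidc, models the decisions that OIDC_VERIFY_JWT, OIDC_VERIFY_KID, OIDC_RP_SIGN_ALGO and OIDC_ALLOW_UNSECURED_JWT control, for the default HS256 case where the ID token is signed with the client secret. The token-minting helpers exist only so the checks can be exercised offline; the set of known key IDs stands in for the keys the library would take from OIDC_RP_IDP_SIGN_KEY or the JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims, client_secret, kid="k1"):
    """Mint an HS256 ID token the way an OP sharing the client secret would (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def make_unsecured_token(claims):
    """Mint an {"alg":"none"} token: header, payload, empty signature (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_id_token(token, client_secret, known_kids, *, verify_jwt=True,
                    verify_kid=True, allow_unsecured=False):
    """Return the token's claims if it passes the checks, else raise ValueError.

    Example model of the settings (not library code). The keyword flags map to
    OIDC_VERIFY_JWT, OIDC_VERIFY_KID and OIDC_ALLOW_UNSECURED_JWT.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise ValueError("malformed JWT")

    alg = header.get("alg")
    if alg == "none":
        # No signature at all: anyone can mint such a token, so it is only
        # accepted when the deployment has explicitly opted in.
        if not allow_unsecured:
            raise ValueError("unsecured JWT (alg=none) rejected")
        return json.loads(_b64url_decode(payload_b64))

    # The expected algorithm is fixed by configuration (OIDC_RP_SIGN_ALGO).
    # Letting the token header choose the verification method is the classic
    # algorithm-confusion mistake.
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}, expected HS256")

    if verify_kid and "kid" in header and header["kid"] not in known_kids:
        raise ValueError(f"unknown kid {header['kid']!r}")

    if verify_jwt:
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")

    return json.loads(_b64url_decode(payload_b64))


def token_accepted(token, client_secret, known_kids, **options):
    """Boolean convenience wrapper around verify_id_token."""
    try:
        verify_id_token(token, client_secret, known_kids, **options)
        return True
    except ValueError:
        return False
```

The kid check only matters once more than one key is in play; the point of keeping OIDC_VERIFY_KID on is that a token naming a key you do not hold is refused rather than verified against whatever key happens to be configured.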
- OIDC_TOKEN_USE_BASIC_AUTH
  Default: False
  Use HTTP Basic Authentication instead of sending the client secret in the token request POST body.
- ALLOW_LOGOUT_GET_METHOD
  Default: False
  Allow using the GET method to log the user out. A GET logout can be triggered by any page that makes the browser load the logout URL (an image tag or a link), so leave it disabled unless you specifically need it.
- OIDC_USE_PKCE
  Default: False
  Controls whether the authentication backend uses PKCE (Proof Key for Code Exchange) during the authorization code flow.
- OIDC_PKCE_CODE_CHALLENGE_METHOD
  Default: S256
  Sets the method used to generate the PKCE code challenge. Supported methods are:
  - plain: code_challenge = code_verifier
  - S256: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
  Note
  This only has an effect if OIDC_USE_PKCE is True.
- OIDC_PKCE_CODE_VERIFIER_SIZE
  Default: 64
  Sets the length of the random string used for the PKCE code verifier. Must be between 43 and 128 inclusive.
  Note
  This only has an effect if OIDC_USE_PKCE is True.
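An added example covering both OIDC_PKCE_CODE_CHALLENGE_METHOD and OIDC_PKCE_CODE_VERIFIER_SIZE, written for this page and not taken from mozilla-django-oidc. It generates a verifier within the 43 to 128 character bounds, derives the challenge with either supported method using the formula given above, and shows the check the OP performs at the token endpoint when the verifier is presented. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

MIN_VERIFIER_LENGTH, MAX_VERIFIER_LENGTH = 43, 128
# Unreserved characters permitted in a code verifier (RFC 7636).
_VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def generate_code_verifier(size=64):
    """Random code verifier of `size` characters (OIDC_PKCE_CODE_VERIFIER_SIZE)."""
    if not MIN_VERIFIER_LENGTH <= size <= MAX_VERIFIER_LENGTH:
        raise ValueError(f"verifier size must be between {MIN_VERIFIER_LENGTH} and {MAX_VERIFIER_LENGTH}")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(size))


def code_challenge(code_verifier, method="S256"):
    """Derive the code_challenge sent in the authorization request.

    With "plain" the challenge is the verifier itself, so anyone who observes
    the authorization request learns the verifier. With "S256" only the hash
    travels, and the verifier stays with the client until the token request.
    """
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def op_accepts_verifier(stored_challenge, stored_method, presented_verifier):
    """The OP's token-endpoint check: recompute the challenge and compare."""
    recomputed = code_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(recomputed, stored_challenge)
```

An attacker who steals an authorization code (for example through a leaked redirect) cannot redeem it without the verifier, which is why S256 rather than plain is the method to keep.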