"""RP configuration, read from the environment with sensible local defaults. Every value can be overridden with an OIDC_RP_* environment variable. The defaults assume porchlight is running locally on :8000 and this RP on :9000. """ from __future__ import annotations import os from dataclasses import dataclass @dataclass(frozen=True) class Config: # The OP's issuer URL. Discovery is derived from this: # {issuer}/.well-known/openid-configuration issuer: str = os.environ.get("OIDC_RP_ISSUER", "http://localhost:8000") # Credentials for the client registered in porchlight.toml. See README. client_id: str = os.environ.get("OIDC_RP_CLIENT_ID", "showcase-rp") client_secret: str = os.environ.get("OIDC_RP_CLIENT_SECRET", "change-me") # Where the OP redirects back to after authentication. Must exactly match # one of the redirect_uris registered for the client. redirect_uri: str = os.environ.get( "OIDC_RP_REDIRECT_URI", "http://localhost:9000/callback" ) # Scopes we request. offline_access is what makes the OP issue a refresh # token (porchlight gates it behind this scope). scope: str = os.environ.get("OIDC_RP_SCOPE", "openid profile email offline_access") # Secret used to sign the session-id cookie (NOT the OIDC client_secret). session_secret: str = os.environ.get( "OIDC_RP_SESSION_SECRET", "dev-only-rp-session-secret-change-me" ) # Allowed clock skew (seconds) when validating exp/iat. leeway: int = int(os.environ.get("OIDC_RP_LEEWAY", "30"))