"""RP configuration, read from the environment with sensible local defaults.

Every value can be overridden with an OIDC_RP_* environment variable. The
defaults assume porchlight is running locally on :8000 and this RP on :9000.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
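@dataclass(frozen=True)
class Config:
    """Relying-party settings, resolved from ``OIDC_RP_*`` environment variables.

    Each default below is produced by ``os.environ.get`` while this class body
    is executed, i.e. once at import time; changing a variable afterwards does
    not alter an already-imported default. Pass a field explicitly
    (``Config(leeway=5)``) to bypass the environment for that value.

    Raises:
        ValueError: from ``__post_init__`` when ``leeway`` is negative or
            ``issuer`` / ``redirect_uri`` is empty; also at import time if
            ``OIDC_RP_LEEWAY`` is set to a non-integer string.
    """

    # The OP's issuer URL. Discovery is derived from this:
    # {issuer}/.well-known/openid-configuration
    issuer: str = os.environ.get("OIDC_RP_ISSUER", "http://localhost:8000")

    # Credentials for the client registered in porchlight.toml. See README.
    client_id: str = os.environ.get("OIDC_RP_CLIENT_ID", "showcase-rp")
    # repr=False keeps the secret out of the generated __repr__, so logging or
    # printing a Config instance does not disclose it.
    client_secret: str = field(
        default=os.environ.get("OIDC_RP_CLIENT_SECRET", "change-me"),
        repr=False,
    )

    # Where the OP redirects back to after authentication. Must exactly match
    # one of the redirect_uris registered for the client.
    redirect_uri: str = os.environ.get(
        "OIDC_RP_REDIRECT_URI", "http://localhost:9000/callback"
    )

    # Scopes we request. offline_access is what makes the OP issue a refresh
    # token (porchlight gates it behind this scope).
    scope: str = os.environ.get("OIDC_RP_SCOPE", "openid profile email offline_access")

    # Secret used to sign the session-id cookie (NOT the OIDC client_secret).
    # The default is only meant for local development; any other deployment
    # must set OIDC_RP_SESSION_SECRET. Excluded from __repr__ like client_secret.
    session_secret: str = field(
        default=os.environ.get(
            "OIDC_RP_SESSION_SECRET", "dev-only-rp-session-secret-change-me"
        ),
        repr=False,
    )

    # Allowed clock skew (seconds) when validating exp/iat.
    # int() fails fast at import if OIDC_RP_LEEWAY is not an integer string.
    leeway: int = int(os.environ.get("OIDC_RP_LEEWAY", "30"))

    def __post_init__(self) -> None:
        """Reject values that cannot be valid in any deployment.

        Raises:
            ValueError: if ``leeway`` is negative (a negative skew allowance
                is meaningless) or ``issuer`` / ``redirect_uri`` is empty.
        """
        if self.leeway < 0:
            raise ValueError(f"OIDC_RP_LEEWAY must be >= 0, got {self.leeway}")
        if not self.issuer:
            raise ValueError("OIDC_RP_ISSUER must not be empty")
        if not self.redirect_uri:
            raise ValueError("OIDC_RP_REDIRECT_URI must not be empty")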