authentik.common.oauth.constants
OAuth/OpenID Constants
"""OAuth/OpenID Constants"""

from django.db import models
from django.utils.translation import gettext_lazy as _

# OAuth 2.0 grant type identifiers.
# The `# nosec` markers below suppress a static-analysis finding on strings that look like
# credentials ("password", "refresh_token", "Bearer"); the values are protocol identifiers.
# NOTE(review): the implicit and resource-owner-password grants are discouraged by the OAuth 2.0
# Security Best Current Practice (RFC 9700). These constants only name the grants; whether a
# provider accepts them is decided elsewhere and is not visible in this module.
GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
GRANT_TYPE_IMPLICIT = "implicit"
GRANT_TYPE_HYBRID = "hybrid"
GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
GRANT_TYPE_PASSWORD = "password"  # nosec
GRANT_TYPE_DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

# OpenID Connect `login_hint` request parameter name (presumably read from the query string,
# going by the QS_ prefix; confirm at the call site).
QS_LOGIN_HINT = "login_hint"

# Request parameter names and the assertion-type URN for JWT client authentication (RFC 7523).
CLIENT_ASSERTION = "client_assertion"
CLIENT_ASSERTION_TYPE = "client_assertion_type"
CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Values of the OpenID Connect `prompt` request parameter.
PROMPT_NONE = "none"
PROMPT_CONSENT = "consent"
PROMPT_LOGIN = "login"

# Namespaced keys; presumably used to store logout state in a flow plan context. Verify usage.
PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"

OAUTH2_BINDING = "redirect"

# Standard OpenID Connect scope values. `offline_access` asks for a refresh token to be issued.
SCOPE_OPENID = "openid"
SCOPE_OPENID_PROFILE = "profile"
SCOPE_OPENID_EMAIL = "email"
SCOPE_OFFLINE_ACCESS = "offline_access"

# OpenID Connect `ui_locales` request parameter name.
UI_LOCALES = "ui_locales"

# https://www.iana.org/assignments/oauth-parameters/auth-parameters.xhtml#pkce-code-challenge-method
# With "plain" the code challenge is the code verifier itself, so an observed authorization
# request reveals the verifier. RFC 7636 requires clients that can use "S256" to use it.
PKCE_METHOD_PLAIN = "plain"
PKCE_METHOD_S256 = "S256"

TOKEN_TYPE = "Bearer"  # nosec

# authentik-specific scope. What it authorizes is not defined in this module.
SCOPE_AUTHENTIK_API = "goauthentik.io/api"

# URI schemes that are forbidden for redirect URIs
# This is a denylist with lowercase entries. URI schemes are case-insensitive (RFC 3986,
# section 3.1), so the consumer needs to lowercase the parsed scheme before the membership
# test. NOTE(review): confirm that at the call site, and that this check is applied in
# addition to matching against the client's registered redirect URIs, not in place of it.
FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}

# Read/write full user (including email)
SCOPE_GITHUB_USER = "user"
# Read user (without email)
SCOPE_GITHUB_USER_READ = "read:user"
# Read the user's email addresses
SCOPE_GITHUB_USER_EMAIL = "user:email"
# Read info about teams
SCOPE_GITHUB_ORG_READ = "read:org"
# All GitHub-style scope names defined above, collected for membership tests.
SCOPE_GITHUB = {
    SCOPE_GITHUB_USER,
    SCOPE_GITHUB_USER_READ,
    SCOPE_GITHUB_USER_EMAIL,
    SCOPE_GITHUB_ORG_READ,
}

# Default value for the `acr` (Authentication Context Class Reference) claim.
ACR_AUTHENTIK_DEFAULT = "goauthentik.io/providers/oauth2/default"
64# https://datatracker.ietf.org/doc/html/draft-ietf-oauth-amr-values-06#section-2 65AMR_PASSWORD = "pwd" # nosec 66AMR_MFA = "mfa" 67AMR_OTP = "otp" 68AMR_WEBAUTHN = "user" 69AMR_SMART_CARD = "sc" 70 71 72class SubModes(models.TextChoices): 73 """Mode after which 'sub' attribute is generated, for compatibility reasons""" 74 75 HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID") 76 USER_ID = "user_id", _("Based on user ID") 77 USER_UUID = "user_uuid", _("Based on user UUID") 78 USER_USERNAME = "user_username", _("Based on the username") 79 USER_EMAIL = ( 80 "user_email", 81 _("Based on the User's Email. This is recommended over the UPN method."), 82 ) 83 USER_UPN = ( 84 "user_upn", 85 _( 86 "Based on the User's UPN, only works if user has a 'upn' attribute set. " 87 "Use this method only if you have different UPN and Mail domains." 88 ), 89 )
GRANT_TYPE_AUTHORIZATION_CODE =
'authorization_code'
GRANT_TYPE_IMPLICIT =
'implicit'
GRANT_TYPE_HYBRID =
'hybrid'
GRANT_TYPE_REFRESH_TOKEN =
'refresh_token'
GRANT_TYPE_CLIENT_CREDENTIALS =
'client_credentials'
GRANT_TYPE_PASSWORD =
'password'
GRANT_TYPE_DEVICE_CODE =
'urn:ietf:params:oauth:grant-type:device_code'
QS_LOGIN_HINT =
'login_hint'
CLIENT_ASSERTION =
'client_assertion'
CLIENT_ASSERTION_TYPE =
'client_assertion_type'
CLIENT_ASSERTION_TYPE_JWT =
'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
PROMPT_NONE =
'none'
PROMPT_CONSENT =
'consent'
PROMPT_LOGIN =
'login'
PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS =
'goauthentik.io/providers/oauth2/iframe_sessions'
PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI =
'goauthentik.io/providers/oauth2/post_logout_redirect_uri'
OAUTH2_BINDING =
'redirect'
SCOPE_OPENID =
'openid'
SCOPE_OPENID_PROFILE =
'profile'
SCOPE_OPENID_EMAIL =
'email'
SCOPE_OFFLINE_ACCESS =
'offline_access'
UI_LOCALES =
'ui_locales'
PKCE_METHOD_PLAIN =
'plain'
PKCE_METHOD_S256 =
'S256'
TOKEN_TYPE =
'Bearer'
SCOPE_AUTHENTIK_API =
'goauthentik.io/api'
FORBIDDEN_URI_SCHEMES =
{'data', 'javascript', 'vbscript'}
SCOPE_GITHUB_USER =
'user'
SCOPE_GITHUB_USER_READ =
'read:user'
SCOPE_GITHUB_USER_EMAIL =
'user:email'
SCOPE_GITHUB_ORG_READ =
'read:org'
SCOPE_GITHUB =
{'read:user', 'user:email', 'user', 'read:org'}
ACR_AUTHENTIK_DEFAULT =
'goauthentik.io/providers/oauth2/default'
AMR_PASSWORD =
'pwd'
AMR_MFA =
'mfa'
AMR_OTP =
'otp'
AMR_WEBAUTHN =
'user'
AMR_SMART_CARD =
'sc'
class
SubModes(django.db.models.enums.TextChoices):
class SubModes(models.TextChoices):
    """Mode after which 'sub' attribute is generated, for compatibility reasons"""

    # Each member is a (stored value, translated label) pair. The stored values are persisted
    # wherever this choice is used, so they must not be renamed.
    #
    # NOTE(review): OpenID Connect defines `sub` as locally unique and never reassigned.
    # Usernames, email addresses and UPNs can usually be changed or given to another account;
    # a relying party that keys its accounts on `sub` may then attach an existing account to a
    # different person. Prefer the ID- or UUID-based modes unless a relying party requires
    # otherwise. Confirm whether these attributes are mutable in the deployment.
    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
    USER_UUID = "user_uuid", _("Based on user UUID")
    USER_USERNAME = "user_username", _("Based on the username")
    USER_EMAIL = (
        "user_email",
        _("Based on the User's Email. This is recommended over the UPN method."),
    )
    USER_UPN = (
        "user_upn",
        _(
            "Based on the User's UPN, only works if user has a 'upn' attribute set. "
            "Use this method only if you have different UPN and Mail domains."
        ),
    )
Mode after which 'sub' attribute is generated, for compatibility reasons
HASHED_USER_ID =
SubModes.HASHED_USER_ID
USER_ID =
SubModes.USER_ID
USER_UUID =
SubModes.USER_UUID
USER_USERNAME =
SubModes.USER_USERNAME
USER_EMAIL =
SubModes.USER_EMAIL
USER_UPN =
SubModes.USER_UPN