authentik.common.oauth.constants
OAuth/OpenID Constants
"""OAuth/OpenID Constants"""

from django.db import models
from django.utils.translation import gettext_lazy as _

# NOTE: the trailing `# nosec` markers in this module silence hardcoded-secret
# warnings from static analysis. The flagged values are protocol identifiers
# defined by the OAuth/OIDC specifications, not credentials.

# --- Grant types (the `grant_type` request parameter) ------------------------
GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
# The implicit grant returns tokens in the redirect itself; the OAuth 2.0
# Security BCP (RFC 9700) says it should not be used.
GRANT_TYPE_IMPLICIT = "implicit"
GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
# The resource-owner password grant hands the user's password to the client;
# RFC 9700 says it must not be used.
GRANT_TYPE_PASSWORD = "password"  # nosec
# Device authorization grant (RFC 8628).
GRANT_TYPE_DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

# --- Authorization-request query-string parameters ---------------------------
QS_LOGIN_HINT = "login_hint"

# --- JWT client authentication (RFC 7523) ------------------------------------
CLIENT_ASSERTION = "client_assertion"
CLIENT_ASSERTION_TYPE = "client_assertion_type"
CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# --- Values of the OIDC `prompt` parameter -----------------------------------
PROMPT_NONE = "none"
PROMPT_CONSENT = "consent"
PROMPT_LOGIN = "login"

# Namespaced context key; presumably holds the sessions handled by the OIDC
# iframe logout. TODO confirm against the code that reads it.
PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"

# --- Standard OpenID Connect scopes ------------------------------------------
SCOPE_OPENID = "openid"
SCOPE_OPENID_PROFILE = "profile"
SCOPE_OPENID_EMAIL = "email"
# In OIDC Core, `offline_access` requests a refresh token, i.e. access that
# outlives the user's session.
SCOPE_OFFLINE_ACCESS = "offline_access"

UI_LOCALES = "ui_locales"

# https://www.iana.org/assignments/oauth-parameters/auth-parameters.xhtml#pkce-code-challenge-method
# With "plain" the code challenge equals the code verifier, so anyone who can
# observe the authorization request can redeem the code. Prefer "S256".
PKCE_METHOD_PLAIN = "plain"
PKCE_METHOD_S256 = "S256"

# Bearer tokens (RFC 6750) are usable by whoever holds them.
TOKEN_TYPE = "Bearer"  # nosec

# authentik-specific scope; judging by the name it relates to API access.
# NOTE(review): confirm how it is enforced before granting it to a client.
SCOPE_AUTHENTIK_API = "goauthentik.io/api"

# --- GitHub-compatible scopes ------------------------------------------------
# Read/write full user (including email)
SCOPE_GITHUB_USER = "user"
# Read user (without email)
SCOPE_GITHUB_USER_READ = "read:user"
# Read users email addresses
SCOPE_GITHUB_USER_EMAIL = "user:email"
# Read info about teams
SCOPE_GITHUB_ORG_READ = "read:org"
# All GitHub-style scopes defined above, collected for membership checks.
SCOPE_GITHUB = {
    SCOPE_GITHUB_USER,
    SCOPE_GITHUB_USER_READ,
    SCOPE_GITHUB_USER_EMAIL,
    SCOPE_GITHUB_ORG_READ,
}

# Authentication Context Class Reference value in authentik's own namespace.
ACR_AUTHENTIK_DEFAULT = "goauthentik.io/providers/oauth2/default"

# Authentication Method Reference (`amr`) values.
# https://datatracker.ietf.org/doc/html/draft-ietf-oauth-amr-values-06#section-2
AMR_PASSWORD = "pwd"  # nosec
AMR_MFA = "mfa"
AMR_OTP = "otp"
# "user" is the registered value for a user-presence test. Relying parties that
# base step-up decisions on `amr` see this value for WebAuthn.
AMR_WEBAUTHN = "user"
AMR_SMART_CARD = "sc"


class SubModes(models.TextChoices):
    """Source attribute for the 'sub' (subject) claim.

    Several modes exist for compatibility reasons. Each member pairs the
    stored value with a translatable label.
    """

    # NOTE(review): OIDC expects `sub` to be stable and never reassigned to
    # another user. The username, email and UPN modes depend on attributes
    # that may change or be reused in some deployments. Verify this before
    # selecting them. Switching mode presumably changes the `sub` that
    # relying parties see for existing users.
    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
    USER_UUID = "user_uuid", _("Based on user UUID")
    USER_USERNAME = "user_username", _("Based on the username")
    USER_EMAIL = "user_email", _(
        "Based on the User's Email. This is recommended over the UPN method."
    )
    USER_UPN = "user_upn", _(
        "Based on the User's UPN, only works if user has a 'upn' attribute set. "
        "Use this method only if you have different UPN and Mail domains."
    )
GRANT_TYPE_AUTHORIZATION_CODE =
'authorization_code'
GRANT_TYPE_IMPLICIT =
'implicit'
GRANT_TYPE_REFRESH_TOKEN =
'refresh_token'
GRANT_TYPE_CLIENT_CREDENTIALS =
'client_credentials'
GRANT_TYPE_PASSWORD =
'password'
GRANT_TYPE_DEVICE_CODE =
'urn:ietf:params:oauth:grant-type:device_code'
QS_LOGIN_HINT =
'login_hint'
CLIENT_ASSERTION =
'client_assertion'
CLIENT_ASSERTION_TYPE =
'client_assertion_type'
CLIENT_ASSERTION_TYPE_JWT =
'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
PROMPT_NONE =
'none'
PROMPT_CONSENT =
'consent'
PROMPT_LOGIN =
'login'
PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS =
'goauthentik.io/providers/oauth2/iframe_sessions'
SCOPE_OPENID =
'openid'
SCOPE_OPENID_PROFILE =
'profile'
SCOPE_OPENID_EMAIL =
'email'
SCOPE_OFFLINE_ACCESS =
'offline_access'
UI_LOCALES =
'ui_locales'
PKCE_METHOD_PLAIN =
'plain'
PKCE_METHOD_S256 =
'S256'
TOKEN_TYPE =
'Bearer'
SCOPE_AUTHENTIK_API =
'goauthentik.io/api'
SCOPE_GITHUB_USER =
'user'
SCOPE_GITHUB_USER_READ =
'read:user'
SCOPE_GITHUB_USER_EMAIL =
'user:email'
SCOPE_GITHUB_ORG_READ =
'read:org'
SCOPE_GITHUB =
{'read:user', 'user:email', 'user', 'read:org'}
ACR_AUTHENTIK_DEFAULT =
'goauthentik.io/providers/oauth2/default'
AMR_PASSWORD =
'pwd'
AMR_MFA =
'mfa'
AMR_OTP =
'otp'
AMR_WEBAUTHN =
'user'
AMR_SMART_CARD =
'sc'
class
SubModes(django.db.models.enums.TextChoices):
class SubModes(models.TextChoices):
    """Source attribute for the 'sub' (subject) claim.

    Several modes exist for compatibility reasons. Each member pairs the
    stored value with a translatable label.
    """

    # NOTE(review): OIDC expects `sub` to be stable and never reassigned to
    # another user. The username, email and UPN modes depend on attributes
    # that may change or be reused in some deployments. Verify this before
    # selecting them. Switching mode presumably changes the `sub` that
    # relying parties see for existing users.
    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
    USER_UUID = "user_uuid", _("Based on user UUID")
    USER_USERNAME = "user_username", _("Based on the username")
    USER_EMAIL = "user_email", _(
        "Based on the User's Email. This is recommended over the UPN method."
    )
    USER_UPN = "user_upn", _(
        "Based on the User's UPN, only works if user has a 'upn' attribute set. "
        "Use this method only if you have different UPN and Mail domains."
    )
Mode after which 'sub' attribute is generated, for compatibility reasons
HASHED_USER_ID =
SubModes.HASHED_USER_ID
USER_ID =
SubModes.USER_ID
USER_UUID =
SubModes.USER_UUID
USER_USERNAME =
SubModes.USER_USERNAME
USER_EMAIL =
SubModes.USER_EMAIL
USER_UPN =
SubModes.USER_UPN