Skip to main content

OpenID Connect client for CAERP

Project description

Pyramid Oidc client library for caerp

python setup.py install

Add a client in your OpenId Authentication (e.g: Keycloak)

To configure your open id connect client in a SSO server like Keycloak.

Host : https://caerp.mycae.coop

Important Create a custom realm (don't use the master realm, you'll face serious security problems : all users would have admin rights on Keycloak)

Add a client

For security reasons, always use HTTPS protocol in URLs. Certificates must be provided by well known authorities.

The REQUESTS_CA_BUNDLE environment variable may be used to specify your custom trusted certificates.

Retrieve the client secret

In the "Credentials" section of the keycloak client view, retrieve the client's secret (you need it to configure caerp)

Configure your client : caerp

In your caerp application's ini file

pyramid.includes = ...
                   caerp_oidc_client.models

Later in the same ini file

caerp.authentification_module=caerp_oidc_client

oidc.client_secret=<Secret token from the OIDC server>
oidc.client_id=caerp_client_id
oidc.scope=openid roles
oidc.auth_endpoint_url=<Keycloak auth endpoint url>
oidc.token_endpoint_url=<Keycloak id token endpoint url>
oidc.logout_endpoint_url=<Keycloak logout endpoint url>

JWKS Token validation

Due to backward compatibility, by default, caerp_oidc_client doesn't validate the JWT token using the JWKS encryption data.

JWKS validation is highly recommended and is mandatory for obvious security reasons when the JWT token is transmitted by a third_party (for example frontend or api gateway).

To configure JWKS Token validation, add the following lines :

oidc.jwks_service=caerp_oidc_client.services.JWKSService
oidc.jwks_endpoint_url=<Keycloak jwks endpoint url>
oidc.token_signature_algorithms=<use one of HS256 HS384 HS512 RS256 RS384 RS512>

Keycloak's url are in the form

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/auth

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/token

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/logout

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/certs

Some advices for security

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

caerp_oidc_client-2026.0.0.tar.gz (22.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

caerp_oidc_client-2026.0.0-py3-none-any.whl (21.4 kB view details)

Uploaded Python 3

File details

Details for the file caerp_oidc_client-2026.0.0.tar.gz.

File metadata

  • Download URL: caerp_oidc_client-2026.0.0.tar.gz
  • Upload date:
  • Size: 22.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for caerp_oidc_client-2026.0.0.tar.gz
Algorithm Hash digest
SHA256 bd969e2588cf557a2ab1962bb943e75d7d8a0dbc62370d48cd71961d268527f4
MD5 b7933b67ec8901f49affdc0b22e25d25
BLAKE2b-256 edc99f3515a727a808c58e6ead32cdf5eac647c1befac9ab2bee6bad0d1a99cd

See more details on using hashes here.

File details

Details for the file caerp_oidc_client-2026.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for caerp_oidc_client-2026.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8d49a58d1f053c87b8f37ea444ff1dfcbb8afadbecb614cf3e0ab5104b0a73c0
MD5 0cc6cdce154dfede3130ab2b0a77e59c
BLAKE2b-256 7fee95fc0b082a3f6ba628c39cc19f083b05e9fef678f05abb2d46ac0ea97282

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page