Skip to main content

OpenID Connect client for CAERP

Project description

Pyramid Oidc client library for caerp

python setup.py install

Add a client in your OpenId Authentication (e.g: Keycloak)

To configure your open id connect client in a SSO server like Keycloak.

Host : https://caerp.mycae.coop

Important Create a custom realm (don't use the master realm, you'll face serious security problems : all users would have admin rights on Keycloak)

Add a client

For security reasons, always use HTTPS protocol in URLs. Certificates must be provided by well known authorities.

The REQUESTS_CA_BUNDLE environment variable may be used to specify your custom trusted certificates.

Retrieve the client secret

In the "Credentials" section of the keycloak client view, retrieve the client's secret (you need it to configure caerp)

Configure your client : caerp

In your caerp application's ini file

pyramid.includes = ...
                   caerp_oidc_client.models

Later in the same ini file

caerp.authentification_module=caerp_oidc_client

oidc.client_secret=<Secret token from the OIDC server>
oidc.client_id=caerp_client_id
oidc.scope=openid roles
oidc.auth_endpoint_url=<Keycloak auth endpoint url>
oidc.token_endpoint_url=<Keycloak id token endpoint url>
oidc.logout_endpoint_url=<Keycloak logout endpoint url>

JWKS Token validation

Due to backward compatibility, by default, caerp_oidc_client doesn't validate the JWT token using the JWKS encryption data.

JWKS validation is highly recommended and is mandatory for obvious security reasons when the JWT token is transmitted by a third_party (for example frontend or api gateway).

To configure JWKS Token validation, add the following lines :

oidc.jwks_service=caerp_oidc_client.services.JWKSService
oidc.jwks_endpoint_url=<Keycloak jwks endpoint url>
oidc.token_signature_algorithms=<use one of HS256 HS384 HS512 RS256 RS384 RS512>

Keycloak's url are in the form

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/auth

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/token

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/logout

https://keycloak/realms/**my custom realm name**/protocol/openid-connect/certs

Some advices for security

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

caerp_oidc_client-2026.0.1.tar.gz (22.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

caerp_oidc_client-2026.0.1-py3-none-any.whl (21.5 kB view details)

Uploaded Python 3

File details

Details for the file caerp_oidc_client-2026.0.1.tar.gz.

File metadata

  • Download URL: caerp_oidc_client-2026.0.1.tar.gz
  • Upload date:
  • Size: 22.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for caerp_oidc_client-2026.0.1.tar.gz
Algorithm Hash digest
SHA256 4262e461b3fa8405bb863adb73865b23a820c05f360fd936a0d3a9154e352302
MD5 5e76fd4b099374d0377c33ec6fe20ffe
BLAKE2b-256 ac2ad68e5579f60abc52266f7da5abc23195def2e645d8de5a3f0f1107e04121

See more details on using hashes here.

File details

Details for the file caerp_oidc_client-2026.0.1-py3-none-any.whl.

File metadata

File hashes

Hashes for caerp_oidc_client-2026.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 34720d56db9ee452ffae30bf7f46393e06b993b4e386037ce7b02ce3d02b0b62
MD5 eb954c93eaa9c2c58c48a62e5d04be2a
BLAKE2b-256 9a38be44772a3486ead5c522f4c771a9a5ec902b30cfa380fdb337cb7eece817

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page