.. _oidc:

**************
OpenID Connect
**************


Public test client credentials
==============================

The following credentials are available for development purpose only:

  - ``ACCESS_KEY=125070``
  - ``SECRET_KEY=f6ff8d394e6185d41834b19210979b897852680cf34700ae4ecb24ea``

This client is allowed to request any scope, the following URI are accepted as
``redirect_uri``:

  - http://localhost:8000/complete/epita/
  - http://localhost:8080/complete/epita/
  - http://127.0.0.1:8000/complete/epita/
  - http://127.0.0.1:8080/complete/epita/
  - http://[::1]:8000/complete/epita/
  - http://[::1]:8080/complete/epita/
  - https://localhost:8000/complete/epita/
  - https://localhost:8080/complete/epita/
  - https://127.0.0.1:8000/complete/epita/
  - https://127.0.0.1:8080/complete/epita/
  - https://[::1]:8000/complete/epita/
  - https://[::1]:8080/complete/epita/


Available scopes and claims
===========================

The CRI intranet OIDC provider give you access to the following claims, sorted
by scope:

  - **profile**

    - ``name``: the user full name as a string (example: "Xavier Loginard").
    - ``given_name``: the user first name, may be empty (example: "Xavier").
    - ``family_name``: the user last name (example: "Loginard").
    - ``preferred_username``: the user login (example: "xavier.loginard").
    - ``zoneinfo``: always "Europe/Paris".

  - **picture**

    - ``picture``: URI of the user picture, may be empty.
    - ``picture_square``: URI of the user picture as a square centered on the
      face, may be empty.
    - ``picture_thumb``: URI the user picture thumbnail, may be empty.

  - **email**

    - ``email``: the user EPITA mail address, may be empty (example:
      "xavier.loginard@epita.fr").
    - ``email_verified``: true when the email is set, false otherwise.

  - **phone**

    - ``phone_number``: the user mobile phone number, may be empty.
    - ``phone_number_verified``: always false since no phone verification is
      ever done.

  - **birthdate**

    - ``birthdate``: the user birthdate as a YYYY-MM-DD string, may be empty
      (example: "1884-01-01").

  - **legal_identity**

    - ``legal_first_name``: the user first as written on official documents,
      may be empty.
    - ``legal_last_name``: the user first as written on official documents, may
      be empty.

  - **epita**

    - ``uid``: the user ID, as an integer.
    - ``gid``: the user primary group ID, as an integer.
    - ``old_logins``: list of the user previous accounts username, in case of
      username update, as a list, may be empty.
    - ``new_login``: the user new account username, may be empty.
    - ``groups``: the list of groups the user is a member of, may be empty.
      Each group appears as a mapping containing the following fields :
      ``slug``, ``name``, ``gid``, ``kind``, ``private``.
    - ``campuses``: the list of the campuses of the user, may be empty. Each
      campus appears as the slug of the corresponding group.
    - ``graduation_years``: the list of graduation years (promo) associated
      with the user, may be empty.

  - **roles**

    - ``roles``: the list of the user roles as specified in the client
      configuration, may be empty.


This list is summarized in the tables below:

+--------------------+----------------+----------------+-----------------------+
| profile            | picture        | email          | phone                 |
+====================+================+================+=======================+
| name               | picture        | email          | phone_number          |
+--------------------+----------------+----------------+-----------------------+
| given_name         | picture_square | email_verified | phone_number_verified |
+--------------------+----------------+----------------+-----------------------+
| family_name        | picture_thumb  |                |                       |
+--------------------+----------------+----------------+-----------------------+
| preferred_username |                |                |                       |
+--------------------+----------------+----------------+-----------------------+
| picture            |                |                |                       |
+--------------------+----------------+----------------+-----------------------+
| zoneinfo           |                |                |                       |
+--------------------+----------------+----------------+-----------------------+

+-----------+------------------+------------------+------------------+
| birthdate | legal_identity   | epita            | roles            |
+===========+==================+==================+==================+
| birthdate | legal_first_name | uid              | roles            |
+-----------+------------------+------------------+------------------+
|           | legal_last_name  | gid              |                  |
+-----------+------------------+------------------+------------------+
|           |                  | groups           |                  |
+-----------+------------------+------------------+------------------+
|           |                  | campuses         |                  |
+-----------+------------------+------------------+------------------+
|           |                  | graduation_years |                  |
+-----------+------------------+------------------+------------------+

+------------------+
| related_accounts |
+==================+
| old_logins       |
+------------------+
| new_login        |
+------------------+