meet/docs/features/authentication.md
lebaudantoine 7f8fad42cb 📝(docs) document authentication configuration and supported methods
Expand authentication documentation to clarify supported authentication
mechanisms and their configuration nuances, helping administrators
understand different authentication flows and choose appropriate methods
for their deployment security requirements.
2025-10-06 13:08:46 +02:00


# Authentication (OIDC)

La Suite Meet supports OIDC authentication using the Authorization Code Flow. Authentication relies on django-lasuite for OIDC integration, token validation, and user management.

## OIDC Configuration

| Option | Description | Default |
|---|---|---|
| **Client Settings** | | |
| `OIDC_RP_CLIENT_ID` | OIDC client identifier registered with your provider | `meet` |
| `OIDC_RP_CLIENT_SECRET` | OIDC client secret (keep confidential) | |
| `OIDC_CREATE_USER` | Automatically create a local user if none exists | `true` |
| **Security & Verification** | | |
| `OIDC_VERIFY_SSL` | Verify SSL certificates when contacting the OIDC provider | `true` |
| `OIDC_USE_NONCE` | Use a nonce to prevent replay attacks | `true` |
| `OIDC_STORE_ID_TOKEN` | Store the ID token returned by the OIDC provider (useful for backend validation) | `true` |
| `OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION` | Fall back to identifying users by email if the `sub` claim does not match. Enable only if emails are unique. | `false` |
| **Endpoints** | | |
| `OIDC_OP_JWKS_ENDPOINT` | URL to retrieve JSON Web Key Sets (for token verification) | |
| `OIDC_OP_AUTHORIZATION_ENDPOINT` | URL for authorization requests | |
| `OIDC_OP_TOKEN_ENDPOINT` | URL to exchange the authorization code for tokens | |
| `OIDC_OP_USER_ENDPOINT` | URL to fetch user information | |
| `OIDC_OP_USER_ENDPOINT_FORMAT` | Format of the user endpoint response. Options: `AUTO` (detect automatically), `JWT`, or `JSON` | `AUTO` |
| `OIDC_OP_LOGOUT_ENDPOINT` | URL for logout requests | |
| **User Info Mapping** | | |
| `OIDC_USERINFO_FULLNAME_FIELDS` | List of OIDC claims used to build the user's full name | `["given_name", "usual_name"]` |
| `OIDC_USERINFO_SHORTNAME_FIELD` | OIDC claim used for the user's short name | `given_name` |
| `OIDC_USERINFO_ESSENTIAL_CLAIMS` | List of essential claims required from the provider | `[]` |
| **Redirects & Scopes** | | |
| `OIDC_REDIRECT_REQUIRE_HTTPS` | Require HTTPS for OIDC redirect URIs (recommended in production) | `false` |
| `OIDC_REDIRECT_ALLOWED_HOSTS` | Allowed hosts for OIDC redirects | `[]` |
| `OIDC_REDIRECT_FIELD_NAME` | Query parameter name used for the redirect after login | `returnTo` |
| `OIDC_RP_SCOPES` | Scopes to request during authentication | `openid email` |
| `LOGIN_REDIRECT_URL` | URL to redirect to after successful login | |
| `LOGIN_REDIRECT_URL_FAILURE` | URL to redirect to after failed login | |
| `LOGOUT_REDIRECT_URL` | URL to redirect to after logout | |
| `ALLOW_LOGOUT_GET_METHOD` | Allow logout through HTTP GET (POST is recommended for security) | `true` |
| `OIDC_AUTH_REQUEST_EXTRA_PARAMS` | Extra parameters to include in OIDC authentication requests | `{}` |
| **PKCE (Proof Key for Code Exchange)** | | |
| `OIDC_USE_PKCE` | Enable PKCE for enhanced security (recommended) | `false` |
| `OIDC_PKCE_CODE_CHALLENGE_METHOD` | Method used to generate the PKCE code challenge (`S256` recommended) | `S256` |
| `OIDC_PKCE_CODE_VERIFIER_SIZE` | Length of the random string used as the PKCE code verifier (43-128 characters) | `64` |
| **Other** | | |
| `FRONTEND_IS_SILENT_LOGIN_ENABLED` | Silent login allows La Suite Meet to authenticate users automatically without showing a login prompt, providing a seamless experience when an active session already exists with the OIDC provider. It works by replaying the authentication request with `prompt=none`: if the user has a valid session, login succeeds silently; otherwise, it fails gracefully and redirects the user to the initial page. Silent login is optional and enabled by default in standard deployments. The app retries silent login after any 401 response, with at least a 30-second interval between attempts (not configurable via environment variables). Controlled by the backend parameter. /!\ Your OIDC provider must support `prompt=none`. | `false` |
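The three PKCE rows above map onto one small piece of protocol logic: the client keeps a random code verifier of `OIDC_PKCE_CODE_VERIFIER_SIZE` characters, sends its `S256` challenge with the authorization request, and the provider recomputes the challenge from the verifier presented at the token endpoint. The following is an added illustration written for this page, not code from La Suite Meet or django-lasuite; the function names are assumptions, and the size bounds come from RFC 7636.

```python
"""Hypothetical PKCE helper mirroring the OIDC_PKCE_* settings (illustration only)."""
import base64
import hashlib
import secrets

# RFC 7636 bounds for the code verifier, matching the 43-128 range in the table.
VERIFIER_MIN, VERIFIER_MAX = 43, 128


def make_code_verifier(size: int = 64) -> str:
    """Return a random URL-safe code verifier of exactly `size` characters
    (the role of OIDC_PKCE_CODE_VERIFIER_SIZE, whose default is 64)."""
    if not VERIFIER_MIN <= size <= VERIFIER_MAX:
        raise ValueError(f"verifier size must be {VERIFIER_MIN}-{VERIFIER_MAX}, got {size}")
    # token_urlsafe(n) yields roughly 4n/3 unreserved characters; truncate to `size`.
    return secrets.token_urlsafe(size)[:size]


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the challenge sent with the authorization request
    (the role of OIDC_PKCE_CODE_CHALLENGE_METHOD)."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":  # permitted by the RFC but gives no protection if the request leaks
        return verifier
    raise ValueError(f"unsupported challenge method: {method}")


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Provider-side check at the token endpoint: recompute the challenge from the
    verifier that accompanies the authorization code and compare in constant time."""
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return secrets.compare_digest(expected, challenge)
```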

## Sessions

- After login, users receive a Django session cookie to maintain authentication across requests.
- The default session duration is 12 hours (`SESSION_COOKIE_AGE = 60 * 60 * 12`).
- Ensure your session policy matches your security requirements.