OIDC
Forge ID is the service currently used to authenticate users on the Forge. It provides single sign-on for all Forge services and is based on the OpenID Connect protocol.
OpenID Connect is available to everyone. A public test client is provided below; if you wish to integrate Forge ID into your own application, request a dedicated client through the Forge contact.
Please note that we may not grant you access to all the scopes and claims listed below. To preserve the privacy of our users, we may ask you to justify why you need a given scope or claim.
We reserve the right to refuse access to a scope or claim if we deem it unnecessary for your application to work.
We also reserve the right to revoke your access to Forge ID if we deem that your application does not respect the privacy of our users.
Public test client
The public test client can be used with the following credentials:
- Client ID: 125070
- Secret key: f6ff8d394e6185d41834b19210979b897852680cf34700ae4ecb24ea
Because this secret is published, it authenticates nothing: treat the test client as a public client, use it only for local development, and request your own client before going to production.
The OIDC discovery document can be found at the following URL: https://cri.epita.fr/.well-known/openid-configuration
This test client accepts the following redirect URIs. Make sure the redirect URI you use appears in this list; the match is exact, so scheme, host, port and trailing slash all matter:
http://localhost/accounts/complete/epita/
http://localhost/complete/epita/
http://localhost/login/oauth2/code/epita
http://localhost:8000/accounts/complete/epita/
http://localhost:8000/complete/epita/
http://localhost:8000/login/oauth2/code/epita
http://localhost:8080/accounts/complete/epita/
http://localhost:8080/complete/epita/
http://localhost:8080/login/oauth2/code/epita
http://127.0.0.1:8000/accounts/complete/epita/
http://127.0.0.1:8000/complete/epita/
http://127.0.0.1:8000/login/oauth2/code/epita
http://127.0.0.1:8080/accounts/complete/epita/
http://127.0.0.1:8080/complete/epita/
http://127.0.0.1:8080/login/oauth2/code/epita
http://[::1]:8000/complete/epita/
http://[::1]:8080/complete/epita/
https://localhost:8000/complete/epita/
https://localhost:8080/complete/epita/
https://127.0.0.1:8000/complete/epita/
https://127.0.0.1:8080/complete/epita/
https://[::1]:8000/complete/epita/
https://[::1]:8080/complete/epita/
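The following is an added example, not code from the Forge ID documentation, showing how a relying party prepares an authorization request against the test client above and what it must check when the browser comes back. The client ID and redirect URIs are the test client's from this page; `DISCOVERY` is a constructed stand-in for the document served at https://cri.epita.fr/.well-known/openid-configuration (its endpoint paths are assumptions) so that the block runs offline. The ID-token checks assume the signature has already been verified against the provider's `jwks_uri` by a JOSE library.

```python
"""Authorization request and callback checks against the Forge ID test client.

Added example, not code from the Forge ID documentation. DISCOVERY is a
constructed stand-in for https://cri.epita.fr/.well-known/openid-configuration
(the endpoint paths are assumptions) so the block runs offline; the client ID
and redirect URIs are the public test client's from the page.
"""
import base64
import hashlib
import secrets
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "125070"

# Subset of the redirect URIs registered for the test client (from the page).
REGISTERED_REDIRECT_URIS = frozenset({
    "http://localhost:8000/complete/epita/",
    "http://localhost:8000/login/oauth2/code/epita",
    "http://127.0.0.1:8000/complete/epita/",
    "https://localhost:8080/complete/epita/",
})

# Constructed discovery document; real values come from the .well-known URL.
DISCOVERY = {
    "issuer": "https://cri.epita.fr",
    "authorization_endpoint": "https://cri.epita.fr/authorize",  # assumption
    "token_endpoint": "https://cri.epita.fr/token",              # assumption
    "jwks_uri": "https://cri.epita.fr/jwks",                     # assumption
}


def code_challenge(verifier: str) -> str:
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redirect_uri_is_registered(uri: str) -> bool:
    # OIDC requires an exact string match: "localhost" and "127.0.0.1" are
    # different URIs, and so is the same path without its trailing slash.
    return uri in REGISTERED_REDIRECT_URIS


def build_authorization_url(redirect_uri: str, scopes: List[str], state: str,
                            nonce: str, verifier: str, discovery: dict = DISCOVERY) -> str:
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError(f"redirect URI not registered for this client: {redirect_uri}")
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for an OIDC request")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                   # binds the callback to this browser session
        "nonce": nonce,                   # must come back inside the ID token
        # The published secret authenticates nothing; PKCE still ties the
        # code to the party that started this request.
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing callbacks whose state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]


def id_token_problems(claims: dict, expected_nonce: str, now: Optional[float] = None,
                      discovery: dict = DISCOVERY) -> List[str]:
    """Claim checks on an ID token whose signature was already verified via jwks_uri.

    Returns an empty list when the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        problems.append("audience does not include this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


if __name__ == "__main__":
    state, nonce, verifier = (secrets.token_urlsafe(32) for _ in range(3))
    print(build_authorization_url("http://localhost:8000/complete/epita/",
                                  ["openid", "profile", "email"], state, nonce, verifier))
```

Keep `state`, `nonce` and the PKCE verifier in the server-side session between the two legs; the verifier is sent to the token endpoint with the code, the other two are only compared.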
Scopes and claims
The Forge ID OIDC provider exposes the following claims, grouped by scope:
Summary
Scope | Claim | Type | May be empty
---|---|---|---
profile | name | string | ❌
profile | given_name | string | ✅
profile | family_name | string | ❌
profile | preferred_username | string | ❌
profile | zoneinfo | string | ❌
email | email | string | ✅
email | email_verified | boolean | ❌
phone | phone_number | string | ✅
phone | phone_number_verified | boolean | ❌
birthdate | birthdate | string | ✅
legal_identity | legal_first_name | string | ✅
legal_identity | legal_last_name | string | ✅
epita | uid | integer | ❌
epita | gid | integer | ❌
epita | groups | list | ✅
epita | campuses | list | ✅
epita | graduation_years | list | ✅
roles | roles | list | ✅
related_accounts | old_logins | list | ✅
related_accounts | new_login | list | ✅
profile scope

name
: the user's full name, as a string (example: "Xavier Loginard").

given_name
: the user's first name, may be empty (example: "Xavier").

family_name
: the user's last name (example: "Loginard").

preferred_username
: the user's login (example: "xavier.loginard").

zoneinfo
: always "Europe/Paris".
picture scope

Users can now choose whether to show their picture publicly, internally or not at all.
Hence, we do not give access to the user's picture if the user has not allowed it.
As a consequence, maintaining the picture scope is not a priority for us, even for public pictures.
Please note that if you were using this scope, its claims will either be empty or contain unusable data.
email scope

email
: the user's EPITA email address, may be empty (example: "xavier.loginard@epita.fr").

email_verified
: true when the email is set, false otherwise.
phone scope

phone_number
: the user's mobile phone number, may be empty.

phone_number_verified
: always false, since no phone verification is currently done.
birthdate scope

birthdate
: the user's birthdate as a YYYY-MM-DD string, may be empty (example: "1884-01-01").
legal_identity scope

legal_first_name
: the user's first name as written on official documents, may be empty.

legal_last_name
: the user's last name as written on official documents, may be empty.
epita scope

Note that the groups claim is a list of groups the user is a member of, where each group is represented as an object (mapping, described below) instead of a string.

uid
: the user's ID, as an integer.

gid
: the user's primary group ID, as an integer.

groups
: the list of groups the user is a member of, may be empty. Each group appears as a mapping containing the following fields:
  - slug
  - name
  - gid
  - kind
  - private

campuses
: the list of the user's campuses, may be empty. Each campus appears as the slug of the corresponding group.

graduation_years
: the list of graduation years (promo) associated with the user, may be empty.
roles scope

roles
: the list of the user's roles as specified in the client configuration, may be empty.
related_accounts scope

old_logins
: the usernames of the user's previous accounts, in case of a username update, as a list, may be empty.

new_login
: the username of the user's new account, may be empty.
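The following is an added example, not code from the Forge ID documentation, showing how an application consumes the claims described in the epita, email, profile and related_accounts sections above: string claims that may be empty are treated as absent, the email is only trusted when email_verified is true, groups are read as mappings rather than strings, and the local account is keyed on the stable integer uid so that a login change (surfaced through old_logins) does not create a duplicate or let one user be merged into another. `SAMPLE_CLAIMS` and `RENAMED_CLAIMS` are constructed from the scope/claim table (the `kind` values are assumptions); `LocalUser` and `UserStore` are assumptions standing in for the application's own user model and database.

```python
"""Consuming Forge ID userinfo claims in an application.

Added example, not code from the Forge ID documentation. SAMPLE_CLAIMS and
RENAMED_CLAIMS are constructed to follow the scope/claim table on the page
(the `kind` values are assumptions); LocalUser and UserStore stand in for the
application's own user model and database.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CLAIMS = {  # constructed: profile, email, epita, roles, related_accounts scopes
    "uid": 42, "gid": 1000,
    "name": "Xavier Loginard", "given_name": "", "family_name": "Loginard",
    "preferred_username": "xavier.loginard", "zoneinfo": "Europe/Paris",
    "email": "xavier.loginard@epita.fr", "email_verified": True,
    "groups": [
        {"slug": "students", "name": "Students", "gid": 1000, "kind": "group", "private": False},
        {"slug": "paris", "name": "Paris", "gid": 2000, "kind": "campus", "private": False},
        {"slug": "hidden-club", "name": "Hidden club", "gid": 3000, "kind": "group", "private": True},
    ],
    "campuses": ["paris"], "graduation_years": [2026], "roles": ["member"],
    "old_logins": [], "new_login": [],
}
# The same person after a login change on the Forge (constructed).
RENAMED_CLAIMS = {**SAMPLE_CLAIMS, "preferred_username": "xavier.loginard2",
                  "old_logins": ["xavier.loginard"]}


@dataclass
class LocalUser:
    forge_uid: Optional[int]   # None for accounts created before the uid was recorded
    login: str
    email: Optional[str] = None
    display_name: str = ""
    group_slugs: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)


class UserStore:
    """In-memory stand-in for the application database (assumption), keyed by login."""
    def __init__(self) -> None:
        self.by_login: Dict[str, LocalUser] = {}

    def find_by_uid(self, uid: int) -> Optional[LocalUser]:
        return next((u for u in self.by_login.values() if u.forge_uid == uid), None)

    def rename(self, user: LocalUser, new_login: str) -> None:
        del self.by_login[user.login]
        user.login = new_login
        self.by_login[new_login] = user


def _nonempty(value) -> Optional[str]:
    """Several string claims may legitimately be "", which must be treated as absent."""
    return value if isinstance(value, str) and value.strip() else None


def display_name_from(claims: dict) -> str:
    # name and family_name are never empty per the table; given_name may be.
    given = _nonempty(claims.get("given_name"))
    fallback = f"{given} {claims['family_name']}" if given else claims["family_name"]
    return _nonempty(claims.get("name")) or fallback


def verified_email(claims: dict) -> Optional[str]:
    # email may be empty and email_verified is false in that case: only a
    # verified, non-empty address should drive mail delivery or account matching.
    return _nonempty(claims.get("email")) if claims.get("email_verified") is True else None


def group_slugs(claims: dict, include_private: bool = False) -> List[str]:
    """groups is a list of mappings (slug, name, gid, kind, private), not of strings."""
    slugs = []
    for group in claims.get("groups") or []:
        if not isinstance(group, dict) or "slug" not in group:
            raise TypeError(f"unexpected group entry: {group!r}")
        if group.get("private") and not include_private:
            continue  # do not leak private memberships into the application
        slugs.append(group["slug"])
    return slugs


def link_account(claims: dict, store: UserStore) -> LocalUser:
    """Map claims to a local account keyed on the stable integer uid.

    preferred_username can change; old_logins (related_accounts scope) lets a
    renamed or legacy login-keyed account be migrated instead of duplicated."""
    uid = int(claims["uid"])
    login = claims["preferred_username"]
    user = store.find_by_uid(uid)
    if user is None:
        for candidate in [login, *(claims.get("old_logins") or [])]:
            found = store.by_login.get(candidate)
            # Never merge into an account already bound to a different uid.
            if found is not None and found.forge_uid in (None, uid):
                found.forge_uid = uid
                user = found
                break
    if user is None:
        if login in store.by_login:
            raise ValueError(f"login {login!r} is already bound to another Forge uid")
        user = LocalUser(forge_uid=uid, login=login)
        store.by_login[login] = user
    elif user.login != login:
        store.rename(user, login)
    user.email = verified_email(claims)
    user.display_name = display_name_from(claims)
    user.group_slugs = group_slugs(claims)
    user.roles = list(claims.get("roles") or [])
    return user
```

The uid lookup runs first so a renamed user keeps their account; the login fallback only adopts accounts that have no uid yet, which is what stops an attacker who lists someone else's login in their own old_logins from taking that account over.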