Anvil.Auth.OIDC behaviour (Anvil v0.1.1)


OIDC (OpenID Connect) authentication behaviour for Anvil.

Defines the interface for authenticating labelers via OIDC tokens issued by identity providers such as Auth0, Okta, Keycloak, or Google.

Implementations should verify JWT signatures, check expiration, validate issuer, and extract standard OIDC claims.

Summary

Callbacks

Authenticates a labeler using an OIDC token.

Verifies OIDC token and extracts claims.

Types

error_reason()

@type error_reason() ::
  :invalid_token | :expired_token | :invalid_issuer | :missing_claims

opts()

@type opts() :: keyword()

token()

@type token() :: String.t()

Callbacks

authenticate(token, opts)

@callback authenticate(token(), opts()) ::
  {:ok, Anvil.Auth.OIDC.Labeler.t()} | {:error, error_reason()}

Authenticates a labeler using an OIDC token.

Returns the labeler identity with external_id, email, tenant_id, and the default role. Implements just-in-time provisioning: the labeler is created on first login.

Options

  • :tenant_id - Override the tenant_id taken from the token claims
  • :role - Override the default role (:labeler)

verify_token(token)

@callback verify_token(token()) :: {:ok, map()} | {:error, error_reason()}

Verifies OIDC token and extracts claims.

Should verify:

  • JWT signature using provider's public key
  • Token expiration (exp claim)
  • Issuer matches expected value (iss claim)
  • Audience matches client ID (aud claim)
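One way to implement these checks, as an added example using the jose library (a hypothetical MyApp module, not Anvil's own code; the JWK, issuer and client ID are assumed to come from this app's :oidc config). It covers verify_token only; the signature check pins the allowed algorithm so an attacker-controlled alg header cannot downgrade verification:

```elixir
defmodule MyApp.Auth.OIDC.Jose do
  # Hypothetical Anvil.Auth.OIDC implementation built on the `jose` library.
  # Assumed config: the provider's JWK (from its JWKS endpoint), issuer and
  # client ID live under the :oidc key of this app's config.
  @behaviour Anvil.Auth.OIDC

  @impl true
  def verify_token(token) when is_binary(token) do
    # verify_strict/3 only accepts the listed algorithms, so "none" or an
    # HMAC-with-public-key trick is rejected before any claim is trusted.
    with {true, %JOSE.JWT{fields: claims}, _jws} <-
           JOSE.JWT.verify_strict(JOSE.JWK.from_map(cfg(:jwk)), ["RS256"], token),
         :ok <- check_exp(claims),
         :ok <- check_iss(claims),
         :ok <- check_aud(claims),
         :ok <- check_required(claims) do
      {:ok, claims}
    else
      {false, _jwt, _jws} -> {:error, :invalid_token}
      {:error, reason} -> {:error, reason}
    end
  rescue
    # A malformed compact JWS (wrong part count, bad base64url) raises in jose.
    _ -> {:error, :invalid_token}
  end

  # exp is a NumericDate (seconds since the epoch); a missing exp is rejected.
  defp check_exp(%{"exp" => exp}) when is_integer(exp) do
    if exp > System.system_time(:second), do: :ok, else: {:error, :expired_token}
  end
  defp check_exp(_), do: {:error, :missing_claims}

  defp check_iss(%{"iss" => iss}) do
    if iss == cfg(:issuer), do: :ok, else: {:error, :invalid_issuer}
  end
  defp check_iss(_), do: {:error, :missing_claims}

  # aud may be a string or a list; the client ID must appear in it. The
  # behaviour defines no :invalid_audience reason, so mismatch maps to :invalid_token.
  defp check_aud(%{"aud" => aud}) do
    if cfg(:client_id) in List.wrap(aud), do: :ok, else: {:error, :invalid_token}
  end
  defp check_aud(_), do: {:error, :missing_claims}

  # sub is the stable subject identifier that becomes the labeler's external_id.
  defp check_required(%{"sub" => _}), do: :ok
  defp check_required(_), do: {:error, :missing_claims}

  defp cfg(key), do: Application.fetch_env!(:my_app, :oidc) |> Keyword.fetch!(key)
end
```

The JWK should be refreshed from the provider's JWKS endpoint on key rotation rather than hard-coded for the life of the process.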