# `AshAuthentication.Strategy.Oidc`
[🔗](https://github.com/team-alembic/ash_authentication/blob/main/lib/ash_authentication/strategies/oidc.ex#L5)

Strategy for authentication using an [OpenID
Connect](https://openid.net/connect/) compatible server as the source of
truth.

This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).

In order to use OIDC you need to provide the following minimum configuration:

- `client_id` - The client id, required
- `site` - The OIDC issuer, required
- `openid_configuration_uri` - The URI for OpenID Provider, optional, defaults
  to `/.well-known/openid-configuration`
- `client_authentication_method` - The Client Authentication method to use,
  optional, defaults to `client_secret_basic`
- `client_secret` - The client secret, required if
  `:client_authentication_method` is `:client_secret_basic`,
  `:client_secret_post`, or `:client_secret_jwt`
- `openid_configuration` - The OpenID configuration, optional, the
  configuration will be fetched from `:openid_configuration_uri` if this is
  not defined
- `id_token_signed_response_alg` - The `id_token_signed_response_alg`
  parameter sent by the Client during Registration, defaults to `RS256`
- `id_token_ttl_seconds` - The number of seconds from `iat` that an ID Token
  will be considered valid, optional, defaults to nil
- `nonce` - The nonce to use for authorization request, optional, MUST be
  session based and unguessable.

## Nonce
`nonce` can be set in the provider config. The `nonce` will be returned in the
`session_params` along with `state`. You can use this to store the value in
the current session e.g. a httpOnly session cookie.

A random value generator can look like this:

```elixir
16
|> :crypto.strong_rand_bytes()
|> Base.encode64(padding: false)
```

AshAuthentication will dynamically generate one for the session if `nonce` is
set to `true`.

## More documentation:
- The [OAuth2 documentation](`AshAuthentication.Strategy.OAuth2`)

# `transform`

# `verify`

---

*Consult [api-reference.md](api-reference.md) for complete listing*