Strategy for authenticating against arbitrary OpenID Connect providers whose configuration lives in a database table rather than in your application's compile-time DSL.
This is the building block for B2B/multi-tenant SSO patterns: each row in
your OidcConnection resource is one customer's IdP configuration
(base_url, client_id, client_secret, plus optional UI metadata).
At sign-in time the strategy queries the resource — typically scoped by
the current Ash tenant — and runs the standard OIDC flow against the
matched row.
Setup
First, define a connection resource using
AshAuthentication.OidcConnection:
defmodule MyApp.Accounts.OidcConnection do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.OidcConnection],
domain: MyApp.Accounts
oidc_connection do
domain MyApp.Accounts
end
postgres do
table "oidc_connections"
repo MyApp.Repo
end
endThen add the strategy to your user resource:
authentication do
strategies do
dynamic_oidc :sso do
connection_resource MyApp.Accounts.OidcConnection
identity_resource MyApp.Accounts.UserIdentity
redirect_uri MyApp.Secrets
end
end
endURL shape
The strategy generates two routes:
GET /<subject>/<strategy_name>/:connection_id/request— initiate sign-in for a specific connection (the user/UI is responsible for knowing which connection_id to send to).GET /<subject>/<strategy_name>/callback— single, shared callback URL. Each customer's IdP admin only ever needs to register this URL as their redirect URI. The connection_id is remembered between request and callback via the user's session.
Tenant context
If your connection resource is multitenant, the strategy will scope the
lookup using the tenant set on the conn (Ash.PlugHelpers.set_tenant/2).
Set the tenant upstream of the auth router — typically in a Phoenix
plug that maps subdomain or header to your tenant. If no tenant is set
and the resource is multitenant, the lookup will fail.
Non-multitenant connection resources are also supported — the strategy simply queries globally.
More documentation
AshAuthentication.OidcConnection— the resource extension this strategy depends on.AshAuthentication.Strategy.Oidc— the underlying compile-time OIDC strategy. The runtime behaviour is identical aside from where the config comes from.
authentication.strategies.dynamic_oidc
dynamic_oidc name \\ :dynamic_oidcAn OpenID Connect strategy whose connection details (base_url,
client_id, client_secret) are loaded at request time from a
database resource extended with AshAuthentication.OidcConnection.
This is the building block for data-driven multi-tenant SSO: each row
in the connection resource is one customer's IdP configuration, and
the strategy looks up the right row based on the request path
(:connection_id segment) plus the current Ash tenant.
More documentation:
AshAuthentication.OidcConnection— the resource extension this strategy depends onAshAuthentication.Strategy.Oidc— the underlying compile-time OIDC strategy
Arguments
| Name | Type | Default | Docs |
|---|---|---|---|
name | atom | Uniquely identifies the strategy. |
Options
| Name | Type | Default | Docs |
|---|---|---|---|
redirect_uri | (any, any -> any) | module | String.t | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your AuthPlug. Takes either a module which implements the AshAuthentication.Secret behaviour, a 2 arity anonymous function or a string. | |
connection_resource | module | The Ash resource (extended with AshAuthentication.OidcConnection) that stores per-tenant OIDC client configuration. | |
site | (any, any -> any) | module | String.t | Deprecated: Use base_url instead. | |
prevent_hijacking? | boolean | true | Requires a confirmation add_on to be present if the password strategy is used with the same identity_field. |
auth_method | nil | :client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt | :client_secret_post | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. |
trusted_audiences | (any, any -> any) | module | list(any) | nil | A list of audiences which are trusted. Takes either a module which implements the AshAuthentication.Secret behaviour, a 2 arity anonymous function or a string. | |
code_verifier | boolean | false | Boolean to generate and use a random 128 byte long url safe code verifier for PKCE flow, optional, defaults to false. When set to true the session params will contain :code_verifier, :code_challenge, and :code_challenge_method params |
registration_enabled? | boolean | true | If enabled, new users will be able to register for your site when authenticating and not already present. If not, only existing users will be able to authenticate. |
register_action_name | atom | The name of the action to use to register a user, if registration_enabled? is true. Defaults to register_with_<name> See the "Registration and Sign-in" section of the strategy docs for more. | |
sign_in_action_name | atom | The name of the action to use to sign in an existing user, if sign_in_enabled? is true. Defaults to sign_in_with_<strategy>, which is generated for you by default. See the "Registration and Sign-in" section of the strategy docs for more information. | |
identity_resource | module | false | false | The resource used to store user identities, or false to disable. See the User Identities section of the strategy docs for more. |
identity_relationship_name | atom | :identities | Name of the relationship to the provider identities resource |
identity_relationship_user_id_attribute | atom | :user_id | The name of the destination (user_id) attribute on your provider identity resource. Only necessary if you've changed the user_id_attribute_name option of the provider identity. |
openid_configuration_uri | (any, any -> any) | module | String.t | "/.well-known/openid-configuration" | The URI for the OpenID provider |
client_authentication_method | "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | "client_secret_basic" | The client authentication method to use. |
openid_configuration | nil | %{optional(String.t) => any} | The OpenID configuration. If not set, the configuration will be retrieved from openid_configuration_uri. | |
id_token_signed_response_alg | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "Ed25519" | "Ed25519ph" | "Ed448" | "Ed448ph" | "EdDSA" | "RS256" | The id_token_signed_response_alg parameter sent by the Client during Registration. |
id_token_ttl_seconds | nil | pos_integer | The number of seconds from iat that an ID Token will be considered valid. | |
nonce | boolean | (any, any -> any) | module | String.t | true | A function for generating the session nonce, true to automatically generate it with AshAuthentication.Strategy.Oidc.NonceGenerator, or false to disable. |
authorization_params | (any, any -> any) | module | keyword | nil | [scope: "profile email"] | Any additional parameters to encode in the request phase. eg: authorization_params scope: "openid profile email" |