mix ash_authentication_oauth2_server.install (ash_authentication_oauth2_server v0.1.0)


Scaffolds an OAuth 2.1 authorization server

Scaffolds:

  • Four resources in the configured Ash domain — OauthClient, OauthAuthorizationCode, OauthRefreshToken, OauthConsent.
  • An Oauth2Server config module that pulls them together.
  • Three secret_for/4 clauses on the user's Secrets module (:issuer_url, :resource_url, :signing_secret) that read from application env, so prod overrides go in config/runtime.exs.
  • Localhost defaults in config/dev.exs for development.

After install, run mix ash.codegen --name add_oauth2_server to generate migrations for the new resources, then mix ecto.migrate.

The router macros are NOT auto-mounted. Add use AshAuthentication.Phoenix.Oauth2Server.Router to your Phoenix router and add the scopes by hand, since different apps want different paths and pipelines:

use AshAuthentication.Phoenix.Oauth2Server.Router

scope "/" do
  pipe_through :browser
  oauth2_server_consent_routes oauth2_server: MyApp.Oauth2Server
end

scope "/" do
  pipe_through :api
  oauth2_server_protocol_routes oauth2_server: MyApp.Oauth2Server
end

Then mount AshAuthentication.Phoenix.Oauth2Server.BearerPlug on whatever resource you want OAuth-protected.

Production config

The dev URLs written to config/dev.exs are placeholders. For prod, set the real values in config/runtime.exs:

config :my_app,
  oauth2_issuer_url: System.get_env("OAUTH2_ISSUER_URL"),
  oauth2_resource_url: System.get_env("OAUTH2_RESOURCE_URL"),
  oauth2_signing_secret: System.get_env("OAUTH2_SIGNING_SECRET")

oauth2_resource_url is the URL at which clients reach your protected resource. It is bound to the access token's aud claim, so a token minted for one resource URL is not accepted at another.
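A stricter variant of that config/runtime.exs block, added here as an example rather than the installer's scaffold: System.get_env/1 returns nil for an unset variable and the app would boot with a nil signing secret, whereas System.fetch_env!/1 raises at startup. The 32-byte minimum is an assumed local policy, not a requirement of the library.

```elixir
# config/runtime.exs (added example, not the installer's output).
import Config

if config_env() == :prod do
  # Raises at boot if the variable is missing, instead of storing nil.
  signing_secret = System.fetch_env!("OAUTH2_SIGNING_SECRET")

  # Assumed local policy: refuse obviously short secrets before any token
  # is signed with them.
  if byte_size(signing_secret) < 32 do
    raise "OAUTH2_SIGNING_SECRET must be at least 32 bytes"
  end

  config :my_app,
    oauth2_issuer_url: System.fetch_env!("OAUTH2_ISSUER_URL"),
    oauth2_resource_url: System.fetch_env!("OAUTH2_RESOURCE_URL"),
    oauth2_signing_secret: signing_secret
end
```

The dev-only defaults the installer writes to config/dev.exs stay untouched, since this block only runs when config_env() is :prod.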

Example

mix ash_authentication_oauth2_server.install

Options

  • --accounts, -a — Domain. Default: MyApp.Accounts.
  • --user, -u — User resource. Default: <Accounts>.User.
  • --server-module, -s — Where to put the Oauth2Server module. Default: MyApp.Oauth2Server.
  • --secrets-module — Module implementing AshAuthentication.Secret. Default: MyApp.Secrets.
  • --issuer-url — Issuer URL written to config/dev.exs. Default: http://localhost:4000.
  • --resource-url — Resource URL written to config/dev.exs. Default: same as --issuer-url.
  • --scope — Scope advertised in metadata. Default: example.scope (a placeholder to replace with whatever your protected resource actually uses).

Summary

Functions

igniter(igniter)

Callback implementation for Igniter.Mix.Task.igniter/1.