Assent v0.1.4 Assent.Strategy.OIDC

OpenID Connect strategy.

This is built upon the Assent.Strategy.OAuth2 strategy with added OpenID Connect capabilities.
Configuration

- :client_id - The client id, required
- :site - The OIDC issuer, required
- :openid_configuration_uri - The URI for the OpenID Provider configuration, optional, defaults to /.well-known/openid-configuration
- :client_authentication_method - The client authentication method to use, optional, defaults to client_secret_basic
- :openid_configuration - The OpenID configuration, optional; if not defined, the configuration will be fetched from :openid_configuration_uri
- :id_token_ttl_seconds - The number of seconds from iat that an ID Token will be considered valid, optional, defaults to nil

See Assent.Strategy.OAuth2 for more configuration options.
Usage

    config = [
      client_id: "REPLACE_WITH_CLIENT_ID",
      site: "https://server.example.com",
      authorization_params: [scope: "user:read user:write"]
    ]

    # Request phase: build the authorization URL and keep session_params for the callback
    {:ok, %{url: url, session_params: session_params}} =
      config
      |> Assent.Config.put(:redirect_uri, "http://localhost:4000/auth/callback")
      |> Assent.Strategy.OIDC.authorize_url()

    # Callback phase: hand back the stored session_params together with the callback params
    {:ok, %{user: user, token: token}} =
      config
      |> Assent.Config.put(:session_params, session_params)
      |> Assent.Strategy.OIDC.callback(params)
Summary

Functions

authorize_url(config) - Generates an authorization URL for the request phase.

callback(config, params) - Callback phase for generating an access token and fetching user data.
Functions

authorize_url(config)

Generates an authorization URL for the request phase.

The authorization URL will be fetched from the OpenID configuration URI. The openid scope will automatically be added to the :scope in :authorization_params.

Add :nonce to the config to pass it with the authorization request. The nonce will be returned in :session_params. The nonce MUST be session based and unguessable. A cryptographic hash of a cryptographically random value could be stored in an HttpOnly session cookie.

See Assent.Strategy.OAuth2.authorize_url/1 for more.
callback(config, params)

Callback phase for generating an access token and fetching user data.

The token URL will be fetched from the OpenID configuration URI.

If the returned ID Token is signed with a symmetric key, :client_secret will be required and used to verify the ID Token. If it was signed with a private key, the appropriate public key will be fetched from the jwks_uri setting in the OpenID configuration to verify the ID Token.

The userinfo will be fetched from the userinfo_endpoint if it exists in the OpenID configuration; otherwise the claims in the ID Token are used.

The ID Token will be validated per OpenID Connect Core 1.0 rules.

See Assent.Strategy.OAuth2.callback/3 for more.
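The request and callback phases above, wired through a web session so the nonce and session_params survive the round trip, as an added example (not code from the Assent project). It assumes a Plug application with a configured session store; the module name, session key and response handling are hypothetical, and only the Assent calls shown on this page are used.

```elixir
defmodule MyAppWeb.OIDCAuth do
  import Plug.Conn

  @config [
    client_id: "REPLACE_WITH_CLIENT_ID",
    # Only needed when the provider signs ID Tokens with a symmetric key.
    client_secret: "REPLACE_WITH_CLIENT_SECRET",
    site: "https://server.example.com",
    # Reject ID Tokens whose iat is more than 5 minutes in the past.
    id_token_ttl_seconds: 300,
    authorization_params: [scope: "user:read user:write"]
  ]

  # Request phase: generate the nonce, build the URL, keep session_params server-side.
  def request(conn) do
    {:ok, %{url: url, session_params: session_params}} =
      @config
      |> Assent.Config.put(:redirect_uri, "http://localhost:4000/auth/callback")
      |> Assent.Config.put(:nonce, new_nonce())
      |> Assent.Strategy.OIDC.authorize_url()

    conn
    |> put_session(:oidc_session_params, session_params)
    |> put_resp_header("location", url)
    |> send_resp(302, "")
  end

  # Callback phase: restore session_params so the nonce can be matched, then clear them.
  def callback(conn, params) do
    case get_session(conn, :oidc_session_params) do
      nil ->
        {:error, conn, :missing_session_params}
      session_params ->
        conn = delete_session(conn, :oidc_session_params)
        @config
        |> Assent.Config.put(:session_params, session_params)
        |> Assent.Strategy.OIDC.callback(params)
        |> case do
          {:ok, %{user: user, token: token}} -> {:ok, conn, user, token}
          {:error, reason} -> {:error, conn, reason}
        end
    end
  end

  # Nonce as OpenID Connect Core suggests: a hash of a cryptographically random value.
  defp new_nonce do
    random = :crypto.strong_rand_bytes(32)
    Base.url_encode64(:crypto.hash(:sha256, random), padding: false)
  end
end
```

Deleting the session entry before handing it to callback means a replayed callback request fails with :missing_session_params instead of being validated a second time.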