Assent v0.1.4 Assent.Strategy.OIDC

OpenID Connect strategy.

This is built upon the Assent.Strategy.OAuth2 strategy with added OpenID Connect capabilities.

Configuration

  • :client_id - The client id, required
  • :site - The OIDC issuer, required
  • :openid_configuration_uri - The URI for OpenID Provider, optional, defaults to /.well-known/openid-configuration
  • :client_authentication_method - The Client Authentication method to use, optional, defaults to client_secret_basic
  • :openid_configuration - The OpenID configuration, optional, the configuration will be fetched from :openid_configuration_uri if this is not defined
  • :id_token_ttl_seconds - The number of seconds from iat that an ID Token will be considered valid, optional, defaults to nil

See Assent.Strategy.OAuth2 for more configuration options.

Usage

config = [
  client_id: "REPLACE_WITH_CLIENT_ID",
  site: "https://server.example.com",
  authorization_params: [scope: "user:read user:write"]
]

{:ok, %{url: url, session_params: session_params}} =
  config
  |> Assent.Config.put(:redirect_uri, "http://localhost:4000/auth/callback")
  |> Assent.Strategy.OIDC.authorize_url()

# `session_params` must be stored in the user's session before redirecting to
# `url`. `params` below are the query params the provider sends back to the
# redirect URI.
{:ok, %{user: user, token: token}} =
  config
  |> Assent.Config.put(:session_params, session_params)
  |> Assent.Strategy.OIDC.callback(params)

Summary

Functions

  • authorize_url(config) - Generates an authorization URL for the request phase.
  • callback(config, params, strategy \\ __MODULE__) - Callback phase for generating an access token and fetching user data.

Functions

authorize_url(config)

authorize_url(Assent.Config.t()) ::
  {:ok,
   %{
     session_params: %{state: binary()} | %{state: binary(), nonce: binary()},
     url: binary()
   }}
  | {:error, term()}

Generates an authorization URL for the request phase.

The authorization url will be fetched from the OpenID configuration URI.

The openid scope will automatically be added to the :scope in :authorization_params.

Add :nonce to the config to pass it with the authorization request. The nonce will be returned in :session_params. The nonce MUST be session based and unguessable. A cryptographic hash of a cryptographically random value could be stored in an HttpOnly session cookie.

See Assent.Strategy.OAuth2.authorize_url/1 for more.

callback(config, params, strategy \\ __MODULE__)

callback(Assent.Config.t(), map(), atom()) ::
  {:ok, %{user: map(), token: map()}} | {:error, term()}

Callback phase for generating an access token and fetching user data.

The token url will be fetched from the OpenID configuration URI.

If the returned ID Token is signed with a symmetric key, :client_secret will be required and used to verify the ID Token. If it was signed with a private key, the appropriate public key will be fetched from the jwks_uri setting in the OpenID configuration to verify the ID Token.

The userinfo will be fetched from the userinfo_endpoint if it exists in the OpenID Configuration; otherwise the claims in the ID Token are used.

The ID Token will be validated per OpenID Connect Core 1.0 rules.

See Assent.Strategy.OAuth2.callback/3 for more.
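The following added example (not part of Assent or its documentation) wires the two phases from the Usage section into a hypothetical Phoenix controller, showing how the :nonce from authorize_url/1 and the :session_params are bound to the user's session and consumed once in callback/3. The module name, redirect URI, route paths, session keys and scopes are assumptions.

```elixir
defmodule MyAppWeb.OIDCController do
  # Hypothetical Phoenix controller (not part of Assent) wiring both phases
  # to the user's session. Module, route and session-key names are assumed.
  use MyAppWeb, :controller
  @redirect_uri "https://app.example.com/auth/callback"
  @config [
    client_id: "REPLACE_WITH_CLIENT_ID",
    client_secret: "REPLACE_WITH_CLIENT_SECRET",
    site: "https://server.example.com",
    # Reject ID Tokens whose iat is more than 5 minutes old.
    id_token_ttl_seconds: 300,
    authorization_params: [scope: "profile email"]
  ]

  # Request phase: a fresh, unguessable nonce per login attempt; state and
  # nonce go into the Phoenix session (signed, HttpOnly cookie) before redirect.
  def request(conn, _params) do
    nonce = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    {:ok, %{url: url, session_params: session_params}} =
      @config
      |> Assent.Config.put(:redirect_uri, @redirect_uri)
      |> Assent.Config.put(:nonce, nonce)
      |> Assent.Strategy.OIDC.authorize_url()

    conn
    |> put_session(:oidc_session_params, session_params)
    |> redirect(external: url)
  end

  # Callback phase: consume the stored state/nonce first so a replayed
  # callback cannot reuse them, then let Assent check state, exchange the
  # code and validate the ID Token (signature, iss, aud, nonce, exp/iat).
  def callback(conn, params) do
    case get_session(conn, :oidc_session_params) do
      nil ->
        conn |> put_status(400) |> text("no login in progress for this session")
      session_params ->
        conn = delete_session(conn, :oidc_session_params)

        @config
        |> Assent.Config.put(:redirect_uri, @redirect_uri)
        |> Assent.Config.put(:session_params, session_params)
        |> Assent.Strategy.OIDC.callback(params)
        |> case do
          {:ok, %{user: user}} -> conn |> put_session(:user_sub, user["sub"]) |> redirect(to: "/")
          {:error, _reason} -> conn |> put_status(401) |> text("login failed")
        end
    end
  end
end
```

Deleting the session entry before calling callback/3 means a second request with the same code or state fails the state check rather than being accepted, and a missing entry is rejected outright instead of being passed to Assent as nil.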