Ingot.Auth.OIDC (Ingot v0.1.0)

OpenID Connect (OIDC) authentication provider.

Supports multiple OIDC providers including Auth0, Okta, and Keycloak. This is a stub implementation suitable for testing and development. Production deployments should integrate with a real OIDC library.

Configuration

OIDC configuration should include:

config = %{
  provider: "https://auth.example.com",
  client_id: "your_client_id",
  client_secret: "your_client_secret",
  redirect_uri: "https://your-app.com/auth/callback",
  scopes: ["openid", "email", "profile"]
}

Supported Providers

  • Auth0 (auth0.com)
  • Okta (okta.com)
  • Keycloak (keycloak.org)
  • Generic OIDC-compliant providers

Examples

# Generate authorization URL
config = %{provider: "https://auth.example.com", client_id: "client_123", ...}
url = OIDC.authorization_url(config, "random_state")

# Exchange authorization code for tokens
{:ok, tokens} = OIDC.exchange_code(config, "auth_code_123")

# Verify and extract claims from ID token
{:ok, claims} = OIDC.verify_id_token(config, tokens["id_token"])

Summary

Functions

Generate OIDC authorization URL.

Exchange authorization code for tokens.

Get provider-specific endpoint configurations.

Verify ID token and extract claims.

Types

claims()

@type claims() :: %{required(String.t()) => term()}

config()

@type config() :: %{
  provider: String.t(),
  client_id: String.t(),
  client_secret: String.t(),
  redirect_uri: String.t(),
  scopes: [String.t()]
}

token_response()

@type token_response() :: %{required(String.t()) => String.t()}

Functions

authorization_url(config, state)

@spec authorization_url(config(), String.t()) :: String.t()

Generate OIDC authorization URL.

Returns a URL that the user should be redirected to for authentication.

Parameters

  • config - OIDC configuration map
  • state - Random state parameter for CSRF protection

Examples

iex> config = %{provider: "https://auth.example.com", client_id: "client_123", redirect_uri: "https://app/callback", scopes: ["openid"]}
iex> url = OIDC.authorization_url(config, "state_xyz")
iex> String.contains?(url, "client_id=client_123")
true
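The authorization request is where the CSRF protection described for the `state` parameter has to be wired up end to end: the value is generated per login attempt, stored server-side in the user's session, sent to the provider, and compared against what comes back on the callback. The following is an added example that is not part of the Ingot project's code. `OIDCFlowExample`, `begin_login/1` and `verify_callback/2` are hypothetical names; the config map follows the `config()` type documented above; the `/authorize` path is an assumption (real providers differ, and production code should take the endpoint from the provider's `/.well-known/openid-configuration` discovery document); `:crypto.hash_equals/2` requires OTP 25 or newer.

```elixir
# Added example, not Ingot code. Builds an OIDC authorization URL with a
# per-login state and nonce and checks the state on the callback.
defmodule OIDCFlowExample do
  @doc "Random, URL-safe value for the state and nonce parameters."
  def random_token(bytes \\ 32) do
    bytes |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
  end

  @doc """
  Build the authorization URL. The freshly generated state and nonce are
  returned with the URL so the caller stores them in the session before
  redirecting the browser; the nonce is later matched against the ID token.
  """
  def begin_login(config) do
    state = random_token()
    nonce = random_token()

    query =
      URI.encode_query(%{
        "response_type" => "code",
        "client_id" => config.client_id,
        "redirect_uri" => config.redirect_uri,
        "scope" => Enum.join(config.scopes, " "),
        "state" => state,
        "nonce" => nonce
      })

    # Assumed endpoint path; read it from the discovery document in production.
    url = String.trim_trailing(config.provider, "/") <> "/authorize?" <> query
    {url, %{state: state, nonce: nonce}}
  end

  @doc """
  Compare the callback's state with the one stored in the session. The
  length check is needed because :crypto.hash_equals/2 (OTP 25+) raises on
  inputs of different sizes; the constant-time compare avoids leaking the
  stored value through timing.
  """
  def verify_callback(session, %{"state" => state, "code" => code})
      when is_binary(state) and is_binary(code) do
    expected = session.state

    if byte_size(expected) == byte_size(state) and :crypto.hash_equals(expected, state) do
      {:ok, code}
    else
      {:error, :state_mismatch}
    end
  end

  def verify_callback(_session, _params), do: {:error, :missing_parameters}
end

# Usage with a constructed config matching the documented config() shape.
config = %{
  provider: "https://auth.example.com",
  client_id: "client_123",
  client_secret: "secret",
  redirect_uri: "https://app/callback",
  scopes: ["openid", "email", "profile"]
}

{url, session} = OIDCFlowExample.begin_login(config)
true = String.contains?(url, "client_id=client_123")
# Redirect the browser to `url`; keep `session` server-side until the callback.
{:ok, "auth_code_123"} =
  OIDCFlowExample.verify_callback(session, %{"state" => session.state, "code" => "auth_code_123"})

{:error, :state_mismatch} =
  OIDCFlowExample.verify_callback(session, %{"state" => "forged", "code" => "auth_code_123"})
```

The state check is what stops a login-CSRF or code-injection callback from completing with a code the user never requested; the nonce carried in `session` is consumed when the ID token claims are validated after the code exchange.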

exchange_code(config, code)

@spec exchange_code(config(), String.t()) ::
  {:ok, token_response()} | {:error, atom()}

Exchange authorization code for tokens.

This is a stub implementation that returns mock tokens. In production, this would make an HTTP request to the token endpoint.

Parameters

  • config - OIDC configuration map
  • code - Authorization code from callback

Examples

iex> config = %{provider: "https://auth.example.com", client_id: "client_123", client_secret: "secret", redirect_uri: "https://app/callback"}
iex> {:ok, tokens} = OIDC.exchange_code(config, "auth_code_123")
iex> Map.has_key?(tokens, "access_token")
true
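The stub above skips the HTTP request to the token endpoint. The following added example, not part of the Ingot project's code, shows what that request has to contain for the `authorization_code` grant and what to check in the response before trusting it. `TokenRequestExample`, `token_request/3` and `validate_token_response/1` are hypothetical names; the token endpoint URL is passed in because it is provider-specific (the `provider_configs/0` function below, or the provider's discovery document, would supply it); the HTTP client and JSON decoding are left to the caller, so the function returns the request as plain data.

```elixir
# Added example, not Ingot code. Builds the token endpoint request and
# sanity-checks the decoded response.
defmodule TokenRequestExample do
  @doc """
  Build the authorization_code token request. The client authenticates with
  HTTP Basic (client_secret_basic); RFC 6749 section 2.3.1 requires the
  client_id and client_secret to be form-urlencoded before Base64 encoding.
  redirect_uri must be exactly the value used in the authorization request,
  otherwise a conforming provider rejects the exchange.
  """
  def token_request(config, code, token_endpoint) do
    body =
      URI.encode_query(%{
        "grant_type" => "authorization_code",
        "code" => code,
        "redirect_uri" => config.redirect_uri,
        "client_id" => config.client_id
      })

    credentials =
      URI.encode_www_form(config.client_id) <> ":" <> URI.encode_www_form(config.client_secret)

    headers = [
      {"authorization", "Basic " <> Base.encode64(credentials)},
      {"content-type", "application/x-www-form-urlencoded"},
      {"accept", "application/json"}
    ]

    # Returned as data so any HTTP client can send it; the secret never
    # appears in the URL or in a query string that might be logged.
    %{method: :post, url: token_endpoint, headers: headers, body: body}
  end

  @doc """
  Check a JSON-decoded token response before use. An OIDC login needs a
  bearer access token and an ID token; anything else is treated as an error
  rather than passed on to verify_id_token/2.
  """
  def validate_token_response(
        %{"access_token" => access, "token_type" => type, "id_token" => id_token} = resp
      )
      when is_binary(access) and is_binary(type) and is_binary(id_token) do
    if String.downcase(type) == "bearer" do
      {:ok, resp}
    else
      {:error, :unsupported_token_type}
    end
  end

  def validate_token_response(_), do: {:error, :malformed_token_response}
end

# Usage with a constructed config; the endpoint URL is an assumed value.
config = %{
  provider: "https://auth.example.com",
  client_id: "client_123",
  client_secret: "secret",
  redirect_uri: "https://app/callback",
  scopes: ["openid"]
}

request = TokenRequestExample.token_request(config, "auth_code_123", "https://auth.example.com/oauth/token")
:post = request.method

# Constructed responses standing in for the provider's decoded JSON body.
{:ok, _tokens} =
  TokenRequestExample.validate_token_response(%{
    "access_token" => "constructed_access_token",
    "token_type" => "Bearer",
    "id_token" => "constructed.id.token",
    "expires_in" => 3600
  })

{:error, :malformed_token_response} =
  TokenRequestExample.validate_token_response(%{
    "access_token" => "constructed_access_token",
    "token_type" => "Bearer"
  })
```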

provider_configs()

@spec provider_configs() :: %{required(atom()) => map()}

Get provider-specific endpoint configurations.

Returns a map of known OIDC providers and their endpoint URLs.

Examples

iex> configs = OIDC.provider_configs()
iex> Map.has_key?(configs, :auth0)
true

verify_id_token(config, id_token)

@spec verify_id_token(config(), String.t()) ::
  {:ok, claims()} | {:error, :invalid_token}

Verify ID token and extract claims.

This is a stub implementation that returns mock claims. In production, this would verify the JWT signature and extract claims.

Parameters

  • config - OIDC configuration map
  • id_token - ID token from token response

Examples

iex> config = %{provider: "https://auth.example.com"}
iex> {:ok, claims} = OIDC.verify_id_token(config, "mock.jwt.token")
iex> Map.has_key?(claims, "sub")
true
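The stub returns mock claims; a production `verify_id_token/2` has two halves, and the second is easy to forget. First the JWT signature is verified against the provider's published keys with a JOSE library. Then the decoded claims must be validated as OpenID Connect Core section 3.1.3.7 requires: `iss` equals the provider, `aud` contains this client (with `azp` equal to the client when there are several audiences), `exp` is in the future, and `nonce` matches the value stored at login. The following added example, not part of the Ingot project's code, implements that second half over an already-verified and decoded claims map. `IDTokenClaimsExample` and `validate_claims/4` are hypothetical names, the 60-second clock skew allowance is a chosen value, and `:crypto.hash_equals/2` requires OTP 25 or newer.

```elixir
# Added example, not Ingot code. Validates the claims of an ID token whose
# signature has already been verified; it does not parse or verify the JWT.
defmodule IDTokenClaimsExample do
  # Tolerance for clock drift between this service and the provider.
  @clock_skew 60

  @doc """
  Run the required claim checks in order and return the claims on success.
  `now` is injectable so the checks are deterministic in tests.
  """
  def validate_claims(claims, config, expected_nonce, now \\ System.os_time(:second)) do
    with :ok <- check_issuer(claims, config.provider),
         :ok <- check_subject(claims),
         :ok <- check_audience(claims, config.client_id),
         :ok <- check_expiry(claims, now),
         :ok <- check_nonce(claims, expected_nonce) do
      {:ok, claims}
    end
  end

  # iss must match the configured provider exactly (no prefix or substring match).
  defp check_issuer(%{"iss" => iss}, provider) when iss == provider, do: :ok
  defp check_issuer(_, _), do: {:error, :invalid_issuer}

  # sub is the stable user identifier; a token without one is useless.
  defp check_subject(%{"sub" => sub}) when is_binary(sub) and sub != "", do: :ok
  defp check_subject(_), do: {:error, :missing_subject}

  # aud may be a string or a list; with several audiences azp must name us.
  defp check_audience(%{"aud" => aud}, client_id) when is_binary(aud) and aud == client_id, do: :ok
  defp check_audience(%{"aud" => [aud]}, client_id) when aud == client_id, do: :ok

  defp check_audience(%{"aud" => aud, "azp" => azp}, client_id) when is_list(aud) do
    if client_id in aud and azp == client_id, do: :ok, else: {:error, :invalid_audience}
  end

  defp check_audience(_, _), do: {:error, :invalid_audience}

  # exp is mandatory; iat is also checked so a token from the future is rejected.
  defp check_expiry(%{"exp" => exp, "iat" => iat}, now) when is_integer(exp) and is_integer(iat) do
    cond do
      now >= exp + @clock_skew -> {:error, :token_expired}
      iat > now + @clock_skew -> {:error, :token_not_yet_valid}
      true -> :ok
    end
  end

  defp check_expiry(_, _), do: {:error, :missing_time_claims}

  # nonce binds the token to the login attempt that stored expected_nonce.
  defp check_nonce(%{"nonce" => nonce}, expected) when is_binary(nonce) and is_binary(expected) do
    if byte_size(nonce) == byte_size(expected) and :crypto.hash_equals(nonce, expected) do
      :ok
    else
      {:error, :nonce_mismatch}
    end
  end

  defp check_nonce(_, _), do: {:error, :nonce_mismatch}
end

# Usage with constructed claims, as decoded from a signature-verified token.
config = %{provider: "https://auth.example.com", client_id: "client_123"}
now = 1_700_000_000

claims = %{
  "iss" => "https://auth.example.com",
  "sub" => "user-42",
  "aud" => "client_123",
  "exp" => now + 300,
  "iat" => now - 5,
  "nonce" => "nonce_abc"
}

{:ok, _} = IDTokenClaimsExample.validate_claims(claims, config, "nonce_abc", now)
{:error, :token_expired} =
  IDTokenClaimsExample.validate_claims(%{claims | "exp" => now - 3600}, config, "nonce_abc", now)
{:error, :invalid_audience} =
  IDTokenClaimsExample.validate_claims(%{claims | "aud" => "other_client"}, config, "nonce_abc", now)
{:error, :nonce_mismatch} =
  IDTokenClaimsExample.validate_claims(claims, config, "nonce_from_another_login", now)
{:ok, _} =
  IDTokenClaimsExample.validate_claims(
    Map.merge(claims, %{"aud" => ["client_123", "api"], "azp" => "client_123"}),
    config, "nonce_abc", now)
```

Skipping any one of these checks has a concrete consequence: without the `aud` check a token issued for a different client at the same provider is accepted, without the `iss` check a token from any provider sharing the same signing keys is accepted, and without the `nonce` check an ID token captured from one login can complete another.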