mirror of
https://github.com/team-alembic/ash_authentication.git
synced 2024-09-19 04:43:04 +12:00
improvement(OIDC): Adjust dsl of OIDC reflect assent requirements (#538)
The OIDC implementation of assent requires the base_url to be set and ignores the different *_url attributes. At favours the returned configuration from the openid_configuration_uri. To not configure some unused attributes they're removed.
This commit is contained in:
parent
bcab91e745
commit
8721c01b4c
5 changed files with 19 additions and 16 deletions
|
@ -76,10 +76,8 @@ all the same configuration options should you need them.
|
|||
| Name | Type | Default | Docs |
|
||||
|------|------|---------|------|
|
||||
| [`client_id`](#authentication-strategies-oidc-client_id){: #authentication-strategies-oidc-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`authorize_url`](#authentication-strategies-oidc-authorize_url){: #authentication-strategies-oidc-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint, relative to `site`, e.g `authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`token_url`](#authentication-strategies-oidc-token_url){: #authentication-strategies-oidc-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint, relative to `site`, e.g `token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`base_url`](#authentication-strategies-oidc-base_url){: #authentication-strategies-oidc-base_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`redirect_uri`](#authentication-strategies-oidc-redirect_uri){: #authentication-strategies-oidc-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI *base*. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`base_url`](#authentication-strategies-oidc-base_url){: #authentication-strategies-oidc-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
| [`site`](#authentication-strategies-oidc-site){: #authentication-strategies-oidc-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
|
||||
| [`auth_method`](#authentication-strategies-oidc-auth_method){: #authentication-strategies-oidc-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. |
|
||||
| [`client_secret`](#authentication-strategies-oidc-client_secret){: #authentication-strategies-oidc-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. |
|
||||
|
|
|
@ -84,12 +84,18 @@ defmodule AshAuthentication.Strategy.OAuth2.Plug do
|
|||
|> Map.take(@raw_config_attrs)
|
||||
|> Map.put(:http_adapter, {Finch, supervisor: AshAuthentication.Finch})
|
||||
|
||||
with {:ok, config} <- add_secret_value(config, strategy, :authorize_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :client_id),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :client_secret),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :base_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :token_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :user_url, !!strategy.authorize_url),
|
||||
with {:ok, config} <- add_secret_value(config, strategy, :base_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :authorize_url, !!strategy.base_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :client_id, !!strategy.base_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :client_secret, !!strategy.base_url),
|
||||
{:ok, config} <- add_secret_value(config, strategy, :token_url, !!strategy.base_url),
|
||||
{:ok, config} <-
|
||||
add_secret_value(
|
||||
config,
|
||||
strategy,
|
||||
:user_url,
|
||||
!!strategy.authorize_url || !!strategy.base_url
|
||||
),
|
||||
{:ok, redirect_uri} <- build_redirect_uri(strategy),
|
||||
{:ok, jwt_algorithm} <-
|
||||
Info.authentication_tokens_signing_algorithm(strategy.resource) do
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
defmodule AshAuthentication.Strategy.Oidc.Dsl do
|
||||
@moduledoc false
|
||||
|
||||
import Spark.Options.Helpers, only: [make_required!: 2]
|
||||
|
||||
alias AshAuthentication.Strategy.{Custom, OAuth2}
|
||||
|
||||
@doc false
|
||||
|
@ -24,6 +26,9 @@ defmodule AshAuthentication.Strategy.Oidc.Dsl do
|
|||
defp patch_schema do
|
||||
OAuth2.dsl()
|
||||
|> Map.get(:schema, [])
|
||||
|> make_required!(:base_url)
|
||||
|> Keyword.delete(:authorize_url)
|
||||
|> Keyword.delete(:token_url)
|
||||
|> Keyword.delete(:user_url)
|
||||
|> Keyword.merge(
|
||||
openid_configuration_uri: [
|
||||
|
|
|
@ -9,13 +9,9 @@ defmodule AshAuthentication.Strategy.Oidc.Verifier do
|
|||
@doc false
|
||||
@spec verify(OAuth2.t(), map) :: :ok | {:error, Exception.t()}
|
||||
def verify(strategy, _dsl_state) do
|
||||
with :ok <- validate_secret(strategy, :authorize_url),
|
||||
:ok <- validate_secret(strategy, :client_id),
|
||||
with :ok <- validate_secret(strategy, :client_id),
|
||||
:ok <- validate_secret(strategy, :client_secret),
|
||||
:ok <- validate_secret(strategy, :redirect_uri),
|
||||
:ok <- validate_secret(strategy, :base_url),
|
||||
:ok <- validate_secret(strategy, :token_url),
|
||||
:ok <- validate_secret(strategy, :user_url, [nil]),
|
||||
:ok <- validate_secret(strategy, :nonce, [true, false]) do
|
||||
if strategy.auth_method == :private_key_jwt do
|
||||
validate_secret(strategy, :private_key)
|
||||
|
|
|
@ -245,12 +245,10 @@ defmodule Example.User do
|
|||
|
||||
oidc do
|
||||
authorization_params scope: "openid profile email phone address"
|
||||
authorize_url &get_config/2
|
||||
client_id &get_config/2
|
||||
client_secret &get_config/2
|
||||
redirect_uri &get_config/2
|
||||
base_url &get_config/2
|
||||
token_url &get_config/2
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue