ash-project/ash_authentication
1
0
Fork 0
mirror of https://github.com/team-alembic/ash_authentication.git synced 2024-09-19 21:03:23 +12:00
Code Issues Projects Releases Packages Wiki Activity

chore(deps): Bump ash from 2.17.10 to 2.17.12 (#524)

Browse source 
* chore(deps): Bump ash from 2.17.10 to 2.17.12

Bumps [ash](https://github.com/ash-project/ash) from 2.17.10 to 2.17.12.
- [Release notes](https://github.com/ash-project/ash/releases)
- [Changelog](https://github.com/ash-project/ash/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ash-project/ash/compare/v2.17.10...v2.17.12)

---
updated-dependencies:
- dependency-name: ash
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: Update Spark DSL docs.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Harton <james@harton.nz>
This commit is contained in:
dependabot[bot] 2023-12-15 09:07:32 +13:00 committed by James Harton
parent 6cbee07afa
commit b05526908e
Signed by: james
GPG key ID: 90E82DAA13F624F4
23 changed files with 2629 additions and 7195 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

428
documentation/dsls/DSL:-AshAuthentication.AddOn.Confirmation.cheatmd
View file

@ -1,428 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.AddOn.Confirmation
Confirmation support.
Sometimes when creating a new user, or changing a sensitive attribute (such as
their email address) you may want to wait for the user to confirm by way of
sending them a confirmation token to prove that it was really them that took
the action.
In order to add confirmation to your resource, it must been the following
minimum requirements:
1. Have a primary key
2. Have at least one attribute you wish to confirm
3. Tokens must be enabled
## Example
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
authentication do
api MyApp.Accounts
add_ons do
confirmation :confirm do
monitor_fields [:email]
sender MyApp.ConfirmationSender
end
end
strategies do
# ...
end
end
identities do
identity :email, [:email] do
eager_check_with MyApp.Accounts
end
end
end
```
## Attributes
A `confirmed_at` attribute will be added to your resource if it's not already
present (see `confirmed_at_field` in the DSL documentation).
## Actions
By default confirmation will add an action which updates the `confirmed_at`
attribute as well as retrieving previously stored changes and applying them to
the resource.
If you wish to perform the confirm action directly from your code you can do
so via the `AshAuthentication.Strategy` protocol.
### Example
iex> strategy = Info.strategy!(Example.User, :confirm)
...> {:ok, user} = Strategy.action(strategy, :confirm, %{"confirm" => confirmation_token()})
...> user.confirmed_at >= one_second_ago()
true
## Plugs
Confirmation provides a single endpoint for the `:confirm` phase. If you wish
to interact with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Example
iex> strategy = Info.strategy!(Example.User, :confirm)
...> conn = conn(:get, "/user/confirm", %{"confirm" => confirmation_token()})
...> conn = Strategy.plug(strategy, :confirm, conn)
...> {_conn, {:ok, user}} = Plug.Helpers.get_authentication_result(conn)
...> user.confirmed_at >= one_second_ago()
true
## DSL Documentation
User confirmation flow
* `:name` (`t:atom/0`) - Required. Uniquely identifies the add-on.
* `:token_lifetime` - How long should the confirmation token be valid.
If no unit is provided, then hours is assumed.
Defaults to 3 days. The default value is `{3, :days}`.
* `:monitor_fields` (list of `t:atom/0`) - Required. A list of fields to monitor for changes (eg `[:email, :phone_number]`).
The confirmation will only be sent when one of these fields are changed.
* `:confirmed_at_field` (`t:atom/0`) - The name of a field to store the time that the last confirmation took
place.
This attribute will be dynamically added to the resource if not already
present. The default value is `:confirmed_at`.
* `:confirm_on_create?` (`t:boolean/0`) - Generate and send a confirmation token when a new resource is created?
Will only trigger when a create action is executed _and_ one of the
monitored fields is being set. The default value is `true`.
* `:confirm_on_update?` (`t:boolean/0`) - Generate and send a confirmation token when a resource is changed?
Will only trigger when an update action is executed _and_ one of the
monitored fields is being set. The default value is `true`.
* `:inhibit_updates?` (`t:boolean/0`) - Wait until confirmation is received before actually changing a monitored
field?
If a change to a monitored field is detected, then the change is stored
in the token resource and the changeset updated to not make the
requested change. When the token is confirmed, the change will be
applied.
This could be potentially weird for your users, but useful in the case
of a user changing their email address or phone number where you want
to verify that the new contact details are reachable. The default value is `true`.
* `:sender` - Required. How to send the confirmation instructions to the user.
Allows you to glue sending of confirmation instructions to
[swoosh](https://hex.pm/packages/swoosh),
[ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification
system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record,
reset token and options.
The options will be a keyword list containing the original
changeset, before any changes were inhibited. This allows you
to send an email to the user's new email address if it is being
changed for example.
See `AshAuthentication.Sender` for more information.
* `:confirm_action_name` (`t:atom/0`) - The name of the action to use when performing confirmation.
If this action is not already present on the resource, it will be
created for you. The default value is `:confirm`.
## authentication.add_ons.confirmation
```elixir
confirmation name \ :confirm
```
User confirmation flow
### Arguments
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-name" href="#authentication-add_ons-confirmation-name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
name
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Uniquely identifies the add-on.
</td>
</tr>
</tbody>
</table>
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-monitor_fields" href="#authentication-add_ons-confirmation-monitor_fields">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
monitor_fields
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">list(atom)</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
A list of fields to monitor for changes (eg `[:email, :phone_number]`).
The confirmation will only be sent when one of these fields are changed.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-sender" href="#authentication-add_ons-confirmation-sender">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sender
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any, any -> any) | module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
How to send the confirmation instructions to the user.
Allows you to glue sending of confirmation instructions to
[swoosh](https://hex.pm/packages/swoosh),
[ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification
system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record,
reset token and options.
The options will be a keyword list containing the original
changeset, before any changes were inhibited. This allows you
to send an email to the user's new email address if it is being
changed for example.
See `AshAuthentication.Sender` for more information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-token_lifetime" href="#authentication-add_ons-confirmation-token_lifetime">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_lifetime
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer | {pos_integer, :days | :hours | :minutes | :seconds}</code>
</td>
<td style="text-align: left">
<code class="inline">{3, :days}</code>
</td>
<td style="text-align: left" colspan=2>
How long should the confirmation token be valid.
If no unit is provided, then hours is assumed.
Defaults to 3 days.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-confirmed_at_field" href="#authentication-add_ons-confirmation-confirmed_at_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
confirmed_at_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:confirmed_at</code>
</td>
<td style="text-align: left" colspan=2>
The name of a field to store the time that the last confirmation took
place.
This attribute will be dynamically added to the resource if not already
present.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-confirm_on_create?" href="#authentication-add_ons-confirmation-confirm_on_create?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
confirm_on_create?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Generate and send a confirmation token when a new resource is created?
Will only trigger when a create action is executed _and_ one of the
monitored fields is being set.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-confirm_on_update?" href="#authentication-add_ons-confirmation-confirm_on_update?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
confirm_on_update?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Generate and send a confirmation token when a resource is changed?
Will only trigger when an update action is executed _and_ one of the
monitored fields is being set.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-inhibit_updates?" href="#authentication-add_ons-confirmation-inhibit_updates?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
inhibit_updates?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Wait until confirmation is received before actually changing a monitored
field?
If a change to a monitored field is detected, then the change is stored
in the token resource and the changeset updated to not make the
requested change. When the token is confirmed, the change will be
applied.
This could be potentially weird for your users, but useful in the case
of a user changing their email address or phone number where you want
to verify that the new contact details are reachable.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-add_ons-confirmation-confirm_action_name" href="#authentication-add_ons-confirmation-confirm_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
confirm_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:confirm</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action to use when performing confirmation.
If this action is not already present on the resource, it will be
created for you.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.AddOn.Confirmation`

195
documentation/dsls/DSL:-AshAuthentication.AddOn.Confirmation.md Normal file
View file

@ -0,0 +1,195 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.AddOn.Confirmation
Confirmation support.
Sometimes when creating a new user, or changing a sensitive attribute (such as
their email address) you may want to wait for the user to confirm by way of
sending them a confirmation token to prove that it was really them that took
the action.
In order to add confirmation to your resource, it must been the following
minimum requirements:
1. Have a primary key
2. Have at least one attribute you wish to confirm
3. Tokens must be enabled
## Example
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
authentication do
api MyApp.Accounts
add_ons do
confirmation :confirm do
monitor_fields [:email]
sender MyApp.ConfirmationSender
end
end
strategies do
# ...
end
end
identities do
identity :email, [:email] do
eager_check_with MyApp.Accounts
end
end
end
```
## Attributes
A `confirmed_at` attribute will be added to your resource if it's not already
present (see `confirmed_at_field` in the DSL documentation).
## Actions
By default confirmation will add an action which updates the `confirmed_at`
attribute as well as retrieving previously stored changes and applying them to
the resource.
If you wish to perform the confirm action directly from your code you can do
so via the `AshAuthentication.Strategy` protocol.
### Example
iex> strategy = Info.strategy!(Example.User, :confirm)
...> {:ok, user} = Strategy.action(strategy, :confirm, %{"confirm" => confirmation_token()})
...> user.confirmed_at >= one_second_ago()
true
## Plugs
Confirmation provides a single endpoint for the `:confirm` phase. If you wish
to interact with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Example
iex> strategy = Info.strategy!(Example.User, :confirm)
...> conn = conn(:get, "/user/confirm", %{"confirm" => confirmation_token()})
...> conn = Strategy.plug(strategy, :confirm, conn)
...> {_conn, {:ok, user}} = Plug.Helpers.get_authentication_result(conn)
...> user.confirmed_at >= one_second_ago()
true
## DSL Documentation
User confirmation flow
* `:name` (`t:atom/0`) - Required. Uniquely identifies the add-on.
* `:token_lifetime` - How long should the confirmation token be valid.
If no unit is provided, then hours is assumed.
Defaults to 3 days. The default value is `{3, :days}`.
* `:monitor_fields` (list of `t:atom/0`) - Required. A list of fields to monitor for changes (eg `[:email, :phone_number]`).
The confirmation will only be sent when one of these fields are changed.
* `:confirmed_at_field` (`t:atom/0`) - The name of a field to store the time that the last confirmation took
place.
This attribute will be dynamically added to the resource if not already
present. The default value is `:confirmed_at`.
* `:confirm_on_create?` (`t:boolean/0`) - Generate and send a confirmation token when a new resource is created?
Will only trigger when a create action is executed _and_ one of the
monitored fields is being set. The default value is `true`.
* `:confirm_on_update?` (`t:boolean/0`) - Generate and send a confirmation token when a resource is changed?
Will only trigger when an update action is executed _and_ one of the
monitored fields is being set. The default value is `true`.
* `:inhibit_updates?` (`t:boolean/0`) - Wait until confirmation is received before actually changing a monitored
field?
If a change to a monitored field is detected, then the change is stored
in the token resource and the changeset updated to not make the
requested change. When the token is confirmed, the change will be
applied.
This could be potentially weird for your users, but useful in the case
of a user changing their email address or phone number where you want
to verify that the new contact details are reachable. The default value is `true`.
* `:sender` - Required. How to send the confirmation instructions to the user.
Allows you to glue sending of confirmation instructions to
[swoosh](https://hex.pm/packages/swoosh),
[ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification
system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record,
reset token and options.
The options will be a keyword list containing the original
changeset, before any changes were inhibited. This allows you
to send an email to the user's new email address if it is being
changed for example.
See `AshAuthentication.Sender` for more information.
* `:confirm_action_name` (`t:atom/0`) - The name of the action to use when performing confirmation.
If this action is not already present on the resource, it will be
created for you. The default value is `:confirm`.
## authentication.add_ons.confirmation
```elixir
confirmation name \\ :confirm
```
User confirmation flow
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-add_ons-confirmation-name){: #authentication-add_ons-confirmation-name .spark-required} | `atom` | | Uniquely identifies the add-on. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`monitor_fields`](#authentication-add_ons-confirmation-monitor_fields){: #authentication-add_ons-confirmation-monitor_fields .spark-required} | `list(atom)` | | A list of fields to monitor for changes (eg `[:email, :phone_number]`). The confirmation will only be sent when one of these fields are changed. |
| [`sender`](#authentication-add_ons-confirmation-sender){: #authentication-add_ons-confirmation-sender .spark-required} | `(any, any, any -> any) \| module` | | How to send the confirmation instructions to the user. Allows you to glue sending of confirmation instructions to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application. Accepts a module, module and opts, or a function that takes a record, reset token and options. The options will be a keyword list containing the original changeset, before any changes were inhibited. This allows you to send an email to the user's new email address if it is being changed for example. See `AshAuthentication.Sender` for more information. |
| [`token_lifetime`](#authentication-add_ons-confirmation-token_lifetime){: #authentication-add_ons-confirmation-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{3, :days}` | How long should the confirmation token be valid. If no unit is provided, then hours is assumed. Defaults to 3 days. |
| [`confirmed_at_field`](#authentication-add_ons-confirmation-confirmed_at_field){: #authentication-add_ons-confirmation-confirmed_at_field } | `atom` | `:confirmed_at` | The name of a field to store the time that the last confirmation took place. This attribute will be dynamically added to the resource if not already present. |
| [`confirm_on_create?`](#authentication-add_ons-confirmation-confirm_on_create?){: #authentication-add_ons-confirmation-confirm_on_create? } | `boolean` | `true` | Generate and send a confirmation token when a new resource is created? Will only trigger when a create action is executed _and_ one of the monitored fields is being set. |
| [`confirm_on_update?`](#authentication-add_ons-confirmation-confirm_on_update?){: #authentication-add_ons-confirmation-confirm_on_update? } | `boolean` | `true` | Generate and send a confirmation token when a resource is changed? Will only trigger when an update action is executed _and_ one of the monitored fields is being set. |
| [`inhibit_updates?`](#authentication-add_ons-confirmation-inhibit_updates?){: #authentication-add_ons-confirmation-inhibit_updates? } | `boolean` | `true` | Wait until confirmation is received before actually changing a monitored field? If a change to a monitored field is detected, then the change is stored in the token resource and the changeset updated to not make the requested change. When the token is confirmed, the change will be applied. This could be potentially weird for your users, but useful in the case of a user changing their email address or phone number where you want to verify that the new contact details are reachable. |
| [`confirm_action_name`](#authentication-add_ons-confirmation-confirm_action_name){: #authentication-add_ons-confirmation-confirm_action_name } | `atom` | `:confirm` | The name of the action to use when performing confirmation. If this action is not already present on the resource, it will be created for you. |
### Introspection
Target: `AshAuthentication.AddOn.Confirmation`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

860
documentation/dsls/DSL:-AshAuthentication.Strategy.Auth0.cheatmd
View file

@ -1,860 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Auth0
Strategy for authenticating using [Auth0](https://auth0.com).
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use Auth0 you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
- `site`
See the [Auth0 quickstart guide](/documentation/tutorials/auth0-quickstart.md)
for more information.
## DSL Documentation
Provides a pre-configured authentication strategy for [Auth0](https://auth0.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Auth0 Quick Start Guide](/documentation/tutorials/auth0-quickstart.md)
in our documentation.
#### Strategy defaults:
The following defaults are applied:
* `:authorize_url` is set to `"/authorize"`.
* `:token_url` is set to `"/oauth/token"`.
* `:user_url` is set to `"/userinfo"`.
* `:authorization_params` is set to `[scope: "openid profile email"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.auth0
```elixir
auth0 name \ :auth0
```
Provides a pre-configured authentication strategy for [Auth0](https://auth0.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Auth0 Quick Start Guide](/documentation/tutorials/auth0-quickstart.md)
in our documentation.
###### Strategy defaults:
The following defaults are applied:
* `:authorize_url` is set to `"/authorize"`.
* `:token_url` is set to `"/oauth/token"`.
* `:user_url` is set to `"/userinfo"`.
* `:authorization_params` is set to `[scope: "openid profile email"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-name" href="#authentication-strategies-auth0-name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
name
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Uniquely identifies the strategy.
</td>
</tr>
</tbody>
</table>
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-client_id" href="#authentication-strategies-auth0-client_id">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_id
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-authorize_url" href="#authentication-strategies-auth0-authorize_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorize_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-token_url" href="#authentication-strategies-auth0-token_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-user_url" href="#authentication-strategies-auth0-user_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-redirect_uri" href="#authentication-strategies-auth0-redirect_uri">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
redirect_uri
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-base_url" href="#authentication-strategies-auth0-base_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
base_url
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-site" href="#authentication-strategies-auth0-site">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
site
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Deprecated: Use `base_url` instead.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-auth_method" href="#authentication-strategies-auth0-auth_method">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
auth_method
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">nil | :client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt</code>
</td>
<td style="text-align: left">
<code class="inline">:client_secret_post</code>
</td>
<td style="text-align: left" colspan=2>
The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-client_secret" href="#authentication-strategies-auth0-client_secret">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_secret
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-private_key" href="#authentication-strategies-auth0-private_key">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
private_key
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-authorization_params" href="#authentication-strategies-auth0-authorization_params">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorization_params
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">Keyword.t</code>
</td>
<td style="text-align: left">
<code class="inline">[]</code>
</td>
<td style="text-align: left" colspan=2>
Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-registration_enabled?" href="#authentication-strategies-auth0-registration_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
registration_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-register_action_name" href="#authentication-strategies-auth0-register_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
register_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-sign_in_action_name" href="#authentication-strategies-auth0-sign_in_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-identity_resource" href="#authentication-strategies-auth0-identity_resource">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_resource
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">module | false</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-identity_relationship_name" href="#authentication-strategies-auth0-identity_relationship_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:identities</code>
</td>
<td style="text-align: left" colspan=2>
Name of the relationship to the provider identities resource
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-identity_relationship_user_id_attribute" href="#authentication-strategies-auth0-identity_relationship_user_id_attribute">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_user_id_attribute
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:user_id</code>
</td>
<td style="text-align: left" colspan=2>
The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-auth0-icon" href="#authentication-strategies-auth0-icon">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
icon
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:oauth2</code>
</td>
<td style="text-align: left" colspan=2>
The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`

285
documentation/dsls/DSL:-AshAuthentication.Strategy.Auth0.md Normal file
View file

@ -0,0 +1,285 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Auth0
Strategy for authenticating using [Auth0](https://auth0.com).
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use Auth0 you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
- `site`
See the [Auth0 quickstart guide](/documentation/tutorials/auth0-quickstart.md)
for more information.
## DSL Documentation
Provides a pre-configured authentication strategy for [Auth0](https://auth0.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Auth0 Quick Start Guide](/documentation/tutorials/auth0-quickstart.md)
in our documentation.
#### Strategy defaults:
The following defaults are applied:
* `:authorize_url` is set to `"/authorize"`.
* `:token_url` is set to `"/oauth/token"`.
* `:user_url` is set to `"/userinfo"`.
* `:authorization_params` is set to `[scope: "openid profile email"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.auth0
```elixir
auth0 name \\ :auth0
```
Provides a pre-configured authentication strategy for [Auth0](https://auth0.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Auth0 Quick Start Guide](/documentation/tutorials/auth0-quickstart.md)
in our documentation.
###### Strategy defaults:
The following defaults are applied:
* `:authorize_url` is set to `"/authorize"`.
* `:token_url` is set to `"/oauth/token"`.
* `:user_url` is set to `"/userinfo"`.
* `:authorization_params` is set to `[scope: "openid profile email"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-strategies-auth0-name){: #authentication-strategies-auth0-name .spark-required} | `atom` | | Uniquely identifies the strategy. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`client_id`](#authentication-strategies-auth0-client_id){: #authentication-strategies-auth0-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir client_id fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_client_id) end ``` |
| [`authorize_url`](#authentication-strategies-auth0-authorize_url){: #authentication-strategies-auth0-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end ``` |
| [`token_url`](#authentication-strategies-auth0-token_url){: #authentication-strategies-auth0-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end ``` |
| [`user_url`](#authentication-strategies-auth0-user_url){: #authentication-strategies-auth0-user_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the user endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end ``` |
| [`redirect_uri`](#authentication-strategies-auth0-redirect_uri){: #authentication-strategies-auth0-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. We can generate the rest. Whilst not particularly secret, it seemed prudent to allow this to be configured dynamically so that you can use different URIs for different environments. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`base_url`](#authentication-strategies-auth0-base_url){: #authentication-strategies-auth0-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir base_url fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`site`](#authentication-strategies-auth0-site){: #authentication-strategies-auth0-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
| [`auth_method`](#authentication-strategies-auth0-auth_method){: #authentication-strategies-auth0-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. The value may be one of the following: * `:client_secret_basic` * `:client_secret_post` * `:client_secret_jwt` * `:private_key_jwt` |
| [`client_secret`](#authentication-strategies-auth0-client_secret){: #authentication-strategies-auth0-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir site fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`private_key`](#authentication-strategies-auth0-private_key){: #authentication-strategies-auth0-private_key } | `(any, any -> any) \| module \| String.t` | | The private key to use if `:auth_method` is `:private_key_jwt` Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`authorization_params`](#authentication-strategies-auth0-authorization_params){: #authentication-strategies-auth0-authorization_params } | `Keyword.t` | `[]` | Any additional parameters to encode in the request phase. eg: `authorization_params scope: "openid profile email"` |
| [`registration_enabled?`](#authentication-strategies-auth0-registration_enabled?){: #authentication-strategies-auth0-registration_enabled? } | `boolean` | `true` | Is registration enabled for this provider? If this option is enabled, then new users will be able to register for your site when authenticating and not already present. If not, then only existing users will be able to authenticate. |
| [`register_action_name`](#authentication-strategies-auth0-register_action_name){: #authentication-strategies-auth0-register_action_name } | `atom` | | The name of the action to use to register a user. Only needed if `registration_enabled?` is `true`. Because we we don't know the response format of the server, you must implement your own registration action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name eg: `register_with_#{name}`. |
| [`sign_in_action_name`](#authentication-strategies-auth0-sign_in_action_name){: #authentication-strategies-auth0-sign_in_action_name } | `atom` | | The name of the action to use to sign in an existing user. Only needed if `registration_enabled?` is `false`. Because we don't know the response format of the server, you must implement your own sign-in action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name, eg: `sign_in_with_#{name}`. |
| [`identity_resource`](#authentication-strategies-auth0-identity_resource){: #authentication-strategies-auth0-identity_resource } | `module \| false` | `false` | The resource used to store user identities. Given that a user can be signed into multiple different authentication providers at once we use the `AshAuthentication.UserIdentity` resource to build a mapping between users, providers and that provider's uid. See the Identities section of the module documentation for more information. Set to `false` to disable. |
| [`identity_relationship_name`](#authentication-strategies-auth0-identity_relationship_name){: #authentication-strategies-auth0-identity_relationship_name } | `atom` | `:identities` | Name of the relationship to the provider identities resource |
| [`identity_relationship_user_id_attribute`](#authentication-strategies-auth0-identity_relationship_user_id_attribute){: #authentication-strategies-auth0-identity_relationship_user_id_attribute } | `atom` | `:user_id` | The name of the destination (user_id) attribute on your provider identity resource. The only reason to change this would be if you changed the `user_id_attribute_name` option of the provider identity. |
| [`icon`](#authentication-strategies-auth0-icon){: #authentication-strategies-auth0-icon } | `atom` | `:oauth2` | The name of an icon to use in any potential UI. This is a *hint* for UI generators to use, and not in any way canonical. |
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

863
documentation/dsls/DSL:-AshAuthentication.Strategy.Github.cheatmd
View file

@ -1,863 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Github
Strategy for authenticating using [GitHub](https://github.com)
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use GitHub you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
See the [GitHub quickstart guide](/documentation/tutorials/github-quickstart.html)
for more information.
## DSL Documentation
Provides a pre-configured authentication strategy for [GitHub](https://github.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Github Quick Start Guide](/documentation/tutorials/github-quickstart.md)
in our documentation.
#### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://api.github.com"`.
* `:authorize_url` is set to `"https://github.com/login/oauth/authorize"`.
* `:token_url` is set to `"https://github.com/login/oauth/access_token"`.
* `:user_url` is set to `"/user"`.
* `:user_emails_url` is set to `"/user/emails"`.
* `:authorization_params` is set to `[scope: "read:user,user:email"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.github
```elixir
github name \ :github
```
Provides a pre-configured authentication strategy for [GitHub](https://github.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Github Quick Start Guide](/documentation/tutorials/github-quickstart.md)
in our documentation.
###### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://api.github.com"`.
* `:authorize_url` is set to `"https://github.com/login/oauth/authorize"`.
* `:token_url` is set to `"https://github.com/login/oauth/access_token"`.
* `:user_url` is set to `"/user"`.
* `:user_emails_url` is set to `"/user/emails"`.
* `:authorization_params` is set to `[scope: "read:user,user:email"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-name" href="#authentication-strategies-github-name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
name
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Uniquely identifies the strategy.
</td>
</tr>
</tbody>
</table>
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-client_id" href="#authentication-strategies-github-client_id">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_id
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-authorize_url" href="#authentication-strategies-github-authorize_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorize_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-token_url" href="#authentication-strategies-github-token_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-user_url" href="#authentication-strategies-github-user_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-redirect_uri" href="#authentication-strategies-github-redirect_uri">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
redirect_uri
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-base_url" href="#authentication-strategies-github-base_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
base_url
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-site" href="#authentication-strategies-github-site">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
site
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Deprecated: Use `base_url` instead.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-auth_method" href="#authentication-strategies-github-auth_method">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
auth_method
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">nil | :client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt</code>
</td>
<td style="text-align: left">
<code class="inline">:client_secret_post</code>
</td>
<td style="text-align: left" colspan=2>
The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-client_secret" href="#authentication-strategies-github-client_secret">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_secret
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-private_key" href="#authentication-strategies-github-private_key">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
private_key
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-authorization_params" href="#authentication-strategies-github-authorization_params">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorization_params
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">Keyword.t</code>
</td>
<td style="text-align: left">
<code class="inline">[]</code>
</td>
<td style="text-align: left" colspan=2>
Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-registration_enabled?" href="#authentication-strategies-github-registration_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
registration_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-register_action_name" href="#authentication-strategies-github-register_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
register_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-sign_in_action_name" href="#authentication-strategies-github-sign_in_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-identity_resource" href="#authentication-strategies-github-identity_resource">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_resource
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">module | false</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-identity_relationship_name" href="#authentication-strategies-github-identity_relationship_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:identities</code>
</td>
<td style="text-align: left" colspan=2>
Name of the relationship to the provider identities resource
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-identity_relationship_user_id_attribute" href="#authentication-strategies-github-identity_relationship_user_id_attribute">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_user_id_attribute
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:user_id</code>
</td>
<td style="text-align: left" colspan=2>
The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-github-icon" href="#authentication-strategies-github-icon">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
icon
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:oauth2</code>
</td>
<td style="text-align: left" colspan=2>
The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`

288
documentation/dsls/DSL:-AshAuthentication.Strategy.Github.md Normal file
View file

@ -0,0 +1,288 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Github
Strategy for authenticating using [GitHub](https://github.com)
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use GitHub you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
See the [GitHub quickstart guide](/documentation/tutorials/github-quickstart.html)
for more information.
## DSL Documentation
Provides a pre-configured authentication strategy for [GitHub](https://github.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Github Quick Start Guide](/documentation/tutorials/github-quickstart.md)
in our documentation.
#### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://api.github.com"`.
* `:authorize_url` is set to `"https://github.com/login/oauth/authorize"`.
* `:token_url` is set to `"https://github.com/login/oauth/access_token"`.
* `:user_url` is set to `"/user"`.
* `:user_emails_url` is set to `"/user/emails"`.
* `:authorization_params` is set to `[scope: "read:user,user:email"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.github
```elixir
github name \\ :github
```
Provides a pre-configured authentication strategy for [GitHub](https://github.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
For more information see the [Github Quick Start Guide](/documentation/tutorials/github-quickstart.md)
in our documentation.
###### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://api.github.com"`.
* `:authorize_url` is set to `"https://github.com/login/oauth/authorize"`.
* `:token_url` is set to `"https://github.com/login/oauth/access_token"`.
* `:user_url` is set to `"/user"`.
* `:user_emails_url` is set to `"/user/emails"`.
* `:authorization_params` is set to `[scope: "read:user,user:email"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-strategies-github-name){: #authentication-strategies-github-name .spark-required} | `atom` | | Uniquely identifies the strategy. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`client_id`](#authentication-strategies-github-client_id){: #authentication-strategies-github-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir client_id fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_client_id) end ``` |
| [`authorize_url`](#authentication-strategies-github-authorize_url){: #authentication-strategies-github-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end ``` |
| [`token_url`](#authentication-strategies-github-token_url){: #authentication-strategies-github-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end ``` |
| [`user_url`](#authentication-strategies-github-user_url){: #authentication-strategies-github-user_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the user endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end ``` |
| [`redirect_uri`](#authentication-strategies-github-redirect_uri){: #authentication-strategies-github-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. We can generate the rest. Whilst not particularly secret, it seemed prudent to allow this to be configured dynamically so that you can use different URIs for different environments. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`base_url`](#authentication-strategies-github-base_url){: #authentication-strategies-github-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir base_url fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`site`](#authentication-strategies-github-site){: #authentication-strategies-github-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
| [`auth_method`](#authentication-strategies-github-auth_method){: #authentication-strategies-github-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. The value may be one of the following: * `:client_secret_basic` * `:client_secret_post` * `:client_secret_jwt` * `:private_key_jwt` |
| [`client_secret`](#authentication-strategies-github-client_secret){: #authentication-strategies-github-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir site fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`private_key`](#authentication-strategies-github-private_key){: #authentication-strategies-github-private_key } | `(any, any -> any) \| module \| String.t` | | The private key to use if `:auth_method` is `:private_key_jwt` Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`authorization_params`](#authentication-strategies-github-authorization_params){: #authentication-strategies-github-authorization_params } | `Keyword.t` | `[]` | Any additional parameters to encode in the request phase. eg: `authorization_params scope: "openid profile email"` |
| [`registration_enabled?`](#authentication-strategies-github-registration_enabled?){: #authentication-strategies-github-registration_enabled? } | `boolean` | `true` | Is registration enabled for this provider? If this option is enabled, then new users will be able to register for your site when authenticating and not already present. If not, then only existing users will be able to authenticate. |
| [`register_action_name`](#authentication-strategies-github-register_action_name){: #authentication-strategies-github-register_action_name } | `atom` | | The name of the action to use to register a user. Only needed if `registration_enabled?` is `true`. Because we we don't know the response format of the server, you must implement your own registration action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name eg: `register_with_#{name}`. |
| [`sign_in_action_name`](#authentication-strategies-github-sign_in_action_name){: #authentication-strategies-github-sign_in_action_name } | `atom` | | The name of the action to use to sign in an existing user. Only needed if `registration_enabled?` is `false`. Because we don't know the response format of the server, you must implement your own sign-in action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name, eg: `sign_in_with_#{name}`. |
| [`identity_resource`](#authentication-strategies-github-identity_resource){: #authentication-strategies-github-identity_resource } | `module \| false` | `false` | The resource used to store user identities. Given that a user can be signed into multiple different authentication providers at once we use the `AshAuthentication.UserIdentity` resource to build a mapping between users, providers and that provider's uid. See the Identities section of the module documentation for more information. Set to `false` to disable. |
| [`identity_relationship_name`](#authentication-strategies-github-identity_relationship_name){: #authentication-strategies-github-identity_relationship_name } | `atom` | `:identities` | Name of the relationship to the provider identities resource |
| [`identity_relationship_user_id_attribute`](#authentication-strategies-github-identity_relationship_user_id_attribute){: #authentication-strategies-github-identity_relationship_user_id_attribute } | `atom` | `:user_id` | The name of the destination (user_id) attribute on your provider identity resource. The only reason to change this would be if you changed the `user_id_attribute_name` option of the provider identity. |
| [`icon`](#authentication-strategies-github-icon){: #authentication-strategies-github-icon } | `atom` | `:oauth2` | The name of an icon to use in any potential UI. This is a *hint* for UI generators to use, and not in any way canonical. |
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

862
documentation/dsls/DSL:-AshAuthentication.Strategy.Google.cheatmd
View file

@ -1,862 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Google
Strategy for authenticating using [Google](https://google.com)
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use Google you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
- `site`
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
## DSL Documentation
Provides a pre-configured authentication strategy for [Google](https://google.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
#### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://www.googleapis.com"`.
* `:authorize_url` is set to `"https://accounts.google.com/o/oauth2/v2/auth"`.
* `:token_url` is set to `"/oauth2/v4/token"`.
* `:user_url` is set to `"/oauth2/v3/userinfo"`.
* `:authorization_params` is set to `[scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.google
```elixir
google name \ :google
```
Provides a pre-configured authentication strategy for [Google](https://google.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
###### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://www.googleapis.com"`.
* `:authorize_url` is set to `"https://accounts.google.com/o/oauth2/v2/auth"`.
* `:token_url` is set to `"/oauth2/v4/token"`.
* `:user_url` is set to `"/oauth2/v3/userinfo"`.
* `:authorization_params` is set to `[scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-name" href="#authentication-strategies-google-name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
name
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Uniquely identifies the strategy.
</td>
</tr>
</tbody>
</table>
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-client_id" href="#authentication-strategies-google-client_id">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_id
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-authorize_url" href="#authentication-strategies-google-authorize_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorize_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-token_url" href="#authentication-strategies-google-token_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-user_url" href="#authentication-strategies-google-user_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_url
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-redirect_uri" href="#authentication-strategies-google-redirect_uri">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
redirect_uri
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-base_url" href="#authentication-strategies-google-base_url">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
base_url
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-site" href="#authentication-strategies-google-site">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
site
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
Deprecated: Use `base_url` instead.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-auth_method" href="#authentication-strategies-google-auth_method">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
auth_method
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">nil | :client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt</code>
</td>
<td style="text-align: left">
<code class="inline">:client_secret_post</code>
</td>
<td style="text-align: left" colspan=2>
The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-client_secret" href="#authentication-strategies-google-client_secret">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
client_secret
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-private_key" href="#authentication-strategies-google-private_key">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
private_key
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-authorization_params" href="#authentication-strategies-google-authorization_params">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
authorization_params
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">Keyword.t</code>
</td>
<td style="text-align: left">
<code class="inline">[]</code>
</td>
<td style="text-align: left" colspan=2>
Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"`
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-registration_enabled?" href="#authentication-strategies-google-registration_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
registration_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-register_action_name" href="#authentication-strategies-google-register_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
register_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-sign_in_action_name" href="#authentication-strategies-google-sign_in_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-identity_resource" href="#authentication-strategies-google-identity_resource">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_resource
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">module | false</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-identity_relationship_name" href="#authentication-strategies-google-identity_relationship_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:identities</code>
</td>
<td style="text-align: left" colspan=2>
Name of the relationship to the provider identities resource
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-identity_relationship_user_id_attribute" href="#authentication-strategies-google-identity_relationship_user_id_attribute">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_relationship_user_id_attribute
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:user_id</code>
</td>
<td style="text-align: left" colspan=2>
The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-google-icon" href="#authentication-strategies-google-icon">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
icon
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:oauth2</code>
</td>
<td style="text-align: left" colspan=2>
The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`

287
documentation/dsls/DSL:-AshAuthentication.Strategy.Google.md Normal file
View file

@ -0,0 +1,287 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Google
Strategy for authenticating using [Google](https://google.com)
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use Google you need to provide the following minimum configuration:
- `client_id`
- `redirect_uri`
- `client_secret`
- `site`
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
## DSL Documentation
Provides a pre-configured authentication strategy for [Google](https://google.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
#### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://www.googleapis.com"`.
* `:authorize_url` is set to `"https://accounts.google.com/o/oauth2/v2/auth"`.
* `:token_url` is set to `"/oauth2/v4/token"`.
* `:user_url` is set to `"/oauth2/v3/userinfo"`.
* `:authorization_params` is set to `[scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"]`.
* `:auth_method` is set to `:client_secret_post`.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.google
```elixir
google name \\ :google
```
Provides a pre-configured authentication strategy for [Google](https://google.com/).
This strategy is built using the `:oauth2` strategy, and thus provides all the same
configuration options should you need them.
See the [Google OAuth 2.0 Overview](https://developers.google.com/identity/protocols/oauth2)
for Google setup details.
###### Strategy defaults:
The following defaults are applied:
* `:base_url` is set to `"https://www.googleapis.com"`.
* `:authorize_url` is set to `"https://accounts.google.com/o/oauth2/v2/auth"`.
* `:token_url` is set to `"/oauth2/v4/token"`.
* `:user_url` is set to `"/oauth2/v3/userinfo"`.
* `:authorization_params` is set to `[scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"]`.
* `:auth_method` is set to `:client_secret_post`.
###### Schema:
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-strategies-google-name){: #authentication-strategies-google-name .spark-required} | `atom` | | Uniquely identifies the strategy. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`client_id`](#authentication-strategies-google-client_id){: #authentication-strategies-google-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir client_id fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_client_id) end ``` |
| [`authorize_url`](#authentication-strategies-google-authorize_url){: #authentication-strategies-google-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end ``` |
| [`token_url`](#authentication-strategies-google-token_url){: #authentication-strategies-google-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end ``` |
| [`user_url`](#authentication-strategies-google-user_url){: #authentication-strategies-google-user_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the user endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end ``` |
| [`redirect_uri`](#authentication-strategies-google-redirect_uri){: #authentication-strategies-google-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. We can generate the rest. Whilst not particularly secret, it seemed prudent to allow this to be configured dynamically so that you can use different URIs for different environments. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`base_url`](#authentication-strategies-google-base_url){: #authentication-strategies-google-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir base_url fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`site`](#authentication-strategies-google-site){: #authentication-strategies-google-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
| [`auth_method`](#authentication-strategies-google-auth_method){: #authentication-strategies-google-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. The value may be one of the following: * `:client_secret_basic` * `:client_secret_post` * `:client_secret_jwt` * `:private_key_jwt` |
| [`client_secret`](#authentication-strategies-google-client_secret){: #authentication-strategies-google-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir site fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`private_key`](#authentication-strategies-google-private_key){: #authentication-strategies-google-private_key } | `(any, any -> any) \| module \| String.t` | | The private key to use if `:auth_method` is `:private_key_jwt` Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`authorization_params`](#authentication-strategies-google-authorization_params){: #authentication-strategies-google-authorization_params } | `Keyword.t` | `[]` | Any additional parameters to encode in the request phase. eg: `authorization_params scope: "openid profile email"` |
| [`registration_enabled?`](#authentication-strategies-google-registration_enabled?){: #authentication-strategies-google-registration_enabled? } | `boolean` | `true` | Is registration enabled for this provider? If this option is enabled, then new users will be able to register for your site when authenticating and not already present. If not, then only existing users will be able to authenticate. |
| [`register_action_name`](#authentication-strategies-google-register_action_name){: #authentication-strategies-google-register_action_name } | `atom` | | The name of the action to use to register a user. Only needed if `registration_enabled?` is `true`. Because we we don't know the response format of the server, you must implement your own registration action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name eg: `register_with_#{name}`. |
| [`sign_in_action_name`](#authentication-strategies-google-sign_in_action_name){: #authentication-strategies-google-sign_in_action_name } | `atom` | | The name of the action to use to sign in an existing user. Only needed if `registration_enabled?` is `false`. Because we don't know the response format of the server, you must implement your own sign-in action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name, eg: `sign_in_with_#{name}`. |
| [`identity_resource`](#authentication-strategies-google-identity_resource){: #authentication-strategies-google-identity_resource } | `module \| false` | `false` | The resource used to store user identities. Given that a user can be signed into multiple different authentication providers at once we use the `AshAuthentication.UserIdentity` resource to build a mapping between users, providers and that provider's uid. See the Identities section of the module documentation for more information. Set to `false` to disable. |
| [`identity_relationship_name`](#authentication-strategies-google-identity_relationship_name){: #authentication-strategies-google-identity_relationship_name } | `atom` | `:identities` | Name of the relationship to the provider identities resource |
| [`identity_relationship_user_id_attribute`](#authentication-strategies-google-identity_relationship_user_id_attribute){: #authentication-strategies-google-identity_relationship_user_id_attribute } | `atom` | `:user_id` | The name of the destination (user_id) attribute on your provider identity resource. The only reason to change this would be if you changed the `user_id_attribute_name` option of the provider identity. |
| [`icon`](#authentication-strategies-google-icon){: #authentication-strategies-google-icon } | `atom` | `:oauth2` | The name of an icon to use in any potential UI. This is a *hint* for UI generators to use, and not in any way canonical. |
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

337
documentation/dsls/DSL:-AshAuthentication.Strategy.MagicLink.cheatmd
View file

@ -1,337 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.MagicLink
Strategy for authentication using a magic link.
In order to use magic link authentication your resource needs to meet the
following minimum requirements:
1. Have a primary key.
2. A uniquely constrained identity field (eg `username` or `email`)
3. Have tokens enabled.
There are other options documented in the DSL.
### Example
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
authentication do
api MyApp.Accounts
strategies do
magic_link do
identity_field :email
sender fn user, token, _opts ->
MyApp.Emails.deliver_magic_link(user, token)
end
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
## Actions
By default the magic link strategy will automatically generate the request and
sign-in actions for you, however you're free to define them yourself. If you
do, then the action will be validated to ensure that all the needed
configuration is present.
If you wish to work with the actions directly from your code you can do so via
the `AshAuthentication.Strategy` protocol.
### Examples
Requesting that a magic link token is sent for a user:
iex> strategy = Info.strategy!(Example.User, :magic_link)
...> user = build_user()
...> Strategy.action(strategy, :request, %{"username" => user.username})
:ok
Signing in using a magic link token:
...> {:ok, token} = MagicLink.request_token_for(strategy, user)
...> {:ok, signed_in_user} = Strategy.action(strategy, :sign_in, %{"token" => token})
...> signed_in_user.id == user
true
## Plugs
The magic link strategy provides plug endpoints for both request and sign-in
actions.
If you wish to work with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Examples:
Dispatching to plugs directly:
iex> strategy = Info.strategy!(Example.User, :magic_link)
...> user = build_user()
...> conn = conn(:post, "/user/magic_link/request", %{"user" => %{"username" => user.username}})
...> conn = Strategy.plug(strategy, :request, conn)
...> {_conn, {:ok, nil}} = Plug.Helpers.get_authentication_result(conn)
...> {:ok, token} = MagicLink.request_token_for(strategy, user)
...> conn = conn(:get, "/user/magic_link", %{"token" => token})
...> conn = Strategy.plug(strategy, :sign_in, conn)
...> {_conn, {:ok, signed_in_user}} = Plug.Helpers.get_authentication_result(conn)
...> signed_in_user.id == user.id
true
## DSL Documentation
Strategy for authenticating using local users with a magic link
* `:identity_field` (`t:atom/0`) - The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`. The default value is `:username`.
* `:token_lifetime` - How long the sign in token is valid.
If no unit is provided, then `minutes` is assumed. The default value is `{10, :minutes}`.
* `:request_action_name` (`t:atom/0`) - The name to use for the request action.
If not present it will be generated by prepending the strategy name
with `request_`.
* `:single_use_token?` (`t:boolean/0`) - Automatically revoke the token once it's been used for sign in. The default value is `true`.
* `:sign_in_action_name` (`t:atom/0`) - The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
* `:token_param_name` (`t:atom/0`) - The name of the token parameter in the incoming sign-in request. The default value is `:token`.
* `:sender` - Required. How to send the magic link to the user.
Allows you to glue sending of magic links to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
## authentication.strategies.magic_link
```elixir
magic_link name \ :magic_link
```
Strategy for authenticating using local users with a magic link
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-sender" href="#authentication-strategies-magic_link-sender">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sender
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any, any -> any) | module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
How to send the magic link to the user.
Allows you to glue sending of magic links to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-identity_field" href="#authentication-strategies-magic_link-identity_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:username</code>
</td>
<td style="text-align: left" colspan=2>
The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-token_lifetime" href="#authentication-strategies-magic_link-token_lifetime">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_lifetime
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer | {pos_integer, :days | :hours | :minutes | :seconds}</code>
</td>
<td style="text-align: left">
<code class="inline">{10, :minutes}</code>
</td>
<td style="text-align: left" colspan=2>
How long the sign in token is valid.
If no unit is provided, then `minutes` is assumed.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-request_action_name" href="#authentication-strategies-magic_link-request_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
request_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the request action.
If not present it will be generated by prepending the strategy name
with `request_`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-single_use_token?" href="#authentication-strategies-magic_link-single_use_token?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
single_use_token?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Automatically revoke the token once it's been used for sign in.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-sign_in_action_name" href="#authentication-strategies-magic_link-sign_in_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-magic_link-token_param_name" href="#authentication-strategies-magic_link-token_param_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_param_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the token parameter in the incoming sign-in request.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.Strategy.MagicLink`

172
documentation/dsls/DSL:-AshAuthentication.Strategy.MagicLink.md Normal file
View file

@ -0,0 +1,172 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.MagicLink
Strategy for authentication using a magic link.
In order to use magic link authentication your resource needs to meet the
following minimum requirements:
1. Have a primary key.
2. A uniquely constrained identity field (eg `username` or `email`)
3. Have tokens enabled.
There are other options documented in the DSL.
### Example
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
authentication do
api MyApp.Accounts
strategies do
magic_link do
identity_field :email
sender fn user, token, _opts ->
MyApp.Emails.deliver_magic_link(user, token)
end
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
## Actions
By default the magic link strategy will automatically generate the request and
sign-in actions for you, however you're free to define them yourself. If you
do, then the action will be validated to ensure that all the needed
configuration is present.
If you wish to work with the actions directly from your code you can do so via
the `AshAuthentication.Strategy` protocol.
### Examples
Requesting that a magic link token is sent for a user:
iex> strategy = Info.strategy!(Example.User, :magic_link)
...> user = build_user()
...> Strategy.action(strategy, :request, %{"username" => user.username})
:ok
Signing in using a magic link token:
...> {:ok, token} = MagicLink.request_token_for(strategy, user)
...> {:ok, signed_in_user} = Strategy.action(strategy, :sign_in, %{"token" => token})
...> signed_in_user.id == user
true
## Plugs
The magic link strategy provides plug endpoints for both request and sign-in
actions.
If you wish to work with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Examples:
Dispatching to plugs directly:
iex> strategy = Info.strategy!(Example.User, :magic_link)
...> user = build_user()
...> conn = conn(:post, "/user/magic_link/request", %{"user" => %{"username" => user.username}})
...> conn = Strategy.plug(strategy, :request, conn)
...> {_conn, {:ok, nil}} = Plug.Helpers.get_authentication_result(conn)
...> {:ok, token} = MagicLink.request_token_for(strategy, user)
...> conn = conn(:get, "/user/magic_link", %{"token" => token})
...> conn = Strategy.plug(strategy, :sign_in, conn)
...> {_conn, {:ok, signed_in_user}} = Plug.Helpers.get_authentication_result(conn)
...> signed_in_user.id == user.id
true
## DSL Documentation
Strategy for authenticating using local users with a magic link
* `:identity_field` (`t:atom/0`) - The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`. The default value is `:username`.
* `:token_lifetime` - How long the sign in token is valid.
If no unit is provided, then `minutes` is assumed. The default value is `{10, :minutes}`.
* `:request_action_name` (`t:atom/0`) - The name to use for the request action.
If not present it will be generated by prepending the strategy name
with `request_`.
* `:single_use_token?` (`t:boolean/0`) - Automatically revoke the token once it's been used for sign in. The default value is `true`.
* `:sign_in_action_name` (`t:atom/0`) - The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
* `:token_param_name` (`t:atom/0`) - The name of the token parameter in the incoming sign-in request. The default value is `:token`.
* `:sender` - Required. How to send the magic link to the user.
Allows you to glue sending of magic links to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
## authentication.strategies.magic_link
```elixir
magic_link name \\ :magic_link
```
Strategy for authenticating using local users with a magic link
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`sender`](#authentication-strategies-magic_link-sender){: #authentication-strategies-magic_link-sender .spark-required} | `(any, any, any -> any) \| module` | | How to send the magic link to the user. Allows you to glue sending of magic links to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application. Accepts a module, module and opts, or a function that takes a record, reset token and options. See `AshAuthentication.Sender` for more information. |
| [`identity_field`](#authentication-strategies-magic_link-identity_field){: #authentication-strategies-magic_link-identity_field } | `atom` | `:username` | The name of the attribute which uniquely identifies the user. Usually something like `username` or `email_address`. |
| [`token_lifetime`](#authentication-strategies-magic_link-token_lifetime){: #authentication-strategies-magic_link-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{10, :minutes}` | How long the sign in token is valid. If no unit is provided, then `minutes` is assumed. |
| [`request_action_name`](#authentication-strategies-magic_link-request_action_name){: #authentication-strategies-magic_link-request_action_name } | `atom` | | The name to use for the request action. If not present it will be generated by prepending the strategy name with `request_`. |
| [`single_use_token?`](#authentication-strategies-magic_link-single_use_token?){: #authentication-strategies-magic_link-single_use_token? } | `boolean` | `true` | Automatically revoke the token once it's been used for sign in. |
| [`sign_in_action_name`](#authentication-strategies-magic_link-sign_in_action_name){: #authentication-strategies-magic_link-sign_in_action_name } | `atom` | | The name to use for the sign in action. If not present it will be generated by prepending the strategy name with `sign_in_with_`. |
| [`token_param_name`](#authentication-strategies-magic_link-token_param_name){: #authentication-strategies-magic_link-token_param_name } | `atom` | `:token` | The name of the token parameter in the incoming sign-in request. |
### Introspection
Target: `AshAuthentication.Strategy.MagicLink`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

1020
documentation/dsls/DSL:-AshAuthentication.Strategy.OAuth2.cheatmd
View file

File diff suppressed because it is too large Load diff

445
documentation/dsls/DSL:-AshAuthentication.Strategy.OAuth2.md Normal file
View file

@ -0,0 +1,445 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.OAuth2
Strategy for authenticating using an OAuth 2.0 server as the source of truth.
This strategy wraps the excellent [`assent`](https://hex.pm/packages/assent)
package, which provides OAuth 2.0 capabilities.
In order to use OAuth 2.0 authentication on your resource, it needs to meet
the following minimum criteria:
1. Have a primary key.
2. Provide a strategy-specific action, either register or sign-in.
3. Provide configuration for OAuth2 destinations, secrets, etc.
### Example:
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
authentication do
api MyApp.Accounts
strategies do
oauth2 :example do
client_id "OAuth Client ID"
redirect_uri "https://my.app/"
client_secret "My Super Secret Secret"
site "https://auth.example.com/"
end
end
end
end
```
## Secrets and runtime configuration
In order to use OAuth 2.0 you need to provide a varying number of secrets and
other configuration which may change based on runtime environment. The
`AshAuthentication.Secret` behaviour is provided to accommodate this. This
allows you to provide configuration either directly on the resource (ie as a
string), as an anonymous function, or as a module.
> ### Warning {: .warning}
>
> We **strongly** urge you not to share actual secrets in your code or
> repository.
### Examples:
Providing configuration as an anonymous function:
```elixir
oauth2 do
client_secret fn _path, resource ->
Application.fetch_env(:my_app, resource, :oauth2_client_secret)
end
end
```
Providing configuration as a module:
```elixir
defmodule MyApp.Secrets do
use AshAuthentication.Secret
def secret_for([:authentication, :strategies, :example, :client_secret], MyApp.User, _opts), do: Application.fetch_env(:my_app, :oauth2_client_secret)
end
# and in your strategies:
oauth2 :example do
client_secret MyApp.Secrets
end
```
## User identities
Because your users can be signed in via multiple providers at once, you can
specify an `identity_resource` in the DSL configuration which points to a
seperate Ash resource which has the `AshAuthentication.UserIdentity` extension
present. This resource will be used to store details of the providers in use
by each user and a relationship will be added to the user resource.
Setting the `identity_resource` will cause extra validations to be applied to
your resource so that changes are tracked correctly on sign-in or
registration.
## Actions
When using an OAuth 2.0 provider you need to declare either a "register" or
"sign-in" action. The reason for this is that it's not possible for us to
know ahead of time how you want to manage the link between your user resources
and the "user info" provided by the OAuth server.
Both actions receive the following two arguments:
1. `user_info` - a map with string keys containing the [OpenID Successful
UserInfo
response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse).
Usually this will be used to populate your email, nickname or other
identifying field.
2. `oauth_tokens` a map with string keys containing the [OpenID Successful
Token
response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)
(or similar).
The actions themselves can be interacted with directly via the
`AshAuthentication.Strategy` protocol, but you are more likely to interact
with them via the web/plugs.
### Sign-in
The sign-in action is called when a successful OAuth2 callback is received.
You should use it to constrain the query to the correct user based on the
arguments provided.
This action is only needed when the `registration_enabled?` DSL settings is
set to `false`.
### Registration
The register action is a little more complicated than the sign-in action,
because we cannot tell the difference between a new user and a returning user
(they all use the same OAuth flow). In order to handle this your register
action must be defined as an upsert with a configured `upsert_identity` (see
example below).
### Examples:
Providing sign-in to users who already exist in the database (and by extension
rejecting new users):
```elixir
defmodule MyApp.Accounts.User do
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
actions do
read :sign_in_with_example do
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
filter expr(email == get_path(^arg(:user_info), [:email]))
end
end
authentication do
api MyApp.Accounts
strategies do
oauth2 :example do
registration_enabled? false
end
end
end
end
```
Providing registration or sign-in to all comers:
```elixir
defmodule MyApp.Accounts.User do
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
end
actions do
create :register_with_oauth2 do
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
upsert? true
upsert_identity :email
change AshAuthentication.GenerateTokenChange
change fn changeset, _ctx ->
user_info = Ash.Changeset.get_argument(changeset, :user_info)
changeset
|> Ash.Changeset.change_attribute(:email, user_info["email"])
end
end
end
authentication do
api MyApp.Accounts
strategies do
oauth2 :example do
end
end
end
end
```
## Plugs
OAuth 2.0 is (usually) a browser-based flow. This means that you're most
likely to interact with this strategy via it's plugs. There are two phases to
authentication with OAuth 2.0:
1. The request phase, where the user's browser is redirected to the remote
authentication provider for authentication.
2. The callback phase, where the provider redirects the user back to your app
to create a local database record, session, etc.
## DSL Documentation
OAuth2 authentication
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:user_url` - Required. The API url to access the user endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
## authentication.strategies.oauth2
```elixir
oauth2 name \\ :oauth2
```
OAuth2 authentication
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-strategies-oauth2-name){: #authentication-strategies-oauth2-name .spark-required} | `atom` | | Uniquely identifies the strategy. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`client_id`](#authentication-strategies-oauth2-client_id){: #authentication-strategies-oauth2-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir client_id fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_client_id) end ``` |
| [`authorize_url`](#authentication-strategies-oauth2-authorize_url){: #authentication-strategies-oauth2-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end ``` |
| [`token_url`](#authentication-strategies-oauth2-token_url){: #authentication-strategies-oauth2-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end ``` |
| [`user_url`](#authentication-strategies-oauth2-user_url){: #authentication-strategies-oauth2-user_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the user endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir user_url fn _, _ -> {:ok, "https://example.com/userinfo"} end ``` |
| [`redirect_uri`](#authentication-strategies-oauth2-redirect_uri){: #authentication-strategies-oauth2-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. We can generate the rest. Whilst not particularly secret, it seemed prudent to allow this to be configured dynamically so that you can use different URIs for different environments. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`base_url`](#authentication-strategies-oauth2-base_url){: #authentication-strategies-oauth2-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir base_url fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`site`](#authentication-strategies-oauth2-site){: #authentication-strategies-oauth2-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
| [`auth_method`](#authentication-strategies-oauth2-auth_method){: #authentication-strategies-oauth2-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. The value may be one of the following: * `:client_secret_basic` * `:client_secret_post` * `:client_secret_jwt` * `:private_key_jwt` |
| [`client_secret`](#authentication-strategies-oauth2-client_secret){: #authentication-strategies-oauth2-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir site fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`private_key`](#authentication-strategies-oauth2-private_key){: #authentication-strategies-oauth2-private_key } | `(any, any -> any) \| module \| String.t` | | The private key to use if `:auth_method` is `:private_key_jwt` Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`authorization_params`](#authentication-strategies-oauth2-authorization_params){: #authentication-strategies-oauth2-authorization_params } | `Keyword.t` | `[]` | Any additional parameters to encode in the request phase. eg: `authorization_params scope: "openid profile email"` |
| [`registration_enabled?`](#authentication-strategies-oauth2-registration_enabled?){: #authentication-strategies-oauth2-registration_enabled? } | `boolean` | `true` | Is registration enabled for this provider? If this option is enabled, then new users will be able to register for your site when authenticating and not already present. If not, then only existing users will be able to authenticate. |
| [`register_action_name`](#authentication-strategies-oauth2-register_action_name){: #authentication-strategies-oauth2-register_action_name } | `atom` | | The name of the action to use to register a user. Only needed if `registration_enabled?` is `true`. Because we we don't know the response format of the server, you must implement your own registration action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name eg: `register_with_#{name}`. |
| [`sign_in_action_name`](#authentication-strategies-oauth2-sign_in_action_name){: #authentication-strategies-oauth2-sign_in_action_name } | `atom` | | The name of the action to use to sign in an existing user. Only needed if `registration_enabled?` is `false`. Because we don't know the response format of the server, you must implement your own sign-in action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name, eg: `sign_in_with_#{name}`. |
| [`identity_resource`](#authentication-strategies-oauth2-identity_resource){: #authentication-strategies-oauth2-identity_resource } | `module \| false` | `false` | The resource used to store user identities. Given that a user can be signed into multiple different authentication providers at once we use the `AshAuthentication.UserIdentity` resource to build a mapping between users, providers and that provider's uid. See the Identities section of the module documentation for more information. Set to `false` to disable. |
| [`identity_relationship_name`](#authentication-strategies-oauth2-identity_relationship_name){: #authentication-strategies-oauth2-identity_relationship_name } | `atom` | `:identities` | Name of the relationship to the provider identities resource |
| [`identity_relationship_user_id_attribute`](#authentication-strategies-oauth2-identity_relationship_user_id_attribute){: #authentication-strategies-oauth2-identity_relationship_user_id_attribute } | `atom` | `:user_id` | The name of the destination (user_id) attribute on your provider identity resource. The only reason to change this would be if you changed the `user_id_attribute_name` option of the provider identity. |
| [`icon`](#authentication-strategies-oauth2-icon){: #authentication-strategies-oauth2-icon } | `atom` | `:oauth2` | The name of an icon to use in any potential UI. This is a *hint* for UI generators to use, and not in any way canonical. |
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

1015
documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.cheatmd
View file

File diff suppressed because it is too large Load diff

315
documentation/dsls/DSL:-AshAuthentication.Strategy.Oidc.md Normal file
View file

@ -0,0 +1,315 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Oidc
Strategy for authentication using an [OpenID
Connect](https://openid.net/connect/) compatible server as the source of
truth.
This strategy builds on-top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).
In order to use OIDC you need to provide the following minimum configuration:
- `client_id` - The client id, required
- `site` - The OIDC issuer, required
- `openid_configuration_uri` - The URI for OpenID Provider, optional, defaults
to `/.well-known/openid-configuration`
- `client_authentication_method` - The Client Authentication method to use,
optional, defaults to `client_secret_basic`
- `client_secret` - The client secret, required if
`:client_authentication_method` is `:client_secret_basic`,
`:client_secret_post`, or `:client_secret_jwt`
- `openid_configuration` - The OpenID configuration, optional, the
configuration will be fetched from `:openid_configuration_uri` if this is
not defined
- `id_token_signed_response_alg` - The `id_token_signed_response_alg`
parameter sent by the Client during Registration, defaults to `RS256`
- `id_token_ttl_seconds` - The number of seconds from `iat` that an ID Token
will be considered valid, optional, defaults to nil
- `nonce` - The nonce to use for authorization request, optional, MUST be
session based and unguessable.
## Nonce
`nonce` can be set in the provider config. The `nonce` will be returned in the
`session_params` along with `state`. You can use this to store the value in
the current session e.g. a httpOnly session cookie.
A random value generator can look like this:
```elixir
16
|> :crypto.strong_rand_bytes()
|> Base.encode64(padding: false)
```
AshAuthentication will dynamically generate one for the session if `nonce` is
set to `true`.
## DSL Documentation
Provides an OpenID Connect authentication strategy.
This strategy is built using the `:oauth2` strategy, and thus provides
all the same configuration options should you need them.
#### Schema:
* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.
* `:client_id` - Required. The OAuth2 client ID.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
client_id fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_client_id)
end
```
* `:base_url` - The base URL of the OAuth2 server - including the leading protocol
(ie `https://`).
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
base_url fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:site` - Deprecated: Use `base_url` instead.
* `:auth_method` - The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:
* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`
Valid values are nil, :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_post`.
* `:client_secret` - The OAuth2 client secret.
Required if :auth_method is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
site fn _, resource ->
:my_app
|> Application.get_env(resource, [])
|> Keyword.fetch(:oauth_site)
end
```
* `:authorize_url` - Required. The API url to the OAuth2 authorize endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end
```
* `:token_url` - Required. The API url to access the token endpoint.
Relative to the value of `site`.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```
* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:redirect_uri` - Required. The callback URI base.
Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.
Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
eg: `authorization_params scope: "openid profile email"` The default value is `[]`.
* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.
If not, then only existing users will be able to authenticate. The default value is `true`.
* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
Only needed if `registration_enabled?` is `true`.
Because we we don't know the response format of the server, you must
implement your own registration action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name eg:
`register_with_#{name}`.
* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
Only needed if `registration_enabled?` is `false`.
Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.
See the "Registration and Sign-in" section of the module
documentation for more information.
The default is computed from the strategy name, eg:
`sign_in_with_#{name}`.
* `:identity_resource` - The resource used to store user identities.
Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.
See the Identities section of the module documentation for more
information.
Set to `false` to disable. The default value is `false`.
* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource The default value is `:identities`.
* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
identity resource.
The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity. The default value is `:user_id`.
* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.
* `:openid_configuration_uri` (`t:String.t/0`) - The URI for the OpenID provider The default value is `"/.well-known/openid-configuration"`.
* `:client_authentication_method` - The client authentication method to use. Valid values are :client_secret_basic, :client_secret_post, :client_secret_jwt, :private_key_jwt The default value is `:client_secret_basic`.
* `:openid_configuration` (`t:map/0`) - The OpenID configuration.
If not set, the configuration will be retrieved from `openid_configuration_uri`. The default value is `%{}`.
* `:id_token_signed_response_alg` - The `id_token_signed_response_alg` parameter sent by the Client during Registration.
Valid values are "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "Ed25519", "Ed25519ph", "Ed448", "Ed448ph", "EdDSA" The default value is `"RS256"`.
* `:id_token_ttl_seconds` - The number of seconds from `iat` that an ID Token will be considered valid. The default value is `nil`.
* `:nonce` - A function for generating the session nonce.
When set to `true` the nonce will be automatically generated using
`AshAuthentication.Strategy.Oidc.NonceGenerator`. Set to `false`
to explicitly disable.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
Example:
```elixir
nonce fn _, _ ->
16
|> :crypto.strong_rand_bytes()
|> Base.encode64(padding: false)
end
```
The default value is `true`.
* `:trusted_audiences` - A list of audiences which are trusted. The default value is `nil`.
## authentication.strategies.oidc
```elixir
oidc name \\ :oidc
```
Provides an OpenID Connect authentication strategy.
This strategy is built using the `:oauth2` strategy, and thus provides
all the same configuration options should you need them.
###### Schema:
### Arguments
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`name`](#authentication-strategies-oidc-name){: #authentication-strategies-oidc-name .spark-required} | `atom` | | Uniquely identifies the strategy. |
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`client_id`](#authentication-strategies-oidc-client_id){: #authentication-strategies-oidc-client_id .spark-required} | `(any, any -> any) \| module \| String.t` | | The OAuth2 client ID. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir client_id fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_client_id) end ``` |
| [`authorize_url`](#authentication-strategies-oidc-authorize_url){: #authentication-strategies-oidc-authorize_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to the OAuth2 authorize endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir authorize_url fn _, _ -> {:ok, "https://exampe.com/authorize"} end ``` |
| [`token_url`](#authentication-strategies-oidc-token_url){: #authentication-strategies-oidc-token_url .spark-required} | `(any, any -> any) \| module \| String.t` | | The API url to access the token endpoint. Relative to the value of `site`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end ``` |
| [`redirect_uri`](#authentication-strategies-oidc-redirect_uri){: #authentication-strategies-oidc-redirect_uri .spark-required} | `(any, any -> any) \| module \| String.t` | | The callback URI base. Not the whole URI back to the callback endpoint, but the URI to your `AuthPlug`. We can generate the rest. Whilst not particularly secret, it seemed prudent to allow this to be configured dynamically so that you can use different URIs for different environments. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`base_url`](#authentication-strategies-oidc-base_url){: #authentication-strategies-oidc-base_url } | `(any, any -> any) \| module \| String.t` | | The base URL of the OAuth2 server - including the leading protocol (ie `https://`). Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir base_url fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`site`](#authentication-strategies-oidc-site){: #authentication-strategies-oidc-site } | `(any, any -> any) \| module \| String.t` | | Deprecated: Use `base_url` instead. |
| [`auth_method`](#authentication-strategies-oidc-auth_method){: #authentication-strategies-oidc-auth_method } | `nil \| :client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_post` | The authentication strategy used, optional. If not set, no authentication will be used during the access token request. The value may be one of the following: * `:client_secret_basic` * `:client_secret_post` * `:client_secret_jwt` * `:private_key_jwt` |
| [`client_secret`](#authentication-strategies-oidc-client_secret){: #authentication-strategies-oidc-client_secret } | `(any, any -> any) \| module \| String.t` | | The OAuth2 client secret. Required if :auth_method is `:client_secret_basic`, `:client_secret_post` or `:client_secret_jwt`. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir site fn _, resource -> :my_app \|> Application.get_env(resource, []) \|> Keyword.fetch(:oauth_site) end ``` |
| [`private_key`](#authentication-strategies-oidc-private_key){: #authentication-strategies-oidc-private_key } | `(any, any -> any) \| module \| String.t` | | The private key to use if `:auth_method` is `:private_key_jwt` Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
| [`authorization_params`](#authentication-strategies-oidc-authorization_params){: #authentication-strategies-oidc-authorization_params } | `Keyword.t` | `[]` | Any additional parameters to encode in the request phase. eg: `authorization_params scope: "openid profile email"` |
| [`registration_enabled?`](#authentication-strategies-oidc-registration_enabled?){: #authentication-strategies-oidc-registration_enabled? } | `boolean` | `true` | Is registration enabled for this provider? If this option is enabled, then new users will be able to register for your site when authenticating and not already present. If not, then only existing users will be able to authenticate. |
| [`register_action_name`](#authentication-strategies-oidc-register_action_name){: #authentication-strategies-oidc-register_action_name } | `atom` | | The name of the action to use to register a user. Only needed if `registration_enabled?` is `true`. Because we we don't know the response format of the server, you must implement your own registration action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name eg: `register_with_#{name}`. |
| [`sign_in_action_name`](#authentication-strategies-oidc-sign_in_action_name){: #authentication-strategies-oidc-sign_in_action_name } | `atom` | | The name of the action to use to sign in an existing user. Only needed if `registration_enabled?` is `false`. Because we don't know the response format of the server, you must implement your own sign-in action of the same name. See the "Registration and Sign-in" section of the module documentation for more information. The default is computed from the strategy name, eg: `sign_in_with_#{name}`. |
| [`identity_resource`](#authentication-strategies-oidc-identity_resource){: #authentication-strategies-oidc-identity_resource } | `module \| false` | `false` | The resource used to store user identities. Given that a user can be signed into multiple different authentication providers at once we use the `AshAuthentication.UserIdentity` resource to build a mapping between users, providers and that provider's uid. See the Identities section of the module documentation for more information. Set to `false` to disable. |
| [`identity_relationship_name`](#authentication-strategies-oidc-identity_relationship_name){: #authentication-strategies-oidc-identity_relationship_name } | `atom` | `:identities` | Name of the relationship to the provider identities resource |
| [`identity_relationship_user_id_attribute`](#authentication-strategies-oidc-identity_relationship_user_id_attribute){: #authentication-strategies-oidc-identity_relationship_user_id_attribute } | `atom` | `:user_id` | The name of the destination (user_id) attribute on your provider identity resource. The only reason to change this would be if you changed the `user_id_attribute_name` option of the provider identity. |
| [`icon`](#authentication-strategies-oidc-icon){: #authentication-strategies-oidc-icon } | `atom` | `:oauth2` | The name of an icon to use in any potential UI. This is a *hint* for UI generators to use, and not in any way canonical. |
| [`openid_configuration_uri`](#authentication-strategies-oidc-openid_configuration_uri){: #authentication-strategies-oidc-openid_configuration_uri } | `String.t` | `"/.well-known/openid-configuration"` | The URI for the OpenID provider |
| [`client_authentication_method`](#authentication-strategies-oidc-client_authentication_method){: #authentication-strategies-oidc-client_authentication_method } | `:client_secret_basic \| :client_secret_post \| :client_secret_jwt \| :private_key_jwt` | `:client_secret_basic` | The client authentication method to use. |
| [`openid_configuration`](#authentication-strategies-oidc-openid_configuration){: #authentication-strategies-oidc-openid_configuration } | `map` | `%{}` | The OpenID configuration. If not set, the configuration will be retrieved from `openid_configuration_uri`. |
| [`id_token_signed_response_alg`](#authentication-strategies-oidc-id_token_signed_response_alg){: #authentication-strategies-oidc-id_token_signed_response_alg } | `"HS256" \| "HS384" \| "HS512" \| "RS256" \| "RS384" \| "RS512" \| "ES256" \| "ES384" \| "ES512" \| "PS256" \| "PS384" \| "PS512" \| "Ed25519" \| "Ed25519ph" \| "Ed448" \| "Ed448ph" \| "EdDSA"` | `"RS256"` | The `id_token_signed_response_alg` parameter sent by the Client during Registration. |
| [`id_token_ttl_seconds`](#authentication-strategies-oidc-id_token_ttl_seconds){: #authentication-strategies-oidc-id_token_ttl_seconds } | `nil \| pos_integer` | | The number of seconds from `iat` that an ID Token will be considered valid. |
| [`nonce`](#authentication-strategies-oidc-nonce){: #authentication-strategies-oidc-nonce } | `boolean \| (any, any -> any) \| module \| String.t` | `true` | A function for generating the session nonce. When set to `true` the nonce will be automatically generated using `AshAuthentication.Strategy.Oidc.NonceGenerator`. Set to `false` to explicitly disable. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. Example: ```elixir nonce fn _, _ -> 16 \|> :crypto.strong_rand_bytes() \|> Base.encode64(padding: false) end ``` |
| [`trusted_audiences`](#authentication-strategies-oidc-trusted_audiences){: #authentication-strategies-oidc-trusted_audiences } | `nil \| list(String.t)` | | A list of audiences which are trusted. |
### Introspection
Target: `AshAuthentication.Strategy.OAuth2`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

682
documentation/dsls/DSL:-AshAuthentication.Strategy.Password.cheatmd
View file

@ -1,682 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Password
Strategy for authenticating using local resources as the source of truth.
In order to use password authentication your resource needs to meet the
following minimum requirements:
1. Have a primary key.
2. A uniquely constrained identity field (eg `username` or `email`).
3. A sensitive string field within which to store the hashed password.
There are other options documented in the DSL.
### Example:
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
attribute :hashed_password, :string, allow_nil?: false, sensitive?: true
end
authentication do
api MyApp.Accounts
strategies do
password :password do
identity_field :email
hashed_password_field :hashed_password
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
## Actions
By default the password strategy will automatically generate the register,
sign-in, reset-request and reset actions for you, however you're free to
define them yourself. If you do, then the action will be validated to ensure
that all the needed configuration is present.
If you wish to work with the actions directly from your code you can do so via
the `AshAuthentication.Strategy` protocol.
### Examples:
Interacting with the actions directly:
iex> strategy = Info.strategy!(Example.User, :password)
...> {:ok, marty} = Strategy.action(strategy, :register, %{"username" => "marty", "password" => "outatime1985", "password_confirmation" => "outatime1985"})
...> marty.username |> to_string()
"marty"
...> {:ok, user} = Strategy.action(strategy, :sign_in, %{"username" => "marty", "password" => "outatime1985"})
...> user.username |> to_string()
"marty"
## Plugs
The password strategy provides plug endpoints for all four actions, although
only sign-in and register will be reported by `Strategy.routes/1` if the
strategy is not configured as resettable.
If you wish to work with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Examples:
Dispatching to plugs directly:
iex> strategy = Info.strategy!(Example.User, :password)
...> conn = conn(:post, "/user/password/register", %{"user" => %{"username" => "marty", "password" => "outatime1985", "password_confirmation" => "outatime1985"}})
...> conn = Strategy.plug(strategy, :register, conn)
...> {_conn, {:ok, marty}} = Plug.Helpers.get_authentication_result(conn)
...> marty.username |> to_string()
"marty"
...> conn = conn(:post, "/user/password/reset_request", %{"user" => %{"username" => "marty"}})
...> conn = Strategy.plug(strategy, :reset_request, conn)
...> {_conn, :ok} = Plug.Helpers.get_authentication_result(conn)
## Testing
See the [Testing guide](/documentation/topics/testing.md) for tips on testing resources using this strategy.
## DSL Documentation
Strategy for authenticating using local resources as the source of truth.
* resettable
Examples:
```
password :password do
identity_field :email
hashed_password_field :hashed_password
hash_provider AshAuthentication.BcryptProvider
confirmation_required? true
end
```
* `:identity_field` (`t:atom/0`) - The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`. The default value is `:username`.
* `:hashed_password_field` (`t:atom/0`) - The name of the attribute within which to store the user's password
once it has been hashed. The default value is `:hashed_password`.
* `:hash_provider` (`t:atom/0`) - A module which implements the `AshAuthentication.HashProvider`
behaviour.
Used to provide cryptographic hashing of passwords. The default value is `AshAuthentication.BcryptProvider`.
* `:confirmation_required?` (`t:boolean/0`) - Whether a password confirmation field is required when registering or
changing passwords. The default value is `true`.
* `:register_action_accept` (list of `t:atom/0`) - A list of additional fields to be accepted in the register action. The default value is `[]`.
* `:password_field` (`t:atom/0`) - The name of the argument used to collect the user's password in
plaintext when registering, checking or changing passwords. The default value is `:password`.
* `:password_confirmation_field` (`t:atom/0`) - The name of the argument used to confirm the user's password in
plaintext when registering or changing passwords. The default value is `:password_confirmation`.
* `:register_action_name` (`t:atom/0`) - The name to use for the register action.
If not present it will be generated by prepending the strategy name
with `register_with_`.
* `:registration_enabled?` (`t:boolean/0`) - If you do not want new users to be able to register using this
strategy, set this to false. The default value is `true`.
* `:sign_in_action_name` (`t:atom/0`) - The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
* `:sign_in_enabled?` (`t:boolean/0`) - If you do not want new users to be able to sign in using this
strategy, set this to false. The default value is `true`.
* `:sign_in_tokens_enabled?` (`t:boolean/0`) - Whether or not to support generating short lived sign in tokens. Requires the resource to have
tokens enabled. There is no drawback to supporting this, and in the future this default will
change from `false` to `true`.
Sign in tokens can be generated on request by setting the `:token_type` context to `:sign_in`
when calling the sign in action. You might do this when you need to generate a short lived token
to be exchanged for a real token using the `validate_sign_in_token` route. This is used, for example,
by `ash_authentication_phoenix` (since 1.7) to support signing in in a liveview, and then redirecting
with a valid token to a controller action, allowing the liveview to show invalid username/password errors. The default value is `false`.
* `:sign_in_token_lifetime` - A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`.
If no unit is specified, defaults to `:seconds`. The default value is `{60, :seconds}`.
### resettable
Configure password reset options for the resource
* `:token_lifetime` - How long should the reset token be valid.
If no unit is provided `:hours` is assumed.
Defaults to 3 days. The default value is `{3, :days}`.
* `:request_password_reset_action_name` (`t:atom/0`) - The name to use for the action which generates a password reset token.
If not present it will be generated by prepending the strategy name
with `request_password_reset_with_`.
* `:password_reset_action_name` (`t:atom/0`) - The name to use for the action which actually resets the user's
password.
If not present it will be generated by prepending the strategy name
with `password_reset_with_`.
* `:sender` - Required. How to send the password reset instructions to the user.
Allows you to glue sending of reset instructions to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
## authentication.strategies.password
```elixir
password name \ :password
```
Strategy for authenticating using local resources as the source of truth.
### Nested DSLs
* [resettable](#authentication-strategies-password-resettable)
### Examples
```
password :password do
identity_field :email
hashed_password_field :hashed_password
hash_provider AshAuthentication.BcryptProvider
confirmation_required? true
end
```
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-identity_field" href="#authentication-strategies-password-identity_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
identity_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:username</code>
</td>
<td style="text-align: left" colspan=2>
The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-hashed_password_field" href="#authentication-strategies-password-hashed_password_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
hashed_password_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:hashed_password</code>
</td>
<td style="text-align: left" colspan=2>
The name of the attribute within which to store the user's password
once it has been hashed.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-hash_provider" href="#authentication-strategies-password-hash_provider">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
hash_provider
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">module</code>
</td>
<td style="text-align: left">
<code class="inline">AshAuthentication.BcryptProvider</code>
</td>
<td style="text-align: left" colspan=2>
A module which implements the `AshAuthentication.HashProvider`
behaviour.
Used to provide cryptographic hashing of passwords.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-confirmation_required?" href="#authentication-strategies-password-confirmation_required?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
confirmation_required?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
Whether a password confirmation field is required when registering or
changing passwords.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-register_action_accept" href="#authentication-strategies-password-register_action_accept">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
register_action_accept
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">list(atom)</code>
</td>
<td style="text-align: left">
<code class="inline">[]</code>
</td>
<td style="text-align: left" colspan=2>
A list of additional fields to be accepted in the register action.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-password_field" href="#authentication-strategies-password-password_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
password_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:password</code>
</td>
<td style="text-align: left" colspan=2>
The name of the argument used to collect the user's password in
plaintext when registering, checking or changing passwords.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-password_confirmation_field" href="#authentication-strategies-password-password_confirmation_field">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
password_confirmation_field
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:password_confirmation</code>
</td>
<td style="text-align: left" colspan=2>
The name of the argument used to confirm the user's password in
plaintext when registering or changing passwords.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-register_action_name" href="#authentication-strategies-password-register_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
register_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the register action.
If not present it will be generated by prepending the strategy name
with `register_with_`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-registration_enabled?" href="#authentication-strategies-password-registration_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
registration_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
If you do not want new users to be able to register using this
strategy, set this to false.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-sign_in_action_name" href="#authentication-strategies-password-sign_in_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-sign_in_enabled?" href="#authentication-strategies-password-sign_in_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">true</code>
</td>
<td style="text-align: left" colspan=2>
If you do not want new users to be able to sign in using this
strategy, set this to false.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-sign_in_tokens_enabled?" href="#authentication-strategies-password-sign_in_tokens_enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_tokens_enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
Whether or not to support generating short lived sign in tokens. Requires the resource to have
tokens enabled. There is no drawback to supporting this, and in the future this default will
change from `false` to `true`.
Sign in tokens can be generated on request by setting the `:token_type` context to `:sign_in`
when calling the sign in action. You might do this when you need to generate a short lived token
to be exchanged for a real token using the `validate_sign_in_token` route. This is used, for example,
by `ash_authentication_phoenix` (since 1.7) to support signing in in a liveview, and then redirecting
with a valid token to a controller action, allowing the liveview to show invalid username/password errors.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-sign_in_token_lifetime" href="#authentication-strategies-password-sign_in_token_lifetime">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sign_in_token_lifetime
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer | {pos_integer, :days | :hours | :minutes | :seconds}</code>
</td>
<td style="text-align: left">
<code class="inline">{60, :seconds}</code>
</td>
<td style="text-align: left" colspan=2>
A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`.
If no unit is specified, defaults to `:seconds`.
</td>
</tr>
</tbody>
</table>
## authentication.strategies.password.resettable
Configure password reset options for the resource
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-resettable-sender" href="#authentication-strategies-password-resettable-sender">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
sender
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">(any, any, any -> any) | module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
How to send the password reset instructions to the user.
Allows you to glue sending of reset instructions to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-resettable-token_lifetime" href="#authentication-strategies-password-resettable-token_lifetime">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_lifetime
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer | {pos_integer, :days | :hours | :minutes | :seconds}</code>
</td>
<td style="text-align: left">
<code class="inline">{3, :days}</code>
</td>
<td style="text-align: left" colspan=2>
How long should the reset token be valid.
If no unit is provided `:hours` is assumed.
Defaults to 3 days.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-resettable-request_password_reset_action_name" href="#authentication-strategies-password-resettable-request_password_reset_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
request_password_reset_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the action which generates a password reset token.
If not present it will be generated by prepending the strategy name
with `request_password_reset_with_`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-strategies-password-resettable-password_reset_action_name" href="#authentication-strategies-password-resettable-password_reset_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
password_reset_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name to use for the action which actually resets the user's
password.
If not present it will be generated by prepending the strategy name
with `password_reset_with_`.
</td>
</tr>
</tbody>
</table>
### Introspection
Target: `AshAuthentication.Strategy.Password.Resettable`
### Introspection
Target: `AshAuthentication.Strategy.Password`

280
documentation/dsls/DSL:-AshAuthentication.Strategy.Password.md Normal file
View file

@ -0,0 +1,280 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Password
Strategy for authenticating using local resources as the source of truth.
In order to use password authentication your resource needs to meet the
following minimum requirements:
1. Have a primary key.
2. A uniquely constrained identity field (eg `username` or `email`).
3. A sensitive string field within which to store the hashed password.
There are other options documented in the DSL.
### Example:
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
attribute :hashed_password, :string, allow_nil?: false, sensitive?: true
end
authentication do
api MyApp.Accounts
strategies do
password :password do
identity_field :email
hashed_password_field :hashed_password
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
## Actions
By default the password strategy will automatically generate the register,
sign-in, reset-request and reset actions for you, however you're free to
define them yourself. If you do, then the action will be validated to ensure
that all the needed configuration is present.
If you wish to work with the actions directly from your code you can do so via
the `AshAuthentication.Strategy` protocol.
### Examples:
Interacting with the actions directly:
iex> strategy = Info.strategy!(Example.User, :password)
...> {:ok, marty} = Strategy.action(strategy, :register, %{"username" => "marty", "password" => "outatime1985", "password_confirmation" => "outatime1985"})
...> marty.username |> to_string()
"marty"
...> {:ok, user} = Strategy.action(strategy, :sign_in, %{"username" => "marty", "password" => "outatime1985"})
...> user.username |> to_string()
"marty"
## Plugs
The password strategy provides plug endpoints for all four actions, although
only sign-in and register will be reported by `Strategy.routes/1` if the
strategy is not configured as resettable.
If you wish to work with the plugs directly, you can do so via the
`AshAuthentication.Strategy` protocol.
### Examples:
Dispatching to plugs directly:
iex> strategy = Info.strategy!(Example.User, :password)
...> conn = conn(:post, "/user/password/register", %{"user" => %{"username" => "marty", "password" => "outatime1985", "password_confirmation" => "outatime1985"}})
...> conn = Strategy.plug(strategy, :register, conn)
...> {_conn, {:ok, marty}} = Plug.Helpers.get_authentication_result(conn)
...> marty.username |> to_string()
"marty"
...> conn = conn(:post, "/user/password/reset_request", %{"user" => %{"username" => "marty"}})
...> conn = Strategy.plug(strategy, :reset_request, conn)
...> {_conn, :ok} = Plug.Helpers.get_authentication_result(conn)
## Testing
See the [Testing guide](/documentation/topics/testing.md) for tips on testing resources using this strategy.
## DSL Documentation
Strategy for authenticating using local resources as the source of truth.
* resettable
Examples:
```
password :password do
identity_field :email
hashed_password_field :hashed_password
hash_provider AshAuthentication.BcryptProvider
confirmation_required? true
end
```
* `:identity_field` (`t:atom/0`) - The name of the attribute which uniquely identifies the user.
Usually something like `username` or `email_address`. The default value is `:username`.
* `:hashed_password_field` (`t:atom/0`) - The name of the attribute within which to store the user's password
once it has been hashed. The default value is `:hashed_password`.
* `:hash_provider` (`t:atom/0`) - A module which implements the `AshAuthentication.HashProvider`
behaviour.
Used to provide cryptographic hashing of passwords. The default value is `AshAuthentication.BcryptProvider`.
* `:confirmation_required?` (`t:boolean/0`) - Whether a password confirmation field is required when registering or
changing passwords. The default value is `true`.
* `:register_action_accept` (list of `t:atom/0`) - A list of additional fields to be accepted in the register action. The default value is `[]`.
* `:password_field` (`t:atom/0`) - The name of the argument used to collect the user's password in
plaintext when registering, checking or changing passwords. The default value is `:password`.
* `:password_confirmation_field` (`t:atom/0`) - The name of the argument used to confirm the user's password in
plaintext when registering or changing passwords. The default value is `:password_confirmation`.
* `:register_action_name` (`t:atom/0`) - The name to use for the register action.
If not present it will be generated by prepending the strategy name
with `register_with_`.
* `:registration_enabled?` (`t:boolean/0`) - If you do not want new users to be able to register using this
strategy, set this to false. The default value is `true`.
* `:sign_in_action_name` (`t:atom/0`) - The name to use for the sign in action.
If not present it will be generated by prepending the strategy name
with `sign_in_with_`.
* `:sign_in_enabled?` (`t:boolean/0`) - If you do not want new users to be able to sign in using this
strategy, set this to false. The default value is `true`.
* `:sign_in_tokens_enabled?` (`t:boolean/0`) - Whether or not to support generating short lived sign in tokens. Requires the resource to have
tokens enabled. There is no drawback to supporting this, and in the future this default will
change from `false` to `true`.
Sign in tokens can be generated on request by setting the `:token_type` context to `:sign_in`
when calling the sign in action. You might do this when you need to generate a short lived token
to be exchanged for a real token using the `validate_sign_in_token` route. This is used, for example,
by `ash_authentication_phoenix` (since 1.7) to support signing in in a liveview, and then redirecting
with a valid token to a controller action, allowing the liveview to show invalid username/password errors. The default value is `false`.
* `:sign_in_token_lifetime` - A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`.
If no unit is specified, defaults to `:seconds`. The default value is `{60, :seconds}`.
### resettable
Configure password reset options for the resource
* `:token_lifetime` - How long should the reset token be valid.
If no unit is provided `:hours` is assumed.
Defaults to 3 days. The default value is `{3, :days}`.
* `:request_password_reset_action_name` (`t:atom/0`) - The name to use for the action which generates a password reset token.
If not present it will be generated by prepending the strategy name
with `request_password_reset_with_`.
* `:password_reset_action_name` (`t:atom/0`) - The name to use for the action which actually resets the user's
password.
If not present it will be generated by prepending the strategy name
with `password_reset_with_`.
* `:sender` - Required. How to send the password reset instructions to the user.
Allows you to glue sending of reset instructions to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application.
Accepts a module, module and opts, or a function that takes a record, reset token and options.
See `AshAuthentication.Sender` for more information.
## authentication.strategies.password
```elixir
password name \\ :password
```
Strategy for authenticating using local resources as the source of truth.
### Nested DSLs
* [resettable](#authentication-strategies-password-resettable)
### Examples
```
password :password do
identity_field :email
hashed_password_field :hashed_password
hash_provider AshAuthentication.BcryptProvider
confirmation_required? true
end
```
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`identity_field`](#authentication-strategies-password-identity_field){: #authentication-strategies-password-identity_field } | `atom` | `:username` | The name of the attribute which uniquely identifies the user. Usually something like `username` or `email_address`. |
| [`hashed_password_field`](#authentication-strategies-password-hashed_password_field){: #authentication-strategies-password-hashed_password_field } | `atom` | `:hashed_password` | The name of the attribute within which to store the user's password once it has been hashed. |
| [`hash_provider`](#authentication-strategies-password-hash_provider){: #authentication-strategies-password-hash_provider } | `module` | `AshAuthentication.BcryptProvider` | A module which implements the `AshAuthentication.HashProvider` behaviour. Used to provide cryptographic hashing of passwords. |
| [`confirmation_required?`](#authentication-strategies-password-confirmation_required?){: #authentication-strategies-password-confirmation_required? } | `boolean` | `true` | Whether a password confirmation field is required when registering or changing passwords. |
| [`register_action_accept`](#authentication-strategies-password-register_action_accept){: #authentication-strategies-password-register_action_accept } | `list(atom)` | `[]` | A list of additional fields to be accepted in the register action. |
| [`password_field`](#authentication-strategies-password-password_field){: #authentication-strategies-password-password_field } | `atom` | `:password` | The name of the argument used to collect the user's password in plaintext when registering, checking or changing passwords. |
| [`password_confirmation_field`](#authentication-strategies-password-password_confirmation_field){: #authentication-strategies-password-password_confirmation_field } | `atom` | `:password_confirmation` | The name of the argument used to confirm the user's password in plaintext when registering or changing passwords. |
| [`register_action_name`](#authentication-strategies-password-register_action_name){: #authentication-strategies-password-register_action_name } | `atom` | | The name to use for the register action. If not present it will be generated by prepending the strategy name with `register_with_`. |
| [`registration_enabled?`](#authentication-strategies-password-registration_enabled?){: #authentication-strategies-password-registration_enabled? } | `boolean` | `true` | If you do not want new users to be able to register using this strategy, set this to false. |
| [`sign_in_action_name`](#authentication-strategies-password-sign_in_action_name){: #authentication-strategies-password-sign_in_action_name } | `atom` | | The name to use for the sign in action. If not present it will be generated by prepending the strategy name with `sign_in_with_`. |
| [`sign_in_enabled?`](#authentication-strategies-password-sign_in_enabled?){: #authentication-strategies-password-sign_in_enabled? } | `boolean` | `true` | If you do not want new users to be able to sign in using this strategy, set this to false. |
| [`sign_in_tokens_enabled?`](#authentication-strategies-password-sign_in_tokens_enabled?){: #authentication-strategies-password-sign_in_tokens_enabled? } | `boolean` | `false` | Whether or not to support generating short lived sign in tokens. Requires the resource to have tokens enabled. There is no drawback to supporting this, and in the future this default will change from `false` to `true`. Sign in tokens can be generated on request by setting the `:token_type` context to `:sign_in` when calling the sign in action. You might do this when you need to generate a short lived token to be exchanged for a real token using the `validate_sign_in_token` route. This is used, for example, by `ash_authentication_phoenix` (since 1.7) to support signing in in a liveview, and then redirecting with a valid token to a controller action, allowing the liveview to show invalid username/password errors. |
| [`sign_in_token_lifetime`](#authentication-strategies-password-sign_in_token_lifetime){: #authentication-strategies-password-sign_in_token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{60, :seconds}` | A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`. If no unit is specified, defaults to `:seconds`. |
## authentication.strategies.password.resettable
Configure password reset options for the resource
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`sender`](#authentication-strategies-password-resettable-sender){: #authentication-strategies-password-resettable-sender .spark-required} | `(any, any, any -> any) \| module` | | How to send the password reset instructions to the user. Allows you to glue sending of reset instructions to [swoosh](https://hex.pm/packages/swoosh), [ex_twilio](https://hex.pm/packages/ex_twilio) or whatever notification system is appropriate for your application. Accepts a module, module and opts, or a function that takes a record, reset token and options. See `AshAuthentication.Sender` for more information. |
| [`token_lifetime`](#authentication-strategies-password-resettable-token_lifetime){: #authentication-strategies-password-resettable-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{3, :days}` | How long should the reset token be valid. If no unit is provided `:hours` is assumed. Defaults to 3 days. |
| [`request_password_reset_action_name`](#authentication-strategies-password-resettable-request_password_reset_action_name){: #authentication-strategies-password-resettable-request_password_reset_action_name } | `atom` | | The name to use for the action which generates a password reset token. If not present it will be generated by prepending the strategy name with `request_password_reset_with_`. |
| [`password_reset_action_name`](#authentication-strategies-password-resettable-password_reset_action_name){: #authentication-strategies-password-resettable-password_reset_action_name } | `atom` | | The name to use for the action which actually resets the user's password. If not present it will be generated by prepending the strategy name with `password_reset_with_`. |
### Introspection
Target: `AshAuthentication.Strategy.Password.Resettable`
### Introspection
Target: `AshAuthentication.Strategy.Password`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

359
documentation/dsls/DSL:-AshAuthentication.TokenResource.cheatmd
View file

@ -1,359 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.TokenResource
This is an Ash resource extension which generates the default token resource.
The token resource is used to store information about tokens that should not
be shared with the end user. It does not actually contain any tokens.
For example:
* When an authentication token has been revoked
* When a confirmation token has changes to apply
## Storage
The information stored in this resource is essentially ephemeral - all tokens
have an expiry date, so it doesn't make sense to keep them after that time has
passed. However, if you have any tokens with very long expiry times then we
suggest you store this resource in a resilient data-layer such as Postgres.
## Usage
There is no need to define any attributes or actions (although you can if you
want). The extension will wire up everything that's needed for the token
system to function.
```
defmodule MyApp.Accounts.Token do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.TokenResource]
token do
api MyApp.Accounts
end
postgres do
table "tokens"
repo MyApp.Repo
end
end
```
Whilst it is possible to have multiple token resources, there is no need to do
so.
## Removing expired records
Once a token has expired there's no point in keeping the information it refers
to, so expired tokens can be automatically removed by adding the
`AshAuthentication.Supervisor` to your application supervision tree. This
will start the `AshAuthentication.TokenResource.Expunger` `GenServer` which
periodically scans and removes any expired records.
## token
Configuration options for this token resource
### Nested DSLs
* [revocation](#token-revocation)
* [confirmation](#token-confirmation)
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="token-api" href="#token-api">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
api
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The Ash API to use to access this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-expunge_expired_action_name" href="#token-expunge_expired_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
expunge_expired_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:expunge_expired</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to remove expired tokens.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-read_expired_action_name" href="#token-read_expired_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
read_expired_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:read_expired</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action use to find all expired tokens.
Used internally by the `expunge_expired` action.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-expunge_interval" href="#token-expunge_interval">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
expunge_interval
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer</code>
</td>
<td style="text-align: left">
<code class="inline">12</code>
</td>
<td style="text-align: left" colspan=2>
How often to remove expired records.
How often to scan this resource for records which have expired, and thus can be removed.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-store_token_action_name" href="#token-store_token_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
store_token_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:store_token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action to use to store a token.
Used if `store_all_tokens?` is enabled in your authentication resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-get_token_action_name" href="#token-get_token_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
get_token_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:get_token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to retrieve tokens from the store.
Used if `require_token_presence_for_authentication?` is enabled in your authentication resource.
</td>
</tr>
</tbody>
</table>
## token.revocation
Configuration options for token revocation
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="token-revocation-revoke_token_action_name" href="#token-revocation-revoke_token_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
revoke_token_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:revoke_token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to revoke tokens.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-revocation-is_revoked_action_name" href="#token-revocation-is_revoked_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
is_revoked_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:revoked?</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to check if a token is revoked.
</td>
</tr>
</tbody>
</table>
## token.confirmation
Configuration options for confirmation tokens
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="token-confirmation-store_changes_action_name" href="#token-confirmation-store_changes_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
store_changes_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:store_confirmation_changes</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to store confirmation changes.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="token-confirmation-get_changes_action_name" href="#token-confirmation-get_changes_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
get_changes_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:get_confirmation_changes</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to get confirmation changes.
</td>
</tr>
</tbody>
</table>

122
documentation/dsls/DSL:-AshAuthentication.TokenResource.md Normal file
View file

@ -0,0 +1,122 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.TokenResource
This is an Ash resource extension which generates the default token resource.
The token resource is used to store information about tokens that should not
be shared with the end user. It does not actually contain any tokens.
For example:
* When an authentication token has been revoked
* When a confirmation token has changes to apply
## Storage
The information stored in this resource is essentially ephemeral - all tokens
have an expiry date, so it doesn't make sense to keep them after that time has
passed. However, if you have any tokens with very long expiry times then we
suggest you store this resource in a resilient data-layer such as Postgres.
## Usage
There is no need to define any attributes or actions (although you can if you
want). The extension will wire up everything that's needed for the token
system to function.
```
defmodule MyApp.Accounts.Token do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.TokenResource]
token do
api MyApp.Accounts
end
postgres do
table "tokens"
repo MyApp.Repo
end
end
```
Whilst it is possible to have multiple token resources, there is no need to do
so.
## Removing expired records
Once a token has expired there's no point in keeping the information it refers
to, so expired tokens can be automatically removed by adding the
`AshAuthentication.Supervisor` to your application supervision tree. This
will start the `AshAuthentication.TokenResource.Expunger` `GenServer` which
periodically scans and removes any expired records.
## token
Configuration options for this token resource
### Nested DSLs
* [revocation](#token-revocation)
* [confirmation](#token-confirmation)
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`api`](#token-api){: #token-api .spark-required} | `module` | | The Ash API to use to access this resource. |
| [`expunge_expired_action_name`](#token-expunge_expired_action_name){: #token-expunge_expired_action_name } | `atom` | `:expunge_expired` | The name of the action used to remove expired tokens. |
| [`read_expired_action_name`](#token-read_expired_action_name){: #token-read_expired_action_name } | `atom` | `:read_expired` | The name of the action use to find all expired tokens. Used internally by the `expunge_expired` action. |
| [`expunge_interval`](#token-expunge_interval){: #token-expunge_interval } | `pos_integer` | `12` | How often to remove expired records. How often to scan this resource for records which have expired, and thus can be removed. |
| [`store_token_action_name`](#token-store_token_action_name){: #token-store_token_action_name } | `atom` | `:store_token` | The name of the action to use to store a token. Used if `store_all_tokens?` is enabled in your authentication resource. |
| [`get_token_action_name`](#token-get_token_action_name){: #token-get_token_action_name } | `atom` | `:get_token` | The name of the action used to retrieve tokens from the store. Used if `require_token_presence_for_authentication?` is enabled in your authentication resource. |
## token.revocation
Configuration options for token revocation
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`revoke_token_action_name`](#token-revocation-revoke_token_action_name){: #token-revocation-revoke_token_action_name } | `atom` | `:revoke_token` | The name of the action used to revoke tokens. |
| [`is_revoked_action_name`](#token-revocation-is_revoked_action_name){: #token-revocation-is_revoked_action_name } | `atom` | `:revoked?` | The name of the action used to check if a token is revoked. |
## token.confirmation
Configuration options for confirmation tokens
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`store_changes_action_name`](#token-confirmation-store_changes_action_name){: #token-confirmation-store_changes_action_name } | `atom` | `:store_confirmation_changes` | The name of the action used to store confirmation changes. |
| [`get_changes_action_name`](#token-confirmation-get_changes_action_name){: #token-confirmation-get_changes_action_name } | `atom` | `:get_confirmation_changes` | The name of the action used to get confirmation changes. |
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

319
documentation/dsls/DSL:-AshAuthentication.UserIdentity.cheatmd
View file

@ -1,319 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.UserIdentity
An Ash extension which generates the default user identities resource.
The user identities resource is used to store information returned by remote
authentication strategies (such as those provided by OAuth2) and maps them to
your user resource(s). This provides the following benefits:
1. A user can be signed in to multiple authentication strategies at once.
2. For those provides which support it AshAuthentication can handle
automatic refreshing of tokens.
## Storage
User identities are expected to be relatively long-lived (although they're
deleted on log out), so should probably be stored using a permanent data layer
sush as `ash_postgres`.
## Usage
There is no need to define any attributes, etc. The extension will generate
them all for you. As there is no other use-case for this resource it's
unlikely that you will need to customise it.
```elixir
defmodule MyApp.Accounts.UserIdentity do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.UserIdentity]
user_identity do
api MyApp.Accounts
user_resource MyApp.Accounts.User
end
postgres do
table "user_identities"
repo MyApp.Repo
end
end
```
If you intend to operate with multiple user resources, you will need to define
multiple user identity resources.
## user_identity
Configure identity options for this resource
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="user_identity-api" href="#user_identity-api">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
api
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The Ash API to use to access this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-user_resource" href="#user_identity-user_resource">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_resource
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The user resource to which these identities belong.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-uid_attribute_name" href="#user_identity-uid_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
uid_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:uid</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `uid` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-strategy_attribute_name" href="#user_identity-strategy_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
strategy_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:strategy</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `strategy` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-user_id_attribute_name" href="#user_identity-user_id_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_id_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:user_id</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `user_id` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-access_token_attribute_name" href="#user_identity-access_token_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
access_token_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:access_token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `access_token` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-access_token_expires_at_attribute_name" href="#user_identity-access_token_expires_at_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
access_token_expires_at_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:access_token_expires_at</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `access_token_expires_at` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-refresh_token_attribute_name" href="#user_identity-refresh_token_attribute_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
refresh_token_attribute_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:refresh_token</code>
</td>
<td style="text-align: left" colspan=2>
The name of the `refresh_token` attribute on this resource.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-upsert_action_name" href="#user_identity-upsert_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
upsert_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:upsert</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to create and update records.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-destroy_action_name" href="#user_identity-destroy_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
destroy_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:destroy</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to destroy records.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-read_action_name" href="#user_identity-read_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
read_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:read</code>
</td>
<td style="text-align: left" colspan=2>
The name of the action used to query identities.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="user_identity-user_relationship_name" href="#user_identity-user_relationship_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
user_relationship_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:user</code>
</td>
<td style="text-align: left" colspan=2>
The name of the belongs-to relationship between identities and users.
</td>
</tr>
</tbody>
</table>

81
documentation/dsls/DSL:-AshAuthentication.UserIdentity.md Normal file
View file

@ -0,0 +1,81 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.UserIdentity
An Ash extension which generates the default user identities resource.
The user identities resource is used to store information returned by remote
authentication strategies (such as those provided by OAuth2) and maps them to
your user resource(s). This provides the following benefits:
1. A user can be signed in to multiple authentication strategies at once.
2. For those provides which support it AshAuthentication can handle
automatic refreshing of tokens.
## Storage
User identities are expected to be relatively long-lived (although they're
deleted on log out), so should probably be stored using a permanent data layer
sush as `ash_postgres`.
## Usage
There is no need to define any attributes, etc. The extension will generate
them all for you. As there is no other use-case for this resource it's
unlikely that you will need to customise it.
```elixir
defmodule MyApp.Accounts.UserIdentity do
use Ash.Resource,
data_layer: AshPostgres.DataLayer,
extensions: [AshAuthentication.UserIdentity]
user_identity do
api MyApp.Accounts
user_resource MyApp.Accounts.User
end
postgres do
table "user_identities"
repo MyApp.Repo
end
end
```
If you intend to operate with multiple user resources, you will need to define
multiple user identity resources.
## user_identity
Configure identity options for this resource
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`api`](#user_identity-api){: #user_identity-api .spark-required} | `module` | | The Ash API to use to access this resource. |
| [`user_resource`](#user_identity-user_resource){: #user_identity-user_resource .spark-required} | `module` | | The user resource to which these identities belong. |
| [`uid_attribute_name`](#user_identity-uid_attribute_name){: #user_identity-uid_attribute_name } | `atom` | `:uid` | The name of the `uid` attribute on this resource. |
| [`strategy_attribute_name`](#user_identity-strategy_attribute_name){: #user_identity-strategy_attribute_name } | `atom` | `:strategy` | The name of the `strategy` attribute on this resource. |
| [`user_id_attribute_name`](#user_identity-user_id_attribute_name){: #user_identity-user_id_attribute_name } | `atom` | `:user_id` | The name of the `user_id` attribute on this resource. |
| [`access_token_attribute_name`](#user_identity-access_token_attribute_name){: #user_identity-access_token_attribute_name } | `atom` | `:access_token` | The name of the `access_token` attribute on this resource. |
| [`access_token_expires_at_attribute_name`](#user_identity-access_token_expires_at_attribute_name){: #user_identity-access_token_expires_at_attribute_name } | `atom` | `:access_token_expires_at` | The name of the `access_token_expires_at` attribute on this resource. |
| [`refresh_token_attribute_name`](#user_identity-refresh_token_attribute_name){: #user_identity-refresh_token_attribute_name } | `atom` | `:refresh_token` | The name of the `refresh_token` attribute on this resource. |
| [`upsert_action_name`](#user_identity-upsert_action_name){: #user_identity-upsert_action_name } | `atom` | `:upsert` | The name of the action used to create and update records. |
| [`destroy_action_name`](#user_identity-destroy_action_name){: #user_identity-destroy_action_name } | `atom` | `:destroy` | The name of the action used to destroy records. |
| [`read_action_name`](#user_identity-read_action_name){: #user_identity-read_action_name } | `atom` | `:read` | The name of the action used to query identities. |
| [`user_relationship_name`](#user_identity-user_relationship_name){: #user_identity-user_relationship_name } | `atom` | `:user` | The name of the belongs-to relationship between identities and users. |
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

446
documentation/dsls/DSL:-AshAuthentication.cheatmd
View file

@ -1,446 +0,0 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication
AshAuthentication provides a turn-key authentication solution for folks using
[Ash](https://www.ash-hq.org/).
## Usage
This package assumes that you have [Ash](https://ash-hq.org/) installed and
configured. See the Ash documentation for details.
Once installed you can easily add support for authentication by configuring
the `AshAuthentication` extension on your resource:
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
attribute :hashed_password, :string, allow_nil?: false, sensitive?: true
end
authentication do
api MyApp.Accounts
strategies do
password :password do
identity_field :email
hashed_password_field :hashed_password
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
If you plan on providing authentication via the web, then you will need to
define a plug using `AshAuthentication.Plug` which builds a `Plug.Router` that
routes incoming authentication requests to the correct provider and provides
callbacks for you to manipulate the conn after success or failure.
If you're using AshAuthentication with Phoenix, then check out
[`ash_authentication_phoenix`](https://github.com/team-alembic/ash_authentication_phoenix)
which provides route helpers, a controller abstraction and LiveView components
for easy set up.
## Authentication Strategies
Currently supported strategies:
1. `AshAuthentication.Strategy.Password`
- authenticate users against your local database using a unique identity
(such as username or email address) and a password.
2. `AshAuthentication.Strategy.OAuth2`
- authenticate using local or remote [OAuth 2.0](https://oauth.net/2/)
compatible services.
## Add-ons
Add-ons are like strategies, except that they don't actually provide
authentication - they just provide features adjacent to authentication.
Current add-ons:
1. `AshAuthentication.AddOn.Confirmation`
- allows you to force the user to confirm changes using a confirmation
token (eg. sending a confirmation email when a new user registers).
## Supervisor
Some add-ons or strategies may require processes to be started which manage
their state over the lifetime of the application (eg periodically deleting
expired token revocations). Because of this you should add
`{AshAuthentication.Supervisor, otp_app: :my_app}` to your application's
supervision tree. See [the Elixir
docs](https://hexdocs.pm/elixir/Application.html#module-the-application-callback-module)
for more information.
## authentication
Configure authentication for this resource
### Nested DSLs
* [tokens](#authentication-tokens)
* [strategies](#authentication-strategies)
* [add_ons](#authentication-add_ons)
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-api" href="#authentication-api">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
api
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">module</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The name of the Ash API to use to access this resource when
doing anything authenticaiton related.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-subject_name" href="#authentication-subject_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
subject_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The subject name is used anywhere that a short version of your
resource name is needed, eg:
- generating token claims,
- generating routes,
- form parameter nesting.
This needs to be unique system-wide and if not set will be inferred
from the resource name (ie `MyApp.Accounts.User` will have a subject
name of `user`).
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-get_by_subject_action_name" href="#authentication-get_by_subject_action_name">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
get_by_subject_action_name
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">atom</code>
</td>
<td style="text-align: left">
<code class="inline">:get_by_subject</code>
</td>
<td style="text-align: left" colspan=2>
The name of the read action used to retrieve records.
Used internally by `AshAuthentication.subject_to_user/2`. If the
action doesn't exist, one will be generated for you.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-select_for_senders" href="#authentication-select_for_senders">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
select_for_senders
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">list(atom)</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
A list of fields that we will ensure are selected whenever a sender will be invoked.
This is useful if using something like `ash_graphql` which by default only selects
what fields appear in the query, and if you are exposing these actions that way.
Defaults to `[:email]` if there is an `:email` attribute on the resource, and `[]`
otherwise.
</td>
</tr>
</tbody>
</table>
## authentication.tokens
Configure JWT settings for this resource
### Options
<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-token_resource" href="#authentication-tokens-token_resource">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_resource
</span>
</a>
<sup style="color: red">*</sup>
</td>
<td style="text-align: left">
<code class="inline">module | false</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The resource used to store token information.
If token generation is enabled for this resource, we need a place to
store information about tokens, such as revocations and in-flight
confirmations.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-enabled?" href="#authentication-tokens-enabled?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
enabled?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
Should JWTs be generated by this resource?
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-store_all_tokens?" href="#authentication-tokens-store_all_tokens?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
store_all_tokens?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
Store all tokens in the `token_resource`?
Some applications need to keep track of all tokens issued to
any user. This is optional behaviour with `ash_authentication`
in order to preserve as much performance as possible.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-require_token_presence_for_authentication?" href="#authentication-tokens-require_token_presence_for_authentication?">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
require_token_presence_for_authentication?
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">boolean</code>
</td>
<td style="text-align: left">
<code class="inline">false</code>
</td>
<td style="text-align: left" colspan=2>
Require a locally-stored token for authentication?
This inverts the token validation behaviour from requiring that
tokens are not revoked to requiring any token presented by a
client to be present in the token resource to be considered
valid.
Requires `store_all_tokens?` to be `true`.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-signing_algorithm" href="#authentication-tokens-signing_algorithm">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
signing_algorithm
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">String.t</code>
</td>
<td style="text-align: left">
<code class="inline">"HS256"</code>
</td>
<td style="text-align: left" colspan=2>
The algorithm to use for token signing.
Available signing algorithms are;
EdDSA, Ed448ph, Ed448, Ed25519ph, Ed25519, PS512, PS384, PS256, ES512, ES384, ES256, RS512, RS384, RS256, HS512, HS384 and HS256.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-token_lifetime" href="#authentication-tokens-token_lifetime">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
token_lifetime
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">pos_integer | {pos_integer, :days | :hours | :minutes | :seconds}</code>
</td>
<td style="text-align: left">
<code class="inline">{14, :days}</code>
</td>
<td style="text-align: left" colspan=2>
How long a token should be valid.
Since refresh tokens are not yet supported, you should
probably set this to a reasonably long time to ensure
a good user experience.
You can either provide a tuple with a time unit, or a positive
integer, in which case the unit is assumed to be hours.
Defaults to 14 days.
</td>
</tr>
<tr>
<td style="text-align: left">
<a id="authentication-tokens-signing_secret" href="#authentication-tokens-signing_secret">
<span style="font-family: Inconsolata, Menlo, Courier, monospace;">
signing_secret
</span>
</a>
</td>
<td style="text-align: left">
<code class="inline">(any, any -> any) | module | String.t</code>
</td>
<td style="text-align: left">
</td>
<td style="text-align: left" colspan=2>
The secret used to sign tokens.
Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.
See the module documentation for `AshAuthentication.Secret` for more
information.
</td>
</tr>
</tbody>
</table>
## authentication.strategies
Configure authentication strategies on this resource
## authentication.add_ons
Additional add-ons related to, but not providing authentication

155
documentation/dsls/DSL:-AshAuthentication.md Normal file
View file

@ -0,0 +1,155 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication
AshAuthentication provides a turn-key authentication solution for folks using
[Ash](https://www.ash-hq.org/).
## Usage
This package assumes that you have [Ash](https://ash-hq.org/) installed and
configured. See the Ash documentation for details.
Once installed you can easily add support for authentication by configuring
the `AshAuthentication` extension on your resource:
```elixir
defmodule MyApp.Accounts.User do
use Ash.Resource,
extensions: [AshAuthentication]
attributes do
uuid_primary_key :id
attribute :email, :ci_string, allow_nil?: false
attribute :hashed_password, :string, allow_nil?: false, sensitive?: true
end
authentication do
api MyApp.Accounts
strategies do
password :password do
identity_field :email
hashed_password_field :hashed_password
end
end
end
identities do
identity :unique_email, [:email]
end
end
```
If you plan on providing authentication via the web, then you will need to
define a plug using `AshAuthentication.Plug` which builds a `Plug.Router` that
routes incoming authentication requests to the correct provider and provides
callbacks for you to manipulate the conn after success or failure.
If you're using AshAuthentication with Phoenix, then check out
[`ash_authentication_phoenix`](https://github.com/team-alembic/ash_authentication_phoenix)
which provides route helpers, a controller abstraction and LiveView components
for easy set up.
## Authentication Strategies
Currently supported strategies:
1. `AshAuthentication.Strategy.Password`
- authenticate users against your local database using a unique identity
(such as username or email address) and a password.
2. `AshAuthentication.Strategy.OAuth2`
- authenticate using local or remote [OAuth 2.0](https://oauth.net/2/)
compatible services.
## Add-ons
Add-ons are like strategies, except that they don't actually provide
authentication - they just provide features adjacent to authentication.
Current add-ons:
1. `AshAuthentication.AddOn.Confirmation`
- allows you to force the user to confirm changes using a confirmation
token (eg. sending a confirmation email when a new user registers).
## Supervisor
Some add-ons or strategies may require processes to be started which manage
their state over the lifetime of the application (eg periodically deleting
expired token revocations). Because of this you should add
`{AshAuthentication.Supervisor, otp_app: :my_app}` to your application's
supervision tree. See [the Elixir
docs](https://hexdocs.pm/elixir/Application.html#module-the-application-callback-module)
for more information.
## authentication
Configure authentication for this resource
### Nested DSLs
* [tokens](#authentication-tokens)
* [strategies](#authentication-strategies)
* [add_ons](#authentication-add_ons)
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`api`](#authentication-api){: #authentication-api .spark-required} | `module` | | The name of the Ash API to use to access this resource when doing anything authenticaiton related. |
| [`subject_name`](#authentication-subject_name){: #authentication-subject_name } | `atom` | | The subject name is used anywhere that a short version of your resource name is needed, eg: - generating token claims, - generating routes, - form parameter nesting. This needs to be unique system-wide and if not set will be inferred from the resource name (ie `MyApp.Accounts.User` will have a subject name of `user`). |
| [`get_by_subject_action_name`](#authentication-get_by_subject_action_name){: #authentication-get_by_subject_action_name } | `atom` | `:get_by_subject` | The name of the read action used to retrieve records. Used internally by `AshAuthentication.subject_to_user/2`. If the action doesn't exist, one will be generated for you. |
| [`select_for_senders`](#authentication-select_for_senders){: #authentication-select_for_senders } | `list(atom)` | | A list of fields that we will ensure are selected whenever a sender will be invoked. This is useful if using something like `ash_graphql` which by default only selects what fields appear in the query, and if you are exposing these actions that way. Defaults to `[:email]` if there is an `:email` attribute on the resource, and `[]` otherwise. |
## authentication.tokens
Configure JWT settings for this resource
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`token_resource`](#authentication-tokens-token_resource){: #authentication-tokens-token_resource .spark-required} | `module \| false` | | The resource used to store token information. If token generation is enabled for this resource, we need a place to store information about tokens, such as revocations and in-flight confirmations. |
| [`enabled?`](#authentication-tokens-enabled?){: #authentication-tokens-enabled? } | `boolean` | `false` | Should JWTs be generated by this resource? |
| [`store_all_tokens?`](#authentication-tokens-store_all_tokens?){: #authentication-tokens-store_all_tokens? } | `boolean` | `false` | Store all tokens in the `token_resource`? Some applications need to keep track of all tokens issued to any user. This is optional behaviour with `ash_authentication` in order to preserve as much performance as possible. |
| [`require_token_presence_for_authentication?`](#authentication-tokens-require_token_presence_for_authentication?){: #authentication-tokens-require_token_presence_for_authentication? } | `boolean` | `false` | Require a locally-stored token for authentication? This inverts the token validation behaviour from requiring that tokens are not revoked to requiring any token presented by a client to be present in the token resource to be considered valid. Requires `store_all_tokens?` to be `true`. |
| [`signing_algorithm`](#authentication-tokens-signing_algorithm){: #authentication-tokens-signing_algorithm } | `String.t` | `"HS256"` | The algorithm to use for token signing. Available signing algorithms are; EdDSA, Ed448ph, Ed448, Ed25519ph, Ed25519, PS512, PS384, PS256, ES512, ES384, ES256, RS512, RS384, RS256, HS512, HS384 and HS256. |
| [`token_lifetime`](#authentication-tokens-token_lifetime){: #authentication-tokens-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{14, :days}` | How long a token should be valid. Since refresh tokens are not yet supported, you should probably set this to a reasonably long time to ensure a good user experience. You can either provide a tuple with a time unit, or a positive integer, in which case the unit is assumed to be hours. Defaults to 14 days. |
| [`signing_secret`](#authentication-tokens-signing_secret){: #authentication-tokens-signing_secret } | `(any, any -> any) \| module \| String.t` | | The secret used to sign tokens. Takes either a module which implements the `AshAuthentication.Secret` behaviour, a 2 arity anonymous function or a string. See the module documentation for `AshAuthentication.Secret` for more information. |
## authentication.strategies
Configure authentication strategies on this resource
## authentication.add_ons
Additional add-ons related to, but not providing authentication
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

8
mix.lock
View file

@ -1,14 +1,14 @@
%{
"absinthe": {:hex, :absinthe, "1.7.6", "0b897365f98d068cfcb4533c0200a8e58825a4aeeae6ec33633ebed6de11773b", [:mix], [{:dataloader, "~> 1.0.0 or ~> 2.0", [hex: :dataloader, repo: "hexpm", optional: true]}, {:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}, {:nimble_parsec, "~> 1.2.2 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}, {:opentelemetry_process_propagator, "~> 0.2.1", [hex: :opentelemetry_process_propagator, repo: "hexpm", optional: true]}, {:telemetry, "~> 1.0 or ~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "e7626951ca5eec627da960615b51009f3a774765406ff02722b1d818f17e5778"},
"absinthe_plug": {:hex, :absinthe_plug, "1.5.8", "38d230641ba9dca8f72f1fed2dfc8abd53b3907d1996363da32434ab6ee5d6ab", [:mix], [{:absinthe, "~> 1.5", [hex: :absinthe, repo: "hexpm", optional: false]}, {:plug, "~> 1.4", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "bbb04176647b735828861e7b2705465e53e2cf54ccf5a73ddd1ebd855f996e5a"},
"ash": {:hex, :ash, "2.17.10", "5fc4a5bb239ca824fd259276b4b8529dd330cca31c588656f099483aa34ebdc0", [:mix], [{:comparable, "~> 1.0", [hex: :comparable, repo: "hexpm", optional: false]}, {:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:earmark, "~> 1.4", [hex: :earmark, repo: "hexpm", optional: false]}, {:ecto, "~> 3.7", [hex: :ecto, repo: "hexpm", optional: false]}, {:ets, "~> 0.8", [hex: :ets, repo: "hexpm", optional: false]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: false]}, {:picosat_elixir, "~> 0.2", [hex: :picosat_elixir, repo: "hexpm", optional: false]}, {:plug, ">= 0.0.0", [hex: :plug, repo: "hexpm", optional: true]}, {:spark, "~> 1.1 and >= 1.1.50", [hex: :spark, repo: "hexpm", optional: false]}, {:stream_data, "~> 0.6", [hex: :stream_data, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.1", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "263ebecb61480fa0c5106376cb4b0b25735e88372a29615fcc5abf4fe797221f"},
"ash": {:hex, :ash, "2.17.12", "3da797a550a51ee999ed5e81c7c5c82e9c11c9ccaa9b7acac3fc64e4bd2ecc67", [:mix], [{:comparable, "~> 1.0", [hex: :comparable, repo: "hexpm", optional: false]}, {:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:earmark, "~> 1.4", [hex: :earmark, repo: "hexpm", optional: false]}, {:ecto, "~> 3.7", [hex: :ecto, repo: "hexpm", optional: false]}, {:ets, "~> 0.8", [hex: :ets, repo: "hexpm", optional: false]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: false]}, {:picosat_elixir, "~> 0.2", [hex: :picosat_elixir, repo: "hexpm", optional: false]}, {:plug, ">= 0.0.0", [hex: :plug, repo: "hexpm", optional: true]}, {:spark, ">= 1.1.50 and < 2.0.0-0", [hex: :spark, repo: "hexpm", optional: false]}, {:stream_data, "~> 0.6", [hex: :stream_data, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.1", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "905a28545617e59a800111e1f397c92546435d2d31f157bb1787219851572e49"},
"ash_graphql": {:hex, :ash_graphql, "0.26.8", "ca0af0d267d3cb8e7d1cf006b132f7120f7635b54187c7e150c373a652bff09f", [:mix], [{:absinthe, "~> 1.7", [hex: :absinthe, repo: "hexpm", optional: false]}, {:absinthe_plug, "~> 1.4", [hex: :absinthe_plug, repo: "hexpm", optional: false]}, {:ash, "~> 2.17", [hex: :ash, repo: "hexpm", optional: false]}, {:jason, "~> 1.2", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "dfb0a6b9840715b77fce4b95e0e820133706de76c6b1f9bafc16fa9889e7e739"},
"ash_json_api": {:hex, :ash_json_api, "0.34.0", "f11b21c322cead92d0a886c2f9640a35c5866e5024c4744ad1869996aeb3b123", [:mix], [{:ash, "~> 2.3 and >= 2.9.24", [hex: :ash, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:json_xema, "~> 0.4.0", [hex: :json_xema, repo: "hexpm", optional: false]}, {:open_api_spex, "~> 3.16", [hex: :open_api_spex, repo: "hexpm", optional: true]}, {:plug, "~> 1.11", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "192d805447e2ed506751a2ae6f58f564741f68a9e8cba1a71a2f6f3928e182f1"},
"ash_postgres": {:hex, :ash_postgres, "1.3.64", "7d7b66c482ffc934a93d9872649d22da0b832cbcb9f3a14b858a3e830100302a", [:mix], [{:ash, "~> 2.17 and >= 2.17.7", [hex: :ash, repo: "hexpm", optional: false]}, {:ecto, "~> 3.9", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "~> 3.9", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:postgrex, ">= 0.0.0", [hex: :postgrex, repo: "hexpm", optional: false]}], "hexpm", "22a40de58746ceae628b89e48317ab8bd4cf6b9cdf88c1e3a006773c4c606cd0"},
"assent": {:hex, :assent, "0.2.9", "e3cdbc8f2e4f8d02c4c490ef8c2148bb1bc0d81aa0648f09addc5918d9a1cd5a", [:mix], [{:certifi, ">= 0.0.0", [hex: :certifi, repo: "hexpm", optional: true]}, {:finch, "~> 0.15", [hex: :finch, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: true]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:req, "~> 0.4", [hex: :req, repo: "hexpm", optional: true]}, {:ssl_verify_fun, ">= 0.0.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: true]}], "hexpm", "5f9562bda90bef7bd3f1b9a348520a5631b86c85145346bb7edb8a7ebbad8e86"},
"bcrypt_elixir": {:hex, :bcrypt_elixir, "3.1.0", "0b110a9a6c619b19a7f73fa3004aa11d6e719a67e672d1633dc36b6b2290a0f7", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "2ad2acb5a8bc049e8d5aa267802631912bb80d5f4110a178ae7999e69dca1bf7"},
"bunt": {:hex, :bunt, "0.2.1", "e2d4792f7bc0ced7583ab54922808919518d0e57ee162901a16a1b6664ef3b14", [:mix], [], "hexpm", "a330bfb4245239787b15005e66ae6845c9cd524a288f0d141c148b02603777a5"},
"castore": {:hex, :castore, "1.0.4", "ff4d0fb2e6411c0479b1d965a814ea6d00e51eb2f58697446e9c41a97d940b28", [:mix], [], "hexpm", "9418c1b8144e11656f0be99943db4caf04612e3eaecefb5dae9a2a87565584f8"},
"castore": {:hex, :castore, "1.0.5", "9eeebb394cc9a0f3ae56b813459f990abb0a3dedee1be6b27fdb50301930502f", [:mix], [], "hexpm", "8d7c597c3e4a64c395980882d4bca3cebb8d74197c590dc272cfd3b6a6310578"},
"comeonin": {:hex, :comeonin, "5.4.0", "246a56ca3f41d404380fc6465650ddaa532c7f98be4bda1b4656b3a37cc13abe", [:mix], [], "hexpm", "796393a9e50d01999d56b7b8420ab0481a7538d0caf80919da493b4a6e51faf1"},
"comparable": {:hex, :comparable, "1.0.0", "bb669e91cedd14ae9937053e5bcbc3c52bb2f22422611f43b6e38367d94a495f", [:mix], [{:typable, "~> 0.1", [hex: :typable, repo: "hexpm", optional: false]}], "hexpm", "277c11eeb1cd726e7cd41c6c199e7e52fa16ee6830b45ad4cdc62e51f62eb60c"},
"conv_case": {:hex, :conv_case, "0.2.3", "c1455c27d3c1ffcdd5f17f1e91f40b8a0bc0a337805a6e8302f441af17118ed8", [:mix], [], "hexpm", "88f29a3d97d1742f9865f7e394ed3da011abb7c5e8cc104e676fdef6270d4b4a"},
@ -46,7 +46,7 @@
"mimic": {:hex, :mimic, "1.7.4", "cd2772ffbc9edefe964bc668bfd4059487fa639a5b7f1cbdf4fd22946505aa4f", [:mix], [], "hexpm", "437c61041ecf8a7fae35763ce89859e4973bb0666e6ce76d75efc789204447c3"},
"mint": {:hex, :mint, "1.5.1", "8db5239e56738552d85af398798c80648db0e90f343c8469f6c6d8898944fb6f", [:mix], [{:castore, "~> 0.1.0 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:hpax, "~> 0.1.1", [hex: :hpax, repo: "hexpm", optional: false]}], "hexpm", "4a63e1e76a7c3956abd2c72f370a0d0aecddc3976dea5c27eccbecfa5e7d5b1e"},
"mix_audit": {:hex, :mix_audit, "2.1.1", "653aa6d8f291fc4b017aa82bdb79a4017903902ebba57960ef199cbbc8c008a1", [:make, :mix], [{:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:yaml_elixir, "~> 2.9", [hex: :yaml_elixir, repo: "hexpm", optional: false]}], "hexpm", "541990c3ab3a7bb8c4aaa2ce2732a4ae160ad6237e5dcd5ad1564f4f85354db1"},
"nimble_options": {:hex, :nimble_options, "1.0.2", "92098a74df0072ff37d0c12ace58574d26880e522c22801437151a159392270e", [:mix], [], "hexpm", "fd12a8db2021036ce12a309f26f564ec367373265b53e25403f0ee697380f1b8"},
"nimble_options": {:hex, :nimble_options, "1.1.0", "3b31a57ede9cb1502071fade751ab0c7b8dbe75a9a4c2b5bbb0943a690b63172", [:mix], [], "hexpm", "8bbbb3941af3ca9acc7835f5655ea062111c9c27bcac53e004460dfd19008a99"},
"nimble_parsec": {:hex, :nimble_parsec, "1.4.0", "51f9b613ea62cfa97b25ccc2c1b4216e81df970acd8e16e8d1bdc58fef21370d", [:mix], [], "hexpm", "9c565862810fb383e9838c1dd2d7d2c437b3d13b267414ba6af33e50d2d1cf28"},
"nimble_pool": {:hex, :nimble_pool, "1.0.0", "5eb82705d138f4dd4423f69ceb19ac667b3b492ae570c9f5c900bb3d2f50a847", [:mix], [], "hexpm", "80be3b882d2d351882256087078e1b1952a28bf98d0a287be87e4a24a710b67a"},
"picosat_elixir": {:hex, :picosat_elixir, "0.2.3", "bf326d0f179fbb3b706bb2c15fbc367dacfa2517157d090fdfc32edae004c597", [:make, :mix], [{:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "f76c9db2dec9d2561ffaa9be35f65403d53e984e8cd99c832383b7ab78c16c66"},
@ -57,7 +57,7 @@
"ranch": {:hex, :ranch, "1.8.0", "8c7a100a139fd57f17327b6413e4167ac559fbc04ca7448e9be9057311597a1d", [:make, :rebar3], [], "hexpm", "49fbcfd3682fab1f5d109351b61257676da1a2fdbe295904176d5e521a2ddfe5"},
"sobelow": {:hex, :sobelow, "0.13.0", "218afe9075904793f5c64b8837cc356e493d88fddde126a463839351870b8d1e", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "cd6e9026b85fc35d7529da14f95e85a078d9dd1907a9097b3ba6ac7ebbe34a0d"},
"sourceror": {:hex, :sourceror, "0.14.1", "c6fb848d55bd34362880da671debc56e77fd722fa13b4dcbeac89a8998fc8b09", [:mix], [], "hexpm", "8b488a219e4c4d7d9ff29d16346fd4a5858085ccdd010e509101e226bbfd8efc"},
"spark": {:hex, :spark, "1.1.51", "8458de5abbb89d18dd5c9235dd39e3757076eba84a5078d1cdc2c1e23c39aa95", [:mix], [{:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.5 or ~> 1.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:sourceror, "~> 0.1", [hex: :sourceror, repo: "hexpm", optional: false]}], "hexpm", "ed8410aa8db08867b8fff3d65e54deeb7f6f6cf2b8698fc405a386c1c7a9e4f0"},
"spark": {:hex, :spark, "1.1.52", "e0ddd137899c11fb44ef46cda346a112e60365b93e50264da976f45b1c6e28c5", [:mix], [{:jason, "~> 1.4", [hex: :jason, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.5 or ~> 1.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:sourceror, "~> 0.1", [hex: :sourceror, repo: "hexpm", optional: false]}], "hexpm", "2d8b354103eb4ae5fb4ed5f885d491e3ed5684ccb57806c3980fcc15a4b597d6"},
"stream_data": {:hex, :stream_data, "0.6.0", "e87a9a79d7ec23d10ff83eb025141ef4915eeb09d4491f79e52f2562b73e5f47", [:mix], [], "hexpm", "b92b5031b650ca480ced047578f1d57ea6dd563f5b57464ad274718c9c29501c"},
"telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"},
"typable": {:hex, :typable, "0.3.0", "0431e121d124cd26f312123e313d2689b9a5322b15add65d424c07779eaa3ca1", [:mix], [], "hexpm", "880a0797752da1a4c508ac48f94711e04c86156f498065a83d160eef945858f8"},