The OIDC implementation of assent requires the base_url to be set and ignores the different *_url attributes. At favours the returned configuration from the openid_configuration_uri. To not configure some unused attributes they're removed.
* chore(deps): Bump assent from 0.2.7 to 0.2.8
Bumps [assent](https://github.com/pow-auth/assent) from 0.2.7 to 0.2.8.
- [Release notes](https://github.com/pow-auth/assent/releases)
- [Changelog](https://github.com/pow-auth/assent/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pow-auth/assent/compare/v0.2.7...v0.2.8)
---
updated-dependencies:
- dependency-name: assent
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(OAuth2): Reflect `assent` `site` -> `base_url` change.
I considered just rewriting it behind the scenes, but I think it's probably better in the long run if we just emit a deprecation.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Harton <james@harton.nz>
* feat(AshAuthentication.Strategy.Oidc): Add OpenID Connect strategy.
* chore(CI): disable the workflow on pull request event, since it's covered by push.
This fixes a security issue where someone in possession of a special purpose token (reset, confirmation, magic link, etc) would be able to access an API using this token. We strongly encourage you to upgrade.
Closes#190.
Changes the behaviour of the `ConfirmationHookChange` to pass the original, unmodified changeset in the sender options so that senders can account for inhibited changes.
* Adds the `require_token_presence_for_authentication?` DSL option to the Authentication extension which when enabled changes the following behaviour:
1. The `store_in_session` plug will store the user's token rather than their subject in the session.
2. The `retrieve_from_session` plug will look for a stored token in the session rather than a subject and ensure that it's present in the `TokenResource`.
3. The `retrieve_from_bearer` plug will ensure that the token is present in the `TokenResource`.
* Adds the `get_token` action to the `TokenResource`.
After #89 was merged folks were no longer able to use `AshAuthentication.Strategy.Password.HashPasswordChange` and `AshAuthentication.Strategy.Password.PasswordConfirmationValidation` in their own actions. This change fixes this issue by allowing the name of the strategy to be passed in in the changeset context.
Use the `AshAuthentication.Secret` behaviour, rather than asking the user to explicitly set it in their application environment.
This is a breaking change that will require folks to change their resource config to look up the signing secret.
Closes#79.
Closes#77.
* improvement(Confirmation): Confirmation is not a strategy.
* improvement(Confirmation): Support more than one confirmation entity.
* chore: move FIXME doc to issue.
Highlights:
* Replaced `AshAuthentication.Provider` with the much more flexible `AshAuthentication.Strategy`.
* Moved strategies to within the `authentication` DSL using entities and removed excess extensions.
* Added a lot more documentation and test coverage.
* fix(PasswordReset): Generate the reset token using the target action, not the source action.
Also improve tests.
* improvement(PasswordReset): rework PasswordReset to be a provider in it's own right - this means it has it's own routes, etc.
* improvement(docs): change all references to `actor` to `user`.
The word "actor" has special meaning in the Ash ecosystem.
* chore: format `dev` directory also.
* feat(Ash.PlugHelpers): Support standard actor configuration.
* Adds the `:set_actor` plug which will set the actor to a resource based on the subject name.
* Also includes GraphQL and JSON:API interfaces in the devserver for testing.
This is missing a bunch of features that you probably want to use (eg confirmation, password resets), but it's a pretty good place to put a stake in the sand and say it works.
