mirror of https://github.com/team-alembic/ash_authentication.git, synced 2024-09-20 13:24:20 +12:00, commit 98ee7a341b
* chore(deps): bump spark from 1.1.43 to 1.1.44 Bumps [spark](https://github.com/ash-project/spark) from 1.1.43 to 1.1.44. - [Changelog](https://github.com/ash-project/spark/blob/main/CHANGELOG.md) - [Commits](https://github.com/ash-project/spark/compare/v1.1.43...v1.1.44) --- updated-dependencies: - dependency-name: spark dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * docs: Update DSL cheat sheets. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: James Harton <james@harton.nz>
<!--
This file was generated by Spark. Do not edit it by hand.
-->

# DSL: AshAuthentication.Strategy.Oidc

Strategy for authentication using an [OpenID
Connect](https://openid.net/connect/) compatible server as the source of
truth.

This strategy builds on top of `AshAuthentication.Strategy.OAuth2` and
[`assent`](https://hex.pm/packages/assent).

In order to use OIDC you need to provide the following minimum configuration:

- `client_id` - The client ID, required
- `site` - The OIDC issuer, required
- `openid_configuration_uri` - The URI of the OpenID Provider's configuration
  (discovery) document, optional, defaults to `/.well-known/openid-configuration`
- `client_authentication_method` - The client authentication method to use,
  optional, defaults to `client_secret_basic`
- `client_secret` - The client secret, required if
  `:client_authentication_method` is `:client_secret_basic`,
  `:client_secret_post`, or `:client_secret_jwt`
- `openid_configuration` - The OpenID configuration, optional, the
  configuration will be fetched from `:openid_configuration_uri` if this is
  not defined
- `id_token_signed_response_alg` - The `id_token_signed_response_alg`
  parameter sent by the Client during Registration, defaults to `RS256`
- `id_token_ttl_seconds` - The number of seconds from `iat` that an ID Token
  will be considered valid, optional, defaults to nil
- `nonce` - The nonce to use for the authorization request, optional, MUST be
  session based and unguessable.

## Nonce

`nonce` can be set in the provider config. The `nonce` will be returned in the
`session_params` along with `state`. You can use this to store the value in
the current session, e.g. an httpOnly session cookie.

A random value generator can look like this:

```elixir
16
|> :crypto.strong_rand_bytes()
|> Base.encode64(padding: false)
```

AshAuthentication will dynamically generate one for the session if `nonce` is
set to `true`.

## DSL Documentation

Provides an OpenID Connect authentication strategy.

This strategy is built using the `:oauth2` strategy, and thus provides
all the same configuration options should you need them.

#### Schema:

* `:name` (`t:atom/0`) - Required. Uniquely identifies the strategy.

* `:client_id` - Required. The OAuth2 client ID.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  client_id fn _, resource ->
    :my_app
    |> Application.get_env(resource, [])
    |> Keyword.fetch(:oauth_client_id)
  end
  ```

* `:site` - Required. The base URL of the OAuth2 server, including the leading protocol
  (i.e. `https://`).
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  site fn _, resource ->
    :my_app
    |> Application.get_env(resource, [])
    |> Keyword.fetch(:oauth_site)
  end
  ```

* `:auth_method` - The authentication strategy used, optional. If not set, no
  authentication will be used during the access token request. The
  value may be one of the following:
  * `:client_secret_basic`
  * `:client_secret_post`
  * `:client_secret_jwt`
  * `:private_key_jwt`

  Valid values are `nil`, `:client_secret_basic`, `:client_secret_post`, `:client_secret_jwt`, `:private_key_jwt`. The default value is `:client_secret_post`.

* `:client_secret` - The OAuth2 client secret.
  Required if `:auth_method` is `:client_secret_basic`,
  `:client_secret_post` or `:client_secret_jwt`.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  client_secret fn _, resource ->
    :my_app
    |> Application.get_env(resource, [])
    |> Keyword.fetch(:oauth_client_secret)
  end
  ```

* `:authorize_url` - Required. The API URL to the OAuth2 authorize endpoint.
  Relative to the value of `site`.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  authorize_url fn _, _ -> {:ok, "https://example.com/authorize"} end
  ```

* `:token_url` - Required. The API URL to access the token endpoint.
  Relative to the value of `site`.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
  ```

* `:private_key` - The private key to use if `:auth_method` is `:private_key_jwt`.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

* `:redirect_uri` - Required. The callback URI base.
  Not the whole URI back to the callback endpoint, but the URI to your
  `AuthPlug`. We can generate the rest.
  Whilst not particularly secret, it seemed prudent to allow this to be
  configured dynamically so that you can use different URIs for
  different environments.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

* `:authorization_params` (`t:keyword/0`) - Any additional parameters to encode in the request phase.
  e.g. `authorization_params scope: "openid profile email"`. The default value is `[]`.

* `:registration_enabled?` (`t:boolean/0`) - Is registration enabled for this provider?
  If this option is enabled, then new users will be able to register for
  your site when authenticating and not already present.
  If not, then only existing users will be able to authenticate. The default value is `true`.

* `:register_action_name` (`t:atom/0`) - The name of the action to use to register a user.
  Only needed if `registration_enabled?` is `true`.
  Because we don't know the response format of the server, you must
  implement your own registration action of the same name.
  See the "Registration and Sign-in" section of the module
  documentation for more information.
  The default is computed from the strategy name, e.g.
  `register_with_#{name}`.

* `:sign_in_action_name` (`t:atom/0`) - The name of the action to use to sign in an existing user.
  Only needed if `registration_enabled?` is `false`.
  Because we don't know the response format of the server, you must
  implement your own sign-in action of the same name.
  See the "Registration and Sign-in" section of the module
  documentation for more information.
  The default is computed from the strategy name, e.g.
  `sign_in_with_#{name}`.

* `:identity_resource` - The resource used to store user identities.
  Given that a user can be signed into multiple different
  authentication providers at once we use the
  `AshAuthentication.UserIdentity` resource to build a mapping
  between users, providers and that provider's uid.
  See the Identities section of the module documentation for more
  information.
  Set to `false` to disable. The default value is `false`.

* `:identity_relationship_name` (`t:atom/0`) - Name of the relationship to the provider identities resource. The default value is `:identities`.

* `:identity_relationship_user_id_attribute` (`t:atom/0`) - The name of the destination (user_id) attribute on your provider
  identity resource.
  The only reason to change this would be if you changed the
  `user_id_attribute_name` option of the provider identity. The default value is `:user_id`.

* `:icon` (`t:atom/0`) - The name of an icon to use in any potential UI.
  This is a *hint* for UI generators to use, and not in any way canonical. The default value is `:oauth2`.

* `:openid_configuration_uri` (`t:String.t/0`) - The URI for the OpenID provider. The default value is `"/.well-known/openid-configuration"`.

* `:client_authentication_method` - The client authentication method to use. Valid values are `:client_secret_basic`, `:client_secret_post`, `:client_secret_jwt`, `:private_key_jwt`. The default value is `:client_secret_basic`.

* `:openid_configuration` (`t:map/0`) - The OpenID configuration.
  If not set, the configuration will be retrieved from `openid_configuration_uri`. The default value is `%{}`.

* `:id_token_signed_response_alg` - The `id_token_signed_response_alg` parameter sent by the Client during Registration.
  Valid values are `"HS256"`, `"HS384"`, `"HS512"`, `"RS256"`, `"RS384"`, `"RS512"`, `"ES256"`, `"ES384"`, `"ES512"`, `"PS256"`, `"PS384"`, `"PS512"`, `"Ed25519"`, `"Ed25519ph"`, `"Ed448"`, `"Ed448ph"`, `"EdDSA"`. The default value is `"RS256"`.

* `:id_token_ttl_seconds` - The number of seconds from `iat` that an ID Token will be considered valid. The default value is `nil`.

* `:nonce` - A function for generating the session nonce.
  When set to `true` the nonce will be automatically generated using
  `AshAuthentication.Strategy.Oidc.NonceGenerator`. Set to `false`
  to explicitly disable.
  Takes either a module which implements the `AshAuthentication.Secret`
  behaviour, a 2 arity anonymous function or a string.
  See the module documentation for `AshAuthentication.Secret` for more
  information.

  Example:

  ```elixir
  nonce fn _, _ ->
    16
    |> :crypto.strong_rand_bytes()
    |> Base.encode64(padding: false)
  end
  ```

  The default value is `true`.

* `:trusted_audiences` - A list of audiences which are trusted. The default value is `nil`.

## authentication.strategies.oidc

```elixir
oidc name \\ :oidc
```

Provides an OpenID Connect authentication strategy.

This strategy is built using the `:oauth2` strategy, and thus provides
all the same configuration options should you need them.

###### Schema:

### Arguments

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-name" href="#authentication-strategies-oidc-name"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">name</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

Uniquely identifies the strategy.

</td>
</tr>
</tbody>
</table>

### Options

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th colspan=2>Docs</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-client_id" href="#authentication-strategies-oidc-client_id"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">client_id</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The OAuth2 client ID.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
client_id fn _, resource ->
  :my_app
  |> Application.get_env(resource, [])
  |> Keyword.fetch(:oauth_client_id)
end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-site" href="#authentication-strategies-oidc-site"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">site</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The base URL of the OAuth2 server, including the leading protocol
(i.e. `https://`).

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
site fn _, resource ->
  :my_app
  |> Application.get_env(resource, [])
  |> Keyword.fetch(:oauth_site)
end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-authorize_url" href="#authentication-strategies-oidc-authorize_url"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">authorize_url</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The API URL to the OAuth2 authorize endpoint.

Relative to the value of `site`.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
authorize_url fn _, _ -> {:ok, "https://example.com/authorize"} end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-token_url" href="#authentication-strategies-oidc-token_url"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">token_url</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The API URL to access the token endpoint.

Relative to the value of `site`.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
token_url fn _, _ -> {:ok, "https://example.com/oauth_token"} end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-redirect_uri" href="#authentication-strategies-oidc-redirect_uri"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">redirect_uri</span></a><sup style="color: red">*</sup></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The callback URI base.

Not the whole URI back to the callback endpoint, but the URI to your
`AuthPlug`. We can generate the rest.

Whilst not particularly secret, it seemed prudent to allow this to be
configured dynamically so that you can use different URIs for
different environments.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-auth_method" href="#authentication-strategies-oidc-auth_method"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">auth_method</span></a></td>
<td style="text-align: left"><code class="inline">nil | :client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt</code></td>
<td style="text-align: left"><code class="inline">:client_secret_post</code></td>
<td style="text-align: left" colspan=2>

The authentication strategy used, optional. If not set, no
authentication will be used during the access token request. The
value may be one of the following:

* `:client_secret_basic`
* `:client_secret_post`
* `:client_secret_jwt`
* `:private_key_jwt`

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-client_secret" href="#authentication-strategies-oidc-client_secret"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">client_secret</span></a></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The OAuth2 client secret.

Required if `:auth_method` is `:client_secret_basic`,
`:client_secret_post` or `:client_secret_jwt`.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
client_secret fn _, resource ->
  :my_app
  |> Application.get_env(resource, [])
  |> Keyword.fetch(:oauth_client_secret)
end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-private_key" href="#authentication-strategies-oidc-private_key"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">private_key</span></a></td>
<td style="text-align: left"><code class="inline">(any, any -> any) | module | String.t</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The private key to use if `:auth_method` is `:private_key_jwt`.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-authorization_params" href="#authentication-strategies-oidc-authorization_params"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">authorization_params</span></a></td>
<td style="text-align: left"><code class="inline">Keyword.t</code></td>
<td style="text-align: left"><code class="inline">[]</code></td>
<td style="text-align: left" colspan=2>

Any additional parameters to encode in the request phase.

e.g. `authorization_params scope: "openid profile email"`

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-registration_enabled?" href="#authentication-strategies-oidc-registration_enabled?"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">registration_enabled?</span></a></td>
<td style="text-align: left"><code class="inline">boolean</code></td>
<td style="text-align: left"><code class="inline">true</code></td>
<td style="text-align: left" colspan=2>

Is registration enabled for this provider?

If this option is enabled, then new users will be able to register for
your site when authenticating and not already present.

If not, then only existing users will be able to authenticate.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-register_action_name" href="#authentication-strategies-oidc-register_action_name"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">register_action_name</span></a></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The name of the action to use to register a user.

Only needed if `registration_enabled?` is `true`.

Because we don't know the response format of the server, you must
implement your own registration action of the same name.

See the "Registration and Sign-in" section of the module
documentation for more information.

The default is computed from the strategy name, e.g.
`register_with_#{name}`.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-sign_in_action_name" href="#authentication-strategies-oidc-sign_in_action_name"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">sign_in_action_name</span></a></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The name of the action to use to sign in an existing user.

Only needed if `registration_enabled?` is `false`.

Because we don't know the response format of the server, you must
implement your own sign-in action of the same name.

See the "Registration and Sign-in" section of the module
documentation for more information.

The default is computed from the strategy name, e.g.
`sign_in_with_#{name}`.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-identity_resource" href="#authentication-strategies-oidc-identity_resource"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">identity_resource</span></a></td>
<td style="text-align: left"><code class="inline">module | false</code></td>
<td style="text-align: left"><code class="inline">false</code></td>
<td style="text-align: left" colspan=2>

The resource used to store user identities.

Given that a user can be signed into multiple different
authentication providers at once we use the
`AshAuthentication.UserIdentity` resource to build a mapping
between users, providers and that provider's uid.

See the Identities section of the module documentation for more
information.

Set to `false` to disable.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-identity_relationship_name" href="#authentication-strategies-oidc-identity_relationship_name"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">identity_relationship_name</span></a></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"><code class="inline">:identities</code></td>
<td style="text-align: left" colspan=2>

Name of the relationship to the provider identities resource.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-identity_relationship_user_id_attribute" href="#authentication-strategies-oidc-identity_relationship_user_id_attribute"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">identity_relationship_user_id_attribute</span></a></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"><code class="inline">:user_id</code></td>
<td style="text-align: left" colspan=2>

The name of the destination (user_id) attribute on your provider
identity resource.

The only reason to change this would be if you changed the
`user_id_attribute_name` option of the provider identity.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-icon" href="#authentication-strategies-oidc-icon"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">icon</span></a></td>
<td style="text-align: left"><code class="inline">atom</code></td>
<td style="text-align: left"><code class="inline">:oauth2</code></td>
<td style="text-align: left" colspan=2>

The name of an icon to use in any potential UI.

This is a *hint* for UI generators to use, and not in any way canonical.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-openid_configuration_uri" href="#authentication-strategies-oidc-openid_configuration_uri"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">openid_configuration_uri</span></a></td>
<td style="text-align: left"><code class="inline">String.t</code></td>
<td style="text-align: left"><code class="inline">"/.well-known/openid-configuration"</code></td>
<td style="text-align: left" colspan=2>

The URI for the OpenID provider.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-client_authentication_method" href="#authentication-strategies-oidc-client_authentication_method"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">client_authentication_method</span></a></td>
<td style="text-align: left"><code class="inline">:client_secret_basic | :client_secret_post | :client_secret_jwt | :private_key_jwt</code></td>
<td style="text-align: left"><code class="inline">:client_secret_basic</code></td>
<td style="text-align: left" colspan=2>

The client authentication method to use.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-openid_configuration" href="#authentication-strategies-oidc-openid_configuration"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">openid_configuration</span></a></td>
<td style="text-align: left"><code class="inline">map</code></td>
<td style="text-align: left"><code class="inline">%{}</code></td>
<td style="text-align: left" colspan=2>

The OpenID configuration.

If not set, the configuration will be retrieved from `openid_configuration_uri`.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-id_token_signed_response_alg" href="#authentication-strategies-oidc-id_token_signed_response_alg"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">id_token_signed_response_alg</span></a></td>
<td style="text-align: left"><code class="inline">"HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "Ed25519" | "Ed25519ph" | "Ed448" | "Ed448ph" | "EdDSA"</code></td>
<td style="text-align: left"><code class="inline">"RS256"</code></td>
<td style="text-align: left" colspan=2>

The `id_token_signed_response_alg` parameter sent by the Client during Registration.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-id_token_ttl_seconds" href="#authentication-strategies-oidc-id_token_ttl_seconds"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">id_token_ttl_seconds</span></a></td>
<td style="text-align: left"><code class="inline">nil | pos_integer</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

The number of seconds from `iat` that an ID Token will be considered valid.

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-nonce" href="#authentication-strategies-oidc-nonce"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">nonce</span></a></td>
<td style="text-align: left"><code class="inline">boolean | (any, any -> any) | module | String.t</code></td>
<td style="text-align: left"><code class="inline">true</code></td>
<td style="text-align: left" colspan=2>

A function for generating the session nonce.

When set to `true` the nonce will be automatically generated using
`AshAuthentication.Strategy.Oidc.NonceGenerator`. Set to `false`
to explicitly disable.

Takes either a module which implements the `AshAuthentication.Secret`
behaviour, a 2 arity anonymous function or a string.

See the module documentation for `AshAuthentication.Secret` for more
information.

Example:

```elixir
nonce fn _, _ ->
  16
  |> :crypto.strong_rand_bytes()
  |> Base.encode64(padding: false)
end
```

</td>
</tr>

<tr>
<td style="text-align: left"><a id="authentication-strategies-oidc-trusted_audiences" href="#authentication-strategies-oidc-trusted_audiences"><span style="font-family: Inconsolata, Menlo, Courier, monospace;">trusted_audiences</span></a></td>
<td style="text-align: left"><code class="inline">nil | list(String.t)</code></td>
<td style="text-align: left"></td>
<td style="text-align: left" colspan=2>

A list of audiences which are trusted.

</td>
</tr>

</tbody>
</table>
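As an added example (not part of the generated cheat sheet or the ash_authentication project), a strategy declaration that wires up the minimum configuration from the module docs, reads every secret through the 2-arity function form and sets the ID-token validation options explicitly. Assumed: the `MyApp.Accounts.User` resource and `MyApp.Accounts` domain, the strategy name `:example_idp`, the `:my_app` config keys, and that `authorize_url`/`token_url` can be left to the provider's discovery document as the minimum-configuration list implies; the rest of the resource (data layer, actions, token config) is omitted.

```elixir
defmodule MyApp.Accounts.User do
  # Assumed resource and domain names; only the `authentication` block
  # matters for this example.
  use Ash.Resource,
    domain: MyApp.Accounts,
    extensions: [AshAuthentication]

  authentication do
    strategies do
      # One OIDC provider, named :example_idp (assumed). Every secret is read
      # from `config :my_app, MyApp.Accounts.User, ...` via the 2-arity
      # function form; `Keyword.fetch/2` yields `{:ok, value}` or `:error`,
      # which is the contract the secret options expect.
      oidc :example_idp do
        client_id fn _, resource ->
          :my_app
          |> Application.get_env(resource, [])
          |> Keyword.fetch(:oidc_client_id)
        end

        # Required because client_authentication_method below is
        # :client_secret_basic.
        client_secret fn _, resource ->
          :my_app
          |> Application.get_env(resource, [])
          |> Keyword.fetch(:oidc_client_secret)
        end

        # The OIDC issuer. openid_configuration is left unset, so the
        # configuration is fetched from openid_configuration_uri (default
        # /.well-known/openid-configuration) relative to this site.
        site fn _, resource ->
          :my_app
          |> Application.get_env(resource, [])
          |> Keyword.fetch(:oidc_site)
        end

        # Base URI of the AuthPlug route; kept in config so each
        # environment can use its own.
        redirect_uri fn _, resource ->
          :my_app
          |> Application.get_env(resource, [])
          |> Keyword.fetch(:oidc_redirect_uri)
        end

        client_authentication_method :client_secret_basic
        authorization_params scope: "openid profile email"

        # ID tokens are only considered valid for 300 seconds after their
        # `iat` claim; the default (nil) applies no such window.
        id_token_ttl_seconds 300

        # Audiences the strategy treats as trusted. Constructed placeholder
        # value; substitute the audience(s) your provider actually issues.
        trusted_audiences ["placeholder-trusted-audience"]

        # `true` has AshAuthentication.Strategy.Oidc.NonceGenerator produce a
        # per-session nonce; it is returned in `session_params` so it can be
        # kept in the session (e.g. an httpOnly cookie) until the callback.
        nonce true

        # registration_enabled? is left at its default (true), so this
        # resource must define a `register_with_example_idp` action, the
        # name computed from the strategy name.
      end
    end
  end
end
```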

### Introspection

Target: `AshAuthentication.Strategy.OAuth2`