UeberauthOidcc

pipeline status badge coverage badge latest release badge

UeberauthOidcc is two things:

an implementation of Ueberauth.Strategy based on the Oidcc library
a set of modules for implementing other OpenID Connect (OIDC) strategies

Installation

The package can be installed by adding ueberauth_oidcc to your list of dependencies in mix.exs:

def deps do
  [
    {:ueberauth_oidcc, "~> 0.3.2"}
  ]
end

Configuration

Add an OIDC Issuer to your Ueberauth configuration.

An issuer is a single OIDC endpoint, but it can be shared by multiple Ueberauth.Strategy.Oidcc providers.

config :ueberauth_oidcc, :issuers, [
  %{name: :oidcc_issuer, issuer: "<issuer URI>"}
]

The issuer must provide OIDC configuration at <issuer URI>/.well-known/openid-configuration.

See oidcc_provider_configuration:opts/0 for issuer parameters.

Add the Ueberauth.Strategy.Oidcc strategy to your configuration.

See UeberauthOidcc.Config for supported options.

config :ueberauth, Ueberauth,
  providers: [
    oidc: { Ueberauth.Strategy.Oidcc,
      issuer: :oidcc_issuer, # matches the name above
      client_id: "client_id",
      client_secret: "123456789",
      scopes: ["openid", "profile", "email"],
      # optional
      callback_path: "/auth/oidc/callback",
      userinfo: true, # whether to pull info from the Userinfo endpoint, default: false
      validate_scopes: true, # whether to validate the returned scopes are a subset of those request, default: false
      uid_field: "email", # pulled from the merge of the claims and userinfo (if fetched), default: sub
      authorization_params: %{}, # additional parameters for the authorization request
      authorization_params_passthrough: [], # params to pass through from the incoming request (such as "prompt")
      authorization_endpoint: "https://oidc-override/request" # override the initial request URI
    }
  ]

The core Ueberauth configuration is only read at compile time, so if you have runtime configuration you'll need to use one of two approaches:

Use a {module, fun, args} tuple or {:system, <env var>} tuple.

config :ueberauth, Ueberauth,
  providers: [
    oidc: { Ueberauth.Strategy.Oidcc,
      issuer: :oidcc_issuer,
      client_id: {:system, "CLIENT_ID"},
      client_secret: {System, :get_env, ["CLIENT_SECRET"]}
    }
  ]

Put it under the :ueberauth_oidcc:providers config.

 # config/runtime.exs
 config :ueberauth_oidcc, :providers,
  oidc: [
    client_secret: System.fetch_env!("OIDC_CLIENT_SECRET")
  ]

Usage

Include the Ueberauth plug in your controller:

defmodule MyApp.AuthController do
  use MyApp.Web, :controller
  plug Ueberauth
  ...
end

Create the request and callback routes if you haven't already:

scope "/auth", MyApp do
  pipe_through :browser

  get "/:unused", AuthController, :request
  get "/:unused/callback", AuthController, :callback
end

Your controller needs to implement callback/2 to deal with Ueberauth.Auth and Ueberauth.Failure responses. For an example implementation see the Ueberauth Example application.
- Ueberauth.Auth.Credentials contains the access_token and related fields
  - The other map in Ueberauth.Auth.Credentials contains id_token
- Ueberauth.Auth.Extra contains the raw claims, userinfo, and options

Calling

Depending on the configured url, you can initialize the request through:

/auth/oidc

Documentation

Documentation can be generated with ExDoc and or found at https://hexdocs.pm/ueberauth_oidcc.

License

Released under the MIT License. Please see LICENSE for details.