An Ueberauth strategy for generic OpenID Connect authentication.

Überauth OIDC

OIDC Provider for Ueberauth using the OpenIDProvider library.

This library provides an OIDC strategy for Ueberauth that uses the information published at the provider's /.well-known URL. Only the authorization_code flow is supported for now. It has optional support for /userinfo endpoints, and can take the user's uid_field from either the claims or the userinfo response.

Originally based on rng2/ueberauth_oidc, but it has since diverged significantly from the source.

Installation

  1. Add :ueberauth_oidc to your list of dependencies in mix.exs:

    def deps do
      [{:ueberauth_oidc, git: "https://github.com/DefactoSoftware/ueberauth_oidc.git"}]
    end

    Or if available in hex:

    def deps do
      [{:ueberauth_oidc, "~> 1.0"}]
    end

Configuration

  1. Add OIDC to your Ueberauth configuration:

    config :ueberauth, Ueberauth,
      providers: [
        oidc: { Ueberauth.Strategy.OIDC, [
          default: [
            # required, set to default provider you want to use
            provider: :default_oidc,
    
            # optional
            uid_field: :sub
          ],
    
          # optional override for each provider
          google: [uid_field: :email],
          ...
        ] }
      ]
  2. Update your provider configuration. See OpenIDConnect for a list of supported options.

    config :ueberauth, Ueberauth.Strategy.OIDC,
      # one or more providers
      default_oidc: [
        fetch_userinfo: true, # true/false
        userinfo_uid_field: "upn", # only include if getting the user_id from userinfo
        uid_field: "sub", # only include if getting the user_id from the claims
        discovery_document_uri: "https://oidc.example/.well-known/openid-configuration",
        client_id: "client_id",
        client_secret: "123456789",
        redirect_uri: "https://your.url/auth/oidc/callback",
        response_type: "code",
        scope: "openid profile email"
      ],
      ...

Usage

  1. Include the Ueberauth plug in your controller:

    defmodule MyApp.AuthController do
      use MyApp.Web, :controller
      plug Ueberauth
      ...
    end
  2. Create the request and callback routes if you haven't already:

    scope "/auth", MyApp do
      pipe_through :browser
    
      get "/:unused", AuthController, :request
      get "/:unused/callback", AuthController, :callback
    end
  3. Your controller needs to implement callbacks to deal with Ueberauth.Auth and Ueberauth.Failure responses. For an example implementation see the Ueberauth Example application. Note that the Ueberauth.Strategy.Info struct stored in Ueberauth.Auth will be empty. Use the information in Ueberauth.Auth.Credentials and Ueberauth.Strategy.Extra instead:

    • Ueberauth.Auth.Credentials contains the access_token and related fields

    • The other field of Ueberauth.Auth.Credentials is a map containing provider and user_info

    • Ueberauth.Strategy.Extra contains the raw claims, tokens and opts

  4. Add OpenIDConnect.Worker with a provider list during application startup:

    def start(_type, _args) do
      ...
      children = [
        ...,
        {OpenIDConnect.Worker, Application.get_env(:ueberauth, Ueberauth.Strategy.OIDC)},
        ...
      ]
      ...
      Supervisor.start_link(children, opts)
    end
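
A controller that implements the callbacks from step 3, added here as an example; it is not code from this README or from the library. It assumes the standard Ueberauth placement of the result in conn.assigns (ueberauth_auth / ueberauth_failure), that Credentials.other uses the atom keys :provider and :user_info, that Extra.raw_info uses the key :claims, and that user_info and claims are string-keyed maps; check those names against what the strategy actually emits.

```elixir
defmodule MyApp.AuthController do
  use MyApp.Web, :controller
  plug Ueberauth

  alias Ueberauth.Auth
  require Logger

  # Providers you actually configured. The oidc_provider query parameter is
  # user-controlled, so the callback re-checks the provider it came back with.
  @allowed_providers [:default_oidc, :google]

  # Failure branch: Ueberauth places a Ueberauth.Failure in conn.assigns.
  def callback(%{assigns: %{ueberauth_failure: failure}} = conn, _params) do
    messages = Enum.map(failure.errors, & &1.message)
    Logger.warning("OIDC login failed: #{inspect(messages)}")
    deny(conn)
  end

  # Success branch. Info is empty for this strategy, so the identity comes
  # from auth.uid (filled from uid_field), Credentials.other and Extra.
  def callback(%{assigns: %{ueberauth_auth: %Auth{} = auth}} = conn, _params) do
    # Key names below are assumed; the README only says these maps hold
    # provider, user_info, claims, tokens and opts.
    provider = auth.credentials.other[:provider]
    user_info = auth.credentials.other[:user_info] || %{}
    claims = auth.extra.raw_info[:claims] || %{}

    cond do
      provider not in @allowed_providers ->
        Logger.warning("OIDC callback from unexpected provider #{inspect(provider)}")
        deny(conn)

      auth.uid in [nil, ""] ->
        Logger.warning("OIDC callback without a uid (check uid_field/userinfo_uid_field)")
        deny(conn)

      true ->
        user = %{uid: auth.uid, provider: provider, email: user_info["email"] || claims["email"]}

        conn
        |> put_session(:current_user, user)
        |> configure_session(renew: true) # new session id after login
        |> redirect(to: "/")
    end
  end

  defp deny(conn) do
    conn |> put_flash(:error, "Authentication failed.") |> redirect(to: "/")
  end
end
```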

Calling

Depending on the configured URL, you can start the request by visiting:

/auth/oidc

To use another provider instead of the configured default, add the oidc_provider option:

/auth/oidc?oidc_provider=google

License

Please see LICENSE for licensing details.

Loosely based on rng2/ueberauth_oidc.