tanguilp/plugoid

config settings compile time constant

brianmay opened this issue · 4 comments

From the documentation:

```elixir
pipeline :oidc_auth do
  plug Plugoid,
    issuer: "<issuer>",
    client_id: "<client_id>",
    client_config: MyApp.ClientCallback
end
```

Unless I am mistaken, it looks like this means that issuer, client_id, scope, etc. need to be compile-time constants, which excludes the ability to configure OIDC parameters at runtime, e.g. as is common for Docker containers.

Also it would be good if the requirements for issuer could be better documented. I am unclear exactly what I need to pass to this. Maybe https://dex.example.org/ ? Or maybe https://dex.example.org/.well-known/openid-configuration?

I also find it confusing why you need the client_id to look up the client_id value in the get function.

Yes, these are compile-time constants. You can take a look at https://akoutmos.com/post/plug-runtime-config/ to solve this problem.

> Also it would be good if the requirements for issuer could be better documented. I am unclear exactly what I need to pass to this. Maybe https://dex.example.org/ ? Or maybe https://dex.example.org/.well-known/openid-configuration?

Plugoid uses OAuth2MetadataUpdater, take a look at the documentation: https://hexdocs.pm/oauth2_metadata_updater/readme.html

> I also find it confusing why you need the client_id to look up the client_id value in the get function.

Clients can be configured dynamically (keys can change, etc.), which is why there's a callback.

> Clients can be configured dynamically (keys can change, etc.), which is why there's a callback.

But it still doesn't make sense that you would use the client_id value to look up the client_id value.

And the first client_id value really is the client_id value that is sent to the server,

Yes. It's just that this field is part of standard OAuth2 client metadata.

Not entirely 100% comfortable using yet another 3rd party package - https://hexdocs.pm/replug/readme.html - but I can confirm it does solve the problem. And it also makes it easier to share common config between different plugoid plug instances in different pipelines.

So closing this bug for now.
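
The runtime-configuration approach discussed in this thread, written out as an added example; it is not code from the issue, from Plugoid or from Replug. It is a small wrapper plug that defers `Plugoid.init/1` to request time so `issuer` and `client_id` can come from the container's environment. The names `MyAppWeb.RuntimePlugoid`, the `:my_app, :oidc` config key and the `OIDC_ISSUER` / `OIDC_CLIENT_ID` variables are assumptions.

```elixir
# Assumed config/runtime.exs (evaluated at boot, not at compile time):
#
#   config :my_app, :oidc,
#     issuer: System.fetch_env!("OIDC_ISSUER"),
#     client_id: System.fetch_env!("OIDC_CLIENT_ID")
#
# Assumed router usage; only compile-time-safe options stay in the pipeline:
#
#   plug MyAppWeb.RuntimePlugoid, client_config: MyApp.ClientCallback

defmodule MyAppWeb.RuntimePlugoid do
  @moduledoc "Hypothetical wrapper: builds Plugoid's options at runtime."
  @behaviour Plug

  # Options that must come from runtime config; a missing one is a boot-time
  # misconfiguration and should stop the request, not fall back to a default.
  @required [:issuer, :client_id]

  @impl true
  def init(static_opts), do: static_opts

  @impl true
  def call(conn, static_opts), do: Plugoid.call(conn, plugoid_opts(static_opts))

  defp plugoid_opts(static_opts) do
    runtime = Application.fetch_env!(:my_app, :oidc)
    key = {__MODULE__, static_opts, runtime}

    # Cache the initialised options so Plugoid.init/1 is not re-run on every
    # request; the key changes if the runtime config changes.
    case :persistent_term.get(key, nil) do
      nil ->
        opts = static_opts |> Keyword.merge(runtime) |> validate!() |> Plugoid.init()
        :persistent_term.put(key, opts)
        opts

      opts ->
        opts
    end
  end

  defp validate!(opts) do
    for k <- @required do
      v = Keyword.get(opts, k)
      is_binary(v) and v != "" or raise ArgumentError, "missing OIDC option #{inspect(k)}"
    end

    opts
  end
end
```

Because several pipelines can use this wrapper with different static options, the shared OIDC settings live in one place, which is the same benefit noted above for Replug.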