Packages
ash_authentication
5.0.0-rc.12
5.0.0-rc.12
5.0.0-rc.11
5.0.0-rc.10
5.0.0-rc.9
5.0.0-rc.8
5.0.0-rc.7
5.0.0-rc.6
5.0.0-rc.5
5.0.0-rc.4
5.0.0-rc.3
5.0.0-rc.2
5.0.0-rc.1
5.0.0-rc.0
4.14.1
4.14.0
4.13.7
4.13.6
4.13.5
4.13.4
4.13.3
4.13.2
retired
4.13.1
retired
4.13.0
4.12.0
4.11.0
4.10.0
4.9.9
4.9.8
4.9.7
4.9.6
4.9.5
4.9.4
4.9.3
4.9.2
4.9.1
4.9.0
4.8.7
4.8.6
4.8.5
4.8.3
4.8.2
4.8.1
4.8.0
4.7.6
4.7.5
4.7.4
4.7.3
4.7.2
4.7.1
4.7.0
4.6.4
4.6.3
4.6.2
4.6.1
4.6.0
4.5.6
4.5.5
4.5.4
4.5.3
4.5.2
4.5.1
4.5.0
4.4.9
4.4.8
4.4.7
4.4.6
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.12
4.3.11
4.3.10
4.3.9
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.1
4.3.0
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.1.0
4.0.4
4.0.3
4.0.2
4.0.1
4.0.0
4.0.0-rc.6
4.0.0-rc.5
4.0.0-rc.3
4.0.0-rc.2
4.0.0-rc.1
4.0.0-rc.0
3.12.4
3.12.3
3.12.2
3.12.1
3.12.0
3.11.16
3.11.15
3.11.14
3.11.13
3.11.12
3.11.11
3.11.10
3.11.9
3.11.8
3.11.7
3.11.6
3.11.5
3.11.4
3.11.3
3.11.2
3.11.1
3.11.0
3.10.8
3.10.7
3.10.6
3.10.5
3.10.4
3.10.3
3.10.2
3.10.1
3.10.0
3.9.6
3.9.5
3.9.4
3.9.3
3.9.2
3.9.1
3.9.0
3.8.0
3.7.9
3.7.8
3.7.6
3.7.5
3.7.4
3.7.3
3.7.2
3.7.1
3.7.0
3.6.1
3.6.0
3.5.3
3.5.2
3.5.1
3.5.0
3.3.1
3.3.0
3.2.2
3.2.1
3.2.0
3.1.0
3.0.3
Authentication extension for the Ash Framework.
Current section
Files
Jump to
Current section
Files
lib/ash_authentication/strategies/dynamic_oidc/dsl.ex
# SPDX-FileCopyrightText: 2022 Alembic Pty Ltd
#
# SPDX-License-Identifier: MIT
defmodule AshAuthentication.Strategy.DynamicOidc.Dsl do
@moduledoc false
alias AshAuthentication.Strategy.{Custom, DynamicOidc, Oidc}
@doc false
@spec dsl :: Custom.entity()
def dsl do
Oidc.dsl()
|> Map.merge(%{
name: :dynamic_oidc,
target: DynamicOidc,
args: [{:optional, :name, :dynamic_oidc}],
describe: """
An OpenID Connect strategy whose connection details (`base_url`,
`client_id`, `client_secret`) are loaded at request time from a
database resource extended with `AshAuthentication.OidcConnection`.
This is the building block for data-driven multi-tenant SSO: each row
in the connection resource is one customer's IdP configuration, and
the strategy looks up the right row based on the request path
(`:connection_id` segment) plus the current Ash tenant.
#### More documentation:
- `AshAuthentication.OidcConnection` — the resource extension this strategy depends on
- `AshAuthentication.Strategy.Oidc` — the underlying compile-time OIDC strategy
""",
auto_set_fields: [
assent_strategy: Assent.Strategy.OIDC,
icon: :oidc,
provider: :dynamic_oidc
],
schema: patch_schema()
})
end
defp patch_schema do
Oidc.dsl()
|> Map.get(:schema, [])
# `base_url`, `client_id`, and `client_secret` come from the connection
# resource, not from compile-time DSL.
|> Keyword.delete(:base_url)
|> Keyword.delete(:client_id)
|> Keyword.delete(:client_secret)
# `private_key`-related fields (used for `private_key_jwt` client auth)
# could in theory live on the connection too, but for now we don't
# support them — the typical Okta/Entra/Auth0 setup uses
# `client_secret_basic`.
|> Keyword.delete(:private_key)
|> Keyword.delete(:private_key_id)
|> Keyword.delete(:private_key_path)
|> Keyword.merge(
connection_resource: [
type: {:behaviour, Ash.Resource},
doc: """
The Ash resource (extended with `AshAuthentication.OidcConnection`)
that stores per-tenant OIDC client configuration.
""",
required: true
],
authorization_params: [
type: AshAuthentication.Dsl.secret_keyword_type(),
doc:
"Any additional parameters to encode in the request phase. eg: `authorization_params scope: \"openid profile email\"`",
default: [scope: "profile email"]
]
)
end
end