Add nonce and/or OIDC to AshAuthentication
OIDC is built on top of oauth2 and is already implemented in Assent. Some providers, Netsuite in my case, (seem to) require a nonce, which Assent provides when creating a new strategy and passing nonce: true
https://github.com/pow-auth/assent/blob/b591e5a714765770340f6cf81e54db29118e511b/lib/assent/strategies/oidc.ex#L49
Thanks for posting this @absowoot. What I think needs to happen is that we need to add an OIDC strategy which will use the Assent OIDC provider. Hopefully not a huge deal. If I push a branch with support at some stage soon are you okay with testing it?
Absolutely
I've started a branch. It's not ready to test yet, and I'm busy with customer stuff the rest of the day. I'll likely get some time to work on it tomorrow morning or Monday.
Not a problem, thanks!
If this is going to provide support for acting as an OIDC provider with the identity backed by an Ash resource, I'd be up for testing as well shortly. Was planning to use Hydra for this.
Will need to check into AshAuthentication first, but if I recall core (not _phoenix) is unopinionated about enrollment flows etc.?
Correct. Given the resources you can pretty much implement whatever you want on top of them
Hey folks. Sorry this took so long, but I think I've finished the OIDC strategy. I'm waiting for a release of spark to fix some dialyzer errors but in the mean time can you please test the `feat/oidc-strategy` branch with your use cases?
Thanks for the update @jart Here are some issues I'm running into (I'm still new to Elixir so these could be on my end)
1. `ash_authentication_phoenix` complains about a missing icon for `:oidc` and I couldn't figure out how to pass an existing icon like github
2. Setting nonce `"true"` sets `nonce=true` in the url for my OIDC provider
Setting nonce `true` gives an "Authentication Error" when visiting `/auth/oidc/new`
Using the statement below in `user.ex` gives an "Authentication Error" when visiting `/auth/oidc/new`
```elixir
nonce fn _, _ ->
  24
  |> :crypto.strong_rand_bytes()
  |> Base.encode64(padding: false)
  |> binary_part(0, 24)
end
```
So I set one manually for testing.
3. My provider shows that I successfully login but the callback page shows "Authentication Error". I suspect there is something I'm missing, and help would be appreciated. Here is my `user.ex`: https://gist.github.com/absowoot/ac5b78442114f838b7b7d78c79378516
Does it make sense to not have a nonce generated for an OpenID Connect strategy?
Yes and no... You kill the protection from token injection.
right so should we even support it?
turning off the nonce I mean
I want to say no, but it is standard to do so :thinkies:
Default to `true` for sure, at least.
`assent` source code and it looks like they don't actually verify the nonce in any way, so I guess AshAuthentication should do that
The `nonce` DSL value can be set to `true`, `false` or `{SomeSecretModule, opts}`. You have to explicitly set it to `false` to disable nonce generation now. I also pushed a new version of `ash_authentication_phoenix` which has the `oidc` icon present and renders a default icon when it can't find one for the strategy. I have it working here with my Auth0 test account, but keen to find out more from you.
Not sure if this is still the case, the last time I used it for OIDC was a couple years ago, but Cognito still didn't support `nonce`, and would thus break things that wanted it. Might be worth a note in the docs.
@jart The updates are working great, thanks! I would agree with @\ ឵឵឵ that the nonce should probably be set to `false` by default.
One issue that I'm seeing is that the following items are required in the OAuth2 plug but should generally pull from the `openid_configuration`:
1. authorize_url
2. token_url
For reference, here is the config I was using with POW assent which worked as expected: https://gist.github.com/absowoot/fe67de899b81575fe4b6b5cdb64202db
Additionally, I tried setting openid_configuration map and it doesn't seem to work. Netsuite uses a different issuer than what's in their /.well-known/openid-configuration
Note that Assent also added trusted_audiences to their config recently which is another item that I need to pass
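The thread above notes that Assent only generates the nonce and does not verify it, so the relying party has to do that itself. The following is an added example, not AshAuthentication's or Assent's code, with hypothetical module and function names; it assumes the `id_token` signature has already been checked and the payload decoded into a claims map, and OTP 25+ for `:crypto.hash_equals/2`.

```elixir
# Added example (not AshAuthentication or Assent code): the nonce lifecycle an
# OIDC relying party must implement itself when the library only generates the
# value. Module and function names are hypothetical.
defmodule OidcNonceExample do
  # 1. Generate an unguessable nonce before building the authorize URL.
  def generate_nonce(bytes \\ 24) do
    bytes
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  # 2. Remember it in the session keyed by state, so the callback can find it.
  def remember(session, state, nonce), do: Map.put(session, {:oidc_nonce, state}, nonce)

  # 3. On callback, verify the decoded id_token's "nonce" claim against the
  #    stored value; pop it so the same id_token cannot be replayed later.
  def verify(session, state, claims) when is_map(claims) do
    case Map.pop(session, {:oidc_nonce, state}) do
      {nil, _} ->
        {:error, :no_nonce_for_state}

      {expected, session} ->
        case Map.get(claims, "nonce") do
          actual when is_binary(actual) ->
            if secure_equal?(actual, expected),
              do: {:ok, session},
              else: {:error, :nonce_mismatch}

          _ ->
            {:error, :nonce_missing_in_id_token}
        end
    end
  end

  # Constant-time compare (OTP 25+); different lengths can never be equal.
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b), do: :crypto.hash_equals(a, b)
  defp secure_equal?(_, _), do: false

  # Constructed walk-through: the happy path, then the `nonce=true` mistake from
  # the thread (a literal "true" sent to the provider never matches a random value).
  def demo do
    nonce = generate_nonce()
    session = remember(%{}, "state-123", nonce)
    {:ok, _} = verify(session, "state-123", %{"sub" => "user-1", "nonce" => nonce})
    {:error, :nonce_mismatch} = verify(session, "state-123", %{"nonce" => "true"})
    :ok
  end
end
```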
@absowoot can you put those observations in a GH issue on `ash_authentication`? If the OIDC stuff is working well for those that need it now, we probably won't prioritize improvements in the short term, but having that documented in an open issue would be good for the future.
Yeah absolutely! I didn't want to clog up GH issues for a branch but I'll get these comments posted there
oh, right I forgot this is in a branch. But if it's working, we should merge it 😄
but yeah an issue is good 👍
Should I wait for merge?
nah, go for it. Just mention that the branch isn't merged yet, and feel free to say that I asked you to open the issue 🙂
Thanks @absowoot for the great feedback. I was really struggling with the fact that the oidc strategy should probably just have its own callback plug but there’s so much shared dna with oauth2 that I couldn’t bring myself to do it.
Re merging the build doesn’t pass because of an incorrect typespec in spark. I’ve been waiting for something more important to justify a spark release but I’m not going to hold out much longer lol.
No problem -- OIDC is definitely confusing and Netsuite doesn't make it any easier from my side lol
AshAuthentication v3.11.0 has just gone out with OIDC support! 🎉