OAuth2 and OpenID Connect metadata updater for Elixir
Oauth2MetadataUpdater maintains an OAuth2 or OpenID Connect server's metadata up to date and performs the necessary validations. It also automatically adds the defaults values to the response.
Implements the following standards:
- RFC8414 - OAuth 2.0 Authorization Server Metadata
- Except section 2.1 (Signed Authorization Server Metadata)
- OpenID Connect Discovery 1.0 incorporating errata set 1
- Except section 2
def deps do
[
{:oauth2_metadata_updater, "~> 1.2"},
{:hackney, "~> 1.0"}
]
end
The hackney dependency is used as the default adapter for Tesla. Another one can be used
instead (see
https://github.com/teamon/tesla#adapters) and then
has to be configured in your config.exs
:
config :tesla, adapter: Tesla.Adapter.AnotherOne
Oauth2MetadataUpdater dynamically loads metadata (lazy-loading) and keeps it in memory for further access. Examples:
iex> Oauth2MetadataUpdater.get_metadata_value("https://accounts.google.com", "authorization_endpoint", suffix: "openid-configuration")
{:ok, "https://accounts.google.com/o/oauth2/v2/auth"}
iex> Oauth2MetadataUpdater.get_metadata_value("https://login.live.com", "response_modes_supported", suffix: "openid-configuration")
{:ok, ["query", "fragment", "form_post"]}
iex> Oauth2MetadataUpdater.get_metadata_value("https://openid-connect.onelogin.com/oidc", "claims_supported", suffix: "openid-configuration", url_construction: :non_standard_append)
{:ok,
["acr", "auth_time", "company", "custom_fields", "department", "email",
"family_name", "given_name", "groups", "iss", "locale_code", "name",
"phone_number", "preferred_username", "sub", "title", "updated_at"]}
suffix
: the well-know URI suffix as documented in the IANA registry. Defaults to"openid-configuration"
refresh_interval
: the number of seconds to keep metadata in cache before it is fetched again. Defaults to3600
secondsmin_refresh_interval
: the delay before Oauth2MetadataUpdater will try to fetch metadata of an issuer again. It is intended to prevent fetching storms when the metadata is unavailable. Defaults to10
secondson_refresh_failure
: determines the behaviour of Oauth2MetadataUpdater when the issuer metadata becomes unavailable::keep_metadata
will keep the metadata in the cache,:discard
will delete the metadata. Defaults to:keep_metadata
:tesla_middlewares
:Tesla
middlewares to add to the outgoing requesturl_construction
::standard
(default) or:non_standard_append
. Given the issuer"https://www.example.com/auth"
the result URI would be::standard
:"https://www.example.com/.well-known/oauth-authorization-server/auth"
:non_standard_append
:"https://www.example.com/auth/.well-known/oauth-authorization-server"
validation
: in addition to the mandatory metadata values of the OAuth2 specification, OpenID Connect makes thejwks_uri
,subject_types_supported
andid_token_signing_alg_values_supported
values mandatory. This option determines against which standard to validate::oauth2
or:oidc
. Defaults to:oidc
The :suffix
, :on_refresh_failure
, :url_construction
, :validation
options shall be used
unchanged for a given issuer between multiple calls, otherwise an exception will be raised.
See JWKSURIUpdater
.