Crowdhailer

Crowdhailer

Creator of Raxx

Using OpenID Connect in production, how to do full security checks

I’m trying to set up an elixir application that uses OpenID connect for authentication. I don’t want to roll my own security so I am using the most popular library openid_connect which looks to be supported by Dockyard, or at least it’s on their github.

The instructions to use the library and verify the token are as follows.

Verify the JWT

The JWT is encrypted and it should always be verified with the JSON Web Keys (JWK) for the provider:

{:ok, claims} = OpenIDConnect.verify(:google, tokens["id_token"])

The claims is a payload with the information from the scopes you requested of the provider.

Read the claims and set your app’s user session

Now that you have the claims payload you can use the user data to identify and set the user’s session state for your app.
Setting your app’s session state is outside the scope of this library.

There are additional checks of an id_token that are required if using the implicit flow that are not performed by the verify function. Full list is available here. Final: OpenID Connect Core 1.0 incorporating errata set 2

Does anyone have a setup that does perform all the checks. Either code example or library form?

Most Liked

Crowdhailer

Crowdhailer

Creator of Raxx

There is a lot of overhead in that library/ecosystem. There is understanding Pow/Assent/Assent strategies/OIDC itself. Ideally I would stick with a OpenID specific library as that is the only thing I need.

danschultzer

danschultzer

Pow Core Team

Yeah, PowAssent has a lot of overhead. Assent is the low level multi provider library and it doesn’t have much overhead. Also compared to the OIDC library, it doesn’t require a particular JSON parser or HTTP client and uses config as function arg instead of application env.

Assent OIDC/OAuth2 only supports auth code flow, but for a good reason. Implicit code flow is discouraged in favor of auth code flow without client secret. PKCE is often used in this case.

I’ve most of the id token validations here: assent/lib/assent/strategies/oidc.ex at v0.1.5 · pow-auth/assent · GitHub

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
hariharasudhan94
lets say i have a sample like a = 20; b = 10; if (a > b) do {:ok, "a"} end if (a < b) do {:ok, b} end if (a == b) do {:ok, "equa...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
lucidguppy
I have a super simple question about elixir - how would I take a file like this foo bar baz and output a new file that enumerates th...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New

Other popular topics Top

vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
hariharasudhan94
Lets say i have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => "XXX...
New

We're in Beta

About us Mission Statement