Crowdhailer
Using OpenID Connect in production, how to do full security checks
I’m trying to set up an Elixir application that uses OpenID Connect for authentication. I don’t want to roll my own security so I am using the most popular library openid_connect which looks to be supported by Dockyard, or at least it’s on their github.
The instructions to use the library and verify the token are as follows.
Verify the JWT
The JWT is encrypted and it should always be verified with the JSON Web Keys (JWK) for the provider:
{:ok, claims} = OpenIDConnect.verify(:google, tokens["id_token"])
The claims is a payload with the information from the scopes you requested of the provider.
Read the claims and set your app’s user session
Now that you have the claims payload you can use the user data to identify and set the user’s session state for your app.
Setting your app’s session state is outside the scope of this library.
There are additional checks of an id_token that are required if using the implicit flow that are not performed by the verify function. The full list is available here: Final: OpenID Connect Core 1.0 incorporating errata set 2
Does anyone have a setup that does perform all the checks, either as a code example or in library form?
wolfiton
Have you looked at pow and pow_assent? pow-auth/pow_assent on GitHub: Multi-provider authentication for your Pow enabled app
Crowdhailer
There is a lot of overhead in that library/ecosystem. There is understanding Pow/Assent/Assent strategies/OIDC itself. Ideally I would stick with an OpenID-specific library as that is the only thing I need.
danschultzer
Yeah, PowAssent has a lot of overhead. Assent is the low level multi provider library and it doesn’t have much overhead. Also compared to the OIDC library, it doesn’t require a particular JSON parser or HTTP client and uses config as function arg instead of application env.
Assent OIDC/OAuth2 only supports auth code flow, but for a good reason. Implicit code flow is discouraged in favor of auth code flow without client secret. PKCE is often used in this case.
I’ve got most of the ID token validations here: assent/lib/assent/strategies/oidc.ex (tag v0.1.5) in pow-auth/assent on GitHub
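The original post asks for code that performs the ID Token checks the openid_connect README leaves to the caller, and the reply above points at where Assent does them. The module below is an added example written for this thread; it is not code from openid_connect, Assent or the spec. It implements the claim-level checks of OpenID Connect Core 1.0 section 3.1.3.7 (issuer, audience/azp, exp, iat, nonce) plus the implicit-flow additions of sections 3.2.2.9 to 3.2.2.11 (mandatory nonce and at_hash), and assumes the JWS signature and alg have already been verified against the provider's JWKs (for instance by OpenIDConnect.verify/2), so `claims` is a trusted decoded payload. The module name `IdTokenChecks`, the option keys, the 60-second skew and the sample values in `demo/0` are all illustrative choices, not anything the libraries define.

```elixir
defmodule IdTokenChecks do
  @moduledoc """
  Claim-level ID Token checks from OpenID Connect Core 1.0, sections 3.1.3.7
  (code flow) and 3.2.2.9-3.2.2.11 (implicit flow). Input is an already
  signature-verified payload such as the `claims` map from OpenIDConnect.verify/2.
  Added example for this thread, not part of openid_connect or Assent.
  """

  # Accepted clock skew between provider and application, in seconds (assumption).
  @skew 60

  @doc """
  Options: :issuer and :client_id (required); :nonce (value sent in the
  authorization request, if any); :access_token (when one was issued next to
  the ID Token); :alg (JWS alg, default "RS256"); :flow (:code or :implicit);
  :max_iat_age (seconds, default 300); :trusted_audiences (default
  [client_id]); :now (unix seconds, for deterministic runs).
  """
  def validate(claims, opts) do
    with :ok <- check_issuer(claims, Keyword.fetch!(opts, :issuer)),
         :ok <- check_audience(claims, opts),
         :ok <- check_expiry(claims, opts),
         :ok <- check_iat(claims, opts),
         :ok <- check_nonce(claims, opts),
         :ok <- check_at_hash(claims, opts) do
      {:ok, claims}
    end
  end

  # 3.1.3.7 #2: iss must exactly equal the issuer obtained from discovery.
  defp check_issuer(%{"iss" => iss}, iss), do: :ok
  defp check_issuer(_claims, _issuer), do: {:error, :issuer_mismatch}

  # 3.1.3.7 #3-5: aud must list our client_id and no untrusted audience; with
  # several audiences azp must be present, and azp (if present) must be us.
  defp check_audience(claims, opts) do
    client_id = Keyword.fetch!(opts, :client_id)
    trusted = Keyword.get(opts, :trusted_audiences, [client_id])
    aud = List.wrap(Map.get(claims, "aud", []))
    azp = Map.get(claims, "azp")

    cond do
      client_id not in aud -> {:error, :audience_mismatch}
      Enum.any?(aud, &(&1 not in trusted)) -> {:error, :untrusted_audience}
      length(aud) > 1 and is_nil(azp) -> {:error, :missing_azp}
      not is_nil(azp) and azp != client_id -> {:error, :azp_mismatch}
      true -> :ok
    end
  end

  # 3.1.3.7 #9: current time must be before exp (small skew allowed).
  defp check_expiry(%{"exp" => exp}, opts) when is_integer(exp) do
    if now(opts) < exp + @skew, do: :ok, else: {:error, :expired}
  end
  defp check_expiry(_claims, _opts), do: {:error, :missing_exp}

  # 3.1.3.7 #10: reject tokens issued in the future or too long ago.
  defp check_iat(%{"iat" => iat}, opts) when is_integer(iat) do
    cond do
      iat > now(opts) + @skew -> {:error, :issued_in_future}
      now(opts) - iat > Keyword.get(opts, :max_iat_age, 300) -> {:error, :token_too_old}
      true -> :ok
    end
  end
  defp check_iat(_claims, _opts), do: {:error, :missing_iat}

  # 3.1.3.7 #11 and 3.2.2.11: nonce must equal the one we sent; it is mandatory
  # in the implicit flow and required in the code flow only if we sent one.
  defp check_nonce(claims, opts) do
    expected = Keyword.get(opts, :nonce)
    implicit? = Keyword.get(opts, :flow, :code) == :implicit

    case Map.get(claims, "nonce") do
      nil when is_nil(expected) and not implicit? -> :ok
      nil -> {:error, :missing_nonce}
      ^expected -> :ok
      _other -> {:error, :nonce_mismatch}
    end
  end

  # 3.2.2.9-3.2.2.11: when an access token was issued with the ID Token, at_hash
  # must match it; mandatory in the implicit flow, checked if present otherwise.
  defp check_at_hash(claims, opts) do
    implicit? = Keyword.get(opts, :flow, :code) == :implicit

    case {Keyword.get(opts, :access_token), Map.get(claims, "at_hash")} do
      {nil, _hash} -> :ok
      {_token, nil} when implicit? -> {:error, :missing_at_hash}
      {_token, nil} -> :ok
      {token, hash} ->
        if token_hash(token, Keyword.get(opts, :alg, "RS256")) == hash,
          do: :ok,
          else: {:error, :at_hash_mismatch}
    end
  end

  @doc "Left-most half of the alg's hash over the token, base64url without padding (3.2.2.9)."
  def token_hash(token, alg) do
    digest = :crypto.hash(hash_for(alg), token)
    <<left::binary-size(div(byte_size(digest), 2)), _rest::binary>> = digest
    Base.url_encode64(left, padding: false)
  end

  defp hash_for(alg) when alg in ["RS256", "ES256", "PS256"], do: :sha256
  defp hash_for(alg) when alg in ["RS384", "ES384", "PS384"], do: :sha384
  defp hash_for(alg) when alg in ["RS512", "ES512", "PS512"], do: :sha512

  defp now(opts), do: Keyword.get_lazy(opts, :now, fn -> System.system_time(:second) end)

  @doc "Constructed sample run (fake token values): one passing and one failing validation."
  def demo do
    now = 1_700_000_000
    access_token = "example-access-token"
    claims = %{
      "iss" => "https://accounts.google.com", "aud" => "my-client-id",
      "exp" => now + 3600, "iat" => now - 5, "nonce" => "n-0S6_WzA2Mj",
      "at_hash" => token_hash(access_token, "RS256")
    }
    opts = [issuer: "https://accounts.google.com", client_id: "my-client-id",
            nonce: "n-0S6_WzA2Mj", access_token: access_token, flow: :implicit, now: now]
    {validate(claims, opts), validate(claims, Keyword.put(opts, :nonce, "other"))}
  end
end
```

`IdTokenChecks.demo/0` returns `{{:ok, claims}, {:error, :nonce_mismatch}}`: the first call passes every check, the second fails because the nonce stored in the session no longer matches the one echoed in the token. In a real handler you would call `validate/2` on the map returned by `OpenIDConnect.verify/2`, passing the issuer from the provider's discovery document, your client_id, the nonce you stored before redirecting, and the access token from the same response. Two items from section 3.1.3.7 are deliberately not here: the alg check (#7), which belongs with the signature verifier, and the acr/auth_time/max_age checks (#12-13), which only apply if you requested them.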