tanguilp / plugoid

OpenID Connect Plug for Elixir's Phoenix web framework
https://hexdocs.pm/plugoid/
Apache License 2.0

config settings compile time constant #8

Closed brianmay closed 2 years ago

brianmay commented 2 years ago

From the documentation:

pipeline :oidc_auth do
  plug Plugoid,
    issuer: "<issuer>",
    client_id: "<client_id>",
    client_config: MyApp.ClientCallback
end

Unless I am mistaken, it looks like this means that issuer, client_id, scope, etc. need to be compile-time constants, which excludes the ability to configure OIDC parameters at runtime, e.g. as is common for docker containers.

Also it would be good if the requirements for issuer could be better documented. I am unclear exactly what I need to pass to this. Maybe https://dex.example.org/ ? Or maybe https://dex.example.org/.well-known/openid-configuration?

I also find it confusing why you need the client_id to lookup the client_id value in the get function.

tanguilp commented 2 years ago

Yes, these are compile-time constants. You can take a look at https://akoutmos.com/post/plug-runtime-config/ to solve this problem.

> Also it would be good if the requirements for issuer could be better documented. I am unclear exactly what I need to pass to this. Maybe https://dex.example.org/ ? Or maybe https://dex.example.org/.well-known/openid-configuration?

Plugoid uses OAuth2MetadataUpdater, take a look at the documentation: https://hexdocs.pm/oauth2_metadata_updater/readme.html

> I also find it confusing why you need the client_id to lookup the client_id value in the get function.

Clients can be configured dynamically (keys can change, etc.), which is why there's a callback.

brianmay commented 2 years ago

> Clients can be configured dynamically (keys can change, etc.), which is why there's a callback.

But it still doesn't make sense that you would use the client_id value to lookup the client_id value.

And the first client_id value really is the client_id value that is sent to the server.

tanguilp commented 2 years ago

Yes. It's just that this field is part of standard OAuth2 client metadata.

brianmay commented 2 years ago

Not entirely 100% comfortable using yet another 3rd party package - https://hexdocs.pm/replug/readme.html - but I can confirm it does solve the problem. And it also makes it easier to share common config between different plugoid plug instances in different pipelines.

So closing this bug for now.
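The two points raised in this thread (plug options frozen at compile time, and a client callback that receives a client_id and hands back client metadata containing that same client_id) can be shown together in one added example. This is illustration code, not Plugoid's own code and not what either participant posted. It assumes an application named :my_app whose OIDC settings live under the application env key :oidc, a client secret in the OIDC_CLIENT_SECRET environment variable, and a callback shape (a get function that receives the client_id) inferred from the discussion rather than read from Plugoid's docs; check the Plugoid documentation for the exact behaviour module before relying on it.

```elixir
# Added example (not Plugoid's own code): resolve Plugoid options at runtime
# instead of at compile time, following the wrapper-plug pattern from the
# post linked in the thread. Assumptions, not from the page: the app is
# :my_app, its OIDC settings live under the :oidc application env key, and
# the client secret comes from the OIDC_CLIENT_SECRET environment variable.

defmodule MyApp.RuntimePlugoid do
  @moduledoc """
  Wraps `Plugoid` so that `issuer`, `client_id` and friends are read from the
  application environment on first use (e.g. from config/runtime.exs inside a
  container), instead of being baked in when the router is compiled.
  """
  @behaviour Plug

  @impl true
  def init(static_opts), do: static_opts

  @impl true
  def call(conn, static_opts) do
    Plugoid.call(conn, resolved_opts(static_opts))
  end

  # Plugoid.init/1 validates and normalises its options. Run it once per node
  # with the merged static + runtime options and cache the result, so each
  # request does not repeat that work. A changed issuer or client_id therefore
  # needs a restart; secrets are handled separately in the callback below.
  defp resolved_opts(static_opts) do
    key = {__MODULE__, static_opts}

    case :persistent_term.get(key, nil) do
      nil ->
        runtime_opts = Application.fetch_env!(:my_app, :oidc)
        opts = Plugoid.init(Keyword.merge(static_opts, runtime_opts))
        :persistent_term.put(key, opts)
        opts

      opts ->
        opts
    end
  end
end

defmodule MyApp.ClientCallback do
  @moduledoc """
  Client configuration callback. Plugoid asks it for the metadata of the
  client it was configured with; returning the same client_id back is what
  the thread discusses: the returned map is standard OAuth2 client metadata,
  and client_id is simply one of its fields. The secret is read at call time
  so a rotated secret is picked up without recompiling or redeploying.
  """

  # Assumed callback shape (a `get` receiving the client_id), inferred from
  # the thread; confirm the exact behaviour and arity in Plugoid's docs.
  def get(client_id, _opts \\ []) do
    %{
      "client_id" => client_id,
      "client_secret" => System.fetch_env!("OIDC_CLIENT_SECRET"),
      "token_endpoint_auth_method" => "client_secret_basic"
    }
  end
end

# Assumed wiring, shown as comments so the module above compiles on its own.
#
# config/runtime.exs: the issuer is the bare issuer URL; OpenID Connect
# discovery appends /.well-known/openid-configuration to it itself.
#
#   config :my_app, :oidc,
#     issuer: System.fetch_env!("OIDC_ISSUER"),        # e.g. https://dex.example.org
#     client_id: System.fetch_env!("OIDC_CLIENT_ID"),
#     client_config: MyApp.ClientCallback
#
# lib/my_app_web/router.ex: only the wrapper is named at compile time.
#
#   pipeline :oidc_auth do
#     plug MyApp.RuntimePlugoid
#   end
```

One caveat with this pattern: because Plugoid.init/1 now runs on the first request rather than at compile time, a missing or malformed issuer or client_id surfaces as a failed request instead of a build error. Calling Application.fetch_env!(:my_app, :oidc) from the application's start/2 is a cheap way to fail at boot instead.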