Adds single sign on functionality to a Phoenix app.
This library acts as a single sign on client by providing a controller that works in conjunction with Simple Auth to authenticate the user against an OAuth2 provider and store the user's details in the session.
In addition to providing the standard OAuth2 endpoints, the provider must provide a URL that gives the current user's details when provided with a token.
If available in Hex, the package can be installed
by adding simple_sso
to your list of dependencies in mix.exs
:
def deps do
[
{:simple_sso, "~> 0.1.0"}
]
end
config :simple_auth,
user_session_api: SimpleAuth.UserSession.Memory,
session_expiry_seconds: 3600,
login_url: {SimpleSSO.OAuthController, :authorize_url},
error_view: MyApp.ErrorView,
user_model: MyApp.User #Optional - if not specified a map is stored as the user
config :simple_sso,
error_view: MyApp.ErrorView,
current_user_path: "/api/users/me" # Gets the current user when given Bearer token in the authorization header
config :simple_sso, :oauth,
client_id: "my-client",
client_secret: "my-secret",
redirect_uri: "http://my-site/auth/callback",
site: "http://oauth-provider-site"
Add the following to router.ex
to match the redirect_uri
above:
scope "/" do
pipe_through(:browser)
get("/auth/callback", SimpleSSO.OAuthController, :auth_callback)
end
<%= link "Student Login", to: SimpleSSO.OAuthController.authorize_url() %>
Add the following optional route if you want single sign out also:
pipeline :api do
plug(:accepts, ["json"])
end
scope "/" do
pipe_through(:api)
delete("/api/logout", SimpleSSO.OAuthController, :logout_api)
end
In the provider you must call this URL to force all sessions for the user to logout e.g.
DELETE http://my-site/api/logout?user_id=1234
If there are multiple OAuth consumers, multiple logouts can be done here by posting to each URL.
In your app just set the logout link to the provider's logout UI link.
Therefore the process will be as follows:
- User clicks on logout link
- Logout action is executed on provider site
- Provider backend sends API calls to each OAuth consumers passing the user id
- The OAuth consumer controller (within SimpleSSO controller) deletes the in memory session for the user.
The OAuth2 provider must have the following endpoints:
/oauth/authorize
- OAuth2 Authorize endpoint that redirects the theredirect_uri
with acode
/oauth/token
- OAuth2 Token endpoint that exchanges acode
for atoken
/api/users/me
- Provides json in the following structure given atoken
in theAuthorize
header
{
"user":{
"id":1234,
"email":"user1@acme.com"
},
"roles":[
"ROLE_ADMIN"
]
}
These URLs are configurable in the config.