Merge pull request #178 from pow-auth/auth0-oidc

danschultzer · web-flow · commit b4f708aab30b · 2025-01-06T14:22:19.000-08:00
Switch to Auth0 OIDC
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 ### Breaking changes
 
+* `Assent.Strategy.Auth0.authorize_url/2` no longer accepts `:domain` config, use `:base_url` instead
 * `Assent.Strategy.Google` now return `hd` instead of `google_hd`
 * `:site` configuration option removed, use `:base_url` instead
 * `Assent.Strategy.OAuth2.authorize_url/2` no longer allows `:state` in `:authorization_params`
@@ -17,6 +18,7 @@
 
 ### Changes
 
+* `Assent.Strategy.Auth0` now uses OIDC instead of OAuth 2.0 base strategy
 * `Assent.Strategy.Google` now uses OIDC instead of OAuth 2.0 base strategy
 
 ## v0.2
diff --git a/lib/assent/strategies/auth0.ex b/lib/assent/strategies/auth0.ex
@@ -1,6 +1,10 @@
 defmodule Assent.Strategy.Auth0 do
   @moduledoc """
-  Auth0 OAuth 2.0 strategy.
+  Auth0 OpenID Connect strategy.
+
+  ## Configuration
+
+  - `:base_url` - The Auth0 base URL, required
 
   ## Usage
 
@@ -13,33 +17,13 @@ defmodule Assent.Strategy.Auth0 do
 
   See `Assent.Strategy.OAuth2` for more.
   """
-  use Assent.Strategy.OAuth2.Base
+  use Assent.Strategy.OIDC.Base
 
   @impl true
-  def default_config(config) do
-    append_domain_config(config,
-      authorize_url: "/authorize",
-      token_url: "/oauth/token",
-      user_url: "/userinfo",
-      authorization_params: [scope: "openid profile email"],
-      auth_method: :client_secret_post
-    )
-  end
-
-  defp append_domain_config(config, default) do
-    case Assent.fetch_config(config, :domain) do
-      {:ok, domain} ->
-        IO.warn("`:domain` config is deprecated. Use `:base_url` instead.")
-        Keyword.put(default, :base_url, prepend_scheme(domain))
-
-      _error ->
-        default
-    end
+  def default_config(_config) do
+    [
+      authorization_params: [scope: "email profile"],
+      client_authentication_method: "client_secret_post"
+    ]
   end
-
-  defp prepend_scheme("http" <> _ = domain), do: domain
-  defp prepend_scheme(domain), do: "https://" <> domain
-
-  @impl true
-  def normalize(_config, user), do: {:ok, user}
 end
diff --git a/test/assent/strategies/auth0_test.exs b/test/assent/strategies/auth0_test.exs
@@ -1,70 +1,59 @@
 defmodule Assent.Strategy.Auth0Test do
-  use Assent.Test.OAuth2TestCase
-
-  alias Assent.{MissingConfigError, Strategy.Auth0}
-
-  # From https://auth0.com/docs/api/authentication#user-profile
-  @user_response %{
-    "sub" => "248289761001",
-    "name" => "Jane Josephine Doe",
-    "given_name" => "Jane",
-    "family_name" => "Doe",
-    "middle_name" => "Josephine",
-    "nickname" => "JJ",
-    "preferred_username" => "j.doe",
-    "profile" => "http://exampleco.com/janedoe",
-    "picture" => "http://exampleco.com/janedoe/me.jpg",
-    "website" => "http://exampleco.com",
-    "email" => "janedoe@exampleco.com",
-    "email_verified" => true,
-    "gender" => "female",
-    "birthdate" => "1972-03-31",
-    "zoneinfo" => "America/Los_Angeles",
-    "locale" => "en-US",
-    "phone_number" => "+1 (111) 222-3434",
-    "phone_number_verified" => false,
-    "address" => %{
-      "country" => "us"
-    },
-    "updated_at" => "1556845729"
+  use Assent.Test.OIDCTestCase
+
+  alias Assent.Strategy.Auth0
+
+  # From https://auth0.com/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims#authenticate-a-user-and-request-standard-claims
+  @id_token_claims %{
+    "name" => "John Doe",
+    "nickname" => "john.doe",
+    "picture" => "https://myawesomeavatar.com/avatar.png",
+    "updated_at" => "2017-03-30T15:13:40.474Z",
+    "email" => "john.doe@test.com",
+    "email_verified" => false,
+    "iss" => "https://{yourDomain}/",
+    "sub" => "auth0|USER-ID",
+    "aud" => "{yourClientId}",
+    "exp" => :os.system_time(:second) + 60,
+    "iat" => :os.system_time(:second),
+    "nonce" => "crypto-value",
+    "at_hash" => "IoS3ZGppJKUn3Bta_LgE2A"
+  }
+  @user %{
+    "email" => "john.doe@test.com",
+    "email_verified" => false,
+    "sub" => "auth0|USER-ID",
+    "name" => "John Doe",
+    "nickname" => "john.doe",
+    "picture" => "https://myawesomeavatar.com/avatar.png",
+    "updated_at" => "2017-03-30T15:13:40.474Z"
   }
-  @user @user_response
 
   test "authorize_url/2", %{config: config} do
-    config = Keyword.delete(config, :base_url)
-
-    assert {:error, %MissingConfigError{} = error} = Auth0.authorize_url(config)
-    assert error.key == :base_url
-
-    assert {:ok, %{url: url}} =
-             Auth0.authorize_url(config ++ [base_url: "https://demo.auth0.com/authorize"])
-
-    assert url =~ "https://demo.auth0.com/authorize"
+    assert {:ok, %{url: url}} = Auth0.authorize_url(config)
+    assert url =~ "/oauth/authorize?client_id=id"
+    assert url =~ "scope=openid+email+profile"
   end
 
   test "callback/2", %{config: config, callback_params: params} do
-    expect_oauth2_access_token_request([uri: "/oauth/token"], fn _conn, params ->
-      assert params["client_secret"] == config[:client_secret]
-    end)
-
-    expect_oauth2_user_request(@user_response, uri: "/userinfo")
+    openid_config =
+      config[:openid_configuration]
+      |> Map.put("issuer", "https://{yourDomain}/")
+      |> Map.put("token_endpoint_auth_methods_supported", ["client_secret_post"])
 
-    assert {:ok, %{user: user}} = Auth0.callback(config, params)
-    assert user == @user
-  end
-
-  ### Deprecated
+    session_params = Map.put(config[:session_params], :nonce, "crypto-value")
 
-  test "authorize_url/2 with `:domain` config", %{config: config} do
-    config = Keyword.take(config, [:client_id, :redirect_uri])
+    config =
+      Keyword.merge(config,
+        openid_configuration: openid_config,
+        client_id: "{yourClientId}",
+        session_params: session_params
+      )
 
-    assert {:error, %MissingConfigError{} = error} = Auth0.authorize_url(config)
-    assert error.key == :base_url
+    [key | _rest] = expect_oidc_jwks_uri_request()
+    expect_oidc_access_token_request(id_token_opts: [claims: @id_token_claims, kid: key["kid"]])
 
-    assert {:ok, %{url: url}} = Auth0.authorize_url(config ++ [domain: "demo.auth0.com"])
-    assert url =~ "https://demo.auth0.com/authorize"
-
-    assert {:ok, %{url: url}} = Auth0.authorize_url(config ++ [domain: "http://demo.auth0.com"])
-    assert url =~ "http://demo.auth0.com/authorize"
+    assert {:ok, %{user: user}} = Auth0.callback(config, params)
+    assert user == @user
   end
 end
