Use OpenID and OAuth with your Bonfire identity or connect to Bonfire with an external identity
Bonfire.OpenID enables your Bonfire instance to act as both:
https://your-bonfire-instance.tld/openid/client/orcid
https://your-bonfire-instance.tld/oauth/client/github
https://your-bonfire-instance.tld/openid/client/openid_1
https://your-bonfire-instance.tld/openid/client/oauth_1
Set these in your .env
or deployment environment:
ORCID_CLIENT_ID=
ORCID_CLIENT_SECRET=
GITHUB_APP_CLIENT_ID=
GITHUB_CLIENT_SECRET=
OPENID_1_DISCOVERY=https://yourprovider.example/.well-known/openid-configuration
OPENID_1_CLIENT_ID=your-client-id
OPENID_1_CLIENT_SECRET=your-client-secret
OPENID_1_DISPLAY_NAME=Your Provider Name
OPENID_1_SCOPE=openid email profile
OPENID_1_ENABLE_SIGNUP=false
OAUTH_1_AUTHORIZE_URI=https://yourprovider.example/authorize_example_path
OAUTH_1_ACCESS_TOKEN_URI=https://yourprovider.example/token_example_path
OAUTH_1_USERINFO_URI=https://yourprovider.example/api_example_path/userinfo_example_path
OAUTH_1_CLIENT_ID=your-client-id
OAUTH_1_CLIENT_SECRET=your-client-secret
OAUTH_1_DISPLAY_NAME=Your Provider Name
OAUTH_1_ENABLE_SIGNUP=false
Note:
If you setOAUTH_1_ENABLE_SIGNUP=true
orOPENID_1_ENABLE_SIGNUP=true
, users will be offered to sign up for Bonfire using this SSO provider, even if they do not already have a Bonfire account.However, some SSO providers do not provide an email address for the user. In this case, SSO-based signup will currently fail.
To avoid this, either:
- Ensure your SSO provider supplies an email address, or
- Set
OAUTH_1_ENABLE_SIGNUP=false
/OPENID_1_ENABLE_SIGNUP=false
to require users to first create a Bonfire account and link it afterwards.
Users will see a "Sign in with..." button for each configured provider.
After authenticating with the provider, users are redirected back to Bonfire and logged in (or signed up, if enabled).
To disable a client SSO provider, simply comment out or remove the relevant environment variables.
Path | Purpose |
---|---|
/openid/client/:provider |
OpenID client login/callback |
/oauth/client/:provider |
OAuth client login/callback |
Bonfire’s SSO provider endpoints are currently disabled by default.
To enable Bonfire as an SSO provider, set the following environment variable:
ENABLE_SSO_PROVIDER=true
This will activate all provider endpoints (OAuth2/OpenID Connect).
Until a UI is added for this, you can register a new OAuth/OpenID client using a curl
command, making sure that redirect_uris
matches what your client app will use:
curl -X POST https://your-bonfire-instance.tld/api/v1/apps \
-F 'client_name=Your Application Name' \
-F 'redirect_uris=https://your-client-app.example/callback' \
-F 'scopes=openid email profile' \
-F 'website=https://your-client-app.example'
Or using Bonfire's IEx console:
Bonfire.OpenID.Provider.ClientApps.get_or_new("My App", ["https://your-app.example/callback"])
This will return a JSON response with the client ID and secret.
For now you can use Bonfire's IEx console:
# List all registered clients
Bonfire.OpenID.Provider.ClientApps.list_clients()
# List all available scopes
Bonfire.OpenID.Provider.ClientApps.list_scopes()
# List all active tokens
Bonfire.OpenID.Provider.ClientApps.list_active_tokens()
Path | Purpose |
---|---|
/oauth/revoke |
Provider: revoke token |
/oauth/token |
Provider: token endpoint |
/oauth/introspect |
Provider: introspect token |
/oauth/authorize |
Provider: authorize endpoint |
/oauth/ready |
Provider: readiness check |
/openid/authorize |
Provider: OpenID authorize |
/openid/userinfo |
Provider: user info endpoint |
/openid/jwks |
Provider: JWKS endpoint |
/.well-known/openid-configuration |
Provider: discovery endpoint |
Bonfire should support all standard OAuth2 and OpenID Connect grant types:
Redirect URIs must match what is registered for each client.
openid
, email
, and profile
are supported.userinfo_fetched/2
function in UserinfoController
.Powered by these libraries:
Extension copyright (c) 2022 Bonfire Contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public
License along with this program. If not, see https://www.gnu.org/licenses/.