oauth/oidc

priv/oauth/create_client.exs

@@ -0,0 +1,22 @@
+
+id = SecureRandom.uuid()
+secret = SecureRandom.hex(64)
+
+[name, redirect] = System.argv()
+
+Boruta.Ecto.Admin.create_client(%{
+  id: id, # OAuth client_id
+  secret: secret, # OAuth client_secret
+  name: name, # Display name
+  redirect_uris: [redirect], # OAuth client redirect_uris
+  pkce: false, # PKCE enabled
+  public_refresh_token: true, # do not require client_secret for refreshing tokens
+  public_revoke: false, # do not require client_secret for revoking tokens
+  confidential: false, # see OAuth 2.0 confidentiality (requires client secret for some flows)
+  token_endpoint_auth_methods: [ # activable client authentication methods
+    "client_secret_basic",
+    "client_secret_post",
+    "client_secret_jwt",
+    "private_key_jwt"
+  ],
+}) |> IO.inspect

priv/repo/migrations/20231105011324_create_boruta.exs

@@ -0,0 +1,87 @@
+defmodule SsoBsn.Repo.Migrations.CreateBoruta do
+  use Ecto.Migration
+
+  def change do
+    create table(:oauth_clients, primary_key: false) do
+      add :id, :uuid, primary_key: true
+      add :name, :string, default: "", null: false
+      add :secret, :string, null: false
+      add :redirect_uris, {:array, :string}, default: [], null: false
+      add :scope, :string
+      add :authorize_scope, :boolean, default: false, null: false
+
+      add :supported_grant_types, {:array, :string},
+        default: [
+          "client_credentials",
+          "password",
+          "authorization_code",
+          "refresh_token",
+          "implicit",
+          "revoke",
+          "introspect"
+        ],
+        null: false
+
+      add :authorization_code_ttl, :integer, null: false
+      add :access_token_ttl, :integer, null: false
+      add :pkce, :boolean, default: false, null: false
+      add :public_key, :text 
+      add :private_key, :text, null: false
+      add :id_token_ttl, :integer, default: 3600
+      add :public_refresh_token, :boolean, null: false, default: false
+      add :refresh_token_ttl, :integer, null: false, default: "2592000"
+      add :public_revoke, :boolean, null: false, default: false
+      add :id_token_signature_alg, :string, default: "RS512"
+      add :confidential, :boolean, default: false, null: false
+      add :jwt_public_key, :text
+      add :token_endpoint_auth_methods, {:array, :string}, null: false,
+        default: ["client_secret_basic", "client_secret_post"]
+      add :token_endpoint_jwt_auth_alg, :string, default: "HS256", null: false
+      add :userinfo_signed_response_alg, :string
+      timestamps()
+    end
+
+    create table(:oauth_tokens, primary_key: false) do
+      add :id, :uuid, primary_key: true
+      add :type, :string
+      add :value, :string
+      add :refresh_token, :string
+      add :expires_at, :integer
+      add :redirect_uri, :string
+      add :state, :string
+      add :scope, :string, default: ""
+      add :revoked_at, :utc_datetime_usec
+      add :code_challenge_hash, :string
+      add :code_challenge_method, :string
+      add :nonce, :string
+      add :previous_token, :string
+      add :refresh_token_revoked_at, :utc_datetime_usec
+      add :previous_code, :string
+
+      add :client_id, references(:oauth_clients, type: :uuid, on_delete: :nilify_all)
+      add :sub, :string
+
+      timestamps(type: :utc_datetime_usec)
+    end
+
+    create table(:oauth_scopes, primary_key: false) do
+      add :id, :binary_id, primary_key: true
+      add :label, :string
+      add :name, :string, default: ""
+      add :public, :boolean, default: false, null: false
+
+      timestamps()
+    end
+
+    create table(:oauth_clients_scopes) do
+      add :client_id, references(:oauth_clients, type: :uuid, on_delete: :delete_all)
+      add :scope_id, references(:oauth_scopes, type: :uuid, on_delete: :delete_all)
+    end
+
+    create unique_index(:oauth_clients, [:id, :secret])
+    create index(:oauth_tokens, [:value])
+    create unique_index(:oauth_tokens, [:client_id, :value])
+    create unique_index(:oauth_tokens, [:client_id, :refresh_token])
+    create unique_index(:oauth_scopes, [:name])
+  end
+end

priv/repo/migrations/20231106235646_user_last_login.exs

@@ -0,0 +1,9 @@
+defmodule SsoBsn.Repo.Migrations.UserLastLogin do
+  use Ecto.Migration
+
+  def change do
+    alter table(:users) do
+      add :last_login_at, :utc_datetime_usec
+    end
+  end
+end