Simplified authentication for application.garden based on OpenID Connect.
Garden ID is hosted on GitHub so you can simply add it as a git dependency to your deps.edn
:
{io.github.nextjournal/garden-id {:git/sha "<latest-sha>"}}
Wrap your Ring app with ring.middleware.session/wrap-session
and nextjournal.garden-id/wrap-auth
.
Redirecting to the path in nextjournal.garden-id/login-uri
will send the user to a login page. Upon successful login it redirects to "/" and user data is stored in the session.
In local development authentication is mocked and you can impersonate arbitrary users.
You can configure authorization by passing a map as the second argument to nextjournal.garden-id/wrap-auth
.
To only allow certain Github users, members of a certain Github organization or team to access your application, use:
(nextjournal.garden-id/wrap-auth my-app {:github [RESTRICTIONS...]})
Possible restrictions are:
{:login "githubhandle"}
: the usergithubhandle
{:id 1234567}
: the user with the Github ID 1234567{:login ifn}
: call ifn with the GitHub login handle, pass if returns true{:id ifn}
: call ifn with the GitHub id, pass if returns true{:organization "myorg"}
: members of the organizationmyorg
.{:organization "myorg" :team "myteam"}
: members of the teammyteam
of the organizationmyorg
.
The user is permitted if they pass any listed restriction.
You need a valid Github API token in the environment variable GITHUB_API_TOKEN
that is scoped to read the organization members.
Use an application.garden secret to set this.
To only allow login with Apple ID, use:
(nextjournal.garden-id/wrap-auth my-app {:apple []})
See example for an example application.