Hi, have you given any thought to an optional OpenID Connect layer in this library?
A default implementation proposal:
Someone has requested a token with scope=openid and then exchanges an authorization code for an access token.
```elixir
# GET /oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=openid
case ExOauth2Provider.Authorization.preauthorize(resource_owner, params, otp_app: :my_app) do
  {:ok, client, scopes} -> # render authorization page
  {:redirect, redirect_uri} -> # redirect to external redirect_uri
  {:native_redirect, %{code: code}} -> # redirect to local :show endpoint
  {:error, error, http_status} -> # render error page
end

# Then the auth code exchange can respond like:
# POST /oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
case ExOauth2Provider.Token.grant(params, otp_app: :my_app) do
  {:ok, access_token} -> # JSON response
  {:ok, access_token, open_id_token} -> # JSON response which includes openid connect JWT and access_token
  {:error, error, http_status} -> # JSON response
end
```
Maybe the authorization server can define which of the resource_owner fields should be encoded as JWT claims:
```elixir
config :my_app, ExOauth2Provider,
  repo: MyApp.Repo,
  resource_owner: MyApp.Users.User,
  open_id: true,
  open_id_claim_fields: [:id, :email, ...]
```
What do you think?
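An added example (not code from the issue or from ex_oauth2_provider) of how the `open_id_claim_fields` whitelist could be applied when the token endpoint builds the ID token claims. It assumes the access token's scopes are a space-separated string, the client struct has a `uid`, and `opts` carries `:issuer`, `:id_token_ttl` and the `:nonce` from the authorization request; all of these are assumptions, not library API.

```elixir
defmodule MyApp.OpenIDClaims do
  @moduledoc """
  Hypothetical helper (not part of ExOauth2Provider): derives the claim set of
  an OpenID Connect ID token from the resource owner, copying only the fields
  whitelisted in :open_id_claim_fields.
  """

  # Returns {:ok, claims} when the grant carries the `openid` scope, otherwise
  # :no_openid so the caller answers with a plain {:ok, access_token}.
  # `scopes` is assumed to be the space-separated scope string of the token.
  def id_token_claims(scopes, resource_owner, client, opts) do
    if "openid" in String.split(scopes || "", " ", trim: true) do
      {:ok, build(resource_owner, client, opts)}
    else
      :no_openid
    end
  end

  def build(resource_owner, client, opts) do
    fields = Keyword.get(opts, :open_id_claim_fields, [:id, :email])
    now = System.system_time(:second)

    # Mandatory ID-token claims (OIDC Core 1.0, section 2). `aud` is the client
    # identifier; the application's `uid` is assumed here. `nonce` is echoed
    # only when the authorization request supplied one.
    base =
      %{
        "iss" => Keyword.fetch!(opts, :issuer),
        "sub" => to_string(resource_owner.id),
        "aud" => client.uid,
        "iat" => now,
        "exp" => now + Keyword.get(opts, :id_token_ttl, 3600)
      }
      |> maybe_put("nonce", Keyword.get(opts, :nonce))

    # Take only the configured fields from the user record. Copying the whole
    # struct would leak password hashes and internal columns into the token.
    extra =
      resource_owner
      |> Map.delete(:__struct__)
      |> Map.take(fields -- [:id])
      |> Map.new(fn {k, v} -> {Atom.to_string(k), v} end)

    # Standard claims win, so configuration cannot overwrite `sub` or `iss`.
    Map.merge(extra, base)
  end

  defp maybe_put(map, _key, nil), do: map
  defp maybe_put(map, key, value), do: Map.put(map, key, value)
end
```

The resulting map is what would be signed into the JWT returned as `open_id_token`; signing and key management are outside this snippet.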