Install Elixir deps

The feature uses Assent , a flexible OAuth/OIDC library that supports many providers out of the box. Assent handles the OAuth flow, token management, and user info extraction.

Assent: hexdocs.pm/assent

mix.exs Reveal

	`-66,7 +66,8 @@ defmodule MyApp.MixProject do`
	`{:gettext, "~> 1.0"},`
	`{:jason, "~> 1.2"},`
	`{:dns_cluster, "~> 0.2.0"},`
-	`{:bandit, "~> 1.5"}`
+	`{:bandit, "~> 1.5"},`
+	`{:assent, "~> 0.2"}`
	`]`
	`end`

Runtime configuration

OAuth providers are configured in runtime.exs for production, reading credentials from environment variables:

For development, create config/dev.secret.exs with your test credentials and import it from config/dev.exs .

config/runtime.exs Reveal

	`-116,4 +116,24 @@ if config_env() == :prod do`
	`# config :swoosh, :api_client, Swoosh.ApiClient.Req`
	`#`
	`# See https://hexdocs.pm/swoosh/Swoosh.html#module-installation for details.`
+
+	`# OAuth providers`
+	`config :my_app, :oauth_providers,`
+	`google: [`
+	`strategy: Assent.Strategy.Google,`
+	`client_id: System.fetch_env!("GOOGLE_CLIENT_ID"),`
+	`client_secret: System.fetch_env!("GOOGLE_CLIENT_SECRET")`
+	`],`
+	`apple: [`
+	`strategy: Assent.Strategy.Apple,`
+	`client_id: System.fetch_env!("APPLE_CLIENT_ID"),`
+	`team_id: System.fetch_env!("APPLE_TEAM_ID"),`
+	`private_key_id: System.fetch_env!("APPLE_PRIVATE_KEY_ID"),`
+	`# Apple private key is sensitive to whitespace.`
+	`# Encode your key with:`
+	`# cat /path/to/AuthKey_XXXXX.p8 \| base64`
+	`private_key: System.fetch_env!("APPLE_PRIVATE_KEY_BASE64") \|> Base.decode64!(),`
+	`# Apple OAuth uses security measures that do not require a state token`
+	`state: false`
+	`]`
	`end`

guides/CONFIGURE_SIGN_IN_WITH_APPLE.md

	`-0,0 +1,80 @@`
+	`# Configure Sign-in with Apple`
+
+	`## Prerequisites`
+
+	`- Apple Developer account ($99/year)`
+	`- A domain you control (Apple doesn't allow localhost)`
+
+	`## Step 1: Register an App ID`
+
+	`1. Go to [Apple Developer Identifiers](https://developer.apple.com/account/resources/identifiers)`
+	`2. Click "+" → "App IDs" → "App"`
+	3. Enter a description and Bundle ID (e.g., `com.yourapp.web`)
+	`4. Enable "Sign in with Apple" capability`
+	`5. Click Continue/Register`
+
+	`## Step 2: Create a Services ID`
+
+	`This is your OAuth client.`
+
+	`1. Go to Identifiers → Click "+" → "Services IDs"`
+	2. Enter a description and identifier (e.g., `com.yourapp.web.signin`)
+	`3. Click Continue/Register`
+	`4. Click on the newly created Services ID`
+	`5. Enable "Sign in with Apple"`
+	`6. Click "Configure":`
+	`- Primary App ID: select your App ID from Step 1`
+	- Domains: `yourdomain.com`
+	- Return URLs: `https://yourdomain.com/auth/apple/callback`
+	`7. Save`
+
+	`## Step 3: Create a Key`
+
+	`1. Go to [Apple Developer Keys](https://developer.apple.com/account/resources/authkeys)`
+	`2. Click "+" to create a new key`
+	`3. Enter a name (e.g., "My App Sign In")`
+	`4. Enable "Sign in with Apple", click Configure, select your Primary App ID`
+	`5. Click Continue/Register`
+	6. Download the `.p8` key file (you only get one chance!)
+	`7. Note the Key ID shown`
+
+	`## Step 4: Configure Your Phoenix App`
+
+	Add to `config/dev.secret.exs`:
+
+	```elixir
+	`config :my_app, :oauth_providers,`
+	`apple: [`
+	`strategy: Assent.Strategy.Apple,`
+	`client_id: "com.yourapp.web.signin",`
+	`team_id: "XXXXXXXXXX",`
+	`private_key_id: "XXXXXXXXXX",`
+	`private_key: """`
+	`-----BEGIN PRIVATE KEY-----`
+	`<contents of your .p8 file>`
+	`-----END PRIVATE KEY-----`
+	`"""`
+	`]`
+	```
+
+	`Where:`
+	- `client_id` - Your Services ID identifier from Step 2
+	- `team_id` - Your 10-character Team ID (visible in top right of developer portal)
+	- `private_key_id` - The Key ID from Step 3
+	- `private_key` - Contents of the downloaded `.p8` file
+
+	`## Local Development`
+
+	Apple doesn't allow `localhost` as a redirect domain. Options:
+
+	1. Use ngrok - Run `ngrok http 4000`, add the ngrok domain to your Services ID configuration temporarily
+	`2. Test in staging - Deploy to a staging environment with a real domain`
+	`3. Skip locally - Use Google sign-in for local development, test Apple in staging/production`
+
+	`## Production`
+
+	`Set these environment variables:`
+	- `APPLE_CLIENT_ID`
+	- `APPLE_TEAM_ID`
+	- `APPLE_PRIVATE_KEY_ID`
+	- `APPLE_PRIVATE_KEY`

guides/CONFIGURE_SIGN_IN_WITH_GOOGLE.md

	`-0,0 +1,65 @@`
+	`# Configure Sign-in with Google`
+
+	`## Step 1: Access Google Cloud Console`
+
+	`1. Go to the [Google Cloud Console Credentials page](https://console.cloud.google.com/apis/credentials)`
+	`2. Create a project if you don't have one`
+
+	`## Step 2: Configure the OAuth Consent Screen`
+
+	`1. Click "OAuth consent screen" in the sidebar`
+	`2. Choose "External" and click "Create"`
+	`3. Fill in the required fields:`
+	`- App name`
+	`- User support email`
+	`- Developer contact email`
+	`4. Click "Save and Continue"`
+	5. Add scopes: `email` and `profile`
+	`6. Add yourself as a test user (required while in testing mode)`
+	`7. Complete the setup`
+
+	`## Step 3: Create OAuth Client ID`
+
+	`1. Click "Credentials" in the sidebar`
+	`2. Click "Create Credentials" → "OAuth client ID"`
+	`3. Select "Web application"`
+	`4. Add Authorized JavaScript origins:`
+	```
+	`http://localhost:4000`
+	```
+	`5. Add Authorized redirect URIs:`
+	```
+	`http://localhost:4000/auth/google/callback`
+	```
+	`6. Click "Create" and copy your Client ID and Client Secret`
+
+	`## Step 4: Configure Your Phoenix App`
+
+	Create `config/dev.secret.exs`:
+
+	```elixir
+	`import Config`
+
+	`config :my_app, :oauth_providers,`
+	`google: [`
+	`strategy: Assent.Strategy.Google,`
+	`client_id: "your-client-id.apps.googleusercontent.com",`
+	`client_secret: "your-client-secret"`
+	`]`
+	```
+
+	Ensure it's imported at the bottom of `config/dev.exs`:
+
+	```elixir
+	`import_config "dev.secret.exs"`
+	```
+
+	`## Step 5: Test`
+
+	1. Start your server: `mix phx.server`
+	2. Go to `http://localhost:4000/users/log-in`
+	`3. Click "Sign in with Google"`
+
+	`## Production`
+
+	Add your production domain to the Google Console (both JavaScript origins and redirect URIs), then set `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` environment variables.

Accounts context - OAuth functions

The Accounts context is extended with OAuth-related functions:

oauth_provider_configured?/1 - Checks if a provider is configured in the application config. Used to conditionally show OAuth buttons in the UI.

find_or_create_oauth_user/3 - The main OAuth authentication function with a three-step strategy:

OAuth users are automatically confirmed since their email is pre-verified by the provider.

list_user_identities/1 - Lists all OAuth identities for a user, ordered by provider name.

unlink_identity/2 - Removes an OAuth provider from a user's account. Includes a safety check: users can only unlink if they have a password set OR have other identities remaining, preventing account lockout.

lib/my_app/accounts.ex Reveal

	`-6,7 +6,18 @@ defmodule MyApp.Accounts do`
	`import Ecto.Query, warn: false`
	`alias MyApp.Repo`

-	`alias MyApp.Accounts.{User, UserToken, UserNotifier}`
+	`alias MyApp.Accounts.{User, UserIdentity, UserToken, UserNotifier}`
+
+	`## OAuth configuration`
+
+	`@doc """`
+	`Returns whether the given OAuth provider is configured.`
+	`"""`
+	`def oauth_provider_configured?(provider) when is_atom(provider) do`
+	`:my_app`
+	`\|> Application.get_env(:oauth_providers, [])`
+	`\|> Keyword.has_key?(provider)`
+	`end`

	`## Database getters`

	`-294,4 +305,118 @@ defmodule MyApp.Accounts do`
	`end`
	`end)`
	`end`
+
+	`## OAuth`
+
+	`@doc """`
+	`Finds or creates a user from OAuth data.`
+
+	`The strategy is:`
+	`1. If an identity exists for this provider+uid, return the associated user`
+	`2. If the email matches an existing user, link the identity to that user`
+	`3. Otherwise, create a new user with the identity`
+
+	`OAuth emails are considered pre-verified, so new users are automatically confirmed.`
+	`"""`
+	`def find_or_create_oauth_user(provider, provider_uid, user_info) do`
+	`email = get_oauth_email(user_info)`
+
+	`Repo.transact(fn ->`
+	`case get_identity_by_provider(provider, provider_uid) do`
+	`%UserIdentity{user: user} ->`
+	`{:ok, user}`
+
+	`nil ->`
+	`case get_user_by_email(email) do`
+	`%User{} = user ->`
+	`create_identity_for_user(user, provider, provider_uid, email, user_info)`
+
+	`nil ->`
+	`create_user_with_identity(provider, provider_uid, email, user_info)`
+	`end`
+	`end`
+	`end)`
+	`end`
+
+	`defp get_oauth_email(%{"email" => email}), do: email`
+	`defp get_oauth_email(%{email: email}), do: email`
+	`defp get_oauth_email(_), do: nil`
+
+	`defp get_identity_by_provider(provider, provider_uid) do`
+	`UserIdentity`
+	`\|> where([i], i.provider == ^provider and i.provider_uid == ^provider_uid)`
+	`\|> preload(:user)`
+	`\|> Repo.one()`
+	`end`
+
+	`defp create_identity_for_user(user, provider, provider_uid, email, user_info) do`
+	`%UserIdentity{}`
+	`\|> UserIdentity.changeset(%{`
+	`provider: provider,`
+	`provider_uid: provider_uid,`
+	`provider_email: email,`
+	`provider_data: user_info,`
+	`user_id: user.id`
+	`})`
+	`\|> Repo.insert()`
+	`\|> case do`
+	`{:ok, _identity} -> {:ok, user}`
+	`{:error, changeset} -> {:error, changeset}`
+	`end`
+	`end`
+
+	`defp create_user_with_identity(provider, provider_uid, email, user_info) do`
+	`# OAuth emails are pre-verified`
+	`now = DateTime.utc_now(:second)`
+
+	`user_changeset =`
+	`%User{}`
+	`\|> User.email_changeset(%{email: email})`
+	`\|> Ecto.Changeset.put_change(:confirmed_at, now)`
+
+	`with {:ok, user} <- Repo.insert(user_changeset) do`
+	`create_identity_for_user(user, provider, provider_uid, email, user_info)`
+	`end`
+	`end`
+
+	`@doc """`
+	`Lists all OAuth identities for a user.`
+	`"""`
+	`def list_user_identities(%User{id: user_id}) do`
+	`UserIdentity`
+	`\|> where([i], i.user_id == ^user_id)`
+	`\|> order_by([i], asc: i.provider)`
+	`\|> Repo.all()`
+	`end`
+
+	`@doc """`
+	`Unlinks an OAuth identity from a user.`
+
+	`Only allows unlinking if the user has a password set or has other identities,`
+	`to prevent locking the user out of their account.`
+	`"""`
+	`def unlink_identity(%User{} = user, provider) when is_binary(provider) do`
+	`identity =`
+	`UserIdentity`
+	`\|> where([i], i.user_id == ^user.id and i.provider == ^provider)`
+	`\|> Repo.one()`
+
+	`cond do`
+	`is_nil(identity) ->`
+	`{:error, :not_found}`
+
+	`not can_unlink_identity?(user) ->`
+	`{:error, :cannot_unlink}`
+
+	`true ->`
+	`Repo.delete(identity)`
+	`end`
+	`end`
+
+	`defp can_unlink_identity?(%User{} = user) do`
+	`has_password = not is_nil(user.hashed_password)`
+	`identity_count = Repo.aggregate(from(i in UserIdentity, where: i.user_id == ^user.id), :count)`
+
+	`has_password or identity_count > 1`
+	`end`
	`end`

User schema update

The User schema gets a has_many :identities association to UserIdentity . This allows loading all connected OAuth providers for a user.

lib/my_app/accounts/user.ex Reveal

	`-2,6 +2,8 @@ defmodule MyApp.Accounts.User do`
	`use Ecto.Schema`
	`import Ecto.Changeset`

+	`alias MyApp.Accounts.UserIdentity`
+
	`@primary_key {:id, :binary_id, autogenerate: true}`
	`@foreign_key_type :binary_id`
	`schema "users" do`
	`-11,6 +13,8 @@ defmodule MyApp.Accounts.User do`
	`field :confirmed_at, :utc_datetime`
	`field :authenticated_at, :utc_datetime, virtual: true`

+	`has_many :identities, UserIdentity`
+
	`timestamps(type: :utc_datetime)`
	`end`

UserIdentity schema

The UserIdentity schema stores OAuth provider connections for users. Each identity links a user to a specific provider (like "google" or "apple") using the provider's unique identifier ( provider_uid ).

The schema also stores the provider_email (which may differ from the user's account email) and provider_data (the raw user info from the OAuth provider, useful for debugging or future features).

A unique constraint on [:provider, :provider_uid] ensures each OAuth account can only be linked to one user.

lib/my_app/accounts/user_identity.ex Reveal

	`-0,0 +1,30 @@`
+	`defmodule MyApp.Accounts.UserIdentity do`
+	`use Ecto.Schema`
+	`import Ecto.Changeset`
+
+	`alias MyApp.Accounts.User`
+
+	`@primary_key {:id, :binary_id, autogenerate: true}`
+	`@foreign_key_type :binary_id`
+	`schema "user_identities" do`
+	`field :provider, :string`
+	`field :provider_uid, :string`
+	`field :provider_email, :string`
+	`field :provider_data, :map, default: %{}`
+
+	`belongs_to :user, User`
+
+	`timestamps(type: :utc_datetime)`
+	`end`
+
+	`@doc """`
+	`Changeset for creating a user identity.`
+	`"""`
+	`def changeset(identity, attrs) do`
+	`identity`
+	`\|> cast(attrs, [:provider, :provider_uid, :provider_email, :provider_data, :user_id])`
+	`\|> validate_required([:provider, :provider_uid, :user_id])`
+	`\|> unique_constraint([:provider, :provider_uid])`
+	`\|> foreign_key_constraint(:user_id)`
+	`end`
+	`end`

OAuth button components

Brand-compliant OAuth buttons following official guidelines from Google and Apple:

Both buttons use the official SVG icons and follow the respective brand guidelines for colors and styling.

lib/my_app_web/components/core_components.ex Reveal

	`-116,6 +116,104 @@ defmodule MyAppWeb.CoreComponents do`
	`end`
	`end`

+	`@doc """`
+	`Renders OAuth sign-in buttons for Google and Apple.`
+
+	`Buttons follow official brand guidelines:`
+	`- Google: https://developers.google.com/identity/branding-guidelines`
+	`- Apple: https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple`
+
+	`## Examples`
+
+	`<.oauth_buttons google_href={~p"/auth/google"} apple_href={~p"/auth/apple"} />`
+	`"""`
+	`attr :google_href, :string, required: true`
+	`attr :apple_href, :string, required: true`
+
+	`def oauth_buttons(assigns) do`
+	`~H"""`
+	`<div class="flex flex-col gap-3">`
+	`<.google_button href={@google_href} />`
+	`<.apple_button href={@apple_href} />`
+	`</div>`
+	`"""`
+	`end`
+
+	`@doc """`
+	`Renders a Google sign-in button following official brand guidelines.`
+	`"""`
+	`attr :href, :string, required: true`
+	`attr :class, :string, default: nil`
+
+	`def google_button(assigns) do`
+	`~H"""`
+	`<.link`
+	`href={@href}`
+	`class={[`
+	`"flex items-center justify-center gap-3 w-full px-3 py-2.5 bg-white border border-[#747775] rounded-md text-[#1F1F1F] font-medium text-sm hover:bg-gray-50 transition-colors",`
+	`@class`
+	`]}`
+	`>`
+	`<.google_icon />`
+	`<span>Sign in with Google</span>`
+	`</.link>`
+	`"""`
+	`end`
+
+	`@doc """`
+	`Renders an Apple sign-in button following official brand guidelines.`
+	`"""`
+	`attr :href, :string, required: true`
+	`attr :class, :string, default: nil`
+
+	`def apple_button(assigns) do`
+	`~H"""`
+	`<.link`
+	`href={@href}`
+	`class={[`
+	`"flex items-center justify-center gap-3 w-full px-3 py-2.5 bg-black border border-black rounded-md text-white font-medium text-sm hover:bg-gray-900 transition-colors",`
+	`@class`
+	`]}`
+	`>`
+	`<.apple_icon />`
+	`<span>Sign in with Apple</span>`
+	`</.link>`
+	`"""`
+	`end`
+
+	`@doc false`
+	`def google_icon(assigns) do`
+	`~H"""`
+	`<svg class="size-5" viewBox="0 0 24 24" aria-hidden="true">`
+	`<path`
+	`d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"`
+	`fill="#4285F4"`
+	`/>`
+	`<path`
+	`d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"`
+	`fill="#34A853"`
+	`/>`
+	`<path`
+	`d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"`
+	`fill="#FBBC05"`
+	`/>`
+	`<path`
+	`d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"`
+	`fill="#EA4335"`
+	`/>`
+	`</svg>`
+	`"""`
+	`end`
+
+	`@doc false`
+	`def apple_icon(assigns) do`
+	`~H"""`
+	`<svg class="size-5" viewBox="0 0 24 24" fill="white" aria-hidden="true">`
+	<path d="M12.152 6.896c-.948 0-2.415-1.078-3.96-1.04-2.04.027-3.91 1.183-4.961 3.014-2.117 3.675-.546 9.103 1.519 12.09 1.013 1.454 2.208 3.09 3.792 3.039 1.52-.065 2.09-.987 3.935-.987 1.831 0 2.35.987 3.96.948 1.637-.026 2.676-1.48 3.676-2.948 1.156-1.688 1.636-3.325 1.662-3.415-.039-.013-3.182-1.221-3.22-4.857-.026-3.04 2.48-4.494 2.597-4.559-1.429-2.09-3.623-2.324-4.39-2.376-2-.156-3.675 1.09-4.61 1.09zM15.53 3.83c.843-1.012 1.4-2.427 1.245-3.83-1.207.052-2.662.805-3.532 1.818-.78.896-1.454 2.338-1.273 3.714 1.338.104 2.715-.688 3.559-1.701" />
+	`</svg>`
+	`"""`
+	`end`
+
	`@doc """`
	`Renders an input with label and error messages.`

OAuth controller

The OAuthController handles the OAuth flow with two actions:

request/2 - Initiates the OAuth flow by generating an authorization URL using Assent and redirecting the user to the provider. Stores session params (for CSRF protection) in the session.

callback/2 - Handles the OAuth callback when the user returns from the provider. Exchanges the authorization code for tokens, extracts user info, and calls find_or_create_oauth_user/3 to authenticate. On success, logs the user in with "remember me" enabled.

The controller uses String.to_existing_atom/1 when parsing the provider parameter, which safely rejects unknown providers.

lib/my_app_web/controllers/oauth_controller.ex Reveal

	`-0,0 +1,86 @@`
+	`defmodule MyAppWeb.OAuthController do`
+	`use MyAppWeb, :controller`
+
+	`alias MyApp.Accounts`
+	`alias MyAppWeb.UserAuth`
+
+	`@doc """`
+	`Initiates the OAuth flow by redirecting to the provider's authorization URL.`
+	`"""`
+	`def request(conn, %{"provider" => provider}) do`
+	`provider_atom = String.to_existing_atom(provider)`
+	`config = get_provider_config(provider_atom)`
+
+	`redirect_uri = url(~p"/auth/#{provider}/callback")`
+	`config = Keyword.put(config, :redirect_uri, redirect_uri)`
+
+	`case config[:strategy].authorize_url(config) do`
+	`{:ok, %{url: url, session_params: session_params}} ->`
+	`conn`
+	`\|> put_session(:oauth_session_params, session_params)`
+	`\|> put_session(:oauth_provider, provider)`
+	`\|> redirect(external: url)`
+
+	`{:error, reason} ->`
+	`conn`
+	`\|> put_flash(:error, "Failed to start OAuth: #{inspect(reason)}")`
+	`\|> redirect(to: ~p"/users/log-in")`
+	`end`
+	`rescue`
+	`ArgumentError ->`
+	`conn`
+	`\|> put_flash(:error, "Unknown OAuth provider")`
+	`\|> redirect(to: ~p"/users/log-in")`
+	`end`
+
+	`@doc """`
+	`Handles the OAuth callback from the provider.`
+	`"""`
+	`def callback(conn, %{"provider" => provider} = params) do`
+	`provider_atom = String.to_existing_atom(provider)`
+	`config = get_provider_config(provider_atom)`
+	`session_params = get_session(conn, :oauth_session_params) \|\| %{}`
+
+	`redirect_uri = url(~p"/auth/#{provider}/callback")`
+	`config = Keyword.put(config, :redirect_uri, redirect_uri)`
+	`config = Keyword.put(config, :session_params, session_params)`
+
+	`with {:ok, %{user: user_info, token: _token}} <- config[:strategy].callback(config, params),`
+	`provider_uid <- get_provider_uid(user_info),`
+	`{:ok, user} <- Accounts.find_or_create_oauth_user(provider, provider_uid, user_info) do`
+	`conn`
+	`\|> delete_session(:oauth_session_params)`
+	`\|> delete_session(:oauth_provider)`
+	`\|> UserAuth.log_in_user(user, %{"remember_me" => "true"})`
+	`else`
+	`{:error, %Ecto.Changeset{} = changeset} ->`
+	`errors = Ecto.Changeset.traverse_errors(changeset, fn {msg, _} -> msg end)`
+
+	`conn`
+	`\|> put_flash(:error, "Failed to sign in: #{inspect(errors)}")`
+	`\|> redirect(to: ~p"/users/log-in")`
+
+	`{:error, reason} ->`
+	`conn`
+	`\|> put_flash(:error, "Authentication failed: #{inspect(reason)}")`
+	`\|> redirect(to: ~p"/users/log-in")`
+	`end`
+	`rescue`
+	`ArgumentError ->`
+	`conn`
+	`\|> put_flash(:error, "Unknown OAuth provider")`
+	`\|> redirect(to: ~p"/users/log-in")`
+	`end`
+
+	`defp get_provider_config(provider) do`
+	`providers = Application.get_env(:my_app, :oauth_providers, [])`
+
+	`case Keyword.get(providers, provider) do`
+	`nil -> raise ArgumentError, "Unknown provider: #{provider}"`
+	`config -> config`
+	`end`
+	`end`
+
+	`defp get_provider_uid(%{"sub" => sub}), do: sub`
+	`defp get_provider_uid(%{sub: sub}), do: sub`
+	`end`

Login LiveView

The login page conditionally displays OAuth buttons when providers are configured. The buttons appear above the email/password form with an "or continue with email" divider.

The mount/3 callback checks which providers are configured using oauth_provider_configured?/1 and assigns boolean flags ( google_oauth? , apple_oauth? ) to control button visibility.

lib/my_app_web/live/user_live/login.ex

	`-35,6 +35,13 @@ defmodule MyAppWeb.UserLive.Login do`
	`</div>`
	`</div>`

+	`<div :if={@google_oauth? or @apple_oauth?} class="flex flex-col gap-3">`
+	`<.google_button :if={@google_oauth?} href={~p"/auth/google"} />`
+	`<.apple_button :if={@apple_oauth?} href={~p"/auth/apple"} />`
+	`</div>`
+
+	`<div :if={@google_oauth? or @apple_oauth?} class="divider">or continue with email</div>`
+
	`<.form`
	`:let={f}`
	`for={@form}`
	`-100,7 +107,13 @@ defmodule MyAppWeb.UserLive.Login do`

	`form = to_form(%{"email" => email}, as: "user")`

-	`{:ok, assign(socket, form: form, trigger_submit: false)}`
+	`{:ok,`
+	`assign(socket,`
+	`form: form,`
+	`trigger_submit: false,`
+	`google_oauth?: Accounts.oauth_provider_configured?(:google),`
+	`apple_oauth?: Accounts.oauth_provider_configured?(:apple)`
+	`)}`
	`end`

	`@impl true`

Registration LiveView

Similar to the login page, registration shows OAuth buttons when configured. The divider text reads "or register with email" to match the registration context.

lib/my_app_web/live/user_live/registration.ex Reveal

	`-22,6 +22,13 @@ defmodule MyAppWeb.UserLive.Registration do`
	`</.header>`
	`</div>`

+	`<div :if={@google_oauth? or @apple_oauth?} class="flex flex-col gap-3">`
+	`<.google_button :if={@google_oauth?} href={~p"/auth/google"} />`
+	`<.apple_button :if={@apple_oauth?} href={~p"/auth/apple"} />`
+	`</div>`
+
+	`<div :if={@google_oauth? or @apple_oauth?} class="divider">or register with email</div>`
+
	`<.form for={@form} id="registration_form" phx-submit="save" phx-change="validate">`
	`<.input`
	`field={@form[:email]}`
	`-50,7 +57,13 @@ defmodule MyAppWeb.UserLive.Registration do`
	`def mount(_params, _session, socket) do`
	`changeset = Accounts.change_user_email(%User{}, %{}, validate_unique: false)`

-	`{:ok, assign_form(socket, changeset), temporary_assigns: [form: nil]}`
+	`socket =`
+	`socket`
+	`\|> assign(google_oauth?: Accounts.oauth_provider_configured?(:google))`
+	`\|> assign(apple_oauth?: Accounts.oauth_provider_configured?(:apple))`
+	`\|> assign_form(changeset)`
+
+	`{:ok, socket, temporary_assigns: [form: nil]}`
	`end`

	`@impl true`

Settings LiveView - Connected accounts

The settings page adds a "Connected Accounts" section showing:

The can_unlink assign determines whether unlink buttons appear. Users can unlink if they have a password OR more than one identity.

The handle_event("unlink_identity", ...) callback processes unlink requests, verifies sudo mode, and updates the UI after successful unlinking.

lib/my_app_web/live/user_live/settings.ex Reveal

	`-62,6 +62,48 @@ defmodule MyAppWeb.UserLive.Settings do`
	`Save Password`
	`</.button>`
	`</.form>`
+
+	`<div class="divider" />`
+
+	`<.header>`
+	`Connected Accounts`
+	`</.header>`
+
+	`<div class="space-y-3">`
+	`<div`
+	`:for={identity <- @identities}`
+	`class="flex items-center justify-between p-3 bg-base-200 rounded-lg"`
+	`>`
+	`<div class="flex items-center gap-3">`
+	`<span class="font-medium capitalize">{identity.provider}</span>`
+	`<span :if={identity.provider_email} class="text-sm text-base-content/70">`
+	`({identity.provider_email})`
+	`</span>`
+	`</div>`
+	`<.button`
+	`:if={@can_unlink}`
+	`class="btn btn-ghost btn-sm"`
+	`phx-click="unlink_identity"`
+	`phx-value-provider={identity.provider}`
+	`data-confirm={"Are you sure you want to unlink your #{identity.provider} account?"}`
+	`>`
+	`Unlink`
+	`</.button>`
+	`</div>`
+
+	`<p :if={@identities == []} class="text-base-content/70">No connected accounts.</p>`
+
+	`<div :if={@google_oauth? or @apple_oauth?} class="mt-4 flex flex-col gap-3">`
+	`<.google_button`
+	`:if={@google_oauth? and not Enum.any?(@identities, &(&1.provider == "google"))}`
+	`href={~p"/auth/google"}`
+	`/>`
+	`<.apple_button`
+	`:if={@apple_oauth? and not Enum.any?(@identities, &(&1.provider == "apple"))}`
+	`href={~p"/auth/apple"}`
+	`/>`
+	`</div>`
+	`</div>`
	`</Layouts.app>`
	`"""`
	`end`
	`-84,6 +126,10 @@ defmodule MyAppWeb.UserLive.Settings do`
	`user = socket.assigns.current_scope.user`
	`email_changeset = Accounts.change_user_email(user, %{}, validate_unique: false)`
	`password_changeset = Accounts.change_user_password(user, %{}, hash_password: false)`
+	`identities = Accounts.list_user_identities(user)`
+
+	`# User can unlink if they have a password OR more than one identity`
+	`can_unlink = not is_nil(user.hashed_password) or length(identities) > 1`

	`socket =`
	`socket`
	`-91,6 +137,10 @@ defmodule MyAppWeb.UserLive.Settings do`
	`\|> assign(:email_form, to_form(email_changeset))`
	`\|> assign(:password_form, to_form(password_changeset))`
	`\|> assign(:trigger_submit, false)`
+	`\|> assign(:identities, identities)`
+	`\|> assign(:can_unlink, can_unlink)`
+	`\|> assign(:google_oauth?, Accounts.oauth_provider_configured?(:google))`
+	`\|> assign(:apple_oauth?, Accounts.oauth_provider_configured?(:apple))`

	`{:ok, socket}`
	`end`
	`-154,4 +204,32 @@ defmodule MyAppWeb.UserLive.Settings do`
	`{:noreply, assign(socket, password_form: to_form(changeset, action: :insert))}`
	`end`
	`end`
+
+	`def handle_event("unlink_identity", %{"provider" => provider}, socket) do`
+	`user = socket.assigns.current_scope.user`
+	`true = Accounts.sudo_mode?(user)`
+
+	`case Accounts.unlink_identity(user, provider) do`
+	`{:ok, _identity} ->`
+	`identities = Accounts.list_user_identities(user)`
+	`can_unlink = not is_nil(user.hashed_password) or length(identities) > 1`
+
+	`{:noreply,`
+	`socket`
+	`\|> assign(:identities, identities)`
+	`\|> assign(:can_unlink, can_unlink)`
+	`\|> put_flash(:info, "#{String.capitalize(provider)} account unlinked.")}`
+
+	`{:error, :not_found} ->`
+	`{:noreply, put_flash(socket, :error, "Account not found.")}`
+
+	`{:error, :cannot_unlink} ->`
+	`{:noreply,`
+	`put_flash(`
+	`socket,`
+	`:error,`
+	`"Cannot unlink this account. You need at least one way to sign in."`
+	`)}`
+	`end`
+	`end`
	`end`

Router configuration

OAuth routes are added in their own scope under /auth :

The routes use dynamic :provider segments, supporting any configured provider without additional routing changes.

lib/my_app_web/router.ex Reveal

	`-13,6 +13,15 @@ defmodule MyAppWeb.Router do`
	`plug :fetch_current_scope_for_user`
	`end`

+	`pipeline :browser_no_csrf do`
+	`plug :accepts, ["html"]`
+	`plug :fetch_session`
+	`plug :fetch_live_flash`
+	`plug :put_root_layout, html: {MyAppWeb.Layouts, :root}`
+	`plug :put_secure_browser_headers`
+	`plug :fetch_current_scope_for_user`
+	`end`
+
	`pipeline :api do`
	`plug :accepts, ["json"]`
	`end`
	`-45,6 +54,20 @@ defmodule MyAppWeb.Router do`
	`end`
	`end`

+	`## OAuth routes`
+
+	`scope "/auth", MyAppWeb do`
+	`pipe_through :browser`
+
+	`get "/:provider", OAuthController, :request`
+	`end`
+
+	`scope "/auth", MyAppWeb do`
+	`pipe_through :browser_no_csrf`
+
+	`match :*, "/:provider/callback", OAuthController, :callback`
+	`end`
+
	`## Authentication routes`

	`scope "/", MyAppWeb do`

priv/repo/migrations/20260130065924_create_user_identities.exs Reveal

	`-0,0 +1,19 @@`
+	`defmodule MyApp.Repo.Migrations.CreateUserIdentities do`
+	`use Ecto.Migration`
+
+	`def change do`
+	`create table(:user_identities, primary_key: false) do`
+	`add :id, :binary_id, primary_key: true`
+	`add :provider, :string, null: false`
+	`add :provider_uid, :string, null: false`
+	`add :provider_email, :string`
+	`add :provider_data, :map, default: %{}`
+	`add :user_id, references(:users, type: :binary_id, on_delete: :delete_all), null: false`
+
+	`timestamps(type: :utc_datetime)`
+	`end`
+
+	`create unique_index(:user_identities, [:provider, :provider_uid])`
+	`create index(:user_identities, [:user_id])`
+	`end`
+	`end`

test/my_app/accounts_test.exs Reveal

	`-394,4 +394,137 @@ defmodule MyApp.AccountsTest do`
	`refute inspect(%User{password: "123456"}) =~ "password: \"123456\""`
	`end`
	`end`
+
+	`describe "oauth_provider_configured?/1" do`
+	`test "returns true when provider is configured" do`
+	`Application.put_env(:my_app, :oauth_providers, google: [client_id: "test"])`
+	`assert Accounts.oauth_provider_configured?(:google)`
+	`after`
+	`Application.delete_env(:my_app, :oauth_providers)`
+	`end`
+
+	`test "returns false when provider is not configured" do`
+	`Application.put_env(:my_app, :oauth_providers, [])`
+	`refute Accounts.oauth_provider_configured?(:google)`
+	`after`
+	`Application.delete_env(:my_app, :oauth_providers)`
+	`end`
+
+	`test "returns false when no providers are configured" do`
+	`Application.delete_env(:my_app, :oauth_providers)`
+	`refute Accounts.oauth_provider_configured?(:google)`
+	`end`
+	`end`
+
+	`describe "find_or_create_oauth_user/3" do`
+	`test "returns existing user when identity already exists" do`
+	`user = user_fixture()`
+	`_identity = user_identity_fixture(user, provider: "google", provider_uid: "123")`
+
+	`user_info = oauth_user_info(user.email)`
+	`{:ok, found_user} = Accounts.find_or_create_oauth_user("google", "123", user_info)`
+
+	`assert found_user.id == user.id`
+	`# Should not create a new identity`
+	`assert length(Accounts.list_user_identities(user)) == 1`
+	`end`
+
+	`test "links identity to existing user when email matches" do`
+	`user = user_fixture()`
+	`user_info = oauth_user_info(user.email)`
+
+	`{:ok, found_user} = Accounts.find_or_create_oauth_user("google", "new_uid", user_info)`
+
+	`assert found_user.id == user.id`
+	`identities = Accounts.list_user_identities(user)`
+	`assert length(identities) == 1`
+	`assert hd(identities).provider == "google"`
+	`assert hd(identities).provider_uid == "new_uid"`
+	`end`
+
+	`test "creates new user and identity when no match found" do`
+	`email = unique_user_email()`
+	`user_info = oauth_user_info(email)`
+
+	`{:ok, new_user} = Accounts.find_or_create_oauth_user("google", "brand_new_uid", user_info)`
+
+	`assert new_user.email == email`
+	`assert new_user.confirmed_at != nil`
+	`identities = Accounts.list_user_identities(new_user)`
+	`assert length(identities) == 1`
+	`assert hd(identities).provider == "google"`
+	`end`
+
+	`test "new oauth user is automatically confirmed" do`
+	`user_info = oauth_user_info()`
+	`{:ok, user} = Accounts.find_or_create_oauth_user("google", "uid_123", user_info)`
+
+	`assert user.confirmed_at != nil`
+	`end`
+	`end`
+
+	`describe "list_user_identities/1" do`
+	`test "returns empty list when user has no identities" do`
+	`user = user_fixture()`
+	`assert Accounts.list_user_identities(user) == []`
+	`end`
+
+	`test "returns all identities for user" do`
+	`user = user_fixture()`
+	`user_identity_fixture(user, provider: "google", provider_uid: "g123")`
+	`user_identity_fixture(user, provider: "apple", provider_uid: "a123")`
+
+	`identities = Accounts.list_user_identities(user)`
+	`assert length(identities) == 2`
+	`providers = Enum.map(identities, & &1.provider)`
+	`assert "google" in providers`
+	`assert "apple" in providers`
+	`end`
+
+	`test "does not return other users' identities" do`
+	`user1 = user_fixture()`
+	`user2 = user_fixture()`
+	`user_identity_fixture(user1, provider: "google", provider_uid: "g1")`
+	`user_identity_fixture(user2, provider: "google", provider_uid: "g2")`
+
+	`identities = Accounts.list_user_identities(user1)`
+	`assert length(identities) == 1`
+	`assert hd(identities).provider_uid == "g1"`
+	`end`
+	`end`
+
+	`describe "unlink_identity/2" do`
+	`test "removes identity when user has password" do`
+	`user = user_fixture() \|> set_password()`
+	`user_identity_fixture(user, provider: "google")`
+
+	`assert {:ok, _} = Accounts.unlink_identity(user, "google")`
+	`assert Accounts.list_user_identities(user) == []`
+	`end`
+
+	`test "removes identity when user has multiple identities" do`
+	`user = user_fixture()`
+	`user_identity_fixture(user, provider: "google", provider_uid: "g1")`
+	`user_identity_fixture(user, provider: "apple", provider_uid: "a1")`
+
+	`assert {:ok, _} = Accounts.unlink_identity(user, "google")`
+
+	`identities = Accounts.list_user_identities(user)`
+	`assert length(identities) == 1`
+	`assert hd(identities).provider == "apple"`
+	`end`
+
+	`test "returns error when identity not found" do`
+	`user = user_fixture()`
+	`assert {:error, :not_found} = Accounts.unlink_identity(user, "google")`
+	`end`
+
+	`test "returns error when user would be locked out" do`
+	`user = user_fixture()`
+	`user_identity_fixture(user, provider: "google")`
+
+	`# User has no password and only one identity`
+	`assert {:error, :cannot_unlink} = Accounts.unlink_identity(user, "google")`
+	`end`
+	`end`
	`end`

test/my_app_web/controllers/oauth_controller_test.exs Reveal

	`-0,0 +1,181 @@`
+	`defmodule MyAppWeb.OAuthControllerTest do`
+	`use MyAppWeb.ConnCase, async: true`
+
+	`import MyApp.AccountsFixtures`
+
+	`alias MyApp.Accounts`
+
+	`setup do`
+	`# Configure a mock OAuth provider for testing`
+	`Application.put_env(:my_app, :oauth_providers,`
+	`google: [`
+	`strategy: MyAppWeb.OAuthControllerTest.MockStrategy,`
+	`client_id: "test_client_id",`
+	`client_secret: "test_client_secret"`
+	`]`
+	`)`
+
+	`on_exit(fn ->`
+	`Application.delete_env(:my_app, :oauth_providers)`
+	`end)`
+
+	`%{user: user_fixture()}`
+	`end`
+
+	`describe "GET /auth/:provider (request)" do`
+	`test "redirects to OAuth provider", %{conn: conn} do`
+	`conn = get(conn, ~p"/auth/google")`
+
+	`assert redirected_to(conn) =~ "https://accounts.google.com/o/oauth2/v2/auth"`
+	`assert get_session(conn, :oauth_session_params)`
+	`assert get_session(conn, :oauth_provider) == "google"`
+	`end`
+
+	`test "redirects to login with error for unknown provider", %{conn: conn} do`
+	`conn = get(conn, ~p"/auth/unknown")`
+
+	`assert redirected_to(conn) == ~p"/users/log-in"`
+	`assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Unknown OAuth provider"`
+	`end`
+	`end`
+
+	`describe "GET /auth/:provider/callback" do`
+	`test "creates new user and logs them in", %{conn: conn} do`
+	`email = unique_user_email()`
+
+	`conn =`
+	`conn`
+	`\|> init_test_session(`
+	`oauth_session_params: %{state: "test_state"},`
+	`oauth_provider: "google"`
+	`)`
+	`\|> get(~p"/auth/google/callback", %{`
+	`"code" => "test_code",`
+	`"state" => "test_state",`
+	`"_mock_email" => email,`
+	`"_mock_sub" => "google_123"`
+	`})`
+
+	`assert get_session(conn, :user_token)`
+	`assert redirected_to(conn) == ~p"/"`
+
+	`# Verify user was created`
+	`user = Accounts.get_user_by_email(email)`
+	`assert user`
+	`assert user.confirmed_at`
+	`end`
+
+	`test "logs in existing user when identity exists", %{conn: conn, user: user} do`
+	`_identity = user_identity_fixture(user, provider: "google", provider_uid: "existing_123")`
+
+	`conn =`
+	`conn`
+	`\|> init_test_session(`
+	`oauth_session_params: %{state: "test_state"},`
+	`oauth_provider: "google"`
+	`)`
+	`\|> get(~p"/auth/google/callback", %{`
+	`"code" => "test_code",`
+	`"state" => "test_state",`
+	`"_mock_email" => user.email,`
+	`"_mock_sub" => "existing_123"`
+	`})`
+
+	`assert get_session(conn, :user_token)`
+	`assert redirected_to(conn) == ~p"/"`
+	`end`
+
+	`test "links identity to existing user with matching email", %{conn: conn, user: user} do`
+	`conn =`
+	`conn`
+	`\|> init_test_session(`
+	`oauth_session_params: %{state: "test_state"},`
+	`oauth_provider: "google"`
+	`)`
+	`\|> get(~p"/auth/google/callback", %{`
+	`"code" => "test_code",`
+	`"state" => "test_state",`
+	`"_mock_email" => user.email,`
+	`"_mock_sub" => "new_google_id"`
+	`})`
+
+	`assert get_session(conn, :user_token)`
+	`assert redirected_to(conn) == ~p"/"`
+
+	`# Verify identity was linked`
+	`identities = Accounts.list_user_identities(user)`
+	`assert length(identities) == 1`
+	`assert hd(identities).provider_uid == "new_google_id"`
+	`end`
+
+	`test "redirects to login with error for unknown provider", %{conn: conn} do`
+	`conn =`
+	`conn`
+	`\|> init_test_session(oauth_session_params: %{})`
+	`\|> get(~p"/auth/unknown/callback", %{"code" => "test"})`
+
+	`assert redirected_to(conn) == ~p"/users/log-in"`
+	`assert Phoenix.Flash.get(conn.assigns.flash, :error) == "Unknown OAuth provider"`
+	`end`
+
+	`test "redirects to login with error on OAuth failure", %{conn: conn} do`
+	`conn =`
+	`conn`
+	`\|> init_test_session(`
+	`oauth_session_params: %{state: "test_state"},`
+	`oauth_provider: "google"`
+	`)`
+	`\|> get(~p"/auth/google/callback", %{`
+	`"error" => "access_denied",`
+	`"state" => "test_state",`
+	`"_mock_error" => "access_denied"`
+	`})`
+
+	`assert redirected_to(conn) == ~p"/users/log-in"`
+	`assert Phoenix.Flash.get(conn.assigns.flash, :error) =~ "Authentication failed"`
+	`end`
+	`end`
+
+	`# Mock strategy for testing OAuth flows`
+	`defmodule MockStrategy do`
+	`@behaviour Assent.Strategy`
+
+	`@impl true`
+	`def authorize_url(config) do`
+	`state = Base.encode64(:crypto.strong_rand_bytes(16))`
+
+	`url =`
+	`"https://accounts.google.com/o/oauth2/v2/auth?" <>`
+	`URI.encode_query(%{`
+	`client_id: config[:client_id],`
+	`redirect_uri: config[:redirect_uri],`
+	`state: state`
+	`})`
+
+	`{:ok, %{url: url, session_params: %{state: state}}}`
+	`end`
+
+	`@impl true`
+	`def callback(_config, params) do`
+	`if params["_mock_error"] do`
+	`{:error, params["_mock_error"]}`
+	`else`
+	`email = params["_mock_email"] \|\| "test_#{System.unique_integer()}@example.com"`
+	`sub = params["_mock_sub"] \|\| "mock_sub_#{System.unique_integer()}"`
+
+	`{:ok,`
+	`%{`
+	`user: %{`
+	`"sub" => sub,`
+	`"email" => email,`
+	`"name" => "Test User"`
+	`},`
+	`token: %{`
+	`"access_token" => "mock_access_token",`
+	`"token_type" => "Bearer"`
+	`}`
+	`}}`
+	`end`
+	`end`
+	`end`
+	`end`

test/support/fixtures/accounts_fixtures.ex Reveal

	`-86,4 +86,31 @@ defmodule MyApp.AccountsFixtures do`
	`set: [inserted_at: dt, authenticated_at: dt]`
	`)`
	`end`
+
+	`def user_identity_fixture(user, attrs \\ %{}) do`
+	`attrs =`
+	`Enum.into(attrs, %{`
+	`provider: "google",`
+	`provider_uid: "google_#{System.unique_integer()}",`
+	`provider_email: user.email,`
+	`provider_data: %{"sub" => "google_123", "email" => user.email}`
+	`})`
+
+	`{:ok, identity} =`
+	`%Accounts.UserIdentity{}`
+	`\|> Accounts.UserIdentity.changeset(Map.put(attrs, :user_id, user.id))`
+	`\|> MyApp.Repo.insert()`
+
+	`identity`
+	`end`
+
+	`def oauth_user_info(email \\ nil) do`
+	`email = email \|\| unique_user_email()`
+
+	`%{`
+	`"sub" => "oauth_#{System.unique_integer()}",`
+	`"email" => email,`
+	`"name" => "Test User"`
+	`}`
+	`end`
	`end`

OAuth

Jump to file