APIacAuthBearer.Validator.JWT (apiac_auth_bearer v2.0.0)
An implementation of RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.
This validator accepts the following options:
- `:issuer` [mandatory]: an OAuth2 issuer whose metadata and keys will be resolved automatically
- `:client_config`: a `(APIacAuthBearer.Validator.opts() -> %{required(String.t()) => any()})` function that returns the RS (resource server) configuration; it is used when access tokens are encrypted. The returned map must contain the following fields:
  - `"at_encrypted_response_alg"` [mandatory]: the algorithm used to decrypt the bearer token
  - `"jwks"` [mandatory]: the RS's symmetric or asymmetric keys used to decrypt the token

  For example:

  ```elixir
  %{
    "at_encrypted_response_alg" => "ECDH-ES",
    "jwks" => %{
      "keys" => [
        %{
          "crv" => "P-256",
          "d" => "cNX22qgnyRI_3Ue6-2HRENiomTR6XzDK-VWtF9KJd5I",
          "kty" => "EC",
          "x" => "Kg0BnGxocTYC6X2kSdzEM61G-h-l70d-Xq97ZMq7RWY",
          "y" => "htuiRWbDtzeZyAvezbWE31oEZiorhQiCa-792CWmPdY"
        }
      ]
    }
  }
  ```

  The `"d"` member of an EC JWK is the private key, which is what the RS needs in order to decrypt tokens. It must be kept secret: load it from secure configuration at runtime rather than committing it with the code.
- `:oauth2_metadata_updater_opts`: options that will be passed to `Oauth2MetadataUpdater`
- `:server_metadata`: server metadata that takes precedence over the metadata automatically retrieved from the issuer. Useful when the OP does not support OAuth2 metadata or OpenID Connect discovery, or to override one or more parameters
Note that the `"at_encrypted_response_alg"` parameter is not registered with IANA. An OAuth2 RS is not specified as an OAuth2 client: some AS implementations treat it as a special case of a client, but the specifications do not. This library uses the names `:client_config` and `"at_encrypted_response_alg"` to make it easier to use with backends that do treat RSes as a special type of OAuth2 client.
The `APIacAuthBearer` `:resource_indicator` option is also mandatory for this validator, since the specification requires the RS to check the access token's `aud` claim against its own identifier.
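The following is an added example of wiring this validator into a Plug router, including a `:client_config` function for encrypted access tokens. It is not code from the apiac_auth_bearer project. The validator options (`:issuer`, `:client_config`) and the `:resource_indicator` option are the ones documented above; the remaining plug option names (`:bearer_validator`, `:required_scopes`), the `MyAPI` module names, the `AT_DECRYPTION_JWK` environment variable and the use of `Jason` for JSON decoding are assumptions and should be checked against the APIacAuthBearer documentation and your own application.

```elixir
# Added example, not part of the apiac_auth_bearer documentation or code base.
# Assumed: the APIacAuthBearer plug accepts :bearer_validator as a
# {module, options} tuple and :required_scopes as a list of scopes.
defmodule MyAPI.Router do
  use Plug.Router

  plug APIacAuthBearer,
    bearer_validator:
      {APIacAuthBearer.Validator.JWT,
       [
         # Metadata (including the signing keys) is resolved from this issuer.
         issuer: "https://as.example.com",
         # Only needed when the AS issues encrypted (JWE) access tokens.
         client_config: &MyAPI.RSConfig.client_config/1
       ]},
    # Mandatory for this validator: the token's "aud" must match this value.
    resource_indicator: "https://api.example.com",
    required_scopes: ["articles:read"]

  plug :match
  plug :dispatch

  get "/articles" do
    send_resp(conn, 200, "ok")
  end
end

defmodule MyAPI.RSConfig do
  # Returns the RS configuration consumed by the validator when access tokens
  # are encrypted. The JWK holding the private "d" member is read from the
  # application environment so that it is never committed with the source.
  @spec client_config(APIacAuthBearer.Validator.opts()) ::
          %{required(String.t()) => any()}
  def client_config(_validator_opts) do
    %{
      "at_encrypted_response_alg" => "ECDH-ES",
      "jwks" => %{"keys" => [Application.fetch_env!(:my_api, :at_decryption_jwk)]}
    }
  end
end

# config/runtime.exs (assumed layout): the decryption JWK is injected through
# an environment variable (assumed name) and decoded with Jason (assumed dep).
# config :my_api,
#   at_decryption_jwk: Jason.decode!(System.fetch_env!("AT_DECRYPTION_JWK"))
```

Keeping the private JWK out of the repository is the point of the indirection: the documented example embeds the `"d"` value directly, which is convenient for illustration but means anyone with read access to the source can decrypt every access token issued to this RS.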