ExMCP.Authorization.IdJag (ex_mcp v0.9.0)


ID-JAG (Identity JWT Authorization Grant) creation and validation.

ID-JAG is a JWT with typ="oauth-id-jag+jwt" that carries identity information from an IdP to an authorization server in the enterprise-managed authorization flow.

Summary

Functions

  • create(opts) - Creates and signs an ID-JAG JWT.
  • id_jag?(token) - Checks if a JWT has the ID-JAG typ header.
  • typ() - Returns the ID-JAG typ header value.
  • validate(token, opts) - Validates an ID-JAG JWT.

Functions

create(opts)

@spec create(keyword()) :: {:ok, String.t()} | {:error, term()}

Creates and signs an ID-JAG JWT.

Options

  • :private_key (required) - JWK private key for signing (IdP's key)
  • :issuer (required) - The IdP issuer identifier
  • :subject (required) - The user's subject identifier
  • :audience (required) - The authorization server's issuer URI
  • :resource (required) - The MCP server resource URI
  • :client_id (required) - The OAuth client identifier
  • :scope - Requested scope (optional)
  • :alg - Signing algorithm (default: "RS256")
  • :kid - Key ID to include in header
  • :lifetime - Token lifetime in seconds (default: 300)
  • :additional_claims - Extra claims to include

id_jag?(token)

@spec id_jag?(String.t()) :: boolean()

Checks if a JWT has the ID-JAG typ header.

typ()

Returns the ID-JAG typ header value.

validate(token, opts)

@spec validate(
  String.t(),
  keyword()
) :: {:ok, map()} | {:error, term()}

Validates an ID-JAG JWT.

Options

  • :idp_keys (required) - JWK or list of JWKs from the IdP
  • :expected_audience (required) - Expected audience (AS issuer)
  • :expected_resource (required) - Expected resource (MCP server URI)
  • :max_lifetime - Maximum allowed lifetime in seconds (default: 600)
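The following is an added example of the create/2 and validate/2 flow described above; it is not code from the ex_mcp project or its documentation. It assumes the JOSE library is available for generating the IdP key pair, that :private_key and :idp_keys accept a JOSE.JWK struct (the documented options only say "JWK"), and all issuer, audience, resource and client identifiers are constructed placeholders. The second validate/2 call shows the resource binding being enforced: the same token presented for a different MCP server resource is rejected.

```elixir
# Added example, not part of the ex_mcp documentation.
# Assumption: the JOSE library is present and :private_key / :idp_keys accept
# a JOSE.JWK struct. Identifiers below are constructed placeholders.
alias ExMCP.Authorization.IdJag

# IdP side: a constructed RSA signing key. In practice the AS would fetch the
# public half from the IdP's published JWK set rather than receive it inline.
idp_private_jwk = JOSE.JWK.generate_key({:rsa, 2048})
idp_public_jwk = JOSE.JWK.to_public(idp_private_jwk)

as_issuer = "https://as.example.com"
mcp_resource = "https://mcp.example.com"

# IdP side: mint a short-lived ID-JAG bound to one AS and one MCP resource.
{:ok, token} =
  IdJag.create(
    private_key: idp_private_jwk,
    issuer: "https://idp.example.com",
    subject: "user-1234",
    audience: as_issuer,
    resource: mcp_resource,
    client_id: "mcp-client",
    scope: "read",
    kid: "idp-key-1",
    lifetime: 300
  )

# Cheap pre-check before any signature work: reject anything that does not
# carry the ID-JAG typ header, so ordinary ID tokens are not processed here.
true = IdJag.id_jag?(token)

# AS side: verify the IdP signature and enforce the audience and resource
# bindings plus a ceiling on the token's lifetime.
{:ok, claims} =
  IdJag.validate(token,
    idp_keys: idp_public_jwk,
    expected_audience: as_issuer,
    expected_resource: mcp_resource,
    max_lifetime: 600
  )

IO.inspect(claims["sub"], label: "validated subject")

# The same token presented for a different MCP server must be refused; the
# resource claim ties the grant to the server it was issued for.
{:error, reason} =
  IdJag.validate(token,
    idp_keys: idp_public_jwk,
    expected_audience: as_issuer,
    expected_resource: "https://other-mcp.example.com"
  )

IO.inspect(reason, label: "rejected for wrong resource")
```

Keep :max_lifetime on the validating side at or below what the IdP is expected to issue; a token whose lifetime exceeds the ceiling is rejected even if its signature is valid, which limits the window in which a leaked grant can be presented.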