flwr_oauth2
Types
This type is returned by this module for a parsed access token response.
pub type AccessTokenResponse {
  TokenErrorResponse(
    status: Int,
    error: String,
    error_description: option.Option(String),
    error_uri: option.Option(String),
  )
  AccessTokenResponse(
    access_token: String,
    token_type: String,
    expires_in: option.Option(Int),
    refresh_token: option.Option(String),
    scope: List(String),
  )
}
Constructors
- TokenErrorResponse(status: Int, error: String, error_description: option.Option(String), error_uri: option.Option(String))
  If the access token response contains errors, a TokenErrorResponse will be returned. It contains the HTTP status, the error code string, and optionally an error description and an error URI.
- AccessTokenResponse(access_token: String, token_type: String, expires_in: option.Option(Int), refresh_token: option.Option(String), scope: List(String))
  If the access token request was successful, an AccessTokenResponse is returned. It contains the access token, its type, the time when it will expire, a refresh token if present, and the final scope.
Defines a redirect URL as specified by RFC6749 Authorization Code Grant.
pub type AuthorizationCodeGrantRedirectUri {
  AuthorizationCodeGrantRedirectUri(
    oauth_server: uri.Uri,
    response_type: ResponseType,
    redirect_uri: option.Option(uri.Uri),
    client_id: ClientId,
    scope: List(String),
    state: option.Option(State),
  )
  AuthorizationCodeGrantRedirectUriWithPKCE(
    oauth_server: uri.Uri,
    response_type: ResponseType,
    redirect_uri: option.Option(uri.Uri),
    client_id: ClientId,
    scope: List(String),
    state: option.Option(State),
    code_challenge: String,
  )
}
Constructors
- AuthorizationCodeGrantRedirectUri(oauth_server: uri.Uri, response_type: ResponseType, redirect_uri: option.Option(uri.Uri), client_id: ClientId, scope: List(String), state: option.Option(State))
  Represents a standard redirect URL without any extensions.
- AuthorizationCodeGrantRedirectUriWithPKCE(oauth_server: uri.Uri, response_type: ResponseType, redirect_uri: option.Option(uri.Uri), client_id: ClientId, scope: List(String), state: option.Option(State), code_challenge: String)
  Represents a redirect URL with a PKCE code challenge. See RFC7636.
The type of client authentication that should be used with the OAuth 2.0 Server. An OAuth 2.0 Server can support multiple kinds of client authentication. When the incorrect kind is used, the OAuth 2.0 Server will respond with an error. For the error information see RFC6749 Error Response.
pub type ClientAuthentication {
  ClientSecretBasic(client_id: ClientId, client_secret: Secret)
  ClientSecretPost(client_id: ClientId, client_secret: Secret)
  PublicAuthentication(client_id: ClientId)
}
Constructors
- ClientSecretBasic(client_id: ClientId, client_secret: Secret)
  Use this type if the OAuth 2.0 Server accepts HTTP Basic authentication, which sets the Authorization header in the HTTP request. For example:
  Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
- ClientSecretPost(client_id: ClientId, client_secret: Secret)
  Use this type if the OAuth 2.0 Server accepts the credentials via a POST request. In that case the credentials are sent URL encoded. For example:
  client_id=asdf&client_secret=hjkl
- PublicAuthentication(client_id: ClientId)
  Use this type if the client is public and there is no client secret to be included.
Type to indicate the client ID. Mostly used to have type-safe parameters, so that client ID, client secret, etc. are not mixed up. See RFC6749.
pub type ClientId {
  ClientId(value: String)
}
Constructors
- ClientId(value: String)
Errors returned by this module
pub type Error {
  SecretExpired
  InvalidUri
}
Constructors
- SecretExpired
  Will be returned if an expired secret is used.
- InvalidUri
  Will be returned if an invalid URL is provided.
Type to indicate the response type of the authorization code and implicit grant. Must always be “code” for the authorization code grant and always be “token” for the implicit grant. For more information see RFC6749.
pub type ResponseType {
  Code
  Token
}
Constructors
- Code
- Token
Type alias for the scope. A scope is a list of strings. See RFC6749.
pub type Scope =
  List(String)
Type to indicate the client secret. Mostly used to have type-safe parameters, so that client ID, client secret, etc. are not mixed up. See RFC6749.
pub type Secret {
  Secret(value: String)
  SecretWithExpiration(
    value: String,
    expires_at: timestamp.Timestamp,
  )
}
Constructors
- Secret(value: String)
  A normal OAuth 2.0 client secret.
- SecretWithExpiration(value: String, expires_at: timestamp.Timestamp)
  A client secret with an expiration date attached. Can be used to check if the secret expired.
Type to indicate the state. Mostly used to have type-safe parameters, so that other string parameters are not mixed up. See RFC6749.
pub type State {
  State(value: String)
}
Constructors
- State(value: String)
The essential requests of OAuth 2.0. The token request includes all the different Grant Types defined in RFC6749.
pub type TokenRequest {
  AuthorizationCodeGrantTokenRequest(
    token_endpoint: uri.Uri,
    authentication: ClientAuthentication,
    redirect_uri: option.Option(uri.Uri),
    code: String,
  )
  AuthorizationCodeGrantTokenRequestWithPKCE(
    token_endpoint: uri.Uri,
    authentication: ClientAuthentication,
    redirect_uri: option.Option(uri.Uri),
    code: String,
    code_verifier: String,
  )
  ResourceOwnerCredentialsGrantTokenRequest(
    token_endpoint: uri.Uri,
    authentication: ClientAuthentication,
    username: String,
    password: String,
    scope: List(String),
  )
  RefreshTokenGrantRequest(
    token_endpoint: uri.Uri,
    authentication: ClientAuthentication,
    refresh_token: String,
    scope: List(String),
  )
  ClientCredentialsGrantTokenRequest(
    token_endpoint: uri.Uri,
    authentication: ClientAuthentication,
    scope: List(String),
  )
}
Constructors
- AuthorizationCodeGrantTokenRequest(token_endpoint: uri.Uri, authentication: ClientAuthentication, redirect_uri: option.Option(uri.Uri), code: String)
  A token request for the Authorization Code Grant Type. Use the AuthorizationCodeGrantRedirectUri to retrieve the code. See RFC6749 Authorization Code Grant.
- AuthorizationCodeGrantTokenRequestWithPKCE(token_endpoint: uri.Uri, authentication: ClientAuthentication, redirect_uri: option.Option(uri.Uri), code: String, code_verifier: String)
  A token request for the Authorization Code Grant Type with a PKCE code verifier. Use the AuthorizationCodeGrantRedirectUri to retrieve the code. See RFC6749 Authorization Code Grant and RFC7636.
- ResourceOwnerCredentialsGrantTokenRequest(token_endpoint: uri.Uri, authentication: ClientAuthentication, username: String, password: String, scope: List(String))
  A token request for the Resource Owner Password Grant Type. See RFC6749 Resource Owner Password Grant.
- RefreshTokenGrantRequest(token_endpoint: uri.Uri, authentication: ClientAuthentication, refresh_token: String, scope: List(String))
  This token request is used to refresh an expired access token. After a successful token request, the OAuth 2.0 Server can respond with an access token and/or a refresh token. The refresh token can be used to get a new access token. See RFC6749 Refreshing an Access Token.
- ClientCredentialsGrantTokenRequest(token_endpoint: uri.Uri, authentication: ClientAuthentication, scope: List(String))
  This token request is used to retrieve an access token using the client ID and client secret. See RFC6749 Client Credentials Grant.
Values
pub fn make_redirect_uri(
  redirect_config: AuthorizationCodeGrantRedirectUri,
) -> uri.Uri
Creates the URI that the resource owner should be redirected to.
pub fn parse_scope(scope: String) -> List(String)
Parses a string containing the space-separated scopes.
Example
parse_scope("scope1 scope2")
pub fn parse_token_response(
  response: response.Response(String),
) -> Result(AccessTokenResponse, json.DecodeError)
Parses a token response and returns the access and refresh token if the response is valid, otherwise the error response.
pub fn random_state(length: Int) -> State
Generates a random State with the specified length, including only uppercase and lowercase letters. If length <= 0, returns an empty string.
pub fn secret_is_valid(secret: Secret) -> Bool
Checks if a given secret is not expired. Always returns true for secrets that cannot expire.
pub fn to_http_request(
  request: TokenRequest,
) -> Result(request.Request(String), Error)
Creates an HTTP request from the given TokenRequest, but does not send it. Sending the request is done by the user of the function.
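An added example, not part of the flwr_oauth2 documentation, showing how the PKCE constructors above fit together: the code_challenge given to make_redirect_uri is derived from the code_verifier that is later sent through to_http_request, and the state is checked before the code is redeemed. It assumes oauth_server is the provider's authorization endpoint, that the provider expects the S256 challenge method from RFC7636 (this page does not state which code_challenge_method the library sends), and that the gleam_crypto package is available; Pending, begin_login, redeem, the client ID and the scopes are constructed for illustration.

```gleam
import flwr_oauth2 as oauth
import gleam/bit_array
import gleam/crypto
import gleam/option.{Some}
import gleam/result
import gleam/uri.{type Uri}

// What must stay in the user's session between redirect and callback.
pub type Pending {
  Pending(state: oauth.State, verifier: String, callback: Uri)
}

// Assumptions: `authorize` is the provider's authorization endpoint, the
// provider expects S256, and "example-client" plus the scopes are constructed.
pub fn begin_login(authorize: Uri, callback: Uri) -> #(Uri, Pending) {
  // RFC7636 S256: challenge = BASE64URL(SHA256(verifier)), unpadded.
  let verifier =
    bit_array.base64_url_encode(crypto.strong_random_bytes(32), False)
  let challenge =
    crypto.hash(crypto.Sha256, bit_array.from_string(verifier))
    |> bit_array.base64_url_encode(False)
  let state = oauth.random_state(32)
  let redirect =
    oauth.make_redirect_uri(oauth.AuthorizationCodeGrantRedirectUriWithPKCE(
      oauth_server: authorize,
      response_type: oauth.Code,
      redirect_uri: Some(callback),
      client_id: oauth.ClientId("example-client"),
      scope: ["openid", "profile"],
      state: Some(state),
      code_challenge: challenge,
    ))
  #(redirect, Pending(state, verifier, callback))
}

// Refuse a mismatched state, then build (not send) the token request.
pub fn redeem(token: Uri, pending: Pending, returned: String, code: String) {
  case returned == pending.state.value {
    False -> Error(Nil)
    True ->
      oauth.to_http_request(oauth.AuthorizationCodeGrantTokenRequestWithPKCE(
        token_endpoint: token,
        authentication: oauth.PublicAuthentication(oauth.ClientId("example-client")),
        redirect_uri: Some(pending.callback),
        code: code,
        code_verifier: pending.verifier,
      ))
      |> result.replace_error(Nil)
  }
}
```

The request returned by redeem still has to be sent with an HTTP client of your choice, and the reply passed to parse_token_response.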