OIDC.Auth (oidc v0.5.0)

Create and verify OpenID Connect challenges for a specific OP

Summary

Functions

Generates an OpenID Connect challenge or raises an exception if a parameter is missing

Generates an OpenID Connect request URI from a challenge and associated options

Verifies an OpenID Connect challenge against the OP's response

Types

Specs

challenge_opt() ::
  {:acr_values, [OIDC.acr()]}
  | {:claims, OIDC.claims()}
  | {:client_config, module()}
  | {:client_id, OIDC.client_id()}
  | {:display, String.t()}
  | {:id_token_iat_max_time_gap, non_neg_integer()}
  | {:issuer, OIDC.issuer()}
  | {:login_hint, String.t()}
  | {:max_age, non_neg_integer()}
  | {:oauth2_metadata_updater_opts, Keyword.t()}
  | {:prompt, String.t()}
  | {:redirect_uri, String.t()}
  | {:response_mode, OIDC.response_mode()}
  | {:response_type, OIDC.response_type()}
  | {:scope, [OIDC.scope()]}
  | {:server_metadata, OIDC.server_metadata()}
  | {:ui_locales, [OIDC.ui_locale()]}
  | {:use_nonce, :when_mandatory | :always}

Specs

challenge_opts() :: [challenge_opt()]

Specs

op_response() :: %{optional(String.t()) => any()}

Specs

verify_opt() ::
  {:jti_register, module()}
  | {:tesla_auth_middleware_opts, Keyword.t()}
  | {:tesla_middlewares, [Tesla.Client.middleware()]}

Specs

verify_opts() :: [verify_opt()]

Functions

Specs

gen_challenge(challenge_opts()) :: OIDC.Auth.Challenge.t() | no_return()

Generates an OpenID Connect challenge or raises an exception if a parameter is missing

This challenge is to be passed back to verify_challenge/2 when redirected back from the OpenID Provider

Note that a code verifier is automatically generated when supported by the OP and a code is requested by the response type.

Options

  • :acr_values: voluntary set of ACRs to be requested via the "acr_values" parameter
  • :claims: claims requested in the "claims" parameter
  • :client_config [Mandatory]: a module that implements the OIDC.Auth.ClientConfig behaviour
  • :client_id [Mandatory]: the client id of the application using this library and initiating the request
  • :display: the display OpenID Connect parameter (mostly unused)
  • :id_token_iat_max_time_gap: max time gap to accept an ID token, in seconds. Defaults to 0
  • :issuer [Mandatory]: the OpenID Provider (OP) issuer. Metadata and JWKs are automatically retrieved from it
  • :login_hint: the login hint OpenID Connect parameter
  • :max_age: the max age OpenID Connect parameter
  • :oauth2_metadata_updater_opts: options that will be passed to Oauth2MetadataUpdater
  • :prompt: the prompt OpenID Connect parameter
  • :redirect_uri [Mandatory]: the redirect URI the OP has to use for redirect
  • :response_mode: one of:
    • "query"
    • "fragment"
    • "form_post"
    • nil which means that the OP decides for the response mode
  • :response_type [Mandatory]: one of:
    • "code"
    • "id_token"
    • "id_token token"
    • "code token"
    • "code id_token"
    • "code id_token token"
  • :scope: a list of scopes ([String.t()]) to be requested. The "openid" scope is automatically requested
  • :server_metadata: server metadata that takes precedence over the metadata automatically retrieved from the OP configuration (requested from the issuer). Useful when the OP does not support OpenID Connect discovery, or to override one or more parameters
  • :ui_locales: the ui locales OpenID Connect parameter
  • :use_nonce: one of:
    • :when_mandatory [Default]: a nonce is included when using the implicit and hybrid flows
    • :always: always include a nonce (i.e. also in the code flow in which it is optional)

request_uri(challenge, opts)


Specs

request_uri(OIDC.Auth.Challenge.t(), challenge_opts()) :: URI.t()

Generates an OpenID Connect request URI from a challenge and associated options


verify_response(op_response, challenge, verify_opts \\ [])


Specs

Verifies an OpenID Connect challenge against the OP's response

Options

  • :jti_register: a module implementing the JTIRegister behaviour, used to check against ID token replay
  • :tesla_middlewares: Tesla middlewares added to outbound requests (for example requests to the token endpoint)
  • :tesla_auth_middleware_opts: additional Keyword.t() options to be passed as options to the TeslaOAuth2ClientAuth authentication middleware
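The three functions above form one login flow: gen_challenge/1 before the redirect, request_uri/2 to build the URI the user-agent is sent to, and verify_response/3 on the callback. The following is an added example of a relying-party module wiring them together; it is not part of the oidc library or its documentation. Assumed names: MyApp.OIDCClientConfig (a module implementing the OIDC.Auth.ClientConfig behaviour), MyApp.JTIRegister (a module implementing the JTIRegister behaviour), the example.com hosts, and the `{:ok, _}` / `{:error, _}` return shape of verify_response/3, which this page does not specify.

```elixir
# Added example, not code from the oidc library. Assumed: MyApp.OIDCClientConfig
# implements OIDC.Auth.ClientConfig, MyApp.JTIRegister implements JTIRegister,
# and verify_response/3 returns {:ok, _} or {:error, _} (shape not given on this page).
defmodule MyApp.OIDCLogin do
  @challenge_opts [
    client_config: MyApp.OIDCClientConfig,
    client_id: "my-client-id",
    issuer: "https://op.example.com",
    redirect_uri: "https://rp.example.com/auth/callback",
    response_type: "code",
    # "openid" is added automatically; only additional scopes are listed here
    scope: ["profile", "email"],
    # a nonce is optional in the code flow; request one anyway so the ID token is bound
    # to this login attempt
    use_nonce: :always,
    # tolerate 30 s of clock skew on the ID token's iat claim (default is 0)
    id_token_iat_max_time_gap: 30
  ]

  @doc """
  Step 1: build the challenge and the authorization request URI.

  The challenge holds the per-login secrets (state, nonce and, since a code is
  requested, the automatically generated PKCE code verifier). It must be kept
  server-side, here in the session map, because step 2 needs it again.
  gen_challenge/1 raises if a mandatory option is missing, so that is surfaced
  as an error tuple rather than a crash in the request path.
  """
  def start(session) when is_map(session) do
    try do
      challenge = OIDC.Auth.gen_challenge(@challenge_opts)
      uri = OIDC.Auth.request_uri(challenge, @challenge_opts)
      {:ok, URI.to_string(uri), Map.put(session, :oidc_challenge, challenge)}
    rescue
      e -> {:error, e}
    end
  end

  @doc """
  Step 2: on the callback, verify the OP's response against the stored challenge.

  `op_response` is the decoded query, fragment or form_post parameters as a
  string-keyed map (the op_response() type above). The challenge is removed from
  the session whatever the outcome, so a single challenge can never be replayed
  against a second callback. The JTI register lets the library reject an ID
  token that has already been seen.
  """
  def finish(session, op_response) when is_map(session) and is_map(op_response) do
    case Map.pop(session, :oidc_challenge) do
      {nil, _session} ->
        {:error, :no_pending_challenge, session}

      {challenge, session_without_challenge} ->
        result =
          OIDC.Auth.verify_response(op_response, challenge,
            jti_register: MyApp.JTIRegister
          )

        case result do
          {:ok, verified} -> {:ok, verified, session_without_challenge}
          {:error, reason} -> {:error, reason, session_without_challenge}
        end
    end
  end
end
```

In a Plug-based application `start/1` would be called from the login action with the session map and its URI passed to a redirect, and `finish/2` from the callback action with the decoded params; both return the updated session so the caller can write it back. Storing the whole challenge, rather than only the state value, is what makes the nonce and PKCE checks performed by verify_response/3 possible.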