OIDC.Auth (oidc v0.5.0)
Create and verify OpenID Connect challenges for a specific OP
Summary
Functions
Generates an OpenID Connect challenge, or raises an exception if a mandatory parameter is missing
Generates an OpenID Connect request URI from a challenge and associated options
Verifies an OpenID Connect challenge against the OP's response
Types
challenge_opt() ::
  {:acr_values, [OIDC.acr()]}
  | {:claims, OIDC.claims()}
  | {:client_config, module()}
  | {:client_id, OIDC.client_id()}
  | {:display, String.t()}
  | {:id_token_iat_max_time_gap, non_neg_integer()}
  | {:issuer, OIDC.issuer()}
  | {:login_hint, String.t()}
  | {:max_age, non_neg_integer()}
  | {:oauth2_metadata_updater_opts, Keyword.t()}
  | {:prompt, String.t()}
  | {:redirect_uri, String.t()}
  | {:response_mode, OIDC.response_mode()}
  | {:response_type, OIDC.response_type()}
  | {:scope, [OIDC.scope()]}
  | {:server_metadata, OIDC.server_metadata()}
  | {:ui_locales, [OIDC.ui_locale()]}
  | {:use_nonce, :when_mandatory | :always}

challenge_opts() :: [challenge_opt()]

verify_opt() ::
  {:jti_register, module()}
  | {:tesla_auth_middleware_opts, Keyword.t()}
  | {:tesla_middlewares, [Tesla.Client.middleware()]}

verify_opts() :: [verify_opt()]
Functions
gen_challenge(challenge_opts()) :: OIDC.Auth.Challenge.t() | no_return()

Generates an OpenID Connect challenge, or raises an exception if a mandatory parameter is missing.

This challenge is to be stored and passed back to verify_challenge/2 when the user agent is redirected back from the OpenID Provider.

Note that a code verifier (PKCE) is automatically generated when the OP supports it and the response type requests a code.
Options

- :acr_values: voluntary set of ACRs to be requested via the "acr_values" parameter
- :claims: claims requested in the "claims" parameter
- :client_config [Mandatory]: a module that implements the OIDC.Auth.ClientConfig behaviour
- :client_id [Mandatory]: the client id of the application using this library and initiating the request
- :display: the display OpenID Connect parameter (mostly unused)
- :id_token_iat_max_time_gap: maximum time gap, in seconds, to accept between an ID token's "iat" and the current time. Defaults to 0
- :issuer [Mandatory]: the OpenID Provider (OP) issuer. Metadata and JWKs are automatically retrieved from it
- :login_hint: the login hint OpenID Connect parameter
- :max_age: the max age OpenID Connect parameter
- :oauth2_metadata_updater_opts: options that will be passed to Oauth2MetadataUpdater
- :prompt: the prompt OpenID Connect parameter
- :redirect_uri [Mandatory]: the redirect URI the OP has to use for the redirect
- :response_mode: one of "query", "fragment", "form_post" or nil, which means that the OP decides the response mode
- :response_type [Mandatory]: one of "code", "id_token", "id_token token", "code token", "code id_token" or "code id_token token"
- :scope: a list of scopes ([String.t()]) to be requested. The "openid" scope is automatically requested
- :server_metadata: server metadata that takes precedence over the metadata automatically retrieved from the OP configuration (requested from the issuer). Useful when the OP does not support OpenID Connect discovery, or to override one or more parameters
- :ui_locales: the ui locales OpenID Connect parameter
- :use_nonce: one of :when_mandatory [Default], where a nonce is included when using the implicit and hybrid flows, or :always, which always includes a nonce (i.e. also in the code flow, in which it is optional)
request_uri(OIDC.Auth.Challenge.t(), challenge_opts()) :: URI.t()

Generates an OpenID Connect request URI from a challenge and the associated options.
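The following is an added example of the login step (challenge generation plus request URI), not code from the oidc library or its documentation. It assumes a module MyApp.OIDCClientConfig that implements the OIDC.Auth.ClientConfig behaviour (its callbacks are not shown), an application running under Plug with a session plug in the pipeline, and placeholder values for the issuer, client id and redirect URI.

```elixir
# Added example (not part of the oidc library or its docs). Assumptions:
#   - MyApp.OIDCClientConfig implements the OIDC.Auth.ClientConfig behaviour
#   - the app runs under Plug and Plug.Session has already been fetched
#   - issuer, client id and redirect URI are placeholders
defmodule MyApp.OIDCLogin do
  @issuer "https://op.example.com"                       # placeholder OP issuer
  @client_id "my-client-id"                              # placeholder client id
  @redirect_uri "https://app.example.com/auth/callback"  # placeholder callback

  # One option list is shared by gen_challenge/1 and request_uri/2 so the
  # authorization URI is built from exactly the options that produced the
  # challenge it will later be verified against.
  def challenge_opts do
    [
      client_config: MyApp.OIDCClientConfig,
      client_id: @client_id,
      issuer: @issuer,
      redirect_uri: @redirect_uri,
      # Authorization code flow; the library generates a PKCE code verifier
      # itself when the OP advertises support for it.
      response_type: "code",
      response_mode: "query",
      # "openid" is added by the library; only the additional scopes go here.
      scope: ["profile", "email"],
      # A nonce is optional in the code flow, but it binds the ID token to
      # this browser session, so request one unconditionally.
      use_nonce: :always,
      # Accept up to 30 s of clock skew between the OP and this server.
      id_token_iat_max_time_gap: 30
    ]
  end

  # Builds the challenge, keeps it server-side for the callback step, and
  # redirects the user agent to the OP's authorization endpoint.
  def start_login(%Plug.Conn{} = conn) do
    opts = challenge_opts()
    challenge = OIDC.Auth.gen_challenge(opts)
    auth_uri = OIDC.Auth.request_uri(challenge, opts)

    conn
    |> Plug.Conn.put_session(:oidc_challenge, challenge)
    |> Plug.Conn.put_resp_header("location", URI.to_string(auth_uri))
    |> Plug.Conn.send_resp(302, "")
  end
end
```

The challenge holds the state, nonce and code verifier the callback must be checked against, so it is stored in the server-side session rather than sent to the client; whichever session store is used, the challenge should be readable only by the server that created it.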
verify_response(op_response(), OIDC.Auth.Challenge.t(), verify_opts()) :: {:ok, OIDC.Auth.OPResponseSuccess.t()} | {:error, OIDC.Auth.OPResponseError.t()} | {:error, Exception.t()}

Verifies an OpenID Connect challenge against the OP's response.

Options

- :jti_register: a module implementing the JTIRegister behaviour, used to check against ID token replay
- :tesla_middlewares: Tesla middlewares added to outbound requests (for example requests to the token endpoint)
- :tesla_auth_middleware_opts: additional Keyword.t() options to be passed to the TeslaOAuth2ClientAuth authentication middleware
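The following is an added example of the callback step, not code from the oidc library or its documentation. It assumes that op_response() is the map of parameters the OP sent back (conn.params for the "query" or "form_post" response modes), that MyApp.JTIRegister implements the JTIRegister behaviour (not shown), and that the login step stored the challenge under :oidc_challenge in the Plug session.

```elixir
# Added example (not part of the oidc library or its docs). Assumptions:
#   - op_response() is the map of parameters returned by the OP, i.e.
#     conn.params for response_mode "query" or "form_post"
#   - MyApp.JTIRegister implements the JTIRegister behaviour
#   - the challenge was stored under :oidc_challenge in the Plug session
defmodule MyApp.OIDCCallback do
  require Logger

  @verify_opts [
    # Reject an ID token whose jti has already been seen (replay).
    jti_register: MyApp.JTIRegister,
    # Bound the back-channel call to the token endpoint.
    tesla_middlewares: [{Tesla.Middleware.Timeout, timeout: 5_000}]
  ]

  # Returns {conn, {:ok, success} | {:error, reason}}. The challenge is
  # removed from the session before verification in every case, so a
  # replayed callback cannot be verified twice against the same challenge.
  def verify_callback(%Plug.Conn{} = conn) do
    case Plug.Conn.get_session(conn, :oidc_challenge) do
      nil ->
        # No pending challenge for this session: unsolicited or replayed callback.
        {conn, {:error, :no_pending_challenge}}

      %OIDC.Auth.Challenge{} = challenge ->
        conn = Plug.Conn.delete_session(conn, :oidc_challenge)
        {conn, verify(conn.params, challenge)}
    end
  end

  defp verify(params, challenge) do
    case OIDC.Auth.verify_response(params, challenge, @verify_opts) do
      {:ok, %OIDC.Auth.OPResponseSuccess{} = success} ->
        {:ok, success}

      {:error, %OIDC.Auth.OPResponseError{} = op_error} ->
        # The OP itself answered with an error response (e.g. the user
        # declined); nothing to verify locally.
        Logger.info("OIDC: OP returned an error response: #{inspect(op_error)}")
        {:error, :op_error}

      {:error, exception} when is_exception(exception) ->
        # Local verification failed: state or nonce mismatch, bad signature,
        # wrong issuer, expired or replayed ID token, token endpoint failure.
        Logger.error("OIDC: response verification failed: #{Exception.message(exception)}")
        {:error, :verification_failed}
    end
  end
end
```

Both error branches return an opaque atom so the controller can show the same generic failure page whatever went wrong, while the detailed reason goes to the server log where it can be correlated with the OP's own records.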