OIDC.IDToken (oidc v0.5.0)

ID Token validation

Summary

Types

The ID token claims, for instance

The serialized ID Token, for instance

Data needed to verify an ID Token

Functions

Verifies a hash claim of an ID token

Verifies a hash claim of an ID token, if present in the ID token

Types

Specs

claims() :: %{optional(String.t()) => any()}

The ID token claims, for instance:

%{
  "aud" => "client_1",
  "exp" => 1588689766,
  "iat" => 1588689736,
  "iss" => "https://example.com",
  "sub" => "user_1"
}

Specs

serialized() :: String.t()

The serialized ID Token, for instance:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Specs

verification_data() :: %{
  :client_id => OIDC.client_id(),
  :issuer => OIDC.issuer(),
  optional(:auth_time_required) => boolean(),
  optional(:id_token_iat_max_time_gap) => non_neg_integer(),
  optional(:jti_register) => module(),
  optional(:mandatory_acrs) => [OIDC.acr()],
  optional(:nonce) => OIDC.nonce(),
  optional(:oauth2_metadata_updater_opts) => Keyword.t(),
  optional(:server_metadata) => OIDC.server_metadata(),
  optional(atom()) => any()
}

Data needed to verify an ID Token

Functions

verify(serialized_id_token, client_conf, verification_data)


Specs

verify(serialized(), OIDC.ClientConfig.t(), verification_data()) ::
  {:ok, {claims(), JOSEUtils.JWK.t()}} | {:error, Exception.t()}

Verifies an ID Token

This function verifies:

  • the signature of the ID Token
  • the standard claims against their validation rules and validation data:
    • "iss"
    • "aud"
    • "azp"
    • "exp"
    • "iat"
    • "nonce"
    • "acr"
    • "auth_time"

It also decrypts the ID token if it is encrypted.

It does not verify the "c_hash" and "at_hash" claims; see verify_hash/4 and verify_hash_if_present/4 for this.
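A worked example of how verify/3 and the two hash functions documented below fit together in a client, added here and not taken from the oidc library. It assumes: `client_conf` is whatever OIDC.ClientConfig.t() value the application already builds (its shape is not shown on this page, so it is passed through untouched); `id_token_iat_max_time_gap` is in seconds and `auth_time_required` means the "auth_time" claim must be present (my reading of the type spec, not confirmed by the page); the issuer and client_id reuse the sample claims above; `MyApp.IDTokenCheck`, `check_binding/4` and the `tokens` map are hypothetical names.

```elixir
# Added example; not part of the oidc library. Assumptions are marked inline.
defmodule MyApp.IDTokenCheck do
  @moduledoc """
  Verifies an ID token from the token endpoint, then binds it to the
  authorization code and access token of the same response through the
  "c_hash" and "at_hash" claims.
  """

  # `client_conf`   - OIDC.ClientConfig.t() built elsewhere; shape assumed opaque here.
  # `session_nonce` - the nonce this client generated for the authorization
  #                   request and stored server-side (never taken from the response).
  # `tokens`        - hypothetical map with :code and :access_token from the
  #                   token response; either may be absent depending on the flow.
  def verify_all(serialized_id_token, client_conf, session_nonce, tokens) do
    verification_data = %{
      # Same values as the sample claims on this page.
      client_id: "client_1",
      issuer: "https://example.com",
      # The ID token's "nonce" must equal the one we sent; this is what stops
      # an ID token captured from another session from being replayed here.
      nonce: session_nonce,
      # Assumed to be seconds: reject tokens whose "iat" is older than this.
      id_token_iat_max_time_gap: 60,
      # Assumed to require the "auth_time" claim to be present.
      auth_time_required: true
    }

    with {:ok, {claims, jwk}} <-
           OIDC.IDToken.verify(serialized_id_token, client_conf, verification_data),
         # verify/3 covers signature and standard claims only. The hash claims
         # tie this ID token to the other artifacts of the same response, and
         # the JWK returned by verify/3 is the one the hash checks require.
         :ok <- check_binding("at_hash", tokens[:access_token], claims, jwk),
         :ok <- check_binding("c_hash", tokens[:code], claims, jwk) do
      {:ok, claims}
    end
  end

  # No artifact of that kind in this response, so there is nothing to bind.
  defp check_binding(_claim_name, nil, _claims, _jwk), do: :ok

  # verify_hash_if_present/4 skips silently when the claim is absent; use
  # verify_hash/4 instead where your flow makes the claim mandatory.
  defp check_binding(claim_name, token, claims, jwk) do
    OIDC.IDToken.verify_hash_if_present(claim_name, token, claims, jwk)
  end
end
```

Because `with` returns the first non-matching value unchanged, any `{:error, exception}` from verify/3 or from a hash check is returned to the caller as-is, so the caller sees exactly which step failed.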


verify_hash(token_hash_name, token, claims, jwk)


Specs

verify_hash(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) ::
  :ok | {:error, Exception.t()}

Verifies a hash claim of an ID token

The token hash name is one of:

  • "c_hash"
  • "at_hash"

The jwk parameter is the JWK that was used to validate the ID token signature.


verify_hash_if_present(token_hash_name, token, claims, jwk)


Specs

verify_hash_if_present(String.t(), String.t(), claims(), JOSEUtils.JWK.t()) ::
  :ok | {:error, Exception.t()}

Verifies a hash claim of an ID token, if present in the ID token

The token hash name is one of:

  • "c_hash"
  • "at_hash"

The jwk parameter is the JWK that was used to validate the ID token signature.
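An added example, serving both verify_hash/4 and verify_hash_if_present/4 above, that shows the check these functions perform as specified in OpenID Connect Core 1.0 section 3.3.2.11: hash the token's ASCII octets with the hash function of the ID token's JWS algorithm, keep the left-most half, base64url-encode it without padding and compare it with the claim. This is not the oidc library's implementation: the library derives the hash function from the JWK that verified the signature, whereas this demo takes the already-verified `alg` string as a parameter, and `HashClaimDemo` and its function names are hypothetical. The values in `demo/0` are the RS256 example published in the spec's Appendix A.3.

```elixir
# Added example; not the oidc library's code. Reimplements the at_hash/c_hash
# check from OpenID Connect Core 1.0 §3.3.2.11 so the rule is visible.
defmodule HashClaimDemo do
  import Bitwise

  @doc "Hash function for a JWS alg such as \"RS256\", \"ES384\" or \"PS512\"."
  def digest_for_alg(alg) when is_binary(alg) do
    case String.slice(alg, -3, 3) do
      "256" -> {:ok, :sha256}
      "384" -> {:ok, :sha384}
      "512" -> {:ok, :sha512}
      _ -> {:error, {:unsupported_alg, alg}}
    end
  end

  @doc "Value a correct at_hash/c_hash must have for `token` under `alg`."
  def expected_hash(token, alg) when is_binary(token) do
    with {:ok, digest} <- digest_for_alg(alg) do
      full = :crypto.hash(digest, token)
      left_half = binary_part(full, 0, div(byte_size(full), 2))
      {:ok, Base.url_encode64(left_half, padding: false)}
    end
  end

  @doc """
  Same contract as OIDC.IDToken.verify_hash/4, with the verified `alg` in
  place of the JWK: :ok, or {:error, reason} when the claim is missing,
  malformed or does not match the token.
  """
  def verify_hash(claim_name, token, claims, alg) do
    with {:ok, claimed} <- fetch_claim(claims, claim_name),
         {:ok, expected} <- expected_hash(token, alg) do
      if secure_equal?(expected, claimed),
        do: :ok,
        else: {:error, {:hash_mismatch, claim_name}}
    end
  end

  @doc "Skips the check when the claim is absent, like verify_hash_if_present/4."
  def verify_hash_if_present(claim_name, token, claims, alg) do
    if Map.has_key?(claims, claim_name),
      do: verify_hash(claim_name, token, claims, alg),
      else: :ok
  end

  # Only a string claim can be a hash; anything else is treated as malformed
  # rather than silently accepted.
  defp fetch_claim(claims, name) do
    case Map.fetch(claims, name) do
      {:ok, value} when is_binary(value) -> {:ok, value}
      {:ok, _other} -> {:error, {:malformed_claim, name}}
      :error -> {:error, {:missing_claim, name}}
    end
  end

  # Constant-time comparison: the position of the first differing byte is not
  # observable through timing.
  defp secure_equal?(a, b) when byte_size(a) != byte_size(b), do: false

  defp secure_equal?(a, b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)
    |> Kernel.==(0)
  end

  @doc """
  Runs the spec's published RS256 example (OpenID Connect Core 1.0, Appendix
  A.3), then the same claim against a tampered token, then a claim that is
  absent from the ID token.
  """
  def demo do
    access_token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"
    claims = %{"at_hash" => "77QmUPtjPfzWtF2AnpK9RQ", "sub" => "user_1"}

    %{
      genuine: verify_hash("at_hash", access_token, claims, "RS256"),
      tampered: verify_hash("at_hash", access_token <> "x", claims, "RS256"),
      absent_claim: verify_hash_if_present("c_hash", "some-code", claims, "RS256")
    }
  end
end
```

The point to keep in mind when using the real functions is the reason they take the verifying JWK rather than an algorithm name: the hash function must come from the signature that was actually verified, never from an unverified JOSE header read separately, otherwise an attacker who controls the header could choose the comparison.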