oidcc_provider_configuration (Oidcc v3.2.0)

Tooling to load and parse OpenID Configuration

Records

To use the record, include its definition:

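  %% -include_lib/1 takes a single path string; a list of strings is rejected by the preprocessor.
  -include_lib("oidcc/include/oidcc_provider_configuration.hrl").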

Telemetry

See the Elixir module Oidcc.ProviderConfiguration.

Summary

Types

Configure configuration loading / parsing

Allow Specification Non-compliance

t/0

Record containing OpenID and OAuth 2.0 Configuration

Types


error/0

Since 3.0.0
-type error() ::
    invalid_content_type |
    {issuer_mismatch, Issuer :: binary()} |
    oidcc_decode_util:error() |
    oidcc_http_util:error().

opts/0

Since 3.0.0
-type opts() ::
    #{fallback_expiry => timeout(),
      request_opts => oidcc_http_util:request_opts(),
      quirks => quirks()}.

Configure configuration loading / parsing

Parameters

  • fallback_expiry - How long to keep the configuration cached if the server does not specify an expiry
  • request_opts - Options for the HTTP request
  • quirks - Allowed specification non-compliance; see quirks/0

quirks/0

Since 3.0.0
-type quirks() :: #{allow_unsafe_http => boolean(), document_overrides => map()}.

Allow Specification Non-compliance

Exceptions

  • allow_unsafe_http - Allow loading over plain (non-TLS) HTTP. Use this only for development providers and never in production.
  • document_overrides - A map to merge into the real OIDC discovery document, in case the OP left out some values.

t/0

Since 3.0.0
-type t() ::
    #oidcc_provider_configuration{issuer :: uri_string:uri_string(),
                                  authorization_endpoint :: uri_string:uri_string(),
                                  token_endpoint :: uri_string:uri_string() | undefined,
                                  userinfo_endpoint :: uri_string:uri_string() | undefined,
                                  jwks_uri :: uri_string:uri_string() | undefined,
                                  registration_endpoint :: uri_string:uri_string() | undefined,
                                  scopes_supported :: [binary()] | undefined,
                                  response_types_supported :: [binary()],
                                  response_modes_supported :: [binary()],
                                  grant_types_supported :: [binary()],
                                  acr_values_supported :: [binary()] | undefined,
                                  subject_types_supported :: [pairwise | public],
                                  id_token_signing_alg_values_supported :: [binary()],
                                  id_token_encryption_alg_values_supported ::
                                      [binary()] | undefined,
                                  id_token_encryption_enc_values_supported ::
                                      [binary()] | undefined,
                                  userinfo_signing_alg_values_supported :: [binary()] | undefined,
                                  userinfo_encryption_alg_values_supported ::
                                      [binary()] | undefined,
                                  userinfo_encryption_enc_values_supported ::
                                      [binary()] | undefined,
                                  request_object_signing_alg_values_supported ::
                                      [binary()] | undefined,
                                  request_object_encryption_alg_values_supported ::
                                      [binary()] | undefined,
                                  request_object_encryption_enc_values_supported ::
                                      [binary()] | undefined,
                                  token_endpoint_auth_methods_supported :: [binary()],
                                  token_endpoint_auth_signing_alg_values_supported ::
                                      [binary()] | undefined,
                                  display_values_supported :: [binary()] | undefined,
                                  claim_types_supported :: [normal | aggregated | distributed],
                                  claims_supported :: [binary()] | undefined,
                                  service_documentation :: uri_string:uri_string() | undefined,
                                  claims_locales_supported :: [binary()] | undefined,
                                  ui_locales_supported :: [binary()] | undefined,
                                  claims_parameter_supported :: boolean(),
                                  request_parameter_supported :: boolean(),
                                  request_uri_parameter_supported :: boolean(),
                                  require_request_uri_registration :: boolean(),
                                  op_policy_uri :: uri_string:uri_string() | undefined,
                                  op_tos_uri :: uri_string:uri_string() | undefined,
                                  revocation_endpoint :: uri_string:uri_string() | undefined,
                                  revocation_endpoint_auth_methods_supported :: [binary()],
                                  revocation_endpoint_auth_signing_alg_values_supported ::
                                      [binary()] | undefined,
                                  introspection_endpoint :: uri_string:uri_string() | undefined,
                                  introspection_endpoint_auth_methods_supported :: [binary()],
                                  introspection_endpoint_auth_signing_alg_values_supported ::
                                      [binary()] | undefined,
                                  code_challenge_methods_supported :: [binary()] | undefined,
                                  end_session_endpoint :: uri_string:uri_string() | undefined,
                                  require_pushed_authorization_requests :: boolean(),
                                  pushed_authorization_request_endpoint ::
                                      uri_string:uri_string() | undefined,
                                  authorization_signing_alg_values_supported ::
                                      [binary()] | undefined,
                                  authorization_encryption_alg_values_supported ::
                                      [binary()] | undefined,
                                  authorization_encryption_enc_values_supported ::
                                      [binary()] | undefined,
                                  authorization_response_iss_parameter_supported :: boolean(),
                                  dpop_signing_alg_values_supported :: [binary()] | undefined,
                                  require_signed_request_object :: boolean(),
                                  mtls_endpoint_aliases :: #{binary() => uri_string:uri_string()},
                                  extra_fields :: #{binary() => term()},
                                  tls_client_certificate_bound_access_tokens :: boolean()}.

Record containing OpenID and OAuth 2.0 Configuration

See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, https://datatracker.ietf.org/doc/html/draft-jones-oauth-discovery-01#section-4.1 and https://openid.net/specs/openid-connect-rpinitiated-1_0.html#OPMetadata

All unrecognized fields are stored in extra_fields.

Functions


decode_configuration(Configuration)

Since 3.0.0
-spec decode_configuration(Configuration) -> {ok, t()} | {error, error()} when Configuration :: map().

See also: decode_configuration/2.


decode_configuration(Configuration, Opts)

Since 3.1.0
-spec decode_configuration(Configuration, Opts) -> {ok, t()} | {error, error()}
                        when Configuration :: map(), Opts :: opts().

Decode an already JSON-decoded map into an oidcc_provider_configuration:t() record

Examples

  %% Fetch the discovery document. NOTE(review): httpc:request/1 runs with its
  %% default ssl options; confirm peer certificate verification is enabled on
  %% your OTP version before reusing this pattern outside an example.
  {ok, {{"HTTP/1.1",200,"OK"}, _Headers, Body}} =
    httpc:request("https://accounts.google.com/.well-known/openid-configuration"),
 
  %% Any JSON library producing a map() will do; that map is the Configuration argument.
  {ok, DecodedJson} = your_json_lib:decode(Body),
 
  %% decode_configuration/1 returns {ok, t()} | {error, error()}, so the record
  %% is matched directly.
  {ok, #oidcc_provider_configuration{}} =
    oidcc_provider_configuration:decode_configuration(DecodedJson).

load_configuration(Issuer)

Since 3.1.0
-spec load_configuration(Issuer) ->
                      {ok, {Configuration :: t(), Expiry :: pos_integer()}} | {error, error()}
                      when Issuer :: uri_string:uri_string().

See also: load_configuration/2.


load_configuration(Issuer, Opts)

Since 3.0.0
-spec load_configuration(Issuer, Opts) ->
                      {ok, {Configuration :: t(), Expiry :: pos_integer()}} | {error, error()}
                      when Issuer :: uri_string:uri_string(), Opts :: opts().

Load OpenID Configuration into an oidcc_provider_configuration:t() record

Examples

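  %% load_configuration/1 returns the decoded record together with the cache
  %% expiry (see the -spec above); matching {ok, #oidcc_provider_configuration{}}
  %% directly would fail with badmatch.
  {ok, {#oidcc_provider_configuration{}, _Expiry}} =
    oidcc_provider_configuration:load_configuration("https://accounts.google.com").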

load_jwks(JwksUri, Opts)

Since 3.0.0
-spec load_jwks(JwksUri, Opts) ->
             {ok, {Jwks :: jose_jwk:key(), Expiry :: pos_integer()}} | {error, term()}
             when JwksUri :: uri_string:uri_string(), Opts :: opts().

Load JWKs into a jose_jwk:key() record

Examples

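  %% load_jwks/2 takes an opts() map as its second argument (every key is
  %% optional, so #{} is valid) and returns the key set together with the cache
  %% expiry (see the -spec above).
  {ok, {#jose_jwk{}, _Expiry}} =
    oidcc_provider_configuration:load_jwks("https://www.googleapis.com/oauth2/v3/certs", #{}).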