TeslaOAuth2ClientAuth.ClientSecretJWT (tesla_oauth2_client_auth v1.0.0)

Tesla middleware that implements the "client_secret_jwt" client authentication scheme of OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).

The client configuration must contain either a "client_secret" member whose value is the client secret (a String.t()), or a "jwks" member holding a JWK that is suited for signature and has a "kty" of "oct".

To determine the MAC algorithm to use, this middleware:

  • uses the client's "token_endpoint_auth_signing_alg" value if present, and checks it against the server metadata "token_endpoint_auth_signing_alg_values_supported"
  • otherwise uses the "token_endpoint_auth_signing_alg_values_supported" server metadata and picks one of its algorithms that is suitable for MACing
  • otherwise raises an error

Note that the body of the Tesla.Env must be a map, so that it can later be serialized by Tesla.Middleware.FormUrlencoded.

The options of this middleware are:

  • :jwt_lifetime: the lifetime of the JWT in seconds. Defaults to 30
  • :jwt_jti_callback: a (TeslaOAuth2ClientAuth.opts() -> String.t()) function that returns the "jti" field of the JWT. Defaults to a random 16-byte, base64-encoded string
  • :jwt_additional_claims: claims added to the JWT. They take precedence over the default claims
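The MAC algorithm selection rule and the JWT options described above, worked through in Python as an added example (not code from tesla_oauth2_client_auth, which is Elixir); it also shows the server-side check such an assertion has to pass. The client_conf/server_metadata maps, the "client-1" client id and the "s3cret" secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# JWA HMAC algorithms usable for client_secret_jwt; nothing else is acceptable here.
MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def select_mac_alg(client_conf, server_metadata):
    """Middleware rule: client's alg, checked against the server's list; else the first MAC alg the server lists; else fail."""
    supported = server_metadata.get("token_endpoint_auth_signing_alg_values_supported", [])
    alg = client_conf.get("token_endpoint_auth_signing_alg")
    if alg is not None:
        if alg not in supported or alg not in MAC_ALGS:
            raise ValueError(f"{alg} is not a MAC algorithm supported by the server")
        return alg
    for candidate in supported:
        if candidate in MAC_ALGS:
            return candidate
    raise ValueError("server lists no MAC algorithm usable for client_secret_jwt")

def _b64url(value):
    # Unpadded base64url; dicts are compact-JSON encoded first (JWS segments).
    if not isinstance(value, bytes):
        value = json.dumps(value, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(value).rstrip(b"=").decode()

def client_secret_jwt(client_conf, server_metadata, lifetime=30, jti=None, extra=None, now=None):
    """Build the client_assertion: iss/sub = client_id, aud = token endpoint, short exp."""
    alg = select_mac_alg(client_conf, server_metadata)
    now = int(time.time()) if now is None else now
    claims = {"iss": client_conf["client_id"], "sub": client_conf["client_id"],
              "aud": server_metadata["token_endpoint"], "jti": jti or _b64url(os.urandom(16)),
              "iat": now, "exp": now + lifetime}  # jti defaults to a random 16-byte value
    claims.update(extra or {})  # additional claims take precedence over the defaults
    signing_input = _b64url({"alg": alg, "typ": "JWT"}) + "." + _b64url(claims)
    mac = hmac.new(client_conf["client_secret"].encode(), signing_input.encode(), MAC_ALGS[alg])
    return signing_input + "." + _b64url(mac.digest())

def verify_client_secret_jwt(token, client_secret, token_endpoint, now=None):
    head, body, sig = token.split(".")
    decode = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    alg = decode(head).get("alg")
    if alg not in MAC_ALGS:  # refuse "none" and asymmetric algs announced in the header
        return False
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), MAC_ALGS[alg]).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):  # constant-time
        return False
    claims, now = decode(body), (int(time.time()) if now is None else now)
    return claims.get("aud") == token_endpoint and claims.get("exp", 0) > now
```

On the wire the token is sent in the form body as client_assertion, alongside client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer.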