TeslaOAuth2ClientAuth.PrivateKeyJWT (tesla_oauth2_client_auth v1.0.0)

Tesla middleware that implements the "private_key_jwt" client authentication method of OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication): the client authenticates to the token endpoint with a JWT it signs with its own private key.

The client configuration must contain a "jwks" member whose value is a list of JWKs that includes the client's private keys. This middleware signs the JWT with the first private signing key in that list that is usable with the selected signature algorithm (a key whose "use" or "alg" member does not match is skipped).

To determine the signature algorithm to use, this middleware:

  • uses the client's "token_endpoint_auth_signing_alg" value if present, and checks it against the server metadata "token_endpoint_auth_signing_alg_values_supported"
  • otherwise uses the server metadata "token_endpoint_auth_signing_alg_values_supported" and picks one algorithm that is suitable for signing with a private key (asymmetric algorithms only; "none" and the HMAC-based "HS*" algorithms are not usable for this scheme)
  • otherwise raises

The options of this middleware are:

  • :jwt_lifetime: the lifetime of the JWT in seconds, i.e. the distance between its "exp" claim and issuance time. Defaults to 30
  • :jwt_jti_callback: a (TeslaOAuth2ClientAuth.opts() -> String.t()) function that returns the "jti" field of the JWT. Defaults to a random 16-byte base64-encoded string
  • :jwt_additional_claims: claims added to the JWT. They take precedence over the default claims
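The following is an added example, not code from tesla_oauth2_client_auth, that walks through the behaviour described on this page: selecting the signature algorithm in the three steps above, picking the first private JWK that fits it, and building the "private_key_jwt" client assertion with the documented defaults (30-second lifetime, random 16-byte base64 "jti", additional claims overriding defaults). It assumes the `jose` Hex package is available (the `JOSE.*` calls are its public API); the module name `PrivateKeyJWTExample`, the functions `choose_alg/2`, `find_signing_key/2` and `build_assertion/3`, and the sample client configuration and server metadata are all illustrative, not the middleware's own.

```elixir
# Added example, not part of tesla_oauth2_client_auth. Assumes the `jose` Hex
# package. Module and function names are illustrative only.
defmodule PrivateKeyJWTExample do
  # Asymmetric JWS algorithms usable for private_key_jwt. "none" and the HMAC
  # family are deliberately excluded: HS* belongs to client_secret_jwt.
  @asymmetric_algs ~w(RS256 RS384 RS512 PS256 PS384 PS512 ES256 ES384 ES512 EdDSA)

  @doc "Client alg if set (checked against the server), else first suitable server alg, else raise."
  def choose_alg(client_config, server_metadata) do
    supported = Map.get(server_metadata, "token_endpoint_auth_signing_alg_values_supported", [])

    case Map.get(client_config, "token_endpoint_auth_signing_alg") do
      nil ->
        Enum.find(supported, &(&1 in @asymmetric_algs)) ||
          raise "no suitable signing algorithm in token_endpoint_auth_signing_alg_values_supported"

      alg when alg in @asymmetric_algs ->
        if alg in supported, do: alg, else: raise "alg #{alg} not supported by the server"

      alg ->
        raise "#{alg} is not an asymmetric signing algorithm"
    end
  end

  @doc "First private JWK in the client's \"jwks\" list that can sign with `alg`."
  def find_signing_key(%{"jwks" => jwks}, alg) do
    Enum.find(jwks, &key_fits?(&1, alg)) || raise "no private JWK in \"jwks\" matches #{alg}"
  end

  # A usable key has a private component ("d"), a compatible key type/curve,
  # and neither a conflicting "use" nor a conflicting "alg" member.
  defp key_fits?(%{"d" => _} = jwk, alg) do
    Map.get(jwk, "use", "sig") == "sig" and Map.get(jwk, "alg", alg) == alg and
      kty_matches?(jwk, alg)
  end
  defp key_fits?(_public_only, _alg), do: false

  defp kty_matches?(%{"kty" => "RSA"}, "RS" <> _), do: true
  defp kty_matches?(%{"kty" => "RSA"}, "PS" <> _), do: true
  defp kty_matches?(%{"kty" => "EC", "crv" => "P-256"}, "ES256"), do: true
  defp kty_matches?(%{"kty" => "EC", "crv" => "P-384"}, "ES384"), do: true
  defp kty_matches?(%{"kty" => "EC", "crv" => "P-521"}, "ES512"), do: true
  defp kty_matches?(%{"kty" => "OKP"}, "EdDSA"), do: true
  defp kty_matches?(_, _), do: false

  @doc "Builds the compact client assertion; options mirror :jwt_lifetime, :jwt_jti_callback, :jwt_additional_claims."
  def build_assertion(client_config, server_metadata, opts \\ []) do
    alg = choose_alg(client_config, server_metadata)
    jwk_map = find_signing_key(client_config, alg)
    now = System.system_time(:second)
    lifetime = Keyword.get(opts, :jwt_lifetime, 30)
    jti_fun = Keyword.get(opts, :jwt_jti_callback, fn _opts -> default_jti() end)

    # Claims required by OpenID Connect Core 1.0 for private_key_jwt: "iss" and
    # "sub" are the client_id, "aud" identifies the authorization server (the
    # token endpoint URL is the recommended value), plus "jti" and "exp".
    default_claims = %{
      "iss" => client_config["client_id"],
      "sub" => client_config["client_id"],
      "aud" => server_metadata["token_endpoint"],
      "jti" => jti_fun.(opts),
      "iat" => now,
      "exp" => now + lifetime
    }

    # Additional claims take precedence over the defaults, as documented.
    claims = Map.merge(default_claims, Keyword.get(opts, :jwt_additional_claims, %{}))
    header = %{"alg" => alg, "typ" => "JWT"} |> maybe_put("kid", jwk_map["kid"])

    {_, compact} =
      jwk_map
      |> JOSE.JWK.from_map()
      |> JOSE.JWT.sign(header, claims)
      |> JOSE.JWS.compact()

    compact
  end

  # Default "jti": 16 random bytes, base64 encoded, as the page states.
  defp default_jti, do: :crypto.strong_rand_bytes(16) |> Base.encode64()

  defp maybe_put(map, _k, nil), do: map
  defp maybe_put(map, k, v), do: Map.put(map, k, v)
end

# Constructed sample input: a freshly generated P-256 private key as the client's
# "jwks", and minimal server metadata. The server list deliberately starts with
# "none" and "HS256" to show they are skipped in favour of "ES256".
{_, private_jwk} = JOSE.JWK.generate_key({:ec, "P-256"}) |> JOSE.JWK.to_map()
private_jwk = Map.put(private_jwk, "kid", "client-key-1")
client_config = %{"client_id" => "my-client", "jwks" => [private_jwk]}

server_metadata = %{
  "issuer" => "https://as.example.com",
  "token_endpoint" => "https://as.example.com/token",
  "token_endpoint_auth_signing_alg_values_supported" => ["none", "HS256", "ES256", "RS256"]
}

"ES256" = PrivateKeyJWTExample.choose_alg(client_config, server_metadata)
assertion = PrivateKeyJWTExample.build_assertion(client_config, server_metadata, jwt_lifetime: 60)

# What the authorization server does on the other side: verify with the public
# half, pinning the expected algorithm, then check the claims.
{_, public_jwk} = JOSE.JWK.from_map(private_jwk) |> JOSE.JWK.to_public() |> JOSE.JWK.to_map()
{true, %JOSE.JWT{fields: claims}, _jws} =
  JOSE.JWT.verify_strict(JOSE.JWK.from_map(public_jwk), ["ES256"], assertion)

"https://as.example.com/token" = claims["aud"]
"my-client" = claims["iss"]
60 = claims["exp"] - claims["iat"]
```

Two points worth noting from the example: the verifier pins the allowed algorithm list rather than trusting the "alg" header, and the algorithm chooser never returns "none" or an "HS*" value even when the server advertises them, because neither can be backed by a private key.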