Returns the qualified redirect-uri of an `openid-profile`.

Lens for the `expires` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Lens for the `extra-data` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Lens for the `id-token` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Lens for the `refresh-token` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Lens for the `token` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Lens for the `type` field from a [[AccessToken]] record. See [[active.clojure.openid/make-access-token]].

Is object a `AccessToken` record? See [[active.clojure.openid/make-access-token]].

Construct a `Authenticated` record.

`user-info`: access via [[active.clojure.openid/authenticated-user-info]]

Lens for the `user-info` field from a [[Authenticated]] record. See [[active.clojure.openid/authenticated]].

Is object a `Authenticated` record? See [[active.clojure.openid/authenticated]].

Construct a `AuthenticationStarted` record.

`state-profile-map`: access via [[active.clojure.openid/authentication-started-state-profile-map]]
`original-uri`: access via [[active.clojure.openid/authentication-started-original-uri]]

Lens for the `original-uri` field from a [[AuthenticationStarted]] record. See [[active.clojure.openid/authentication-started]].

Lens for the `state-profile-map` field from a [[AuthenticationStarted]] record. See [[active.clojure.openid/authentication-started]].

Is object a `AuthenticationStarted` record? See [[active.clojure.openid/authentication-started]].

Lens for the `name` field from a [[AvailableLogin]] record. See [[active.clojure.openid/make-available-login]].

Lens for the `uri` field from a [[AvailableLogin]] record. See [[active.clojure.openid/make-available-login]].

Is object a `AvailableLogin` record? See [[active.clojure.openid/make-available-login]].

This decodes user-info from the JWT of the access-token.
See configuration setting [[openid-config/openid-client-user-info-from]].

This fetches user info with another request to user-info endpoint.
See configuration setting [[openid-config/openid-client-user-info-from]].

Lens for the `availables` field from a [[Logins]] record. See [[active.clojure.openid/make-logins]].

Lens for the `state-profile-map` field from a [[Logins]] record. See [[active.clojure.openid/make-logins]].

Lens for the `unavailables` field from a [[Logins]] record. See [[active.clojure.openid/make-logins]].

Is object a `Logins` record? See [[active.clojure.openid/make-logins]].

Render a logout form from given `user-info`.  You need to POST to the IDP's
logout endpoint if the user's id-token is too large to be a parameter in a GET
request due to too many claims in the token.

Render a logout link from given `user-info`.  You can use this GET request to
the IDP's logout endpoint if the user's id-token is small enough to be a
parameter in a GET request when it does not include too many claims.

Construct a `AccessToken` record.

`token`: access via [[active.clojure.openid/access-token-token]]
`type`: access via [[active.clojure.openid/access-token-type]]
`refresh-token`: access via [[active.clojure.openid/access-token-refresh-token]]
`id-token`: access via [[active.clojure.openid/access-token-id-token]]
`expires`: access via [[active.clojure.openid/access-token-expires]]
`extra-data`: access via [[active.clojure.openid/access-token-extra-data]]

Construct a `AvailableLogin` record.

`uri`: access via [[active.clojure.openid/available-login-uri]]
`name`: access via [[active.clojure.openid/available-login-name]]

Construct a `Logins` record.

`state-profile-map`: access via [[active.clojure.openid/logins-state-profile-map]]
`availables`: access via [[active.clojure.openid/logins-availables]]
`unavailables`: access via [[active.clojure.openid/logins-unavailables]]

Construct a `NoAccessToken` record.

`error-message`: access via [[active.clojure.openid/no-access-token-error-message]]

Construct a `NoUserInfo` record.

`error-message`: access via [[active.clojure.openid/no-user-info-error-message]]

Construct a `OpenidInstanceNotAvailable` record.

`name`: access via [[active.clojure.openid/openid-instance-not-available-name]]
`tried-endpoint`: access via [[active.clojure.openid/openid-instance-not-available-tried-instance]]
`error-msg`: access via [[active.clojure.openid/openid-instance-not-available-error-msg]]

Construct a `OpenidProfile` (Wraps all necessary information for a openid identity provider profile.) record.

`name`: access via [[active.clojure.openid/openid-profile-name]]
`provider-config`: access via [[active.clojure.openid/openid-profile-openid-provider-config]]
`client-id`: access via [[active.clojure.openid/openid-profile-client-id]]
`client-secret`: access via [[active.clojure.openid/openid-profile-client-secret]]
`scopes`: access via [[active.clojure.openid/openid-profile-scopes]]
`base-uri`: access via [[active.clojure.openid/openid-profile-base-uri]]
`user-info-from`: access via [[active.clojure.openid/openid-profile-user-info-from]]
`http-client-opts-map`: access via [[active.clojure.openid/openid-profile-http-client-opts-map]]

See make-openid-profiles!

Takes a [[active.clojure.config/Configuration]] and extracts all
configured [[OpenidProfile]]s from the config.

If any openid instance is not available, returns
an [[%openid-instance-not-available]]] condition instead of
an [[OpenidProfile]] for that instance..

Construct a `OpenidProviderConfig` record.

`authorize-endpoint`: access via [[active.clojure.openid/openid-provider-config-authorize-endpoint]]
`token-endpoint`: access via [[active.clojure.openid/openid-provider-config-token-endpoint]]
`userinfo-endpoint`: access via [[active.clojure.openid/openid-provider-config-userinfo-endpoint]]
`end-session-endpoint`: access via [[active.clojure.openid/openid-provider-config-end-session-endpoint]]
`check-session-endpoint`: access via [[active.clojure.openid/openid-provider-config-check-session-endpoint]]
`supports-backchannel-logout?`: access via [[active.clojure.openid/openid-provider-config-supports-backchannel-logout?]]

Construct a `UnavailableLogin` record.

`name`: access via [[active.clojure.openid/unavailable-login-name]]
`error`: access via [[active.clojure.openid/unavailable-login-error]]

Construct a `UserInfo` record.

`id` (The user ID the user is known to the IDP. Maybe nil.): access via [[active.clojure.openid/user-info-id]]
`name` (The display name of the user, at least firstname and lastname. Maybe nil.): access via [[active.clojure.openid/user-info-name]]
`email` (The email address of the user. Maybe nil.): access via [[active.clojure.openid/user-info-email]]
`groups` (The groups the user is a member of. Maybe nil.): access via [[active.clojure.openid/user-info-groups]]
`claims` (The rest of the claims obtained from the IDP. Maybe nil.): access via [[active.clojure.openid/user-info-claims]]
`openid-profile` (The configured profile of the IDP which that this data got obtained.): access via [[active.clojure.openid/user-info-openid-profile]]
`logout-info` (The information needed to logout the user, see [[UserLogoutInfo]].): access via [[active.clojure.openid/user-info-logout-info]]
`access-token` (The raw access token from the IDP.): access via [[active.clojure.openid/user-info-access-token]]

Retrieve [[UserInfo]] for logged in user from `request`.
Use this function in your handler to obtain information about your user.

Lens for the `error-message` field from a [[NoAccessToken]] record. See [[active.clojure.openid/make-no-access-token]].

Is object a `NoAccessToken` record? See [[active.clojure.openid/make-no-access-token]].

Lens for the `error-message` field from a [[NoUserInfo]] record. See [[active.clojure.openid/make-no-user-info]].

Is object a `NoUserInfo` record? See [[active.clojure.openid/make-no-user-info]].

Lens for the `error-msg` field from a [[OpenidInstanceNotAvailable]] record. See [[active.clojure.openid/make-openid-instance-not-available]].

Lens for the `name` field from a [[OpenidInstanceNotAvailable]] record. See [[active.clojure.openid/make-openid-instance-not-available]].

Lens for the `tried-endpoint` field from a [[OpenidInstanceNotAvailable]] record. See [[active.clojure.openid/make-openid-instance-not-available]].

Is object a `OpenidInstanceNotAvailable` record? See [[active.clojure.openid/make-openid-instance-not-available]].

Lens for the `base-uri` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `client-id` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `client-secret` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `http-client-opts-map` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `name` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `provider-config` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Wraps all necessary information for a openid identity provider profile.

Lens for the `scopes` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Lens for the `user-info-from` field from a [[OpenidProfile]] record. See [[active.clojure.openid/make-openid-profile]].

Is object a `OpenidProfile` record? See [[active.clojure.openid/make-openid-profile]].

Lens for the `authorize-endpoint` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Lens for the `check-session-endpoint` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Lens for the `end-session-endpoint` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Lens for the `supports-backchannel-logout?` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Lens for the `token-endpoint` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Lens for the `userinfo-endpoint` field from a [[OpenidProviderConfig]] record. See [[active.clojure.openid/make-openid-provider-config]].

Is object a `OpenidProviderConfig` record? See [[active.clojure.openid/make-openid-provider-config]].

Construct a `UserLogoutInfo` (All the informationen needed to render either a logout link or a logout form.) record.

`uri`: access via [[active.clojure.openid/user-logout-info-uri]]
`params-map`: access via [[active.clojure.openid/user-logout-info-params-map]]

The keyword the authentication-state lives in the session map.

The keyword the session lives in the in the request/response map.

Construct a `Unauthenticated` record.

Is object a `Unauthenticated` record? See [[active.clojure.openid/unauthenticated]].

Lens for the `error` field from a [[UnavailableLogin]] record. See [[active.clojure.openid/make-unavailable-login]].

Lens for the `name` field from a [[UnavailableLogin]] record. See [[active.clojure.openid/make-unavailable-login]].

Is object a `UnavailableLogin` record? See [[active.clojure.openid/make-unavailable-login]].

Lens for the `access-token` field (The raw access token from the IDP.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `claims` field (The rest of the claims obtained from the IDP. Maybe nil.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `email` field (The email address of the user. Maybe nil.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `groups` field (The groups the user is a member of. Maybe nil.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `id` field (The user ID the user is known to the IDP. Maybe nil.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `logout-info` field (The information needed to logout the user, see [[UserLogoutInfo]].) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `name` field (The display name of the user, at least firstname and lastname. Maybe nil.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Lens for the `openid-profile` field (The configured profile of the IDP which that this data got obtained.) from a [[UserInfo]] record. See [[active.clojure.openid/make-user-info]].

Is object a `UserInfo` record? See [[active.clojure.openid/make-user-info]].

Lens for the `params-map` field from a [[UserLogoutInfo]] record. See [[active.clojure.openid/really-make-user-logout-info]].

All the informationen needed to render either a logout link or a logout form.

Lens for the `uri` field from a [[UserLogoutInfo]] record. See [[active.clojure.openid/really-make-user-logout-info]].

Is object a `UserLogoutInfo` record? See [[active.clojure.openid/really-make-user-logout-info]].

Convenience middleware stack for OpenID authentication that combines all
other middlewares that its implementation depends on.

Currently, this is [[ring-session/wrap-session]].  To avoid having more than
one instance of the `session-store`, you have three options:

- Use optional argument `:session-store` to pass in your global session store.

- Bind one instance of this middleware to a variable and use the variable if
  you need this middleware in different places.

- Put your own [[ring-session/wrap-session]] in your middleware stack and use
  [[wrap-openid-authentication*]] instead of this middleware.

See [[wrap-openid-authentication*]] for OpenID-specific documentation and
options.

Middleware that shortcuts execution of the `handler` and redirects the user
to the login page.

It also takes care of the openid authentication process states `unauthenticated`,
`authentication started`, `authenticated`.

The state `authentication started` is the most complicated one: There, the
middleware tries to obtain tokens and user data from the IDP and needs to
validate the data.

- `:login-handler`: Handler that the middleware calls if currently
unauthenticated.  The login handler should display links to IDPs to start the
authentication process.  The login handler gets called with three arguments:
   - `request`: The current request
   - `availables`: List of [[Available]] IDPs
   - `unavailables`: List of [[Unavailable]] IDPs
If not `:login-handler` is given, it defaults to [[default-login-handler]].

- `:logout-endpoint`: The endpoint for the IDP to redirect to after
user-initated logout.  This is needed to remove the auth information from the
session.  Defaults to [[default-logout-endpoint]].  This must match the
route that [[wrap-openid-logout]] uses.

- `:error-handler`: Handler thet the middleware calls in case of some
unexpected error.  The error handler gets called with these arguments:
   - `request`: The current request
   - `error-string`: A string that describes the error
   - `original-uri`: The URI of the original request, useful to try request
     again
   - and optionally an `exception`
Defaults to [[default-error-handler]].

- `:stubborn-idp-login-endpoint`: Some IDPs (or their admins) might require a
specific login endpoint URI that is different from the recommended base URI.
You can set that endpoint here, it gets concatenated onto base URI.
Defaults to the empty string.

Wrapper that removes authentication information from the current session.
Use together with [[wrap-openid-authentication]].
Must be the handler of the route that [[wrap-openid-authentication]] uses
as its `logout-endpoint`.

- `:logout-handler`: The handler that this wrapper calls.  It gets called
with `request`.  Defaults to [[default-logout-handler]] which redirects
to `/`.

Our implementation uses sessions, so we need [[ring-session/wrap-session]] middleware.
This is a convenience wrapper around [[ring-session/wrap-session]] that sets
some useful defaults and optionally accepts and uses a given `session-store`.