dev.gethop.buddy-auth.jwt-oidc.impl.core

Liking cljdoc? Tell your friends :D

Clojure only.

backoff-ms
create-pubkey-cache
create-token-cache
failed-validation-ttl
get-jwks
get-jwks-from-jwks-uri
get-jwks-from-well-known
get-url
initial-delay
max-delay
symmetric-key-types
symmetric-signature-algs
validate-token
validate-token*

backoff-ms^clj

Retry policy back-off configuration (specified in milliseconds

Retry policy back-off configuration (specified in milliseconds

source raw docstring

create-pubkey-cache^clj

(create-pubkey-cache pubkeys-expire-in)

Create a cache for JWK public keys. pubkeys-expire-in is the TTL for the entries of the cache, expressed in seconds

Create a cache for JWK public keys.
`pubkeys-expire-in` is the TTL for the entries of the cache,
expressed in seconds

source raw docstring

create-token-cache^clj

(create-token-cache max-cached-tokens)

Create a cache for validated tokens. The cache is limited in size to max-cached-tokens, and uses a LRU eviction strategy when the limit is reached. Individually, each token is evicted when its time to live (TTL), expressed in milli-seconds, is reached.

Create a cache for validated tokens.
The cache is limited in size to `max-cached-tokens`, and uses a LRU
eviction strategy when the limit is reached. Individually, each
token is evicted when its time to live (TTL), expressed in
milli-seconds, is reached.

source raw docstring

failed-validation-ttl^clj

TTL for failed token validations, expressed in milli-seconds

TTL for failed token validations, expressed in milli-seconds

source raw docstring

get-jwks^clj

(get-jwks {:keys [pubkey-cache jwks-uri well-known-url] :as context})

Get the public keys from the JWKS.

The JWKS can be retrieved either from the well-known-url OpenID Connect Provider configuration, or from a specific jwks-uri. Uses pubkey-cache for caching results. Uses timeout and retries configuration as specified in connection-policy for the connection.

Returns a collection with the public keys or nil if the JWKS content is not available, or doesn't contain valid public keys.

Get the public keys from the JWKS.

The JWKS can be retrieved either from the `well-known-url` OpenID
Connect Provider configuration, or from a specific `jwks-uri`. Uses
`pubkey-cache` for caching results. Uses timeout and retries
configuration as specified in `connection-policy` for the
connection.

Returns a collection with the public keys or `nil` if the JWKS
content is not available, or doesn't contain valid public keys.

source raw docstring

get-jwks-from-jwks-uri^clj

(get-jwks-from-jwks-uri {:keys [logger connection-policy] :as _context}
                        jwks-uri)

Get the public keys from the JSON Web Key Set at jwks-uri. Uses timeout and retries configuration as specified in connection-policy for the connection.

Returns a collection with the public keys extracted from the JWKS, or nil if it can't retrieve them. Logs to logger any relevant issues that may prevent the key set from being retrieved.

Get the public keys from the JSON Web Key Set at `jwks-uri`.
Uses timeout and retries configuration as specified in
`connection-policy` for the connection.

Returns a collection with the public keys extracted from the JWKS,
or `nil` if it can't retrieve them. Logs to `logger` any relevant
issues that may prevent the key set from being retrieved.

source raw docstring

get-jwks-from-well-known^clj

(get-jwks-from-well-known {:keys [logger connection-policy] :as context}
                          well-known-url)

Get the public keys from the OIDC Provider JWKS, using the ".well-known" URL. Retrieves the configuration from well-know-url, from there the JWKS URI, and from that URI the actual JWKS. Uses connection-policy for time-outs and retries, and logs success or failure to logger. Returns a collection with the public keys or nil if the JWKS content is not available, or doesn't contain valid public keys.

Get the public keys from the OIDC Provider JWKS, using the ".well-known" URL.
Retrieves the configuration from `well-know-url`, from there the
JWKS URI, and from that URI the actual JWKS. Uses
`connection-policy` for time-outs and retries, and logs success or
failure to `logger`.
Returns a collection with the public keys or `nil` if the JWKS
content is not available, or doesn't contain valid public keys.

source raw docstring

get-url^clj

(get-url url logger {:keys [timeout retries] :as connection-policy})

Retrieve given url. Uses timeout and retries configuration as specified in connection-policy for the connection and follows redirects. Logs to logger any relevant issues that may prevent the url from being retrieved.

Returns nil if the connection cannot be stablished, the content cannot be retrieved or the status response is not 2xx.

Retrieve given `url`.
Uses timeout and retries configuration as specified in
`connection-policy` for the connection and follows redirects. Logs to
`logger` any relevant issues that may prevent the url from being
retrieved.

Returns `nil` if the connection cannot be stablished, the
content cannot be retrieved or the status response is not 2xx.

source raw docstring

initial-delay^clj

Initial delay for retries, specified in milliseconds.

Initial delay for retries, specified in milliseconds.

source raw docstring

max-delay^clj

Maximun delay for a connection retry, specified in milliseconds. We are using truncated binary exponential backoff, with max-delay as the ceiling for the retry delay.

Maximun delay for a connection retry, specified in milliseconds. We
are using truncated binary exponential backoff, with `max-delay` as
the ceiling for the retry delay.

source raw docstring

symmetric-key-types^clj

See https://tools.ietf.org/html/rfc7518#section-6.4 for details

See https://tools.ietf.org/html/rfc7518#section-6.4 for details

source raw docstring

symmetric-signature-algs^clj

See https://tools.ietf.org/html/rfc7518#section-3.1 and https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms for details. jws/decode-header returns the standard algorithm names as lower-case keywords, so specify them here as such.

See https://tools.ietf.org/html/rfc7518#section-3.1 and
https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
for details. `jws/decode-header` returns the standard algorithm
names as lower-case keywords, so specify them here as such.

source raw docstring

validate-token^clj

(validate-token {:keys [logger] :as context} token)

Validate OpenID Connect ID token, caching results to speed up recurrent validations. Returns the :sub claim from the token, or nil if the token is invalid. context is a map with at least the following keys:

:pubkey-cache A clojure.core.cache compatible instance, to cache the public keys of the Issuer. :token-cache A clojure.core.cache compatible instance, to cache token validation results. :claims A map with the claims that the token must satisfy. At least the following keys must exist: :iss Case-sensitive URL for the Issuer Identifier. :aud Audience(s) the ID Token is intended for. :logger A logger compatible with Duct/logger protocol. Any relevant issues that may prevent tokens from begin validated are sent to this logger. :connection-policiy Optional: A policy for timeouts and retries when trying to retrieve the JWKS signing keys. :jwks-uri Optional: The URL of the config (OpenID Connect Provider) JSON Web Key Set document. :well-known-url Optional: The URL of the OpenID Connect Provider where Discovery document is available at.

Validate OpenID Connect ID `token`, caching results to speed up recurrent validations.
Returns the `:sub` claim from the token, or `nil` if the token is
invalid. `context` is a map with at least the following keys:

:pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys
            of the Issuer.
:token-cache A `clojure.core.cache` compatible instance, to cache token validation results.
:claims A map with the claims that the token must satisfy. At least
        the following keys must exist:
           :iss Case-sensitive URL for the Issuer Identifier.
           :aud Audience(s) the ID Token is intended for.
:logger A logger compatible with Duct/logger protocol. Any relevant
        issues that may prevent tokens from begin validated are sent to
        this logger.
:connection-policiy Optional: A policy for timeouts and retries when
        trying to retrieve the JWKS signing keys.
:jwks-uri Optional: The URL of the config (OpenID Connect Provider)
        JSON Web Key Set document.
:well-known-url Optional: The URL of the OpenID Connect Provider
        where Discovery document is available at.

source raw docstring

validate-token*^clj

(validate-token* token pubkeys claims logger)

Validate an OpenId Connect ID token against the token issuer. pubkeys is a collection of public keys that can have signed the token. The claims map should contain at least the following keys:

:iss Case-sensitive URL for the Issuer Identifier. :aud Audience(s) the ID Token is intended for.

A map is returned with the following keys:

:sub The identity (subject) extracted from the token if valid. Otherwise, nil.

:exp The expiry time (exp) extracted from the token if valid, as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC. Otherwise, nil.

Validate an OpenId Connect ID `token` against the token issuer.
`pubkeys` is a collection of public keys that can have signed the
token. The `claims` map should contain at least the following
keys:

  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.

A map is returned with the following keys:

  :sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.

  :exp The expiry time (exp) extracted from the token if valid, as a number
       representing the number of seconds from 1970-01-01T00:00:00Z as
       measured in UTC. Otherwise, `nil`.

source raw docstring

cljdoc is a website building & hosting documentation for Clojure/Script libraries

Keyboard shortcuts Report a problem cljdoc on GitHub

× close