magnet.buddy-auth.jwt-oidc
See https://openid.net/specs/openid-connect-core-1_0.html, https://openid.net/specs/openid-connect-basic-1_0.html and https://openid.net/specs/openid-connect-discovery-1_0.html for terminology and details.
See https://openid.net/specs/openid-connect-core-1_0.html, https://openid.net/specs/openid-connect-basic-1_0.html and https://openid.net/specs/openid-connect-discovery-1_0.html for terminology and details.
authfnclj
(authfn {:keys [claims jwks-uri pubkeys-expire-in max-cached-tokens
jwks-retrieval-timeout jwks-retrieval-retries logger]
:or {pubkeys-expire-in one-day
max-cached-tokens default-mct
jwks-retrieval-timeout default-jwks-retrieval-timeout
jwks-retrieval-retries default-jwks-retrieval-retries}
:as options})create-pubkey-cacheclj
(create-pubkey-cache pubkeys-expire-in)Create a cache for JWK public keys.
pubkeys-expire-in is the TTL for the entries of the cache,
expressed in seconds
Create a cache for JWK public keys. `pubkeys-expire-in` is the TTL for the entries of the cache, expressed in seconds
create-token-cacheclj
(create-token-cache max-cached-tokens)Create a cache for validated tokens.
The cache is limited in size to max-cached-tokens, and uses a LRU
eviction strategy when the limit is reached. Individually, each
token is evicted when its time to live (TTL), expressed in
milli-seconds, is reached.
Create a cache for validated tokens. The cache is limited in size to `max-cached-tokens`, and uses a LRU eviction strategy when the limit is reached. Individually, each token is evicted when its time to live (TTL), expressed in milli-seconds, is reached.
default-jwks-retrieval-retriesclj
Default retry attempts for JKW keys retrieval
Default retry attempts for JKW keys retrieval
default-jwks-retrieval-timeoutclj
Default timeout for JWK keys retrieval through HTTP request, specified in milli-seconds
Default timeout for JWK keys retrieval through HTTP request, specified in milli-seconds
default-mctclj
Default value for the number of cached tokens
Default value for the number of cached tokens
failed-validation-ttlclj
TTL for failed token validations, expressed in milli-seconds
TTL for failed token validations, expressed in milli-seconds
get-jwksclj
(get-jwks pubkey-cache jwks-uri logger connection-policy)Get the public keys from the JWKS at jwks-uri, using pubkey-cache for caching results.
Uses timeout and retries configuration as specified in
connection-policy for the connection. Returns a collection with
the public keys or nil if the JWKS content is not available, or
doesn't contain valid public keys.
Get the public keys from the JWKS at `jwks-uri`, using `pubkey-cache` for caching results. Uses timeout and retries configuration as specified in `connection-policy` for the connection. Returns a collection with the public keys or `nil` if the JWKS content is not available, or doesn't contain valid public keys.
get-jwks*clj
(get-jwks* jwks-uri logger connection-policy)Get the public keys from the JSON Web Key Set at jwks-uri.
Uses timeout and retries configuration as specified in
connection-policy for the connection.
Returns a collection with the public keys extracted from the JWKS,
or nil if it can't retrieve them. Logs to logger any relevant
issues that may prevent the key set from being retrieved.
Get the public keys from the JSON Web Key Set at `jwks-uri`. Uses timeout and retries configuration as specified in `connection-policy` for the connection. Returns a collection with the public keys extracted from the JWKS, or `nil` if it can't retrieve them. Logs to `logger` any relevant issues that may prevent the key set from being retrieved.
get-urlclj
(get-url url logger {:keys [timeout retries] :as connection-policy})Retrieve given url.
Uses timeout and retries configuration as specified in
connection-policy for the connection and follows redirects. Logs to
logger any relevant issues that may prevent the url from being
retrieved. Returns nil if the connection cannot be stablished, the
content cannot be retrieved or the status response is not 2xx.
Retrieve given `url`. Uses timeout and retries configuration as specified in `connection-policy` for the connection and follows redirects. Logs to `logger` any relevant issues that may prevent the url from being retrieved. Returns `nil` if the connection cannot be stablished, the content cannot be retrieved or the status response is not 2xx.
initial-delayclj
Initial delay for retries, specified in milliseconds.
Initial delay for retries, specified in milliseconds.
max-delayclj
Maximun delay for a connection retry, specified in milliseconds. We
are using truncated binary exponential backoff, with max-delay as
the ceiling for the retry delay.
Maximun delay for a connection retry, specified in milliseconds. We are using truncated binary exponential backoff, with `max-delay` as the ceiling for the retry delay.
set-ttlclj
(set-ttl {:keys [sub exp] :as token})Set the TTL cache value (expressed in milli-seconds) for token
Set the TTL cache value (expressed in milli-seconds) for `token`
symmetric-key-typesclj
See https://tools.ietf.org/html/rfc7518#section-6.4 for details
See https://tools.ietf.org/html/rfc7518#section-6.4 for details
symmetric-signature-algsclj
See https://tools.ietf.org/html/rfc7518#section-3.1 and
https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
for details. jws/decode-header returns the standard algorithm
names as lower-case keywords, so specify them here as such.
See https://tools.ietf.org/html/rfc7518#section-3.1 and https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms for details. `jws/decode-header` returns the standard algorithm names as lower-case keywords, so specify them here as such.
validate-single-keyclj
(validate-single-key token pubkey claims logger)Validate OpenId Connect ID token, using pubkey.
The claims map should contain at least the following keys:
:iss Case-sensitive URL for the Issuer Identifier. :aud Audience(s) the ID Token is intended for.
If the token is valid, a map is returned with the following keys:
:sub The identity (subject) extracted from the token (if valid).
:exp The expiry time (exp) extracted from the token (if valid), as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC.
If the token is not valid, it returns nil.
Validate OpenId Connect ID `token`, using `pubkey`.
The `claims` map should contain at least the following keys:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
If the token is valid, a map is returned with the following keys:
:sub The identity (subject) extracted from the token (if valid).
:exp The expiry time (exp) extracted from the token (if valid), as a
number representing the number of seconds from 1970-01-01T00:00:00Z
as measured in UTC.
If the token is not valid, it returns `nil`.validate-tokenclj
(validate-token config token logger connection-policy)Validate OpenID Connect ID token, caching results to speed up recurrent validations.
Returns the :sub claim from the token, or nil if the token is
invalid. Logs to logger any relevant issues that may prevent
tokens from begin validated. Uses timeout and retries configuration
as specified in connection-policy to retrieve the JWK signing keys.
config is a map with at least the following keys:
:pubkey-cache A clojure.core.cache compatible instance, to cache the public keys
of the Issuer.
:token-cache A clojure.core.cache compatible instance, to cache token validation results.
:jwks-uri The URL of the config (OpenID Connect Provider) JSON Web Key Set document.
:claims A map with the claims that the token must satisfy. At least
the following keys must exist:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
Validate OpenID Connect ID `token`, caching results to speed up recurrent validations.
Returns the `:sub` claim from the token, or `nil` if the token is
invalid. Logs to `logger` any relevant issues that may prevent
tokens from begin validated. Uses timeout and retries configuration
as specified in `connection-policy` to retrieve the JWK signing keys.
`config` is a map with at least the following keys:
:pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys
of the Issuer.
:token-cache A `clojure.core.cache` compatible instance, to cache token validation results.
:jwks-uri The URL of the config (OpenID Connect Provider) JSON Web Key Set document.
:claims A map with the claims that the token must satisfy. At least
the following keys must exist:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.validate-token*clj
(validate-token* token pubkeys claims logger)Validate an OpenId Connect ID token against the token issuer.
pubkeys is a collection of public keys that can have signed the
token. The claims map should contain at least the following
keys:
:iss Case-sensitive URL for the Issuer Identifier. :aud Audience(s) the ID Token is intended for.
A map is returned with the following keys:
:sub The identity (subject) extracted from the token if valid. Otherwise, nil.
:exp The expiry time (exp) extracted from the token if valid, as a number
representing the number of seconds from 1970-01-01T00:00:00Z as
measured in UTC. Otherwise, nil.
Validate an OpenId Connect ID `token` against the token issuer.
`pubkeys` is a collection of public keys that can have signed the
token. The `claims` map should contain at least the following
keys:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
A map is returned with the following keys:
:sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.
:exp The expiry time (exp) extracted from the token if valid, as a number
representing the number of seconds from 1970-01-01T00:00:00Z as
measured in UTC. Otherwise, `nil`.cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close