See https://openid.net/specs/openid-connect-core-1_0.html, https://openid.net/specs/openid-connect-basic-1_0.html and https://openid.net/specs/openid-connect-discovery-1_0.html for terminology and details.
(authfn {:keys [claims jwks-uri pubkeys-expire-in max-cached-tokens]
         :or {pubkeys-expire-in one-day max-cached-tokens default-mct}
         :as options})
(create-pubkey-cache pubkeys-expire-in)
Create a cache for JWK public keys. `pubkeys-expire-in` is the TTL for the entries of the cache, expressed in seconds.
(create-token-cache max-cached-tokens)
Create a cache for validated tokens. The cache is limited in size to `max-cached-tokens`, and uses an LRU eviction strategy when the limit is reached. Individually, each token is evicted when its time to live (TTL), expressed in milliseconds, is reached.
Default value for the number of cached tokens
TTL for failed token validations, expressed in milli-seconds
(get-jwks pubkey-cache jwks-uri)
Get the public keys from the JWKS at `jwks-uri`, using `pubkey-cache` for caching results. Returns a collection with the public keys, or `nil` if the JWKS content is not available or doesn't contain valid public keys.
(get-jwks* jwks-uri)
Get the public keys from the JSON Web Key Set at `jwks-uri`. Returns a collection with the public keys extracted from the JWKS, or `nil` if it can't retrieve them.
(get-url url)
Retrieve the given `url`. Uses a timeout for the connection and follows redirects. Returns `nil` if the connection cannot be established, the content cannot be retrieved, or the response status is not 2xx.
(set-ttl {:keys [sub exp] :as token})
Set the TTL cache value (expressed in milliseconds) for `token`.
See https://tools.ietf.org/html/rfc7518#section-6.4 for details
See https://tools.ietf.org/html/rfc7518#section-3.1 and https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms for details. `jws/decode-header` returns the standard algorithm names as lower-case keywords, so specify them here as such.
Timeout, in milliseconds, for JWK key retrieval through an HTTP request.
(validate-single-key token pubkey {:keys [iss aud] :as claims})
Validate OpenId Connect ID `token`, using `pubkey`. The `claims` map should contain at least the following keys:
  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.
If the token is valid, a map is returned with the following keys:
  :sub The identity (subject) extracted from the token.
  :exp The expiry time (exp) extracted from the token, as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC.
If the token is not valid, it returns `nil`.
(validate-token config token)
Validate OpenID Connect ID `token`, caching results to speed up recurrent validations. Returns the `:sub` claim from the token, or `nil` if the token is invalid. `config` is a map with at least the following keys:
  :pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys of the Issuer.
  :token-cache A `clojure.core.cache` compatible instance, to cache token validation results.
  :jwks-uri The URL of the OpenID Connect Provider's JSON Web Key Set document.
  :claims A map with the claims that the token must satisfy. At least the following keys must exist:
    :iss Case-sensitive URL for the Issuer Identifier.
    :aud Audience(s) the ID Token is intended for.
(validate-token* token pubkeys {:keys [iss aud] :as claims})
Validate an OpenId Connect ID `token` against the token issuer. `pubkeys` is a collection of public keys that may have signed the token. The `claims` map should contain at least the following keys:
  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.
A map is returned with the following keys:
  :sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.
  :exp The expiry time (exp) extracted from the token if valid, as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC. Otherwise, `nil`.
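A worked example of the `validate-single-key`, `validate-token*` and `set-ttl` contracts described above, written for this page rather than taken from the library. It assumes buddy-sign (`buddy.sign.jws`, `buddy.sign.jwt`) is on the classpath; the RSA key pairs, issuer URL, audience and claims are constructed for the demo.

```clojure
(ns oidc-example
  (:require [buddy.sign.jws :as jws]
            [buddy.sign.jwt :as jwt])
  (:import [java.security KeyPairGenerator]))

;; Accepted algorithms, spelled as the lower-case keywords jws/decode-header
;; returns. Asymmetric only: a JWKS public key must never verify an hs* (HMAC)
;; signature, and "none" is rejected simply by not being listed.
(def allowed-algs #{:rs256 :rs384 :rs512 :es256 :es384 :es512})

(defn validate-single-key
  "Returns {:sub .. :exp ..} when `token` verifies with `pubkey` and its
  iss/aud/exp claims satisfy `claims`; nil on any failure."
  [token pubkey {:keys [iss aud]}]
  (try
    (let [alg (:alg (jws/decode-header token))]
      (when (contains? allowed-algs alg)
        ;; jwt/unsign verifies the signature, then exp/nbf, :iss and :aud;
        ;; any mismatch throws ex-info, which the catch turns into nil.
        (let [{:keys [sub exp]} (jwt/unsign token pubkey {:alg alg :iss iss :aud aud})]
          (when (and sub exp) {:sub sub :exp exp}))))
    (catch Exception _ nil)))

(defn validate-token*
  "Tries every JWKS key in turn; {:sub nil :exp nil} if none verifies."
  [token pubkeys claims]
  (or (some #(validate-single-key token % claims) pubkeys) {:sub nil :exp nil}))

(defn set-ttl
  "Cache TTL in milliseconds: time left until the exp claim (seconds since epoch)."
  [{:keys [exp] :as token}]
  (cond-> token
    exp (assoc :ttl (max 0 (- (* 1000 exp) (System/currentTimeMillis))))))

(defn- rsa-keypair []
  (.generateKeyPair (doto (KeyPairGenerator/getInstance "RSA") (.initialize 2048))))

;; Constructed demo: fresh RSA key pairs stand in for the issuer's JWKS keys.
(defn demo []
  (let [issuer (rsa-keypair)
        other  (rsa-keypair)
        now    (quot (System/currentTimeMillis) 1000)
        token  (jwt/sign {:iss "https://op.example" :aud "my-client" :sub "user-123"
                          :iat now :exp (+ now 300)}
                         (.getPrivate issuer) {:alg :rs256})
        claims {:iss "https://op.example" :aud "my-client"}]
    {:valid     (set-ttl (validate-token* token [(.getPublic other) (.getPublic issuer)] claims))
     :wrong-aud (validate-token* token [(.getPublic issuer)] (assoc claims :aud "someone-else"))
     :wrong-key (validate-token* token [(.getPublic other)] claims)}))
```

Evaluating `(demo)` exercises the three paths a validator must distinguish: a key set that contains the signing key, an audience mismatch, and a key set that lacks the signing key.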
cljdoc is a website building & hosting documentation for Clojure/Script libraries