magnet.buddy-auth.jwt-oidc

See https://openid.net/specs/openid-connect-core-1_0.html,
https://openid.net/specs/openid-connect-basic-1_0.html and
https://openid.net/specs/openid-connect-discovery-1_0.html for
terminology and details.

authfn clj

(authfn {:keys [claims jwks-uri pubkeys-expire-in max-cached-tokens]
         :or {pubkeys-expire-in one-day max-cached-tokens default-mct}
         :as options})

create-pubkey-cache clj

(create-pubkey-cache pubkeys-expire-in)

Create a cache for JWK public keys.
`pubkeys-expire-in` is the TTL for the entries of the cache,
expressed in seconds.

create-token-cache clj

(create-token-cache max-cached-tokens)

Create a cache for validated tokens.
The cache is limited in size to `max-cached-tokens`, and uses an LRU
eviction strategy when the limit is reached. Individually, each
token is evicted when its time to live (TTL), expressed in
milliseconds, is reached.

default-mct clj

Default value for the number of cached tokens

failed-validation-ttl clj

TTL for failed token validations, expressed in milliseconds

get-jwks clj

(get-jwks pubkey-cache jwks-uri)

Get the public keys from the JWKS at `jwks-uri`, using `pubkey-cache` for caching results.
Returns a collection with the public keys or `nil` if the JWKS content
is not available, or doesn't contain valid public keys.

get-jwks* clj

(get-jwks* jwks-uri)

Get the public keys from the JSON Web Key Set at `jwks-uri`.
Returns a collection with the public keys extracted from the JWKS, or
`nil` if it can't retrieve them.

get-url clj

(get-url url)

Retrieve the given `url`. Uses a timeout for the connection and follows redirects.
Returns `nil` if the connection cannot be established, the
content cannot be retrieved or the status response is not 2xx.

one-day clj

One day, expressed in seconds

set-ttl clj

(set-ttl {:keys [sub exp] :as token})

Set the TTL cache value (expressed in milliseconds) for `token`

symmetric-key-types clj

See https://tools.ietf.org/html/rfc7518#section-6.4 for details

symmetric-signature-algs clj

See https://tools.ietf.org/html/rfc7518#section-3.1 and
https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
for details. `jws/decode-header` returns the standard algorithm
names as lower-case keywords, so specify them here as such.

timeout clj

Timeout, in milliseconds, for JWK keys retrieval through HTTP request

validate-single-key clj

(validate-single-key token pubkey {:keys [iss aud] :as claims})

Validate OpenID Connect ID `token`, using `pubkey`.
The `claims` map should contain at least the following keys:

  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.

If the token is valid, a map is returned with the following keys:

  :sub The identity (subject) extracted from the token (if valid).

  :exp The expiry time (exp) extracted from the token (if valid), as a
       number representing the number of seconds from 1970-01-01T00:00:00Z
       as measured in UTC.

If the token is not valid, it returns `nil`.

validate-token clj

(validate-token config token)

Validate OpenID Connect ID `token`, caching results to speed up recurrent validations.
Returns the `:sub` claim from the token, or `nil` if the token is invalid.
`config` is a map with at least the following keys:

  :pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys
                of the Issuer.
  :token-cache  A `clojure.core.cache` compatible instance, to cache token validation results.
  :jwks-uri     The URL of the config (OpenID Connect Provider) JSON Web Key Set document.
  :claims       A map with the claims that the token must satisfy. At least
                the following keys must exist:
                  :iss Case-sensitive URL for the Issuer Identifier.
                  :aud Audience(s) the ID Token is intended for.
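
The following added example (not code from the library or from this page) wires `create-pubkey-cache`, `create-token-cache` and `validate-token` into a fail-closed Ring middleware. The namespace `example.oidc-guard`, the names `bearer-token` and `wrap-oidc`, the `idp.example.com` URLs and the client id are assumptions, as is passing the `create-*` return values directly as the cache entries of `config`.

```clojure
(ns example.oidc-guard
  "Added example: not part of magnet.buddy-auth.jwt-oidc."
  (:require [clojure.string :as str]
            [magnet.buddy-auth.jwt-oidc :as jwt-oidc]))

;; Build the caches once at start-up and reuse them for every request.
;; Units differ: the public key TTL is given in seconds, while token TTLs
;; are in milliseconds and are set by the library itself.
;; Assumption: the values returned by the create-* functions are what
;; validate-token expects under :pubkey-cache and :token-cache.
(defonce oidc-config
  {:pubkey-cache (jwt-oidc/create-pubkey-cache jwt-oidc/one-day)
   :token-cache  (jwt-oidc/create-token-cache jwt-oidc/default-mct)
   ;; Placeholder values: pin these to your own provider and client.
   :jwks-uri     "https://idp.example.com/.well-known/jwks.json"
   :claims       {:iss "https://idp.example.com/"
                  :aud "example-client-id"}})

(defn bearer-token
  "Extract the token from an `Authorization: Bearer <token>` header.
  Returns nil for a missing header, another scheme or an empty token."
  [request]
  (when-let [header (get-in request [:headers "authorization"])]
    (let [[scheme token & more] (str/split (str/trim header) #"\s+")]
      (when (and (nil? more)
                 token
                 (= "bearer" (str/lower-case scheme)))
        token))))

(defn wrap-oidc
  "Ring middleware (hypothetical name). Fails closed: a request whose
  token does not validate gets a 401 and never reaches `handler`."
  [handler config]
  (fn [request]
    ;; validate-token returns the :sub claim, or nil for an invalid token.
    (if-let [sub (some->> (bearer-token request)
                          (jwt-oidc/validate-token config))]
      (handler (assoc request :identity sub))
      {:status  401
       :headers {"WWW-Authenticate" "Bearer error=\"invalid_token\""}
       :body    "Unauthorized"})))
```

Wrap a handler with `(wrap-oidc handler oidc-config)`; the `:identity` request key is this example's choice, not something the page specifies.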

validate-token* clj

(validate-token* token pubkeys {:keys [iss aud] :as claims})

Validate an OpenID Connect ID `token` against the token issuer.
`pubkeys` is a collection of public keys that may have signed the
token. The `claims` map should contain at least the following
keys:

  :iss Case-sensitive URL for the Issuer Identifier.
  :aud Audience(s) the ID Token is intended for.

A map is returned with the following keys:

  :sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.

  :exp The expiry time (exp) extracted from the token if valid, as a number
       representing the number of seconds from 1970-01-01T00:00:00Z as
       measured in UTC. Otherwise, `nil`.
