See https://openid.net/specs/openid-connect-core-1_0.html, https://openid.net/specs/openid-connect-basic-1_0.html and https://openid.net/specs/openid-connect-discovery-1_0.html for terminology and details.
(authfn {:keys [claims jwks-uri pubkeys-expire-in max-cached-tokens
jwks-retrieval-timeout jwks-retrieval-retries logger]
:or {pubkeys-expire-in one-day
max-cached-tokens default-mct
jwks-retrieval-timeout default-jwks-retrieval-timeout
jwks-retrieval-retries default-jwks-retrieval-retries}
:as options})
(create-pubkey-cache pubkeys-expire-in)
Create a cache for JWK public keys. `pubkeys-expire-in` is the TTL for the entries of the cache, expressed in seconds.
(create-token-cache max-cached-tokens)
Create a cache for validated tokens. The cache is limited in size to `max-cached-tokens`, and uses an LRU eviction strategy when the limit is reached. Individually, each token is evicted when its time to live (TTL), expressed in milliseconds, is reached.
Default retry attempts for JWK keys retrieval.
Default timeout for JWK keys retrieval through HTTP request, specified in milliseconds.
Default value for the number of cached tokens
TTL for failed token validations, expressed in milliseconds.
(get-jwks pubkey-cache jwks-uri logger connection-policy)
Get the public keys from the JWKS at `jwks-uri`, using `pubkey-cache` for caching results. Uses the timeout and retries configuration specified in `connection-policy` for the connection. Returns a collection with the public keys, or `nil` if the JWKS content is not available or doesn't contain valid public keys.
(get-jwks* jwks-uri logger connection-policy)
Get the public keys from the JSON Web Key Set at `jwks-uri`. Uses the timeout and retries configuration specified in `connection-policy` for the connection. Returns a collection with the public keys extracted from the JWKS, or `nil` if it can't retrieve them. Logs to `logger` any relevant issues that may prevent the key set from being retrieved.
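How a JWKS document becomes a collection of verification keys, and why the result can be "no keys" even when the document parses, as an added example illustrating the `get-jwks*` contract above. It is not the library's code: it is written in Go rather than Clojure so it runs stand-alone with only the standard library, it handles only EC P-256 keys (the key types the library accepts are not listed on this page), and it skips symmetric `oct` entries (RFC 7518 section 6.4), which are shared secrets and must never be used to verify an ID token. The JWKS document is constructed for the example; its EC coordinates are the P-256 example key from RFC 7515 Appendix A.3, and the RSA entry is a placeholder with no modulus.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Key types that must never become verification keys for a relying party. "oct" is the
// symmetric key type of RFC 7518 section 6.4: such an entry is a shared secret, not a
// public key, so it is skipped even if an issuer publishes one in its JWKS.
var symmetricKeyTypes = map[string]bool{"oct": true}

// jwk holds the JWK members needed to rebuild an EC public key; other members are ignored.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// KeysFromJWKS extracts the usable P-256 public keys from a JWKS document, keyed by kid.
// Like get-jwks*, it yields nothing (here: an error) when the document cannot be parsed or
// holds no usable key; entries it skips are reported through log instead of failing the set.
func KeysFromJWKS(doc []byte, log func(string)) (map[string]*ecdsa.PublicKey, error) {
	var set struct {
		Keys []jwk `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("JWKS is not valid JSON: %w", err)
	}
	keys := map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		if symmetricKeyTypes[k.Kty] {
			log("skipping symmetric key " + k.Kid)
			continue
		}
		if k.Kty != "EC" || k.Crv != "P-256" {
			log("skipping unsupported key " + k.Kid + " (kty=" + k.Kty + ")")
			continue
		}
		x, errX := base64.RawURLEncoding.DecodeString(k.X)
		y, errY := base64.RawURLEncoding.DecodeString(k.Y)
		if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
			log("skipping malformed EC key " + k.Kid)
			continue
		}
		keys[k.Kid] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	if len(keys) == 0 {
		return nil, errors.New("JWKS contains no usable public key")
	}
	return keys, nil
}

// Constructed JWKS for the demo: the EC coordinates are the P-256 example key from
// RFC 7515 Appendix A.3, the "oct" entry is a symmetric key that must be ignored, and
// the RSA entry is a placeholder (no modulus) standing in for an unsupported key type.
const sampleJWKS = `{"keys":[
  {"kty":"EC","kid":"ec-2024","crv":"P-256",
   "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
  {"kty":"oct","kid":"shared","k":"GawgguFyGrWKav7AX4VKUg"},
  {"kty":"RSA","kid":"rsa-placeholder","e":"AQAB"}
]}`

func main() {
	keys, err := KeysFromJWKS([]byte(sampleJWKS), func(msg string) { fmt.Println("log:", msg) })
	if err != nil {
		panic(err)
	}
	for kid, pub := range keys {
		fmt.Println("usable key:", kid, pub.Curve.Params().Name) // usable key: ec-2024 P-256
	}
}
```

The point to carry over to any real implementation is the last check: a JWKS that parses but contains only keys you cannot or must not use is the same failure as an unreachable endpoint, and should be treated like `get-jwks*` returning `nil` rather than as an empty-but-valid key set.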
(get-url url logger {:keys [timeout retries] :as connection-policy})
Retrieve given `url`. Uses the timeout and retries configuration specified in `connection-policy` for the connection and follows redirects. Logs to `logger` any relevant issues that may prevent the url from being retrieved. Returns `nil` if the connection cannot be established, the content cannot be retrieved or the response status is not 2xx.
Initial delay for retries, specified in milliseconds.
Maximum delay for a connection retry, specified in milliseconds. We are using truncated binary exponential backoff, with `max-delay` as the ceiling for the retry delay.
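The retry schedule the two delay constants describe, together with the `get-url` contract above (retries, then `nil` when the content never arrives), as an added example. It is not the library's code and is written in Go rather than Clojure so it runs stand-alone with only the standard library. The concrete delay values, the names of the helpers, and the choice to retry only transport errors and 5xx replies while treating any other non-2xx status as final are assumptions; the page states only that the backoff is truncated binary exponential with `max-delay` as ceiling and that a non-2xx response yields `nil`. The HTTP call, the sleep and the logger are injected so the schedule can be checked without a network or real waiting.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Assumed values: the page names initial-delay and max-delay but does not show them.
const (
	initialDelay = 200 * time.Millisecond
	maxDelay     = 3200 * time.Millisecond
)

// RetryDelay is the wait before retry number n (n starts at 1) under truncated binary
// exponential backoff: the delay doubles with every retry until it reaches the ceiling,
// and every retry after that waits exactly the ceiling.
func RetryDelay(n int, initial, ceiling time.Duration) time.Duration {
	d := initial
	for i := 1; i < n && d < ceiling; i++ {
		d *= 2
	}
	if d > ceiling {
		return ceiling
	}
	return d
}

// Response is the part of an HTTP reply the retry logic looks at.
type Response struct {
	Status int
	Body   []byte
}

// FetchWithRetry follows get-url's contract: at most 1+retries calls to do, a backoff sleep
// between them, and nil when the content never arrives. Transport errors and 5xx replies are
// retried; any other non-2xx status is final (an assumption, the page only says non-2xx
// yields nil). do, sleep and log are injected so the logic runs without a network.
func FetchWithRetry(do func() (Response, error), retries int, sleep func(time.Duration), log func(string)) []byte {
	for attempt := 0; attempt <= retries; attempt++ {
		if attempt > 0 {
			sleep(RetryDelay(attempt, initialDelay, maxDelay))
		}
		resp, err := do()
		switch {
		case err != nil:
			log(fmt.Sprintf("attempt %d failed: %v", attempt+1, err))
		case resp.Status >= 200 && resp.Status < 300:
			return resp.Body
		case resp.Status >= 500:
			log(fmt.Sprintf("attempt %d: HTTP %d, retrying", attempt+1, resp.Status))
		default:
			log(fmt.Sprintf("attempt %d: HTTP %d, giving up", attempt+1, resp.Status))
			return nil
		}
	}
	return nil
}

// FlakyServer is a constructed stand-in for a JWKS endpoint: it fails with a connection
// error the first `failures` times it is called and then serves body with HTTP 200.
func FlakyServer(failures int, body string) func() (Response, error) {
	calls := 0
	return func() (Response, error) {
		calls++
		if calls <= failures {
			return Response{}, errors.New("connection refused")
		}
		return Response{Status: 200, Body: []byte(body)}, nil
	}
}

func main() {
	var waits []time.Duration
	record := func(d time.Duration) { waits = append(waits, d) }
	body := FetchWithRetry(FlakyServer(2, `{"keys":[]}`), 5, record, func(s string) { fmt.Println(s) })
	fmt.Printf("body=%s waits=%v\n", body, waits) // body={"keys":[]} waits=[200ms 400ms]
}
```

With the assumed constants the schedule is 200 ms, 400 ms, 800 ms, 1600 ms, 3200 ms, 3200 ms, ...; the cap matters because the JWKS fetch sits on the request path of every uncached token validation, and an unbounded doubling would turn a short provider outage into a very long stall for the caller.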
(set-ttl {:keys [sub exp] :as token})
Set the TTL cache value (expressed in milliseconds) for `token`.
See https://tools.ietf.org/html/rfc7518#section-6.4 for details
See https://tools.ietf.org/html/rfc7518#section-3.1 and https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms for details. `jws/decode-header` returns the standard algorithm names as lower-case keywords, so specify them here as such.
(validate-single-key token pubkey {:keys [iss aud] :as claims})
Validate the OpenID Connect ID `token`, using `pubkey`. The `claims` map should contain at least the following keys:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
If the token is valid, a map is returned with the following keys:
:sub The identity (subject) extracted from the token.
:exp The expiry time (exp) extracted from the token, as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC.
If the token is not valid, it returns `nil`.
(validate-token config token logger connection-policy)
Validate the OpenID Connect ID `token`, caching results to speed up recurrent validations. Returns the `:sub` claim from the token, or `nil` if the token is invalid. Logs to `logger` any relevant issues that may prevent tokens from being validated. Uses the timeout and retries configuration specified in `connection-policy` to retrieve the JWK signing keys. `config` is a map with at least the following keys:
:pubkey-cache A `clojure.core.cache` compatible instance, to cache the public keys of the Issuer.
:token-cache A `clojure.core.cache` compatible instance, to cache token validation results.
:jwks-uri The URL of the OpenID Connect Provider's JSON Web Key Set document.
:claims A map with the claims that the token must satisfy. At least the following keys must exist:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
(validate-token* token pubkeys {:keys [iss aud] :as claims})
Validate an OpenID Connect ID `token` against the token issuer. `pubkeys` is a collection of public keys, any of which may have signed the token. The `claims` map should contain at least the following keys:
:iss Case-sensitive URL for the Issuer Identifier.
:aud Audience(s) the ID Token is intended for.
A map is returned with the following keys:
:sub The identity (subject) extracted from the token if valid. Otherwise, `nil`.
:exp The expiry time (exp) extracted from the token if valid, as a number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC. Otherwise, `nil`.
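The checks that `validate-single-key` and `validate-token*` describe (a signature that verifies under one of the issuer's public keys, then `iss`, `aud` and `exp`), as one added example serving both. It is not the library's code: it is Go rather than Clojure so it runs stand-alone with only the standard library, it accepts only ES256 (the page says the supported algorithms are spelled as lower-case keywords but does not list them), and it mints its own test token with a key generated in-process, which stands in for the OpenID Provider. Claim names, the hypothetical `Result` type and the error messages are this example's own. The ordering is the security-relevant part: the `alg` is checked against an allow-list before any key is consulted, and nothing in the payload is trusted until the signature has verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Accepted header algorithms. "none" and the HMAC family are absent on purpose: an ID token
// must verify under the issuer's public key, never under a secret the verifier also holds.
var supportedAlgs = map[string]bool{"ES256": true}
var enc = base64.RawURLEncoding

type Result struct{ Sub string; Exp int64 } // the {:sub :exp} map of validate-single-key / validate-token*

// ValidateToken verifies token with any of pubkeys, as validate-token* does with its key
// collection, then checks iss, aud and exp at time now. The alg is checked before any key is
// tried, and no claim is read before the signature has verified.
func ValidateToken(token string, pubkeys []*ecdsa.PublicKey, iss string, aud []string, now time.Time) (*Result, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr struct{ Alg string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || !supportedAlgs[hdr.Alg] {
		return nil, fmt.Errorf("unreadable header or unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // an ES256 signature is r || s, 32 bytes each
		return nil, errors.New("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	verified := false
	for _, pub := range pubkeys {
		verified = verified || ecdsa.Verify(pub, digest[:], r, s)
	}
	if !verified {
		return nil, errors.New("signature verification failed")
	}
	var c struct {
		Iss, Sub string
		Aud      any // OIDC allows a single string or an array of strings here
		Exp      int64
	}
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("unreadable claims")
	}
	switch {
	case c.Iss != iss:
		return nil, errors.New("issuer mismatch")
	case !audienceMatches(c.Aud, aud):
		return nil, errors.New("audience mismatch")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("exp missing or in the past")
	case c.Sub == "":
		return nil, errors.New("sub claim missing")
	}
	return &Result{Sub: c.Sub, Exp: c.Exp}, nil
}

// audienceMatches accepts the token when any audience it names is one we expect.
func audienceMatches(got any, want []string) bool {
	auds, _ := got.([]any)
	if one, ok := got.(string); ok {
		auds = []any{one}
	}
	for _, a := range auds {
		for _, w := range want {
			if a == w {
				return true
			}
		}
	}
	return false
}

// mintES256 plays the OpenID Provider for the demo; a relying party never signs ID tokens.
func mintES256(priv *ecdsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := mintES256(priv, map[string]any{"iss": "https://op.example", "aud": "my-client", "sub": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(ValidateToken(tok, []*ecdsa.PublicKey{&priv.PublicKey}, "https://op.example", []string{"my-client"}, time.Now()))
}
```

Two details are easy to get wrong in a real relying party and are deliberately visible here: `aud` may be a JSON array, so an exact string compare against the client id silently rejects valid tokens from providers that list several audiences; and the key collection is tried in full, so a token signed with a key the provider has already rotated out is rejected only once the cached JWKS no longer carries that key, which is why `pubkeys-expire-in` bounds how long a retired key keeps verifying.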