Core protocols and schemas for OIDC provider extensibility.
Defines the ClaimsProvider protocol for supplying user claims to ID tokens,
along with storage protocols (ClientStore, AuthorizationCodeStore,
TokenStore) for pluggable persistence.
AuthorizationCodeStore
Protocol for storing and retrieving authorization codes.
(delete-authorization-code this code)
Deletes an authorization code.
Takes an authorization code string and removes it from storage. Authorization codes are single-use, so they should be deleted after being exchanged for tokens. Returns true if deleted successfully.
(get-authorization-code this code)
Retrieves authorization code metadata.
Takes an authorization code string and looks up its associated metadata. Returns
a map with keys [:user-id :client-id :redirect-uri :scope :nonce :expiry]
and optionally :code-challenge, :code-challenge-method, and :resource
if found, or nil if the code doesn't exist or has been deleted.
(save-authorization-code this code user-id client-id redirect-uri scope nonce expiry code-challenge code-challenge-method resource)
Saves an authorization code with associated metadata.
Takes an authorization code string, user identifier, OAuth2 client identifier,
the redirect URI from the authorization request, a vector of scope strings, an
optional nonce for replay protection, an expiration timestamp (milliseconds
since epoch), optional PKCE code-challenge and code-challenge-method
strings, and an optional resource vector of target resource indicator URIs
(per RFC 8707). Stores the code and metadata. Returns true if saved successfully.
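An added example, not the library's code, of an atom-backed AuthorizationCodeStore together with a single-use exchange step that enforces expiry, client and redirect-uri binding, and PKCE verification. The defprotocol is a stand-in carrying the signatures documented above (the library's own namespace is not shown here); in-memory-code-store, s256 and consume-authorization-code are assumed names.

```clojure
(import '[java.security MessageDigest] '[java.util Base64] '[java.nio.charset StandardCharsets])

;; Stand-in for the library's AuthorizationCodeStore protocol (assumed to match
;; the signatures documented above; the real protocol lives in the library).
(defprotocol AuthorizationCodeStore
  (save-authorization-code [this code user-id client-id redirect-uri scope nonce
                            expiry code-challenge code-challenge-method resource])
  (get-authorization-code [this code])
  (delete-authorization-code [this code]))

;; Atom-backed store for tests and illustration, not for production use.
(defn in-memory-code-store []
  (let [codes (atom {})]
    (reify AuthorizationCodeStore
      (save-authorization-code [_ code user-id client-id redirect-uri scope nonce
                                expiry code-challenge code-challenge-method resource]
        (swap! codes assoc code
               (cond-> {:user-id user-id :client-id client-id :redirect-uri redirect-uri
                        :scope scope :nonce nonce :expiry expiry}
                 code-challenge (assoc :code-challenge code-challenge
                                       :code-challenge-method code-challenge-method)
                 resource (assoc :resource resource)))
        true)
      (get-authorization-code [_ code] (get @codes code))
      (delete-authorization-code [_ code] (swap! codes dissoc code) true))))

;; PKCE S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier))), no padding.
(defn s256 [^String verifier]
  (->> (.getBytes verifier StandardCharsets/US_ASCII)
       (.digest (MessageDigest/getInstance "SHA-256"))
       (.encodeToString (.withoutPadding (Base64/getUrlEncoder)))))

;; Exchange a code for its metadata exactly once. The code is deleted before any
;; check runs, so neither a replay nor a retry after a failed check can succeed.
;; Returns the stored metadata, or nil when the code is unknown, expired, bound to
;; a different client or redirect-uri, or fails PKCE verification.
(defn consume-authorization-code [store code client-id redirect-uri code-verifier now-ms]
  (when-let [{:keys [expiry code-challenge code-challenge-method] :as m}
             (get-authorization-code store code)]
    (delete-authorization-code store code)
    (let [pkce-ok? (case code-challenge-method
                     "S256"  (and code-verifier (= (s256 code-verifier) code-challenge))
                     "plain" (and code-verifier (= code-verifier code-challenge))
                     nil     (nil? code-challenge)  ; no PKCE was bound to this code
                     false)]
      (when (and pkce-ok? (< now-ms expiry)
                 (= client-id (:client-id m)) (= redirect-uri (:redirect-uri m)))
        m))))
```

A second call to consume-authorization-code with the same code returns nil regardless of the verifier, which is the single-use property the protocol docstring asks implementations to honour.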
ClaimsProvider
Provides user claims for ID token generation.
Implementations supply the claims map included in ID tokens based on the authenticated user and the requested scopes.
(get-claims this user-id scope)
Returns a claims map for the given user-id and scope vector.
The returned map must include at minimum :sub. Additional claims such as
:name, :email, etc. should be included based on the requested scopes.
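An added example, not the library's code, of a ClaimsProvider that always emits :sub and releases every other claim only under the scope that covers it. The defprotocol is a stand-in with the documented signature; scope->claims, directory-claims-provider and sample-users are assumed names over constructed data.

```clojure
;; Stand-in for the library's ClaimsProvider protocol (assumed to match the
;; documented signature; the real protocol lives in the library).
(defprotocol ClaimsProvider
  (get-claims [this user-id scope]))

;; Subset of the standard claims each OIDC scope releases
;; (OpenID Connect Core 1.0, section 5.4). Scopes with no entry release nothing.
(def scope->claims
  {"profile" [:name :given_name :family_name :preferred_username :picture :updated_at]
   "email"   [:email :email_verified]
   "phone"   [:phone_number :phone_number_verified]
   "address" [:address]})

;; Provider over an in-memory user directory. :sub is always emitted; any other
;; claim is released only when a scope that covers it was requested, so attributes
;; with no scope mapping (such as :role below) never reach the ID token.
(defn directory-claims-provider [users]
  (reify ClaimsProvider
    (get-claims [_ user-id scope]
      (when-let [user (get users user-id)]
        (merge {:sub user-id}
               (select-keys user (mapcat scope->claims scope)))))))

;; Constructed sample directory and a request for the openid and email scopes:
;; the result carries :sub, :email and :email_verified and nothing else.
(def sample-users
  {"alice" {:name "Alice Example" :email "alice@example.test" :email_verified true
            :phone_number "+1-555-0100" :role "admin"}})

(get-claims (directory-claims-provider sample-users) "alice" ["openid" "email"])
```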
ClientConfig
Malli schema for OAuth2/OIDC client configuration.
ClientStore
Protocol for managing OAuth2/OIDC client registrations.
(get-client this client-id)
Retrieves client configuration by client-id.
Takes an OAuth2 client identifier and looks up the client configuration. Returns the client configuration map matching the ClientConfig schema if found, or nil if the client doesn't exist.
(register-client this client-config)
Registers a new client.
Takes a client configuration map matching the ClientConfig schema. Stores the client and generates a client-id if one isn't provided. Returns the registered client configuration including the client-id.
(update-client this client-id updated-config)
Updates an existing client's configuration.
Merges updated-config into the existing client config for client-id, preserving
fields not present in updated-config. Returns the updated client config, or nil
if the client does not exist.
TokenStore
Protocol for managing access and refresh tokens.
(get-access-token this token)
Retrieves access token metadata.
Takes an access token string and looks up its associated metadata. Returns a map
with keys [:user-id :client-id :scope :expiry] if found, or nil if the token
doesn't exist or has been revoked.
(get-refresh-token this token)
Retrieves refresh token metadata.
Takes a refresh token string and looks up its associated metadata. Returns a map
with keys [:user-id :client-id :scope] if found, or nil if the token doesn't
exist or has been revoked.
(revoke-token this token)
Revokes a token.
Takes a token string (either access or refresh token) and revokes it, preventing it from being used in future requests. Returns true if revoked successfully.
(save-access-token this token user-id client-id scope expiry resource)
Saves an access token.
Takes an access token string, user identifier, OAuth2 client identifier, a vector
of scope strings, an expiration timestamp (milliseconds since epoch), and an optional
resource vector of target resource indicator URIs (per RFC 8707). Stores the token
and its metadata. Returns true if saved successfully.
(save-refresh-token this token user-id client-id scope expiry resource)
Saves a refresh token.
Takes a refresh token string, user identifier, OAuth2 client identifier, a vector
of scope strings, an optional expiration timestamp (milliseconds since epoch, or
nil for no expiry), and an optional resource vector of target resource indicator
URIs (per RFC 8707). Stores the token and its metadata. Returns true if saved
successfully.
(validate-resource-indicators resources)
Validates that each resource indicator is an absolute URI without a fragment component per RFC 8707.
Takes a vector of resource URI strings. Throws ex-info with {:error "invalid_target"}
if any URI is not absolute or contains a fragment.
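An added reference implementation of the contract documented above, written here for illustration and not taken from the library: each entry must parse as an absolute URI and carry no fragment, otherwise ex-info with {:error "invalid_target"} is thrown. The classify helper and the sample inputs are constructed for the example.

```clojure
(import '[java.net URI URISyntaxException])

;; Every entry must parse as an absolute URI (one that carries a scheme) and must
;; have no fragment component, as RFC 8707 requires; anything else is rejected with
;; the OAuth "invalid_target" error. Returns the input unchanged so callers can
;; thread it through a request-validation pipeline.
(defn validate-resource-indicators [resources]
  (doseq [r resources]
    (let [^URI uri (try (URI. ^String r) (catch URISyntaxException _ nil))]
      (when-not (and uri (.isAbsolute uri) (nil? (.getFragment uri)))
        (throw (ex-info (str "Invalid resource indicator: " r)
                        {:error "invalid_target"
                         :error_description "resource must be an absolute URI without a fragment"
                         :resource r})))))
  resources)

;; Classifies a candidate vector as :ok or by the OAuth error code it raises.
(defn classify [resources]
  (try (validate-resource-indicators resources) :ok
       (catch clojure.lang.ExceptionInfo e (:error (ex-data e)))))

;; Constructed inputs: the first vector passes; a relative path, a URI with a
;; fragment, and an unparsable string are each rejected with "invalid_target".
(mapv classify [["https://api.example.test/v1" "urn:example:calendar"]
                ["/relative/path"]
                ["https://api.example.test/#frag"]
                ["not a uri"]])
```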