Core OIDC provider setup and configuration.
(authorize provider request user-id)

Handles authorization approval after user authentication. Takes a Provider instance, a parsed authorization request, and the user ID of the user who approved the request. Generates an authorization code, stores it, and builds the redirect URL to send the user back to the client. Returns the redirect URL string.
(create-provider {:keys [issuer signing-key signing-keys active-signing-key-id
                         access-token-ttl-seconds id-token-ttl-seconds
                         authorization-code-ttl-seconds
                         refresh-token-ttl-seconds rotate-refresh-tokens clock
                         client-store code-store token-store claims-provider]
                  :as config})

Creates an OIDC provider instance. Takes a configuration map containing required keys `:issuer` (provider issuer URL), `:authorization-endpoint`, `:token-endpoint`, and `:jwks-uri`. Optional keys include `:signing-key` (RSAKey for signing tokens, generated if not provided), `:access-token-ttl-seconds` (defaults to 3600), `:id-token-ttl-seconds` (defaults to 3600), `:authorization-code-ttl-seconds` (defaults to 600), `:client-store`, `:code-store`, `:token-store` (all three store implementations created in-memory if not provided), and `:claims-provider` (required for ID token claims). Validates the configuration and returns a Provider instance with all stores and settings initialized.
(deny-authorization _provider request error-code error-description)

Handles authorization denial. Takes a Provider instance, a parsed authorization request, an OAuth2 error code, and an error description. Builds an error response and constructs the redirect URL to send the user back to the client with the error information. Returns the redirect URL string.
(discovery-metadata provider)

Returns OpenID Connect Discovery metadata for the provider. Takes a Provider instance and extracts the relevant configuration keys to build the OpenID Connect Discovery metadata document. Returns the discovery metadata map containing issuer, endpoints, supported features, and other OIDC configuration.
(dynamic-read-client provider client-id access-token)

Reads a dynamically registered client's configuration per RFC 7592. Takes a Provider instance, a `client-id`, and the bearer `access-token` presented by the caller. Returns the client configuration if the token is valid, or a 401 error response otherwise.
(dynamic-register-client provider request)

Dynamically registers a new OAuth2/OIDC client per RFC 7591. Takes a Provider instance and a registration request map in snake_case wire format. Validates the request, generates credentials, stores the client, and returns the registration response in snake_case wire format. Throws `ex-info` with `"invalid_client_metadata"` on validation errors.
(get-client provider client-id)

Retrieves a client configuration. Takes a Provider instance and a client identifier. Looks up the client configuration in the client store. Returns the client configuration map if found, or nil if the client doesn't exist.
(jwks provider)

Returns JWKS for the provider. Takes a Provider instance and generates the JSON Web Key Set containing the provider's public signing keys. Returns the JWKS map suitable for serving at the JWKS endpoint.
(parse-authorization-request provider query-string)

Parses and validates an authorization request. Takes a Provider instance and the query string from the authorization endpoint request. Validates the request parameters against the registered client configuration. Returns the validated authorization request map. Throws `ex-info` on validation errors.
Malli schema for provider setup configuration.
(register-client provider client-config)

Registers a new OAuth2/OIDC client. Takes a Provider instance and a client configuration map. Stores the client configuration in the client store and returns the registered client configuration including the generated client-id.
(registration-handler provider & opts)

Creates a Ring handler for dynamic client registration. Takes a Provider instance and optional keyword arguments forwarded to `oidc-provider.ring/registration-handler`. When `:initial-access-token` is provided, POST requests require a matching Bearer token.
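The following is an added example of wiring `discovery-metadata`, `jwks`, `registration-handler`, `parse-authorization-request`, `authorize` and `token-request` into a Ring application; it is not code from the library or its documentation. It assumes the functions above live in an `oidc-provider.core` namespace, that `:claims-provider` is a function of the user id returning ID-token claims, and that `clojure.data.json` and the standard Ring middleware (`ring.middleware.params`, `ring.middleware.keyword-params`, `ring.middleware.session`) are on the classpath. The initial access token and the `/login` route are placeholders. The point it makes: registration is gated on the initial access token, and a failed `parse-authorization-request` is rendered locally rather than redirected, because at that moment the `redirect_uri` has not been validated against the registered client.

```clojure
(ns example.ring-app
  (:require [clojure.data.json :as json]
            ;; Assumption: the functions on this page live in oidc-provider.core.
            [oidc-provider.core :as oidc]
            [ring.middleware.keyword-params :refer [wrap-keyword-params]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]))

(def issuer "https://idp.example.test")

;; Minimal provider: the four required keys plus a claims provider.
(def provider
  (oidc/create-provider
   {:issuer                 issuer
    :authorization-endpoint (str issuer "/authorize")
    :token-endpoint         (str issuer "/token")
    :jwks-uri               (str issuer "/.well-known/jwks.json")
    ;; Assumption: a function of the user id returning ID-token claims.
    :claims-provider        (fn [user-id] {:sub user-id})}))

;; RFC 7591 registration is anonymous unless gated. With :initial-access-token
;; set, POSTs must carry a matching Bearer token, so only parties holding it
;; can register redirect URIs on this issuer. The value here is a placeholder.
(def register
  (oidc/registration-handler provider
                             :initial-access-token "<PLACEHOLDER-initial-access-token>"))

(defn- json-response [status body]
  {:status  status
   ;; no-store: token and registration responses carry credentials.
   :headers {"Content-Type" "application/json" "Cache-Control" "no-store"}
   :body    (json/write-str body)})

(defn- error-body
  "OAuth2 error object for a failed token request. The page does not document
  the ex-data attached to the ex-info, so a generic error code is used."
  [e]
  {:error "invalid_request" :error_description (ex-message e)})

(defn- routes [{:keys [request-method uri query-string params headers session] :as req}]
  (case [request-method uri]
    [:get "/.well-known/openid-configuration"]
    (json-response 200 (oidc/discovery-metadata provider))

    [:get "/.well-known/jwks.json"]
    (json-response 200 (oidc/jwks provider))      ; public keys only

    [:post "/register"]
    (register req)

    [:get "/authorize"]
    (try
      (let [auth-req (oidc/parse-authorization-request provider query-string)]
        (if-let [user-id (:user-id session)]
          ;; Approved: the library builds the redirect to the registered URI.
          {:status 302 :headers {"Location" (oidc/authorize provider auth-req user-id)}}
          ;; Not authenticated yet: send to the issuer's own login page (placeholder
          ;; route; a real app also persists the pending request across login).
          {:status 302 :headers {"Location" "/login"}}))
      (catch clojure.lang.ExceptionInfo e
        ;; client_id / redirect_uri did not validate: render locally. Redirecting
        ;; here would make the issuer an open redirector.
        {:status  400
         :headers {"Content-Type" "text/plain"}
         :body    (str "invalid authorization request: " (ex-message e))}))

    [:post "/token"]
    (try
      ;; params is the wrap-params / wrap-keyword-params map the page describes;
      ;; Ring lower-cases header names, hence "authorization".
      (json-response 200 (oidc/token-request provider params (get headers "authorization")))
      (catch clojure.lang.ExceptionInfo e
        (json-response 400 (error-body e))))

    {:status 404 :headers {"Content-Type" "text/plain"} :body "not found"}))

;; Middleware order: session and params are parsed before keyword-params runs.
(def handler
  (-> routes wrap-keyword-params wrap-params wrap-session))
```

Serve `handler` with any Ring adapter. The `Cache-Control: no-store` header and the local 400 page on authorization-request failures are the two choices a reviewer would look for here.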
(token-request provider params authorization-header)

Handles token endpoint request. Takes a Provider instance, token request parameters from the form body (as produced by Ring's `wrap-params` / `wrap-keyword-params` middleware), and an optional Authorization header value for client authentication. Multi-value `resource` parameters (RFC 8707) should already be present in `params` — Ring's `wrap-params` automatically yields a vector for repeated form fields. Validates the request, exchanges the authorization code for tokens, and generates access tokens and ID tokens. Returns the token response map containing tokens and metadata. Throws `ex-info` on validation or processing errors.
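The following is an added example that drives one complete authorization-code exchange through `create-provider`, `register-client`, `parse-authorization-request`, `authorize`, `token-request` and `deny-authorization` without an HTTP layer; it is not code from the library or its documentation. Assumptions not stated on this page: the functions live in an `oidc-provider.core` namespace; `:claims-provider` is a function of the approving user's id returning ID-token claims; `register-client` accepts `:client-name` and `:redirect-uris` and returns a map with `:client-id` and `:client-secret`; and the token-request `params` use the keyword keys `wrap-keyword-params` would produce. The `query-params` and `basic-auth` helpers are constructed for the example.

```clojure
(ns example.code-flow
  (:require [clojure.string :as str]
            ;; Assumption: the functions on this page live in oidc-provider.core.
            [oidc-provider.core :as oidc])
  (:import (java.net URI URLDecoder)
           (java.util Base64)))

(def issuer "https://idp.example.test")

;; Provider with the four required keys plus explicit TTLs. The stores fall
;; back to in-memory implementations, so codes and tokens live in this JVM only.
(def provider
  (oidc/create-provider
   {:issuer                         issuer
    :authorization-endpoint         (str issuer "/authorize")
    :token-endpoint                 (str issuer "/token")
    :jwks-uri                       (str issuer "/.well-known/jwks.json")
    :authorization-code-ttl-seconds 60      ; one-shot codes should not live long
    :id-token-ttl-seconds           600
    ;; Assumption: a function of the approving user's id returning the
    ;; claims placed in the ID token.
    :claims-provider                (fn [user-id] {:sub user-id})}))

;; Assumption: register-client accepts these client-config keys; the page only
;; says it stores the map and returns it with the generated client-id.
(def client
  (oidc/register-client provider
                        {:client-name   "demo-app"
                         :redirect-uris ["https://app.example.test/callback"]}))

(defn- query-params
  "Constructed helper: the query component of a URL as a string->string map."
  [url]
  (into {}
        (for [pair (str/split (or (.getQuery (URI. url)) "") #"&")
              :when (seq pair)
              :let [[k v] (str/split pair #"=" 2)]]
          [k (URLDecoder/decode (or v "") "UTF-8")])))

(defn- basic-auth
  "Constructed helper: HTTP Basic credentials for client authentication."
  [client-id client-secret]
  (str "Basic " (.encodeToString (Base64/getEncoder)
                                 (.getBytes (str client-id ":" client-secret) "UTF-8"))))

(defn run-code-flow
  "Drive one login for user-id through the code flow and return the token response."
  [user-id]
  (let [state "opaque-per-session-state"     ; the client ties this to its session
        qs    (str "response_type=code"
                   "&client_id=" (:client-id client)
                   "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcallback"
                   "&scope=openid"
                   "&state=" state)
        ;; 1. Authorization endpoint: the request is checked against the
        ;;    registered client before the user sees anything. A failure throws
        ;;    ex-info and must be rendered locally, never bounced to the
        ;;    still-unvalidated redirect_uri.
        req      (oidc/parse-authorization-request provider qs)
        ;; 2. The user authenticated and approved; mint a code and redirect.
        redirect (oidc/authorize provider req user-id)
        params   (query-params redirect)]
    ;; The client must refuse the code if state does not match its session.
    (when-not (= state (get params "state"))
      (throw (ex-info "state mismatch" {:got (get params "state")})))
    ;; 3. Token endpoint, called by the client's backend. Keyword keys follow
    ;;    the wrap-keyword-params shape the page describes; :client-secret on
    ;;    the registration result is assumed.
    (oidc/token-request provider
                        {:grant_type   "authorization_code"
                         :code         (get params "code")
                         :redirect_uri "https://app.example.test/callback"
                         :client_id    (:client-id client)}
                        (basic-auth (:client-id client) (:client-secret client)))))

(defn decline
  "The user refused consent: send them back with a standard OAuth2 error."
  [qs]
  (let [req (oidc/parse-authorization-request provider qs)]
    (oidc/deny-authorization provider req "access_denied" "user declined consent")))

(comment
  (run-code-flow "alice"))
```

Two checks are deliberate: the `state` comparison stands in for what the relying party must do before it redeems a code, and `decline` still goes through `parse-authorization-request` first, so an error is only ever redirected to a `redirect_uri` that validated against the registered client.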