oidc-provider.authorization

Authorization endpoint implementation for OAuth2/OIDC.

AuthorizationRequest

Malli schema for authorization request parameters.

AuthorizationResponse

Malli schema for authorization response.

build-redirect-url

(build-redirect-url {:keys [redirect-uri params]})

Builds the redirect URL with query parameters.

Takes an authorization response map (from handle-authorization-approval or handle-authorization-denial) containing a redirect URI and parameters. URL-encodes the parameters and appends them to the redirect URI as query parameters, properly handling whether the URI already contains a query string. Returns the complete redirect URL string.
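
The query-string handling described above matters because `state` is client-supplied and is echoed back in the redirect. The following is an added sketch, not the library's source: `sketch-redirect-url`, `form-encode` and the sample map are hypothetical names and constructed values, and only the `{:redirect-uri ... :params ...}` shape is taken from the signature above.

```clojure
(ns example.redirect-sketch
  (:require [clojure.string :as str])
  (:import (java.net URLEncoder)))

(defn- form-encode
  "Percent-encodes one key or value (application/x-www-form-urlencoded)."
  [v]
  (URLEncoder/encode (str v) "UTF-8"))

(defn sketch-redirect-url
  "Hypothetical stand-in for the documented behaviour, not the library's code."
  [{:keys [redirect-uri params]}]
  (let [query (str/join "&"
                        (for [[k v] params
                              :when (some? v)] ; skip absent optional params
                          (str (form-encode (name k)) "=" (form-encode v))))
        sep   (cond
                (str/blank? query)               ""
                ;; the registered redirect URI already carries a query string
                (str/includes? redirect-uri "?") "&"
                :else                            "?")]
    (str redirect-uri sep query)))

;; Constructed sample: a denial response whose state value contains "&" and
;; "=". Encoding each value separately keeps those characters inside the
;; state parameter, so they cannot introduce an extra "code" parameter in
;; the URL the client receives.
(def sample-denial
  {:redirect-uri "https://client.example/cb?tenant=a"
   :params       {:error "access_denied"
                  :state "xyz&code=forged"
                  :iss   "https://op.example"}})

(println (sketch-redirect-url sample-denial))
```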

handle-authorization-approval

(handle-authorization-approval parsed-request
                               user-id
                               provider-config
                               code-store)
(handle-authorization-approval {:keys [response_type client_id redirect_uri
                                       scope state nonce code_challenge
                                       code_challenge_method resource]}
                               user-id
                               provider-config
                               code-store
                               auth-time)

Handles user approval of authorization request.

Takes a parsed authorization request (from parse-authorization-request), the user ID of the approving user, provider configuration, an AuthorizationCodeStore, and an optional auth-time (epoch seconds) indicating when the user last authenticated. When :max-age was present in the authorization request, the host application should supply auth-time so that the auth_time claim appears in the resulting ID token per OIDC Core §3.1.2.1. Returns an authorization response map containing the redirect URI and response parameters (including the code and optional state). Currently supports response_type "code"; throws ex-info for unsupported response types.

handle-authorization-denial

(handle-authorization-denial {:keys [redirect_uri state]}
                             error-code
                             error-description
                             provider-config)

Handles user denial of authorization request.

Takes a parsed authorization request, an OAuth2 error code (defaults to "access_denied" if not provided), a human-readable error description, and provider configuration. Includes the iss response parameter per RFC 9207. Returns the response map with the error, optional error description, and optional state parameter.

parse-authorization-request

(parse-authorization-request params client-store)

Validates a pre-parsed authorization request.

Takes a params map with keyword keys (as produced by Ring's wrap-params and wrap-keyword-params middleware) and a client-store implementing oidc-provider.protocol/ClientStore. Validates against AuthorizationRequest, looks up the client, and validates the redirect URI, response type, scopes, PKCE, and resource indicator parameters. Returns the validated request map.

The :resource parameter may be a string (single value) or a vector (multiple values); it is normalized to a vector. When the request has no :resource parameter and the client has a :default-resource configured, the default is applied automatically. When prompt is present, its value is parsed and validated per OIDC Core §3.1.2.1 and the result is included as :prompt-values — a set of keywords (e.g., #{:login :consent}). Throws ex-info on validation errors or if the client is unknown.

validate-max-age

(validate-max-age max-age-seconds auth-time-seconds clock)

Checks whether the user's authentication is still fresh per OIDC Core §3.1.2.1.

Takes max-age-seconds from the authorization request, auth-time-seconds (epoch seconds when the user last authenticated), and a java.time.Clock. Returns true if the elapsed time since authentication is within max-age, false if re-authentication is required.

validate-prompt-none

(validate-prompt-none {:keys [redirect_uri state prompt-values]}
                      authenticated?
                      provider-config)

Checks whether prompt=none was requested and the user is not authenticated.

Host applications should call this after resolving the user's authentication state. If :prompt-values contains :none and authenticated? is false, returns an error redirect response map with a login_required error code per OIDC Core §3.1.2.6. Returns nil when no error applies — the host app should proceed normally.
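
How the freshness check under validate-max-age and the prompt=none check combine on the host side, as an added sketch that does not call the library: `auth-fresh?` and `next-step` are hypothetical helpers, the `:max-age`, `:authenticated?` and `:auth-time` keys are assumed shapes, and the epoch values are constructed. Answering a stale session under prompt=none with login_required is this sketch's reading of OIDC Core §3.1.2.1, not documented library behaviour.

```clojure
(ns example.freshness-sketch
  (:import (java.time Clock Instant ZoneOffset)))

(defn auth-fresh?
  "True when the time elapsed since auth-time-seconds is at most max-age-seconds."
  [max-age-seconds auth-time-seconds ^Clock clock]
  (let [now     (.getEpochSecond (.instant clock))
        elapsed (- now auth-time-seconds)]
    ;; A negative elapsed time means auth-time lies in the future (clock skew
    ;; or bad input); this sketch treats that as not fresh.
    (and (<= 0 elapsed) (<= elapsed max-age-seconds))))

(defn next-step
  "Decides what the host application does before showing a consent screen."
  [{:keys [prompt-values max-age]} {:keys [authenticated? auth-time]} clock]
  (let [none?  (contains? (set prompt-values) :none)
        stale? (boolean
                (and authenticated?
                     max-age
                     ;; no recorded auth time cannot prove freshness
                     (or (nil? auth-time)
                         (not (auth-fresh? max-age auth-time clock)))))]
    (cond
      ;; prompt=none forbids showing a login page, so answer with an error
      (and none? (or (not authenticated?) stale?)) :login-required
      (or (not authenticated?) stale?)             :authenticate
      :else                                        :proceed)))

;; Constructed sample: the user logged in 600 s before "now", and the request
;; asks for max_age=300 together with prompt=none.
(def fixed-clock
  (Clock/fixed (Instant/ofEpochSecond 1700000600) ZoneOffset/UTC))

(println
 (next-step {:prompt-values #{:none} :max-age 300}
            {:authenticated? true :auth-time 1700000000}
            fixed-clock))
```

Passing a fixed `java.time.Clock`, as the documented signature allows, makes the boundary at exactly `max-age` seconds testable without sleeping.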
