
oidc-provider.core

Core OIDC provider setup and configuration.

Provides create-provider for initialization, domain functions like token-request and dynamic-register-client that return pure data, and Ring response functions like token-response, registration-response, revocation-response, and userinfo-response that return Ring response maps with plain Clojure data as bodies. Use Ring middleware such as wrap-json-response to handle JSON serialization.


authorization-error-response (clj)

(authorization-error-response provider e)

Returns a Ring response for an authorization endpoint error.

Dispatches on the :type key in ex-data via oidc-provider.error/request-error?. Non-redirectable errors (:redirect false — invalid redirect_uri or unknown client_id) return a 400 response with the error in the body. Redirectable errors build a 302 error redirect using the :redirect_uri and :state from ex-data.


authorize (clj)

(authorize provider request user-id)
(authorize provider request user-id auth-time)

Handles authorization approval after user authentication.

Takes a Provider instance, a parsed authorization request, and the user ID of the user who approved the request. Generates an authorization code, stores it, and builds the redirect URL to send the user back to the client. Optionally accepts auth-time (epoch seconds) so the auth_time claim appears in the resulting ID token per OIDC Core §3.1.2.1. Returns the redirect URL string.


create-provider (clj)

(create-provider {:keys [issuer signing-key signing-keys active-signing-key-id
                         access-token-ttl-seconds id-token-ttl-seconds
                         authorization-code-ttl-seconds
                         refresh-token-ttl-seconds rotate-refresh-tokens
                         grant-types-supported clock client-store code-store
                         token-store claims-provider allow-http-issuer]
                  :as config})

Creates an OIDC provider instance.

Takes a configuration map containing required keys :issuer (provider issuer URL), :authorization-endpoint, and :token-endpoint. Optional keys include :jwks-uri (required for OIDC; omit for plain OAuth2), :signing-key (RSAKey for signing tokens, generated if :jwks-uri is provided), :access-token-ttl-seconds (defaults to 3600), :id-token-ttl-seconds (defaults to 3600), :authorization-code-ttl-seconds (defaults to 600 per the RFC 6749 §4.1.2 maximum recommendation; shorter values are recommended for production), :client-store, :code-store, :token-store (all three store implementations created in-memory if not provided), and :claims-provider (required for ID token claims).

The issuer URL is validated per RFC 8414 §2: it must use HTTPS with no query or fragment component. Set :allow-http-issuer to true to permit HTTP issuers during local development.

Without RFC 8707 resource indicators or a client-level :default-resource setting, access tokens have no audience binding. Configure :default-resource on client registrations to scope tokens to specific resource servers by default.

Validates the configuration and returns a Provider instance with all stores and settings initialized.

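How the configuration above and the Ring response functions fit together in one small application, as an added example that is not the library's own code. It assumes the endpoint paths, a `my-claims-provider` value supplied by the application (its shape is defined by the library, not shown here), a constructed initial access token for gating registration, and the ring-json middleware the namespace docstring recommends.

```clojure
(ns example.app
  (:require [oidc-provider.core :as oidc]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.keyword-params :refer [wrap-keyword-params]]
            [ring.middleware.json :refer [wrap-json-body wrap-json-response]])
  (:import [java.security MessageDigest]))

(declare my-claims-provider) ; assumed: supplied by the app; shape defined by the library

(def provider
  (oidc/create-provider
   {:issuer                 "https://id.example.com" ; HTTPS, no query/fragment (RFC 8414 §2)
    :authorization-endpoint "https://id.example.com/authorize"
    :token-endpoint         "https://id.example.com/token"
    :jwks-uri               "https://id.example.com/jwks" ; required for OIDC; key is generated
    :access-token-ttl-seconds       900  ; library default 3600
    :id-token-ttl-seconds           900
    :authorization-code-ttl-seconds 60   ; library default 600; shorter is recommended
    :rotate-refresh-tokens          true ; key listed by create-provider; boolean assumed
    ;; :client-store/:code-store/:token-store default to in-memory and do not
    ;; survive restarts or work across several instances.
    :claims-provider my-claims-provider}))

(def initial-access-token "replace-me-with-a-random-secret") ; constructed; gates POST /register

(defn- bearer-matches? [header expected]
  ;; Constant-time comparison so the gate does not leak the token through timing.
  (boolean (and header (MessageDigest/isEqual (.getBytes ^String header "UTF-8")
                                              (.getBytes (str "Bearer " expected) "UTF-8")))))

;; Application-level gate. Only POST (new registration) is gated: GET/PUT/DELETE are
;; authenticated by the per-client registration access token inside registration-response.
(defn gate-registration [handler]
  (fn [{:keys [request-method headers] :as request}]
    (if (and (= :post request-method)
             (not (bearer-matches? (get headers "authorization") initial-access-token)))
      {:status 401 :headers {"WWW-Authenticate" "Bearer"} :body {:error "invalid_token"}}
      (handler request))))

(defn routes [request]
  (case (:uri request)
    "/.well-known/openid-configuration" {:status 200 :body (oidc/discovery-metadata provider)}
    "/jwks"     {:status 200 :body (oidc/jwks provider)}
    "/token"    (oidc/token-response provider request)
    "/userinfo" (oidc/userinfo-response provider request)
    "/register" ((gate-registration #(oidc/registration-response provider %)) request)
    {:status 404 :body {:error "not_found"}}))

(def app
  (-> routes
      wrap-keyword-params                ; runs after wrap-params: param keys become keywords
      wrap-params                        ; form/query params; repeated fields become vectors
      (wrap-json-body {:keywords? true}) ; registration bodies arrive as keyword maps
      wrap-json-response))               ; serializes the plain-data bodies to JSON
```

For local development with an `http://` issuer the config additionally needs `:allow-http-issuer true`; leave it unset in production so the RFC 8414 issuer check stays in force.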

deny-authorization (clj)

(deny-authorization {:keys [provider-config] :as _provider}
                    request
                    error-code
                    error-description)

Handles authorization denial.

Takes a Provider instance, a parsed authorization request, an OAuth2 error code, and an error description. Builds an error response and constructs the redirect URL to send the user back to the client with the error information. Returns the redirect URL string.

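A complete authorization endpoint built from parse-authorization-request, authorization-error-response, authorize and deny-authorization, as an added example that is not part of the library's documentation. It assumes a `provider` created elsewhere, a session entry `{:user-id .. :auth-time ..}` written at login, a consent form that posts `consent=deny`, and the `wrap-params` / `wrap-keyword-params` middleware named above.

```clojure
(ns example.authorize
  (:require [oidc-provider.core :as oidc]
            [ring.util.response :as resp])
  (:import [clojure.lang ExceptionInfo]
           [java.net URLEncoder]))

(declare provider) ; assumed: created with oidc/create-provider elsewhere

(defn- current-user
  "Assumed session layout: {:user-id \"...\" :auth-time <epoch seconds>} set at login."
  [request]
  (get-in request [:session :user]))

(defn authorization-handler
  "GET/POST /authorize. Params must already be keywordized (wrap-params + wrap-keyword-params).
   The consent form that posts here needs CSRF protection (e.g. ring-anti-forgery), not shown."
  [{:keys [params uri query-string] :as request}]
  (let [parsed (try (oidc/parse-authorization-request provider params)
                    (catch ExceptionInfo e e))]
    (cond
      ;; Validation failed. The library decides whether the error may be redirected:
      ;; an unknown client_id or a redirect_uri that does not match the registration
      ;; gets a 400 so the user is never bounced to an unvalidated URI; anything else
      ;; becomes a 302 carrying error and state back to the registered redirect_uri.
      (instance? ExceptionInfo parsed)
      (oidc/authorization-error-response provider parsed)

      ;; No authenticated user yet: go to the login page, then come back here.
      (nil? (current-user request))
      (resp/redirect (str "/login?return_to="
                          (URLEncoder/encode (str uri "?" query-string) "UTF-8")))

      ;; The user rejected the request on the consent page (assumed consent=deny).
      (= "deny" (:consent params))
      (resp/redirect (oidc/deny-authorization provider parsed "access_denied"
                                              "The resource owner denied the request"))

      :else
      (let [{:keys [user-id auth-time]} (current-user request)]
        ;; Passing auth-time puts the auth_time claim in the ID token (OIDC Core
        ;; §3.1.2.1), which is what lets clients enforce max_age; fall back to the
        ;; 3-arity form when the session did not record it.
        (resp/redirect (if auth-time
                         (oidc/authorize provider parsed user-id auth-time)
                         (oidc/authorize provider parsed user-id)))))))
```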

discovery-metadata (clj)

(discovery-metadata provider)

Returns OpenID Connect Discovery metadata for the provider.

Takes a Provider instance and extracts the relevant configuration keys to build the OpenID Connect Discovery metadata document. Returns the discovery metadata map containing issuer, endpoints, supported features, and other OIDC configuration.


dynamic-delete-client (clj)

(dynamic-delete-client provider client-id access-token)

Deregisters a dynamically registered client per RFC 7592 §2.3.

Takes a Provider instance, a client-id, and the bearer access-token. Returns nil on success. Throws ex-info with "invalid_token" on auth failure.


dynamic-read-client (clj)

(dynamic-read-client provider client-id access-token)

Reads a dynamically registered client's configuration per RFC 7592.

Takes a Provider instance, a client-id, and the bearer access-token presented by the caller. Returns the client configuration map if the token is valid. Throws ex-info with "invalid_token" when the client is unknown or the token does not match.


dynamic-register-client (clj)

(dynamic-register-client provider request)

Dynamically registers a new OAuth2/OIDC client per RFC 7591.

Takes a Provider instance and a registration request map in snake_case wire format. Validates the request, generates credentials, stores the client, and returns the registration response in snake_case wire format. Throws ex-info with "invalid_client_metadata" on validation errors.


dynamic-update-client (clj)

(dynamic-update-client provider client-id access-token body)

Updates a dynamically registered client's metadata per RFC 7592 §2.2.

Takes a Provider instance, a client-id, the bearer access-token, and the updated metadata body map. Returns the updated client configuration. Throws ex-info with "invalid_token" on auth failure or "invalid_client_metadata" on validation errors.


get-client (clj)

(get-client provider client-id)

Retrieves a client configuration.

Takes a Provider instance and a client identifier. Looks up the client configuration in the client store. Returns the client configuration map if found, or nil if the client doesn't exist.


jwks (clj)

(jwks provider)

Returns JWKS for the provider.

Takes a Provider instance and generates the JSON Web Key Set containing the provider's public signing keys. Returns the JWKS map suitable for serving at the JWKS endpoint.


parse-authorization-request (clj)

(parse-authorization-request provider params)

Validates an authorization request.

Takes a Provider instance and a params map with keyword keys (as produced by Ring's wrap-params and wrap-keyword-params middleware). Validates the request parameters against the registered client configuration. Returns the validated authorization request map. Throws ex-info on validation errors.


ProviderSetup (clj)

Malli schema for provider setup configuration.


register-client (clj)

(register-client provider client-config)

Registers a new OAuth2/OIDC client.

Takes a Provider instance and a client configuration map that must conform to the oidc-provider.protocol/ClientRegistration schema. Throws AssertionError if the config is invalid. Stores the client in the client store and returns the registered client configuration including the generated client-id.


registration-response (clj)

(registration-response provider request)

Returns a Ring response for dynamic client registration (RFC 7591) and client configuration management (RFC 7592).

Dispatches on HTTP method: POST for registration, GET for client read, PUT for client metadata update, and DELETE for deregistration. Takes a Provider instance and a Ring request whose :body has already been parsed to a keyword map (e.g. via wrap-json-body or wrap-keyword-params). To gate registration access, use application-level middleware.


revocation-response (clj)

(revocation-response provider request)

Returns a Ring response for RFC 7009 token revocation.

Only accepts POST requests with application/x-www-form-urlencoded content type. Returns 200 on success, 400 for missing token, or 401 on auth failure.


RingRequest (clj)

Malli schema for an incoming Ring request map.


RingResponse (clj)

Malli schema for an outgoing Ring response map.


token-request (clj)

(token-request provider params authorization-header)

Handles a token endpoint request.

Takes a Provider instance, token request parameters from the form body (as produced by Ring's wrap-params / wrap-keyword-params middleware), and an optional Authorization header value for client authentication. Multi-value resource parameters (RFC 8707) should already be present in params — Ring's wrap-params automatically yields a vector for repeated form fields. Validates the request, exchanges the authorization code for tokens, and generates access tokens and ID tokens. Returns the token response map containing tokens and metadata. Throws ex-info on validation or processing errors.


token-response (clj)

(token-response provider request)

Returns a Ring response for the OAuth2 token endpoint (RFC 6749 §3.2).

Only accepts POST requests with application/x-www-form-urlencoded content type. Success responses include Cache-Control: no-store and Pragma: no-cache headers per RFC 6749 §5.1.


userinfo-response (clj)

(userinfo-response provider request)

Returns a Ring response for the OIDC UserInfo endpoint (OIDC Core §5.3).

Accepts GET and POST requests with a Bearer token in the Authorization header. Looks up the access token, validates expiry, retrieves user claims filtered by the token's scope, and returns them as a Clojure map.

