Token generation and validation using Nimbus OAuth SDK.
(generate-access-token)
Generates a bearer access token and returns its string value.
(generate-authorization-code)
Generates a cryptographically random authorization code using the Nimbus SDK `AuthorizationCode` class, which produces a 256-bit `SecureRandom` base64url value.
(generate-id-token
  {:keys [issuer key-set active-signing-key-id id-token-ttl-seconds clock]
   :as config}
  user-id
  client-id
  claims
  {:keys [nonce auth-time azp access-token additional-audiences]})
Generates a signed OIDC ID token as a JWT string. Takes a `provider-config` map (matching the `ProviderConfig` schema), a `user-id` (set as the `sub` claim), a `client-id` (set as the `aud` claim), a `claims` map of additional claims to include, and an `opts` map supporting `:nonce` for replay protection, `:auth-time` for the authentication timestamp, `:azp` to include the authorized party claim per OIDC Core §2, `:access-token` to compute the `at_hash` claim per OIDC Core §3.1.3.6, and `:additional-audiences` for multi-audience tokens. When `:additional-audiences` is provided, the `aud` claim contains the `client-id` plus the additional audiences (deduplicated), and `azp` is set automatically.
(generate-refresh-token)
Generates a cryptographically random refresh token using the Nimbus SDK `RefreshToken` class, which produces a 256-bit `SecureRandom` base64url value.
(generate-rsa-key)
(generate-rsa-key key-size)
Generates an RSA key pair for signing tokens. The `key-size` parameter specifies the key size in bits and defaults to 2048 when called with no arguments. Returns an `RSAKey` instance configured for signature use.
(jwks {:keys [key-set] :as config})
Returns the JWKS (JSON Web Key Set) for the given `provider-config` as a map with a `:keys` vector containing the public keys in JWK format, suitable for exposing at the `jwks_uri` discovery endpoint.
(normalize-to-jwk-set key-or-set)
Normalizes a key input to a `JWKSet`. If the input is already a `JWKSet`, it passes through unchanged. If it is a single `RSAKey`, it wraps it in a one-element `JWKSet`.
Malli schema for OIDC provider configuration.
(validate-id-token {:keys [issuer key-set clock] :as config}
                   token
                   expected-client-id)
Validates an ID token's signature and claims against the given `provider-config`. Verifies that the `token` string was signed with a key from the provider's key set, that the issuer matches, that `expected-client-id` appears in the audience list (supporting both single and multi-audience tokens), and that the token has not expired. Returns the validated claims as a keyword map, or throws `ex-info` on failure.
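As an added illustration, not code from the documented namespace, the following Python reproduces two behaviours described for `generate-id-token` and `validate-id-token`: the `at_hash` derivation from OIDC Core §3.1.3.6, and the relying-party checks on the `aud`/`azp` claims emitted for multi-audience tokens. It goes one step beyond the documented audience check by also applying the `azp` rules of OIDC Core §3.1.3.7; the access token and client identifiers are constructed sample values.

```python
import base64
import hashlib
import hmac

# Hash underlying each JWS alg: OIDC Core §3.1.3.6 derives at_hash with the hash
# of the ID token's alg header (SHA-256 for RS256). Only the RSA algs are listed.
_HASH_FOR_ALG = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


def at_hash(access_token, alg="RS256"):
    """base64url(left-most half of HASH(ASCII(access_token))), without padding."""
    digest = hashlib.new(_HASH_FOR_ALG[alg], access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def build_audience_claims(client_id, additional_audiences=()):
    """Mirror the documented aud/azp behaviour: aud is client_id plus the extra
    audiences (deduplicated, order kept); azp is set only when extras exist."""
    aud = []
    for entry in (client_id, *additional_audiences):
        if entry not in aud:
            aud.append(entry)
    if len(aud) == 1:
        return {"aud": client_id}
    return {"aud": aud, "azp": client_id}


def check_id_token_claims(claims, expected_client_id, access_token=None, alg="RS256"):
    """Relying-party checks on the claims described above:
    - expected_client_id must appear in aud (a string or a list);
    - a multi-audience token must carry azp naming this client
      (OIDC Core §3.1.3.7, rules 4 and 5);
    - when the access token is supplied, at_hash must match it (constant-time).
    Signature, issuer and expiry checks are out of scope here."""
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_client_id not in audiences:
        return False
    if len(audiences) > 1 and claims.get("azp") != expected_client_id:
        return False
    if access_token is not None:
        return hmac.compare_digest(str(claims.get("at_hash", "")),
                                   at_hash(access_token, alg))
    return True
```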