Token endpoint implementation for OAuth2/OIDC.
(authenticate-client params authorization-header client-store)

Authenticates an OAuth2 client from request parameters or Basic auth header. Resolves the client identity from `params` (`:client_id` / `:client_secret`) or the `authorization-header` (HTTP Basic), looks the client up in `client-store`, and verifies credentials. Returns the client config map on success. Throws `ex-info` on missing, unknown, or mismatched credentials.
Default grant types when `:grant-types-supported` is not configured.
(handle-authorization-code-grant {:keys [code redirect_uri code_verifier]}
                                 client
                                 provider-config
                                 code-store
                                 token-store
                                 claims-provider)

Exchanges an authorization code for tokens per RFC 6749 §4.1.3. Validates the client is authorized for the `authorization_code` grant, verifies the code against `code-store`, checks redirect URI and PKCE, then issues access, refresh, and (when `openid` scope is present) ID tokens via `token-store` and `claims-provider`. Returns a token response map.
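The redirect URI and PKCE checks mentioned above, written out as an added example. This is illustrative code, not the library's own implementation: it assumes the S256 challenge method (RFC 7636 §4.2), takes a constructed `code-record` map in place of whatever `code-store` actually returns, and uses hypothetical names (`s256-challenge`, `check-code-binding`).

```clojure
(ns example.pkce
  (:require [clojure.string :as str])
  (:import [java.security MessageDigest]
           [java.util Base64]))

;; Hypothetical helper: the S256 code challenge for a verifier,
;; BASE64URL(SHA-256(verifier)) with no padding (RFC 7636 §4.2).
(defn s256-challenge [^String code-verifier]
  (let [digest (.digest (MessageDigest/getInstance "SHA-256")
                        (.getBytes code-verifier "US-ASCII"))]
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) digest)))

;; Constant-time comparison so a mismatch does not leak the position of
;; the first differing byte through timing.
(defn constant-time-equal? [^String a ^String b]
  (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))

;; `code-record` stands in for the stored authorization code: the redirect
;; URI and code challenge that were bound to it at the authorization
;; endpoint. The redirect URI must match exactly (no normalisation), a code
;; issued with a challenge must be redeemed with a verifier, and the
;; verifier must hash to the stored challenge. Returns a keyword naming
;; the outcome so the caller can map it to an OAuth2 error response.
(defn check-code-binding [code-record {:keys [redirect_uri code_verifier]}]
  (cond
    (not= (:redirect-uri code-record) redirect_uri)
    :invalid-redirect-uri

    (and (:code-challenge code-record) (str/blank? code_verifier))
    :missing-code-verifier

    (and (:code-challenge code-record)
         (not (constant-time-equal? (s256-challenge code_verifier)
                                    (:code-challenge code-record))))
    :pkce-mismatch

    :else :ok))

(comment
  ;; Constructed sample data; the verifier is the one from RFC 7636 Appendix B.
  (def verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
  (def record {:redirect-uri   "https://client.example/cb"
               :code-challenge (s256-challenge verifier)})
  (check-code-binding record {:redirect_uri  "https://client.example/cb"
                              :code_verifier verifier})
  (check-code-binding record {:redirect_uri  "https://client.example/cb"
                              :code_verifier "not-the-verifier"}))
```

Single-use and expiry of the code itself are the store's job and are not shown here; every outcome other than `:ok` should be reported to the client as the same `invalid_grant` error, with the specific reason kept for server-side logs.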
(handle-client-credentials-grant {:keys [scope resource]}
                                 client
                                 provider-config
                                 token-store)

Issues an access token for the client itself per RFC 6749 §4.4. Validates the client is authorized for the `client_credentials` grant and is confidential, resolves the requested scope against the client's allowed scopes, and stores the token via `token-store`. When no `resource` parameter is present in the request and the client has a `:default-resource` configured, the default is used for audience binding. Returns a token response map.
(handle-refresh-token-grant {:keys [refresh_token scope resource]}
                            client
                            provider-config
                            token-store)

Issues a new access token from a refresh token per RFC 6749 §6. Validates the client is authorized for the `refresh_token` grant, verifies the token against `token-store`, enforces scope down-scoping and resource constraints, and optionally rotates the refresh token. Returns a token response map.
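Both the client-credentials and refresh-token entries above resolve a requested scope against an upper bound and pick an audience from the `resource` parameter or the client's `:default-resource`. The following added example shows one way to do that; it is not the library's code, the function names (`resolve-scope`, `resolve-resources`) are hypothetical, and the client map is constructed for illustration.

```clojure
(ns example.scope
  (:require [clojure.set :as cset]
            [clojure.string :as str]))

;; Splits a space-delimited scope string (RFC 6749 §3.3) into a set.
(defn parse-scope [s]
  (if (str/blank? s) #{} (set (str/split (str/trim s) #"\s+"))))

;; Renders a scope set in the form used by the token response.
(defn render-scope [scopes]
  (str/join " " (sort scopes)))

;; `requested` is the request's scope parameter (nil when omitted) and
;; `allowed` is the upper bound: the client's configured scopes for
;; client_credentials, or the scope originally granted for refresh_token.
;; An omitted scope means "everything allowed". Anything outside the bound
;; is rejected with invalid_scope rather than silently dropped, so a client
;; never ends up holding a narrower grant than it believes it requested.
(defn resolve-scope [requested allowed]
  (let [allowed   (set allowed)
        requested (parse-scope requested)
        extra     (cset/difference requested allowed)]
    (cond
      (empty? requested) allowed
      (seq extra)        (throw (ex-info "invalid_scope"
                                         {:error "invalid_scope" :rejected extra}))
      :else              requested)))

;; Normalises the RFC 8707 resource parameter: Ring delivers one repeated
;; form field as a string and several as a vector. With no resource in the
;; request, the client's :default-resource (if any) is used. For
;; refresh_token, `granted` is the audience the original grant carried and
;; the new token may not name a resource outside it (RFC 8707 §2 calls
;; that error invalid_target).
(defn resolve-resources
  ([resource client] (resolve-resources resource client nil))
  ([resource client granted]
   (let [requested (cond (nil? resource)    []
                         (string? resource) [resource]
                         :else              (vec resource))
         resources (cond (seq requested)            requested
                         (:default-resource client) [(:default-resource client)]
                         :else                      [])
         extra     (when granted
                     (cset/difference (set resources) (set granted)))]
     (when (seq extra)
       (throw (ex-info "invalid_target"
                       {:error "invalid_target" :rejected extra})))
     resources)))

(comment
  ;; Constructed sample client.
  (def client {:client-id        "svc"
               :scopes           #{"read" "write"}
               :default-resource "https://api.example"})
  ;; client_credentials: bounded by the client's configured scopes and
  ;; falling back to the default resource for the audience.
  (render-scope (resolve-scope "read" (:scopes client)))
  (resolve-resources nil client)
  ;; refresh_token: bounded by what the original grant carried.
  (resolve-scope "read" #{"read" "write"})
  (resolve-resources "https://api.example" client ["https://api.example"]))
```

Whether an out-of-bounds scope should be rejected or silently narrowed is a policy choice; RFC 6749 §3.3 permits either, but rejecting makes a misconfigured client visible immediately instead of failing later with a 403 at the resource server.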
(handle-token-request params
                      authorization-header
                      provider-config
                      client-store
                      code-store
                      token-store
                      claims-provider)

Handles token endpoint requests. Takes the parsed `params` map (as produced by Ring's `wrap-params` and `wrap-keyword-params` middleware), the `authorization-header` for client authentication, and the usual provider stores. Multi-value `resource` parameters (RFC 8707) should already be present in `params` as a string or vector — Ring's `wrap-params` handles this automatically for repeated form fields. Validates the request, authenticates the client, and dispatches to the appropriate grant handler. Returns a token response map. Throws `ex-info` on validation or processing errors.
(parse-basic-auth authorization-header)

Parses an HTTP Basic Authorization header into client credentials. Decodes the Base64-encoded `client_id:client_secret` pair from the header value. Returns a map with `:client-id` and `:client-secret` keys, or `nil` when the header is absent, not a Basic scheme, or malformed.
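An added example covering both `parse-basic-auth` and `authenticate-client` as described above. It is not the library's implementation: `client-store` is assumed here to be a plain map from client id to client config holding the secret directly (a production store would hold a hash and compare against that), and the header parser follows RFC 6749 §2.3.1, where the id and secret are form-urlencoded before being joined with `:` and Base64-encoded.

```clojure
(ns example.client-auth
  (:require [clojure.string :as str])
  (:import [java.net URLDecoder]
           [java.security MessageDigest]
           [java.util Base64]))

;; Returns {:client-id .. :client-secret ..} or nil for an absent header,
;; a non-Basic scheme, bad Base64, or a payload without a ":" separator.
(defn parse-basic-auth [authorization-header]
  (when (string? authorization-header)
    (let [[scheme encoded] (str/split (str/trim authorization-header) #"\s+" 2)]
      (when (and encoded (.equalsIgnoreCase "Basic" scheme))
        (try
          (let [decoded (String. (.decode (Base64/getDecoder) ^String encoded) "UTF-8")
                idx     (str/index-of decoded ":")]
            (when idx
              {:client-id     (URLDecoder/decode (subs decoded 0 idx) "UTF-8")
               :client-secret (URLDecoder/decode (subs decoded (inc idx)) "UTF-8")}))
          ;; thrown by both the Base64 decoder and URLDecoder on malformed input
          (catch IllegalArgumentException _ nil))))))

;; Constant-time comparison so secret verification does not leak the
;; position of the first differing byte through timing.
(defn- constant-time-equal? [^String a ^String b]
  (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))

;; Resolves credentials from the Basic header or the form parameters.
;; RFC 6749 §2.3.1 forbids using both in one request, so that is rejected.
;; Every authentication failure is reported to the client as invalid_client;
;; the :reason key is for server-side logs only and must not reach the
;; response body, or it would distinguish unknown ids from wrong secrets.
(defn authenticate-client [params authorization-header client-store]
  (let [from-header (parse-basic-auth authorization-header)
        from-params (when (:client_id params)
                      {:client-id     (:client_id params)
                       :client-secret (:client_secret params)})]
    (when (and from-header from-params)
      (throw (ex-info "invalid_request"
                      {:error "invalid_request"
                       :reason "multiple client authentication methods"})))
    (let [{:keys [client-id client-secret]} (or from-header from-params)
          client (get client-store client-id)]
      (when (str/blank? client-id)
        (throw (ex-info "invalid_client" {:error "invalid_client" :reason "missing client_id"})))
      (when (nil? client)
        (throw (ex-info "invalid_client" {:error "invalid_client" :reason "unknown client"})))
      ;; Confidential clients (those with a stored secret) must present it;
      ;; public clients are identified by client_id alone.
      (when (and (:client-secret client)
                 (not (and client-secret
                           (constant-time-equal? client-secret (:client-secret client)))))
        (throw (ex-info "invalid_client" {:error "invalid_client" :reason "secret mismatch"})))
      client)))

(comment
  ;; Constructed sample store and header ("svc:s3cret" Base64-encoded).
  (def store {"svc" {:client-id "svc" :client-secret "s3cret" :confidential? true}
              "spa" {:client-id "spa" :confidential? false}})
  (parse-basic-auth "Basic c3ZjOnMzY3JldA==")
  (authenticate-client {} "Basic c3ZjOnMzY3JldA==" store)
  (authenticate-client {:client_id "spa"} nil store))
```

When the header is present but malformed, `parse-basic-auth` returns `nil` and the request falls through to the form parameters; if those are absent too, the result is `invalid_client` with reason "missing client_id", which is the behaviour the docstring above describes.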
Malli schema for token request parameters.
Malli schema for token response.