private_key_jwt client authentication verification (RFC 7523 / OIDC Core).
The host owns client registration and key storage. This module only verifies a compact client assertion against trusted client JWKs supplied by the host and checks the standard claims:
- iss and sub equal the OAuth client_id
- aud contains the expected token endpoint/audience
- exp is in the future
- iat, when present, is not meaningfully in the future
- jti is present for replay tracking by the caller
The JOSE algorithm is resolved from the trusted JWK's alg member when
present, otherwise from the key shape. It is never accepted just because the
presented JWT header names it.
Summary
Functions
The required client_assertion_type value for private_key_jwt.
Peek iss from an assertion without trusting it.
Verify a client assertion against the client's trusted JWK Set.
Types
@type verify_error() ::
:invalid_assertion
| :invalid_signature
| :invalid_client_id
| :invalid_audience
| :expired
| :not_yet_valid
| :missing_jti
| :unsupported_critical_header
@type verify_opts() :: [ now: DateTime.t() | non_neg_integer(), max_lifetime: pos_integer(), accepted_algs: [Attesto.SigningAlg.alg()] ]
Functions
@spec assertion_type() :: String.t()
The required client_assertion_type value for private_key_jwt.
Peek iss from an assertion without trusting it.
@spec verify( String.t(), String.t(), String.t() | [String.t()], map() | [map()] | map(), verify_opts() ) :: {:ok, map()} | {:error, verify_error()}
Verify a client assertion against the client's trusted JWK Set.
trusted_jwks may be an RFC 7517 JWK Set (%{"keys" => [...]}), a single
public JWK map, or a list of public JWK maps.
Opts:
:accepted_algs - the JOSE algorithms a candidate trusted key may use. Defaults to SigningAlg.fapi_algs/0 (PS256, ES256, EdDSA), keeping the FAPI 2 client-authentication gate. A non-FAPI profile can widen this.
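As an added example (not this module's code), the header and claim rules above carried out in Python: the algorithm is derived from the trusted JWK and the header's alg is only compared against it, and each failed check maps to one of the verify_error() names. Signature verification is left to the caller; the key-shape defaults, the 60 s skew allowance, the max_lifetime error mapping and the helper names are assumptions.

```python
import base64
import json
import time

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_assertion(header, claims):
    """Constructed test input: header.payload plus a placeholder signature (nothing is signed)."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), "sig"])

def resolve_alg(jwk):
    """Take alg from the trusted JWK when present, else from the key shape (defaults assumed)."""
    if "alg" in jwk:
        return jwk["alg"]
    kty, crv = jwk.get("kty"), jwk.get("crv")
    if kty == "RSA":
        return "PS256"
    if kty == "EC" and crv == "P-256":
        return "ES256"
    if kty == "OKP" and crv == "Ed25519":
        return "EdDSA"
    return None

def check_assertion(assertion, client_id, expected_aud, trusted_jwk, now=None,
                    max_lifetime=300, accepted_algs=("PS256", "ES256", "EdDSA")):
    """Return ("ok", claims) or ("error", name); the caller verifies the signature with trusted_jwk."""
    now = int(time.time()) if now is None else now
    try:
        h, p, _sig = assertion.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:  # bad base64url, bad JSON or wrong segment count
        return ("error", "invalid_assertion")
    if header.get("crit"):
        return ("error", "unsupported_critical_header")
    alg = resolve_alg(trusted_jwk)  # never taken from the header
    if alg not in accepted_algs or header.get("alg") != alg:
        return ("error", "invalid_signature")  # assumed mapping for a header/key mismatch
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return ("error", "invalid_client_id")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return ("error", "invalid_audience")
    exp, iat = claims.get("exp"), claims.get("iat", now)
    if not isinstance(exp, int) or exp <= now or exp - iat > max_lifetime:
        return ("error", "expired")  # over-long lifetime treated as expired (assumed)
    if iat > now + 60:  # small clock-skew allowance (assumed)
        return ("error", "not_yet_valid")
    if not claims.get("jti"):
        return ("error", "missing_jti")
    return ("ok", claims)
```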