Attesto.RequestObject.Policy (Attesto v0.6.13)


Verification policy for signed authorization request objects (JAR, RFC 9101).

Policy expressed as data the caller passes to Attesto.AuthorizationRequest.validate/2, which threads it into Attesto.RequestObject.verify/3. The default %Policy{} is the generic OpenID Connect §6.1 / RFC 9101 baseline (a signed request object is verified, but nbf/exp/typ are not required). The FAPI 2.0 Message Signing §5.3.1 profile is the named fapi_message_signing/0 constructor - profile data, not a feature flag and not a backwards-compatibility shim.

Summary

Functions

fapi_message_signing() - The FAPI 2.0 Message Signing §5.3.1 profile for signed request objects: request object required, nbf/exp required and bounded, typ pinned.

generic() - The generic OpenID Connect §6.1 / RFC 9101 baseline: a signed request object is verified, but nbf/exp/typ are not required. Equivalent to %Policy{}.

require_request_object?(policy) - Whether this policy requires the authorization request to carry a signed request object (FAPI 2.0 Message Signing §5.3.1). When true, a request that presents no request object is rejected rather than processed from its plain parameters.

to_verify_opts(policy) - Flatten the policy to Attesto.RequestObject.verify/3 options, dropping nil-valued fields (so verify/3 keeps its own defaults, notably accepted_algs, which defaults to Attesto.SigningAlg.fapi_algs/0) and dropping the presence-only field :require_request_object, which is not a verification option.

Types

t()

@type t() :: %Attesto.RequestObject.Policy{
  accepted_algs: [Attesto.SigningAlg.alg()] | nil,
  accepted_typ: [String.t() | nil] | nil,
  max_lifetime_seconds: pos_integer() | nil,
  max_nbf_age_seconds: pos_integer() | nil,
  require_exp: boolean(),
  require_nbf: boolean(),
  require_request_object: boolean()
}

Functions

fapi_message_signing()

@spec fapi_message_signing() :: t()

The FAPI 2.0 Message Signing §5.3.1 profile for signed request objects:

  • a signed request object is REQUIRED - an authorization request that carries none is rejected (FAPI 2.0 Message Signing §5.3.1, which mandates that clients send the request as a signed JWT);
  • nbf REQUIRED, no more than 60 minutes in the past;
  • exp REQUIRED, no more than 60 minutes after nbf;
  • JOSE header typ must be "oauth-authz-req+jwt".

accepted_algs is left nil to inherit Attesto.RequestObject.verify/3's default (Attesto.SigningAlg.fapi_algs/0: PS256, ES256, EdDSA).

Note: pinning typ to exactly "oauth-authz-req+jwt" (rejecting an absent or other typ) is stricter than §5.3.1's literal "shall accept that typ"; it is the RFC 9101 §10.8 explicit-typing defence against cross-JWT confusion, and is what the FAPI conformance suite exercises. A deployment wanting the softer reading can build a %Policy{} with accepted_typ: ["oauth-authz-req+jwt", nil].

generic()

@spec generic() :: t()

The generic OpenID Connect §6.1 / RFC 9101 baseline: a signed request object is verified, but nbf/exp/typ are not required. Equivalent to %Policy{}.

require_request_object?(policy)

@spec require_request_object?(t()) :: boolean()

Whether this policy requires the authorization request to carry a signed request object (FAPI 2.0 Message Signing §5.3.1). When true, a request that presents no request object is rejected rather than processed from its plain parameters.

to_verify_opts(policy)

@spec to_verify_opts(t()) :: keyword()

Flatten the policy to Attesto.RequestObject.verify/3 options. Two kinds of field are dropped: nil-valued fields, so that verify/3 keeps its own defaults (notably accepted_algs, which defaults to Attesto.SigningAlg.fapi_algs/0), and the presence-only field :require_request_object, which governs whether a request object must be present at all and is not a verification option. The result is a keyword list containing only the explicitly set verification fields.
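The following is an added example, not code from the Attesto project. It covers two passages above: choosing and deriving policies (the fapi_message_signing/0 docs, including the softer accepted_typ variant from the note) and flattening with to_verify_opts/1. It assumes Attesto v0.6.13 is a dependency and that Attesto.AuthorizationRequest.validate/2 takes the parsed request parameters first and the policy second (an assumption about argument order; check that function's docs). The check_claims/4 function is an illustrative re-implementation of the claim rules the policy fields encode, written so the mapping from fields to checks is visible; it is not Attesto's verify/3 and does no signature verification, which must happen before these checks are meaningful.

```elixir
# Added example, not part of Attesto. Assumes Attesto v0.6.13 is available.
defmodule MyAS.RequestObjectPolicies do
  alias Attesto.RequestObject.Policy

  # Strict FAPI 2.0 Message Signing profile: request object required, typ pinned.
  def fapi, do: Policy.fapi_message_signing()

  # The softer reading from the docs: same nbf/exp bounds, but an absent typ is tolerated.
  def fapi_lenient_typ do
    %Policy{fapi() | accepted_typ: ["oauth-authz-req+jwt", nil]}
  end

  # Illustrative re-implementation (NOT Attesto.RequestObject.verify/3) of the claim checks
  # a policy's fields describe. `header` and `claims` are the decoded JOSE header and payload
  # of an already-signature-verified JWT; `now` is Unix seconds. No clock-skew leeway is modelled.
  def check_claims(%Policy{} = policy, header, claims, now) do
    with :ok <- check_typ(policy.accepted_typ, header["typ"]),
         :ok <- check_nbf(policy, claims["nbf"], now),
         :ok <- check_exp(policy, claims["nbf"], claims["exp"], now) do
      :ok
    end
  end

  # accepted_typ nil: typ is not checked. Otherwise typ (possibly nil) must be in the list.
  defp check_typ(nil, _typ), do: :ok
  defp check_typ(accepted, typ), do: if(typ in accepted, do: :ok, else: {:error, :typ_not_accepted})

  defp check_nbf(%Policy{require_nbf: true}, nil, _now), do: {:error, :nbf_required}
  defp check_nbf(_policy, nil, _now), do: :ok

  defp check_nbf(%Policy{max_nbf_age_seconds: max}, nbf, now) when is_integer(nbf) do
    cond do
      nbf > now -> {:error, :not_yet_valid}
      is_integer(max) and now - nbf > max -> {:error, :nbf_too_old}
      true -> :ok
    end
  end

  defp check_nbf(_policy, _nbf, _now), do: {:error, :nbf_invalid}

  defp check_exp(%Policy{require_exp: true}, _nbf, nil, _now), do: {:error, :exp_required}
  defp check_exp(_policy, _nbf, nil, _now), do: :ok

  # Lifetime is measured from nbf, as FAPI 2.0 Message Signing §5.3.1 phrases it
  # ("no more than 60 minutes after nbf"); a policy with max_lifetime_seconds but no nbf
  # present cannot bound the lifetime and is accepted here only on the exp > now test.
  defp check_exp(%Policy{max_lifetime_seconds: max}, nbf, exp, now) when is_integer(exp) do
    cond do
      exp <= now -> {:error, :expired}
      is_integer(max) and is_integer(nbf) and exp - nbf > max -> {:error, :lifetime_too_long}
      true -> :ok
    end
  end

  defp check_exp(_policy, _nbf, _exp, _now), do: {:error, :exp_invalid}

  # Constructed sample input (not captured traffic): what a conformant client would send.
  def demo do
    now = System.os_time(:second)
    header = %{"alg" => "PS256", "typ" => "oauth-authz-req+jwt"}

    claims = %{
      "iss" => "client-123",
      "aud" => "https://as.example",
      "nbf" => now - 5,
      "exp" => now + 300
    }

    :ok = check_claims(fapi(), header, claims, now)

    # Same object with typ absent: rejected by the strict profile, accepted by the lenient one.
    untyped = Map.delete(header, "typ")
    {:error, :typ_not_accepted} = check_claims(fapi(), untyped, claims, now)
    :ok = check_claims(fapi_lenient_typ(), untyped, claims, now)

    # Lifetime longer than the profile's bound is rejected regardless of typ.
    {:error, :lifetime_too_long} =
      check_claims(fapi(), header, %{claims | "exp" => now + 2 * 3600}, now)

    # In the real flow the struct goes to the library, e.g. (argument order assumed):
    #   Attesto.AuthorizationRequest.validate(params, fapi())
    # Its flattening (what verify/3 sees) contains no :require_request_object key:
    Policy.to_verify_opts(fapi_lenient_typ())
  end
end
```

Note that check_claims/4 deliberately keeps accepted_typ semantics identical to the documented struct: a list containing nil admits an untyped JWT, while the strict profile's list does not. If you relax typ, RFC 9101 §10.8's cross-JWT confusion defence is the thing you are giving up, so do it only where a legacy client population forces it.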