Attesto.OpenIDDiscovery (Attesto v0.6.5)

OpenID Connect Discovery 1.0 - OpenID Provider Metadata (§3).

Build the JSON document a Relying Party fetches from /.well-known/openid-configuration to discover the OpenID Provider: its endpoints, the response/grant types it supports, the signing algorithms it uses for ID Tokens, and the scopes and claims it can return.

This module builds on Attesto.Discovery rather than adding an OIDC mode flag to it. The two metadata documents are distinct: RFC 8414 Authorization Server Metadata and OpenID Connect Discovery §3 Provider Metadata have different required-field sets (OIDC mandates subject_types_supported, id_token_signing_alg_values_supported, claims_supported, claim_types_supported, and a scopes_supported list that MUST contain "openid"), and they are served from different well-known URLs. Keeping a dedicated builder keeps each document's contract clear instead of overloading the OAuth builder with OIDC-only obligations. The shared OAuth fields (issuer, token_endpoint, jwks_uri, grant_types_supported, code_challenge_methods_supported, dpop_signing_alg_values_supported, and any host-supplied OAuth fields) are produced by Attesto.Discovery.metadata/2 and merged in, so there is one source of truth for them.

Attesto fills the fields it can derive or fix by protocol:

  • issuer, token_endpoint, and jwks_uri via Attesto.Discovery.
  • subject_types_supported is ["public"] - Attesto does not mint pairwise subject identifiers.
  • id_token_signing_alg_values_supported defaults to the algorithms of the configured verification keys (RSA defaults to RS256).
  • claim_types_supported is ["normal"] - Attesto returns claims directly, not aggregated or distributed (OpenID Connect Core §5.6).
  • response_types_supported defaults to ["code"] - the Authorization Code Flow.
  • code_challenge_methods_supported is ["S256"] (via Attesto.Discovery).
  • request_parameter_supported defaults to false - Attesto does not consume a request JWT parameter (OpenID Connect Core §6.1).

Everything host-specific - the authorization_endpoint, userinfo_endpoint, and the catalog of scopes_supported and claims_supported the host actually serves - is supplied through opts and merged in. nil opt values are dropped so the document only advertises what the host actually implements. The library guarantees only that, when scopes_supported is provided, it includes the reserved "openid" scope (OpenID Connect Core §3.1.2.1).

The result is a string-keyed map ready to serialise as the endpoint's JSON body.

Functions

metadata(config, opts \\ [])

@spec metadata(
  Attesto.Config.t(),
  keyword()
) :: %{required(String.t()) => term()}

Build the OpenID Provider Metadata document for config.

The shared OAuth fields are produced by Attesto.Discovery.metadata/2; see its docs for :jwks_uri, :grant_types_supported, the host endpoint URLs (:authorization_endpoint, :userinfo_endpoint, ...), and :token_endpoint_auth_methods_supported.

OIDC-specific options:

  • :response_types_supported - defaults to ["code"] (Authorization Code Flow).
  • :request_parameter_supported - defaults to false.
  • :scopes_supported - if given, the reserved "openid" scope is added when absent (OpenID Connect Core §3.1.2.1). Included only if given.
  • :claims_supported, :acr_values_supported, :display_values_supported, :claims_locales_supported, :ui_locales_supported, :claims_parameter_supported, :request_uri_parameter_supported, :require_request_uri_registration, :op_policy_uri, :op_tos_uri - included only if given.

subject_types_supported, id_token_signing_alg_values_supported, and claim_types_supported are fixed by protocol and always present.

Any other opt key is ignored.
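The assembly rules described in the module overview (fixed-by-protocol fields, host opts merged in with nil values dropped, "openid" guaranteed in scopes_supported) and the option list for metadata/2 above are modelled here in Python as an added example. It is not Attesto's code and does not call Attesto; the OAuth field shapes, the endpoint paths, and the sample issuer https://op.example are assumptions. The second function shows the checks a Relying Party should run on a fetched document, including the OpenID Connect Discovery §4.3 rule that issuer must equal the location the document came from.

```python
"""Model of OpenID Provider Metadata assembly and RP-side validation.
Constructed illustration; not Attesto's implementation."""
import json

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields OpenID Connect Discovery 1.0 section 3 marks REQUIRED.
OIDC_REQUIRED = (
    "issuer", "authorization_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Host-supplied keys the builder accepts (from the option list above);
# any other key is ignored.
HOST_OPTS = {
    "authorization_endpoint", "userinfo_endpoint", "response_types_supported",
    "request_parameter_supported", "scopes_supported", "claims_supported",
    "acr_values_supported", "display_values_supported",
    "claims_locales_supported", "ui_locales_supported",
    "claims_parameter_supported", "request_uri_parameter_supported",
    "require_request_uri_registration", "op_policy_uri", "op_tos_uri",
}


def oauth_metadata(issuer, key_algs):
    """Stand-in for the shared RFC 8414 fields the OAuth builder supplies.
    Assumed shape and paths; the real builder derives them from config."""
    return {
        "issuer": issuer,
        "token_endpoint": f"{issuer}/oauth/token",
        "jwks_uri": f"{issuer}/oauth/jwks",
        "grant_types_supported": ["authorization_code"],
        "code_challenge_methods_supported": ["S256"],
        "dpop_signing_alg_values_supported": list(key_algs),
    }


def provider_metadata(issuer, key_algs, **opts):
    """Build the OIDC Provider Metadata document (string-keyed dict)."""
    doc = oauth_metadata(issuer, key_algs)
    # Fixed by protocol or derived from the configured verification keys.
    doc["subject_types_supported"] = ["public"]
    doc["id_token_signing_alg_values_supported"] = list(key_algs)
    doc["claim_types_supported"] = ["normal"]
    # Defaults the host may override through opts.
    doc["response_types_supported"] = ["code"]
    doc["request_parameter_supported"] = False
    for key, value in opts.items():
        if key not in HOST_OPTS or value is None:
            continue  # unknown keys ignored; None is never advertised
        doc[key] = value
    # Only guarantee: if scopes_supported is present, it contains "openid".
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        doc["scopes_supported"] = ["openid", *scopes]
    return doc


def check_provider_metadata(doc, fetched_from):
    """Checks a Relying Party should make before trusting a fetched document.
    Returns a list of problems; an empty list means the document passed."""
    problems = [f"missing required field {f}" for f in OIDC_REQUIRED if f not in doc]
    # Discovery section 4.3: issuer MUST equal the URL the document was
    # retrieved from, minus the well-known suffix. Rejects substituted OPs.
    expected = fetched_from
    if fetched_from.endswith(WELL_KNOWN):
        expected = fetched_from[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected:
        problems.append("issuer does not match discovery location")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("unsigned ID tokens advertised")
    if "RS256" not in algs:
        problems.append("RS256 not advertised")  # section 3: MUST be included
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("scopes_supported lacks openid")
    return problems


if __name__ == "__main__":
    # Constructed sample: host supplies two endpoints, leaves userinfo unset,
    # forgets "openid", and passes an unknown key.
    doc = provider_metadata(
        "https://op.example", ["RS256"],
        authorization_endpoint="https://op.example/oauth/authorize",
        userinfo_endpoint=None,
        scopes_supported=["profile", "email"],
        bogus_option=True,
    )
    print(json.dumps(doc, indent=2))
    print(check_provider_metadata(doc, "https://op.example" + WELL_KNOWN))
```

Running it prints a document with scopes_supported starting with "openid", no userinfo_endpoint and no bogus_option key, and an empty problem list; feeding the same document to the checker with a different fetch URL reports the issuer mismatch.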