Signed OpenID Connect Request Object verification (JAR, RFC 9101 / OIDC §6.1).
This module verifies a compact JWT request object against trusted client JWKs supplied by the host. It deliberately rejects unsigned request objects: a host that wants request objects is opting into integrity protection, not a second unsigned parameter encoding.
Types
@type verify_error() ::
        :invalid_request_object
        | :request_not_supported
        | :invalid_signature
        | :invalid_issuer
        | :invalid_audience
        | :expired
        | :not_yet_valid
        | :unsupported_critical_header

@type verify_opts() :: [
        now: DateTime.t() | non_neg_integer(),
        issuer: String.t(),
        audience: String.t() | [String.t()]
      ]
Functions
@spec verify(String.t(), map() | [map()] | map(), verify_opts()) :: {:ok, map()} | {:error, verify_error()}
Verify and return a string-keyed parameter map from a signed request object.
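The kind of checks the error atoms above stand for, as an added example that is not this module's own code: a stand-alone verifier for one case (HS256 with an `oct` JWK) that refuses `alg: none` and reads claims only after the signature has been checked. The `JarSketch` name, the order of checks, the choice of error atom for each failure and all sample values are assumptions made for this example.

```elixir
# Added illustration, not the documented module. JarSketch, the check order and the
# error mapping are assumptions. Needs Elixir 1.18+ (built-in JSON) and OTP 25+.
defmodule JarSketch do
  # Handles one case only: HS256 with an "oct" JWK, integer :now, single :audience.
  def verify(jwt, %{"kty" => "oct", "k" => k}, opts) do
    with [h64, p64, s64] <- String.split(jwt, "."),
         {:ok, header} <- decode_part(h64),
         {:ok, claims} <- decode_part(p64),
         # Pin the algorithm: "none" or anything unexpected stops here.
         %{"alg" => "HS256"} <- header,
         {:ok, key} <- Base.url_decode64(k, padding: false),
         {:ok, sig} <- Base.url_decode64(s64, padding: false) do
      mac = :crypto.mac(:hmac, :sha256, key, h64 <> "." <> p64)
      # hash_equals/2 is constant-time but raises on unequal sizes, so guard first.
      sig_ok = byte_size(sig) == byte_size(mac) and :crypto.hash_equals(sig, mac)
      check_claims(sig_ok, header, claims, opts)
    else
      _ -> {:error, :invalid_request_object}
    end
  end
  # Claims are read only after the signature has been checked.
  defp check_claims(sig_ok, header, claims, opts) do
    cond do
      not sig_ok -> {:error, :invalid_signature}
      # This sketch understands no header extensions, so any "crit" is refused.
      Map.has_key?(header, "crit") -> {:error, :unsupported_critical_header}
      claims["iss"] != opts[:issuer] -> {:error, :invalid_issuer}
      opts[:audience] not in List.wrap(claims["aud"]) -> {:error, :invalid_audience}
      is_integer(claims["exp"]) and claims["exp"] <= opts[:now] -> {:error, :expired}
      is_integer(claims["nbf"]) and claims["nbf"] > opts[:now] -> {:error, :not_yet_valid}
      true -> {:ok, claims}
    end
  end
  defp decode_part(b64) do
    with {:ok, json} <- Base.url_decode64(b64, padding: false),
         {:ok, %{} = map} <- JSON.decode(json), do: {:ok, map}
  end
end

# Constructed sample input: key, client id and URLs are made up for this example.
b64 = &Base.url_encode64(&1, padding: false)
key = "constructed-demo-key-not-a-secret"
jwk = %{"kty" => "oct", "k" => b64.(key)}
claims = %{"iss" => "client-1", "aud" => "https://op.example", "exp" => 1_700_000_300}
input = b64.(JSON.encode!(%{"alg" => "HS256"})) <> "." <> b64.(JSON.encode!(claims))
signed = input <> "." <> b64.(:crypto.mac(:hmac, :sha256, key, input))
unsigned = b64.(JSON.encode!(%{"alg" => "none"})) <> "." <> b64.(JSON.encode!(claims)) <> "."
opts = [now: 1_700_000_000, issuer: "client-1", audience: "https://op.example"]
IO.inspect(JarSketch.verify(signed, jwk, opts), label: "signed")
IO.inspect(JarSketch.verify(unsigned, jwk, opts), label: "unsigned")
```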