AttestoClient.JARM (AttestoClient v0.6.0)

Copy Markdown View Source

Verify JWT Secured Authorization Response Mode (JARM) responses, the client-side mirror of Attesto.JARM.response_jwt/4.

When a client requests a JWT response mode, the authorization server returns the authorization response as a single signed JWT (the response parameter). This verifies that JWT - signature, issuer, audience, and expiry - and returns the response parameters (FAPI 2.0 Message Signing §5.4 / the JARM spec). It is a verifier, not a flow runner: the host extracts response from the redirect (or form post) and passes it here.

Checks (JARM §2.4)

  • Signature verifies against one of the authorization server's JWKS keys, restricted to an algorithm allow-list (:accepted_algs, default the FAPI algorithms PS256/ES256/EdDSA - none is never accepted). When the JWT header carries a kid, only the matching key is tried.
  • iss equals the expected authorization server identifier (:issuer).
  • aud equals, or (an all-string array) contains, the client's client_id (:client_id); a mixed-type aud array is malformed.
  • iat, when present, is a non-negative NumericDate not meaningfully in the future (a 60-second clock-skew tolerance).
  • exp is present and in the future.

On success it returns {:ok, claims}, the full claim set - the caller reads the response parameters (code/state on success, or error/ error_description/state on an error response).

Summary

Types

error()
jwks()
verify_opt()

Functions

verify(response_jwt, jwks, opts)

Verify a JARM response JWT against the authorization server's jwks, returning {:ok, claims} or {:error, reason}.

Types

error()

@type error() ::
  :invalid_jwks
  | :missing_issuer
  | :missing_client_id
  | :unsupported_alg
  | :invalid_signature
  | :invalid_issuer
  | :invalid_audience
  | :invalid_iat
  | :not_yet_valid
  | :missing_exp
  | :expired

jwks()

@type jwks() :: %{optional(String.t()) => term()} | [map()]

verify_opt()

@type verify_opt() ::
  {:issuer, String.t()}
  | {:client_id, String.t()}
  | {:accepted_algs, [String.t()]}
  | {:now, integer()}

Functions

verify(response_jwt, jwks, opts)

@spec verify(String.t(), jwks(), [verify_opt()]) :: {:ok, map()} | {:error, error()}

Verify a JARM response JWT against the authorization server's jwks, returning {:ok, claims} or {:error, reason}.

Required options: :issuer (the expected authorization server identifier) and :client_id (the expected audience). Optional: :accepted_algs (default the FAPI algorithms) and :now (Unix seconds, for tests).