AttestoClient.SignedIntrospection (AttestoClient v0.6.0)


Verify RFC 9701 signed token introspection responses.

This is the client-side mirror of Attesto.SignedIntrospection.response_jwt/4. A resource server that requests application/token-introspection+jwt receives a signed JWT wrapping the RFC 7662 response in token_introspection; this module verifies the authorization server signature and registered claims.

Summary

Functions

Verify a signed introspection response JWT.

Types

error()

@type error() ::
  :missing_issuer
  | :missing_audience
  | :invalid_jwks
  | :invalid_metadata
  | :issuer_mismatch
  | :unsupported_alg
  | :invalid_token
  | :invalid_signature
  | :unsupported_critical_header
  | :invalid_typ
  | :invalid_issuer
  | :invalid_audience
  | :invalid_claims
  | :invalid_iat
  | :not_yet_valid
  | :expired
  | AttestoClient.Discovery.error()

verify_opt()

@type verify_opt() ::
  {:issuer, String.t()}
  | {:audience, String.t()}
  | {:jwks, AttestoClient.Verifier.jwks()}
  | {:metadata, map()}
  | {:jwks_uri, String.t()}
  | {:accepted_algs, [Attesto.SigningAlg.alg()]}
  | {:now, integer() | DateTime.t()}
  | {:req_options, keyword()}
  | {:well_known, AttestoClient.Discovery.well_known()}

Functions

verify(jwt, opts)

@spec verify(String.t(), [verify_opt()]) :: {:ok, map()} | {:error, error()}

Verify a signed introspection response JWT.

Required options: :issuer and :audience (the introspecting client or resource server). JWKS may be supplied through :jwks, :metadata, :jwks_uri, or fetched through discovery from :issuer.
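A resource server should fail closed on every error path and still check `active` after verification succeeds, since a valid signature over an inactive token is a normal RFC 7662 answer. The following is an added example, not code from AttestoClient: the module name `MyRS.Introspection`, the issuer and audience URLs, the grouping of error atoms, and the shape of the returned map (string keys, introspection data under `"token_introspection"` or at the top level) are all assumptions.

```elixir
defmodule MyRS.Introspection do
  # Hypothetical resource-server helper; not part of AttestoClient.
  alias AttestoClient.SignedIntrospection

  # Constructed placeholder values for this example.
  @issuer "https://as.example.com"
  @audience "https://rs.example.com"

  # Atoms from the error() type above that mean the response itself cannot be
  # trusted (bad signature, wrong typ/iss/aud, stale or future-dated claims).
  @rejected ~w(invalid_token invalid_signature unsupported_alg
               unsupported_critical_header invalid_typ invalid_issuer
               invalid_audience invalid_claims invalid_iat not_yet_valid
               expired issuer_mismatch)a

  # Returns {:ok, introspection} only for a verified response with active == true.
  def authorize(response_jwt) when is_binary(response_jwt) do
    opts = [issuer: @issuer, audience: @audience]

    case SignedIntrospection.verify(response_jwt, opts) do
      {:ok, claims} ->
        check_active(claims)

      {:error, reason} when reason in @rejected ->
        # Log and alert on these: they can indicate a spoofed or replayed response.
        {:error, {:untrusted_response, reason}}

      {:error, reason} ->
        # Option, JWKS, metadata or discovery problems: still deny access.
        {:error, {:verification_unavailable, reason}}
    end
  end

  # Assumption: the verified map uses string keys and carries the RFC 7662
  # response either under "token_introspection" or at the top level.
  defp check_active(claims) do
    case Map.get(claims, "token_introspection", claims) do
      %{"active" => true} = introspection -> {:ok, introspection}
      _ -> {:error, :inactive_token}
    end
  end
end
```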