AttestoClient.UserInfo (AttestoClient v0.6.0)


Verify signed OpenID Connect UserInfo responses.

This verifier covers OIDC Core §5.3.2 signed UserInfo responses: it verifies the authorization server signature, requires iss and aud to identify the issuer and relying party, and returns the string-keyed claims. When the caller supplies :id_token_sub, the UserInfo sub must match the ID Token subject.


Types

error()

@type error() ::
  :missing_issuer
  | :missing_client_id
  | :invalid_jwks
  | :invalid_metadata
  | :issuer_mismatch
  | :unsupported_alg
  | :invalid_token
  | :invalid_signature
  | :unsupported_critical_header
  | :unexpected_typ
  | :invalid_issuer
  | :invalid_audience
  | :invalid_claims
  | :sub_mismatch
  | :expired
  | :invalid_iat
  | :not_yet_valid
  | AttestoClient.Discovery.error()

verify_opt()

@type verify_opt() ::
  {:issuer, String.t()}
  | {:client_id, String.t()}
  | {:id_token_sub, String.t()}
  | {:jwks, AttestoClient.Verifier.jwks()}
  | {:metadata, map()}
  | {:jwks_uri, String.t()}
  | {:accepted_algs, [Attesto.SigningAlg.alg()]}
  | {:now, integer() | DateTime.t()}
  | {:req_options, keyword()}
  | {:well_known, AttestoClient.Discovery.well_known()}

Functions

verify(jwt, opts)

@spec verify(String.t(), [verify_opt()]) :: {:ok, map()} | {:error, error()}

Verify a signed UserInfo JWT.

Required options: :issuer and :client_id. Pass :id_token_sub to bind the UserInfo response back to a previously verified ID Token.
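
The claim checks described in the module overview (iss, aud, and the optional sub binding to the ID Token), as an added illustration that is not AttestoClient's own code. The module name `UserInfoClaimCheck`, the sample claims, and the mapping of each failure to an error atom from the `error()` type are assumptions; the signature check is assumed to have already passed.

```elixir
defmodule UserInfoClaimCheck do
  # Hypothetical module for illustration; not part of AttestoClient.
  # Operates on string-keyed claims from a JWT whose signature is already verified.

  @spec check(map(), keyword()) :: {:ok, map()} | {:error, atom()}
  def check(claims, opts) when is_map(claims) do
    issuer = Keyword.fetch!(opts, :issuer)
    client_id = Keyword.fetch!(opts, :client_id)
    id_token_sub = Keyword.get(opts, :id_token_sub)

    with :ok <- check_iss(claims, issuer),
         :ok <- check_aud(claims, client_id),
         :ok <- check_sub(claims, id_token_sub) do
      {:ok, claims}
    end
  end

  # iss must be present and exactly equal to the expected issuer.
  defp check_iss(%{"iss" => iss}, issuer) when is_binary(iss) and iss == issuer, do: :ok
  defp check_iss(_claims, _issuer), do: {:error, :invalid_issuer}

  # aud may be a single string or a list of strings (RFC 7519 section 4.1.3);
  # either way it must name this relying party's client_id.
  defp check_aud(%{"aud" => aud}, client_id) when is_binary(aud) and aud == client_id, do: :ok
  defp check_aud(%{"aud" => aud}, client_id) when is_list(aud) do
    if client_id in aud, do: :ok, else: {:error, :invalid_audience}
  end
  defp check_aud(_claims, _client_id), do: {:error, :invalid_audience}

  # sub must be a string. When the caller supplies the ID Token subject,
  # a different sub means the response belongs to another end-user.
  defp check_sub(%{"sub" => sub}, nil) when is_binary(sub), do: :ok
  defp check_sub(%{"sub" => sub}, expected) when is_binary(sub) and sub == expected, do: :ok
  defp check_sub(%{"sub" => sub}, _expected) when is_binary(sub), do: {:error, :sub_mismatch}
  defp check_sub(_claims, _expected), do: {:error, :invalid_claims}
end

# Constructed sample claims and options (not real issuer or client values).
claims = %{"iss" => "https://as.example", "aud" => ["client-123"], "sub" => "alice"}
opts = [issuer: "https://as.example", client_id: "client-123"]

# Each match raises MatchError if the check returns something else.
{:ok, _} = UserInfoClaimCheck.check(claims, opts ++ [id_token_sub: "alice"])
{:error, :sub_mismatch} = UserInfoClaimCheck.check(claims, opts ++ [id_token_sub: "mallory"])
{:error, :invalid_audience} = UserInfoClaimCheck.check(%{claims | "aud" => "other"}, opts)
{:error, :invalid_issuer} = UserInfoClaimCheck.check(%{claims | "iss" => "https://evil.example"}, opts)
```

Without :id_token_sub, a response that is validly signed for a different end-user still passes the first clause of `check_sub/2`, which is why the binding matters whenever an ID Token is available.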