Verifies and decodes the id_token returned from Moneyhub's token
endpoint.
The id_token is a JWS signed by Moneyhub's own key (published at
{identity_url}/oidc/certs, see MoneyHub.Auth.JWKS). Its payload
carries the resolved values of every claim requested via
MoneyHub.Claims - most importantly the connected user's sub (when
registering a new user) and, for payment/recurring-payment/standing-order
flows, the resulting resource id under the matching mh:* claim.
Types
Functions
Extracts a single mh:* (or any top-level) claim value from decoded
id_token claims, returning :error if absent.
Useful after verify/2 to pull out, for example, the new user's sub
or a created payment's id from claims["mh:payment"].
@spec verify(String.t(), MoneyHub.Config.t()) :: {:ok, claims()} | {:error, MoneyHub.Error.t()}
Verifies the signature on a compact JWS id_token against Moneyhub's
published JWKS and returns its decoded claims.
Also performs basic structural validation: aud must include
config.client_id, and exp must not be in the past.
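The structural checks described above, as an added example that is not the MoneyHub library's own code. The module name, the error atoms and the strict "exp must be later than now" comparison are assumptions; the claims map is taken to have already passed JWS signature verification.

```elixir
defmodule IdTokenChecksExample do
  # Hypothetical helper, not part of the MoneyHub library.
  # Call only on claims whose JWS signature has already been verified;
  # checking aud/exp on an unverified payload proves nothing.

  @spec validate(map(), String.t(), integer()) :: {:ok, map()} | {:error, atom()}
  def validate(claims, client_id, now \\ System.system_time(:second)) do
    with :ok <- check_aud(claims["aud"], client_id),
         :ok <- check_exp(claims["exp"], now) do
      {:ok, claims}
    end
  end

  # OIDC allows aud to be a single string or a list of strings.
  defp check_aud(aud, client_id) when is_binary(aud) and aud == client_id, do: :ok

  defp check_aud(aud, client_id) when is_list(aud) do
    if client_id in aud, do: :ok, else: {:error, :aud_mismatch}
  end

  # Missing aud, wrong type, or a different single audience.
  defp check_aud(_aud, _client_id), do: {:error, :aud_mismatch}

  # A missing or non-integer exp is rejected rather than read as "never expires".
  defp check_exp(exp, now) when is_integer(exp) and exp > now, do: :ok
  defp check_exp(exp, _now) when is_integer(exp), do: {:error, :expired}
  defp check_exp(_exp, _now), do: {:error, :missing_exp}
end

# Constructed sample claims (not real Moneyhub output); fixed clock for repeatability.
now = 1_700_000_000
client_id = "example-client-id"
claims = %{"aud" => [client_id, "another-audience"], "exp" => now + 300, "sub" => "user-123"}

# Each match raises MatchError if the result differs from what is expected.
{:ok, _} = IdTokenChecksExample.validate(claims, client_id, now)
{:ok, _} = IdTokenChecksExample.validate(%{claims | "aud" => client_id}, client_id, now)
{:error, :aud_mismatch} = IdTokenChecksExample.validate(claims, "some-other-client", now)
{:error, :aud_mismatch} = IdTokenChecksExample.validate(Map.delete(claims, "aud"), client_id, now)
{:error, :expired} = IdTokenChecksExample.validate(%{claims | "exp" => now - 1}, client_id, now)
{:error, :missing_exp} = IdTokenChecksExample.validate(Map.delete(claims, "exp"), client_id, now)
```

The rejection cases are the ones worth covering in tests around verify/2: a token issued to a different client, a token with no aud at all, and a token whose exp is absent or already passed.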