nova_auth_oidc_jwt (nova_auth_oidc v0.1.3)

View Source

JWT bearer token validation for API protection. Validates JWTs issued by a configured OIDC provider using the provider's JWKS (fetched and cached by oidcc_provider_configuration_worker).

Usage

%% In a Nova security callback
case nova_auth_oidc_jwt:validate_bearer(my_oidc_config, Req) of
    {ok, Actor} -> {true, Actor};
    {error, _} -> {false, 401, #{}, ~"unauthorized"}
end

Summary

Functions

Validate a JWT bearer token from the request's Authorization header. Uses the first configured provider for validation.

Validate a JWT bearer token using a specific provider.

Validate a raw JWT binary against the provider's JWKS.

Functions

validate_bearer(AuthMod, Req)

-spec validate_bearer(module(), cowboy_req:req()) -> {ok, nova_auth:actor()} | {error, term()}.

Validate a JWT bearer token from the request's Authorization header. Uses the first configured provider for validation.

validate_bearer(AuthMod, Provider, Req)

-spec validate_bearer(module(), atom(), cowboy_req:req()) -> {ok, nova_auth:actor()} | {error, term()}.

Validate a JWT bearer token using a specific provider.

validate_claims(AuthMod, Provider, Claims)

validate_token(AuthMod, Provider, Token)

-spec validate_token(module(), atom(), binary()) -> {ok, nova_auth:actor()} | {error, term()}.

Validate a raw JWT binary against the provider's JWKS.

Steps:

  1. Get provider configuration and JWKS from the worker
  2. Decode and verify the JWT signature
  3. Validate standard claims (exp, iss, aud)
  4. Apply claims mapping
  5. Return the actor map