oauth2_token_manager v0.1.0
OAuth2TokenManager
Manages OAuth2 tokens and OpenID Connect claims and ID tokens
Options

- :auto_introspect: if set to true, access and refresh tokens are automatically introspected when they are registered, so as to gather additional useful information about them. Note that the authorization server may not be configured to allow a client to introspect its own tokens. Defaults to true
- :min_introspect_interval: the minimum time interval in seconds between two introspections of the same token on the authorization server. Defaults to 30
- :min_userinfo_refresh_interval: the minimum time interval in seconds between two requests to the userinfo endpoint of the authorization server when requesting claims. Defaults to 30
- :oauth2_metadata_updater_opts: options passed to Oauth2MetadataUpdater
- :revoke_on_delete: when set to true, calls to OAuth2TokenManager.AccessToken.delete/4 and OAuth2TokenManager.RefreshToken.delete/4 automatically trigger token revocation on the authorization server. Defaults to true
- :server_metadata: additional server metadata that takes precedence over the metadata returned by the authorization server
- :tesla_middlewares: Tesla middlewares added to requests
- :tesla_auth_middleware_opts: options added to the Tesla authentication middleware selected for client authentication. See also TeslaOAuth2ClientAuth
Client configuration

Client configuration is passed as a parameter to some functions. It must contain at least:

- "client_id": the client id of the client
- "client_secret": the client secret, for use with the client secret basic authentication scheme

The client authentication scheme is determined by the "token_endpoint_auth_method" field and defaults to "client_secret_basic" if not set. It is used on the following endpoints:

- "token_endpoint"
- "introspection_endpoint"
- "revocation_endpoint"

When not using the defaults, the client might also have the following configuration fields set:

- "token_endpoint_auth_method"
- "userinfo_signed_response_alg"
- "userinfo_encrypted_response_alg"
- "userinfo_encrypted_response_enc"
- "jwks"
- "jwks_uri"
Environment options

- OAuth2TokenManager.Store: the token store implementation. Defaults to OAuth2TokenManager.Store.Local
- :tesla_middlewares: allows adding Tesla middlewares to all requests. Example: config :oauth2_token_manager, :tesla_middlewares, [Tesla.Middleware.Logger]
Examples
```elixir
iex> cc
%{"client_id" => "client1", "client_secret" => "clientpassword1"}
iex> OAuth2TokenManager.AccessToken.get("https://repentant-brief-fishingcat.gigalixirapp.com", "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU", cc, nil)
{:ok, {"0mUB13mvdDkrsUECnMhK-EGKvL0", "bearer"}}
iex> OAuth2TokenManager.AccessToken.introspect("0mUB13mvdDkrsUECnMhK-EGKvL0", "https://repentant-brief-fishingcat.gigalixirapp.com", cc)
{:ok,
 %{
   "active" => true,
   "client_id" => "client1",
   "exp" => 1590345951,
   "iat" => 1590345771,
   "iss" => "https://repentant-brief-fishingcat.gigalixirapp.com",
   "scope" => ["interbank_transfer", "openid", "read_account_information",
    "read_balance"],
   "sub" => "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU"
 }}
iex> OAuth2TokenManager.AccessToken.get("https://repentant-brief-fishingcat.gigalixirapp.com", "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU", cc, ["read_balance", "read_account_information"])
{:ok, {"4kWo-XDBXzCgwgndK7UTbQE_O6Y", "bearer"}}
iex> OAuth2TokenManager.AccessToken.introspect("4kWo-XDBXzCgwgndK7UTbQE_O6Y", "https://repentant-brief-fishingcat.gigalixirapp.com", cc)
{:ok,
 %{
   "active" => true,
   "client_id" => "client1",
   "exp" => 1590346428,
   "iat" => 1590345828,
   "iss" => "https://repentant-brief-fishingcat.gigalixirapp.com",
   "scope" => ["read_account_information", "read_balance"],
   "sub" => "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU"
 }}
iex> OAuth2TokenManager.Claims.get_claims("https://repentant-brief-fishingcat.gigalixirapp.com", "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU", cc)
{:ok, %{"sub" => "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU"}}
iex> OAuth2TokenManager.Claims.get_id_token("https://repentant-brief-fishingcat.gigalixirapp.com", "cThpjg2-HzfS_7fvNkCYeEUBkCUpmKFSjzb6iebl5TU")
{:ok,
 "eyJhbGciOiJSUzI1NiJ9.eyJhY3IiOiIxLWZhY3RvciIsImFtciI6WyJwd2QiXSwiYXVkIjoiY2xpZW50MSIsImF1dGhfdGltZSI6MTU5MDM0NTM2NSwiZXhwIjoxNTkwMzQ1ODMxLCJpYXQiOjE1OTAzNDU3NzEsImlzcyI6Imh0dHBzOi8vcmVwZW50YW50LWJyaWVmLWZpc2hpbmdjYXQuZ2lnYWxpeGlyYXBwLmNvbSIsInN1YiI6ImNUaHBqZzItSHpmU183ZnZOa0NZZUVVQmtDVXBtS0ZTanpiNmllYmw1VFUifQ.mT3fXJUEeB3nqQDkl7B4RmNo9aQG1xldVw2xBO9gF1e1tew3H3XH_lyzzAcubK47sQDQzSOC6CIMqsFsi2Dr12_62y_QYjo8T3_Pi3TS9RLJUKJQb4_AU1cIbuCCG7iCxBWLHuPGspc_gJrDg_kYskVhnz-0j9cyRBCL1wycuVDAOkRxMAwvnFDUtY57aQWXUknUwIQn4cOpV1CbpT2cLZFo-7EAiukq8GeHmIeYZASctFQZVQ8krwbg3MwknAZ-xfmZ7kT8gobxCexVO8XUZrB_1ht74mynYN1S9ZJT-_ut7dDU621bI-5btUysBTlBhtrvt4mBiOdbDNV8V6Guqw"}
iex> OAuth2TokenManager.AccessToken.delete("4kWo-XDBXzCgwgndK7UTbQE_O6Y", "https://repentant-brief-fishingcat.gigalixirapp.com", cc)
:ok
```
Summary

Types
- User claims, usually those returned by the userinfo endpoint
- Client configuration as per RFC 7591
- ID token in its JWE or JWS form
- OAuth2 AS / OpenID Connect OP server metadata as per RFC 8414
- Token metadata
- The token type, for instance "Bearer"

Functions
- Determines if a token is valid from a token's metadata
Types

access_token() :: String.t()

access_token_type() :: String.t()

User claims, usually those returned by the userinfo endpoint

Client configuration as per RFC 7591. Used fields include:
- "client_id" (mandatory)
- "jwks" and "jwks_uri", for ID token decryption
- "token_endpoint_auth_method", to determine which authentication method to use to access the token endpoint

client_id() :: String.t()

endpoint() :: :token | :revocation | :introspection | :userinfo

id_token() :: String.t()
ID token in its JWE or JWS form

issuer() :: String.t()

opt() :: {:auto_introspect, boolean()} | {:min_introspect_interval, non_neg_integer()} | {:min_userinfo_refresh_interval, non_neg_integer()} | {:oauth2_metadata_updater_opts, Keyword.t()} | {:revoke_on_delete, boolean()} | {:server_metadata, server_metadata()} | {:tesla_middlewares, Tesla.Client.middleware()} | {:tesla_auth_middleware_opts, Keyword.t()}

opts() :: [opt()]

refresh_token() :: String.t()

scope() :: String.t()

OAuth2 AS / OpenID Connect OP server metadata as per RFC 8414. When set, its values take precedence over the discovery document published on the AS / OP.

subject() :: String.t()

Token metadata. Known fields from RFC 7662 are: "active", "scope", "client_id", "username", "token_type", "exp", "iat", "nbf", "sub", "aud", "iss" and "jti"

token_type() :: String.t()
The token type, for instance "Bearer"
Functions

token_valid?(token_metadata() | {access_token(), token_type(), token_metadata(), non_neg_integer()} | {refresh_token(), token_metadata(), non_neg_integer()}) :: boolean()
Determines if a token is valid from a token's metadata
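As an added illustration of the kind of decision token_valid?/1 makes from the RFC 7662 fields listed above, here is a hypothetical TokenMetadataCheck module that is not part of OAuth2TokenManager; it assumes a metadata map shaped like the introspect/3 results in the examples and adds its own small clock-skew tolerance and a scope check.

```elixir
defmodule TokenMetadataCheck do
  # Hypothetical helper, not part of OAuth2TokenManager: decides whether
  # RFC 7662 introspection metadata allows a token to be used right now.

  # Clock skew tolerance in seconds (an assumption made for this example)
  @skew 5

  # True only when the metadata is marked active, has not expired and is
  # already usable ("nbf"). "exp" and "nbf" are optional in RFC 7662, so a
  # missing field is accepted; a malformed one is rejected.
  def usable?(metadata, now \\ System.system_time(:second)) when is_map(metadata) do
    metadata["active"] == true and
      not_expired?(metadata["exp"], now) and
      not_before_ok?(metadata["nbf"], now)
  end

  defp not_expired?(nil, _now), do: true
  defp not_expired?(exp, now) when is_integer(exp), do: exp > now - @skew
  defp not_expired?(_exp, _now), do: false

  defp not_before_ok?(nil, _now), do: true
  defp not_before_ok?(nbf, now) when is_integer(nbf), do: nbf <= now + @skew
  defp not_before_ok?(_nbf, _now), do: false

  # True when every scope in `required` was granted. The introspection
  # results shown in this page's examples carry "scope" as a list, while
  # RFC 7662 defines it as a space-delimited string, so both are accepted.
  def scopes_granted?(metadata, required) when is_map(metadata) do
    granted = metadata["scope"] |> normalize_scope() |> MapSet.new()
    MapSet.subset?(MapSet.new(required), granted)
  end

  defp normalize_scope(nil), do: []
  defp normalize_scope(list) when is_list(list), do: list
  defp normalize_scope(str) when is_binary(str), do: String.split(str, " ", trim: true)
end

# Constructed sample, modelled on the second introspection response above.
metadata = %{
  "active" => true,
  "client_id" => "client1",
  "exp" => 1590346428,
  "scope" => ["read_account_information", "read_balance"]
}

IO.inspect(TokenMetadataCheck.usable?(metadata, 1_590_346_000), label: "usable before exp")
IO.inspect(TokenMetadataCheck.usable?(metadata, 1_590_346_500), label: "usable after exp")
IO.inspect(TokenMetadataCheck.scopes_granted?(metadata, ["read_balance"]), label: "has read_balance")
IO.inspect(TokenMetadataCheck.scopes_granted?(metadata, ["interbank_transfer"]), label: "has interbank_transfer")
```

With :auto_introspect left at its default, the store already holds metadata of this shape for each registered token, so a check like this can run locally without a new round trip to the authorization server until :min_introspect_interval has elapsed.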