oidc v0.1.0 OIDC.Auth

Create and verify OpenID Connect challenges for a specific OP

Options

  • :acr_values: voluntary set of ACRs to be requested via the "acr_values" parameter
  • :claims: claims requested in the "claims" parameter
  • :client_config [Mandatory]: a module that implements the OIDC.Auth.ClientConfig behaviour
  • :client_id [Mandatory]: the client id of the application using this library and initiating the request
  • :display: the display OpenID Connect parameter (mostly unused)
  • :id_token_iat_max_time_gap: max time gap to accept an ID token, in seconds. Defaults to 0
  • :issuer [Mandatory]: the OpenID Provider (OP) issuer. Metadata and JWKs are automatically retrieved from it
  • :login_hint: the login hint OpenID Connect parameter
  • :max_age: the max age OpenID Connect parameter
  • :oauth2_metadata_updater_opts: options that will be passed to Oauth2MetadataUpdater
  • :prompt: the prompt OpenID Connect parameter
  • :redirect_uri [Mandatory]: the redirect URI the OP has to redirect the user agent back to
  • :response_mode: one of:

    • "query"
    • "fragment"
    • "form_post"
    • nil which means that the OP decides for the response mode
  • :response_type [Mandatory]: one of:

    • "code"
    • "id_token"
    • "id_token token"
    • "code token"
    • "code id_token"
    • "code id_token token"
  • :scope: a list of scopes ([String.t()]) to be requested. The "openid" scope is automatically requested
  • :server_metadata: server metadata that takes precedence over the metadata automatically retrieved from the OP configuration (requested from the issuer). Useful when the OP does not support OpenID Connect discovery, or to override one or more parameters
  • :token_endpoint_tesla_auth_middleware_opts: additional Keyword.t() options to be passed to the authentication Tesla middlewares on the token endpoint (see TeslaOAuth2ClientAuth)
  • :ui_locales: the ui locales OpenID Connect parameter
  • :use_nonce: one of:

    • :when_mandatory [Default]: a nonce is included when using the implicit and hybrid flows
    • :always: always include a nonce (i.e. also in the code flow in which it is optional)

Summary

Functions

Generates an OpenID Connect challenge or raises an exception if a parameter is missing

Generates an OpenID Connect request URI from a challenge and associated options

Verifies an OpenID Connect challenge against the OP's response

Types

op_response()

op_response() :: %{optional(String.t()) => any()}

opt()

opt() ::
  {:acr_values, [OIDC.acr()]}
  | {:claims, OIDC.claims()}
  | {:client_config, module()}
  | {:client_id, OIDC.client_id()}
  | {:display, String.t()}
  | {:id_token_iat_max_time_gap, non_neg_integer()}
  | {:issuer, OIDC.issuer()}
  | {:login_hint, String.t()}
  | {:max_age, non_neg_integer()}
  | {:oauth2_metadata_updater_opts, Keyword.t()}
  | {:prompt, String.t()}
  | {:redirect_uri, String.t()}
  | {:response_mode, OIDC.response_mode()}
  | {:response_type, OIDC.response_type()}
  | {:scope, [OIDC.scope()]}
  | {:server_metadata, OIDC.server_metadata()}
  | {:token_endpoint_tesla_auth_middleware_opts, Keyword.t()}
  | {:ui_locales, [OIDC.ui_locale()]}
  | {:use_nonce, :when_mandatory | :always}

Functions

gen_challenge(opts)

gen_challenge(opts()) :: OIDC.Auth.Challenge.t() | no_return()

Generates an OpenID Connect challenge or raises an exception if a parameter is missing

This challenge is to be passed back to verify_response/2 when the user agent is redirected back from the OpenID Provider

request_uri(challenge, opts)

request_uri(OIDC.Auth.Challenge.t(), opts()) :: URI.t()

Generates an OpenID Connect request URI from a challenge and associated options

verify_response(op_response, challenge)

verify_response(op_response(), OIDC.Auth.Challenge.t()) ::
  {:ok, OIDC.Auth.OPResponseSuccess.t()} | {:error, Exception.t()}

Verifies an OpenID Connect challenge against the OP's response
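As an added example (not from the oidc library's own documentation), the three functions above wired into a login flow: the challenge is generated and stored server-side, the user agent is sent to the OP, and the callback parameters are verified against that stored challenge. MyApp.OIDCClientConfig, the issuer, client id and redirect URI are placeholders, and the Plug.Conn session and Phoenix.Controller.redirect calls are assumptions about the host application.

```elixir
# Added example; not the oidc library's own code. MyApp.OIDCClientConfig, the
# issuer, client id and redirect URI are placeholders; the Plug/Phoenix session
# and redirect calls are assumptions about the host application.
defmodule MyApp.OIDCLogin do
  @opts [
    client_config: MyApp.OIDCClientConfig,   # implements OIDC.Auth.ClientConfig
    client_id: "my-client-id",                # placeholder
    issuer: "https://op.example.com",         # placeholder; metadata and JWKs fetched from it
    redirect_uri: "https://rp.example.com/oidc/callback",
    response_type: "code",
    scope: ["profile", "email"],              # "openid" is added by the library
    use_nonce: :always,                       # send a nonce even in the code flow
    id_token_iat_max_time_gap: 30             # accept up to 30 s of clock skew on "iat"
  ]

  # Step 1: create the challenge, keep it server-side, redirect to the OP.
  # The challenge is the only record of what was requested (state, nonce,
  # response type, ...), so verify_response/2 cannot check anything without it.
  def start_login(conn) do
    challenge = OIDC.Auth.gen_challenge(@opts)
    uri = OIDC.Auth.request_uri(challenge, @opts)

    conn
    |> Plug.Conn.put_session(:oidc_challenge, challenge)
    |> Phoenix.Controller.redirect(external: URI.to_string(uri))
  end

  # Step 2: at the redirect URI, verify the OP's parameters against the stored
  # challenge. The challenge is deleted first so that a second callback carrying
  # the same state/code cannot be verified again.
  def finish_login(conn, params) when is_map(params) do
    case Plug.Conn.get_session(conn, :oidc_challenge) do
      nil ->
        {:error, conn, "no pending OpenID Connect challenge for this session"}

      challenge ->
        conn = Plug.Conn.delete_session(conn, :oidc_challenge)

        case OIDC.Auth.verify_response(params, challenge) do
          {:ok, %OIDC.Auth.OPResponseSuccess{} = resp} ->
            {:ok, Plug.Conn.put_session(conn, :oidc_result, resp)}

          {:error, exception} ->
            {:error, conn, Exception.message(exception)}
        end
    end
  end
end
```

With response_type "code" the OP returns its parameters in the query string, so the controller's string-keyed params map is the op_response() the library expects; a "fragment" response never reaches the server and would need to be relayed by client-side code.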