Oidcc (Oidcc v3.0.0-alpha.4)
OpenID Connect High Level Interface
Setup
{:ok, _pid} =
Oidcc.ProviderConfiguration.Worker.start_link(%{
issuer: "https://accounts.google.com/",
name: MyApp.GoogleConfigProvider
})
or via a supervisor
Supervisor.init([
{Oidcc.ProviderConfiguration.Worker, %{issuer: "https://accounts.google.com/"}}
], strategy: :one_for_one)
Global Configuration
max_clock_skew (default `0`) - Maximum allowed clock skew, in seconds as configured by the caller, for JWT `exp`/`nbf` validation
Summary
Functions
Retrieve Client Credential Token
Create Auth Redirect URL
Introspect the given access token
Retrieve JSON Web Token (JWT) Profile Token
Refresh Token
Retrieve the token using the auth code received before and directly validate the result.
Load userinfo for the given token
Functions
client_credentials_token(provider_configuration_name, client_id, client_secret, opts)
@spec client_credentials_token( provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_token.client_credentials_opts() ) :: {:ok, Oidcc.Token.t()} | {:error, :oidcc_client_context.error() | :oidcc_token.error()}
Retrieve Client Credential Token
See https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://erlef-test-w4a8z2.zitadel.cloud"
...> })
...>
...> {:ok, %Oidcc.Token{}} =
...> Oidcc.client_credentials_token(
...> pid,
...> System.fetch_env!("CLIENT_CREDENTIALS_CLIENT_ID"),
...> System.fetch_env!("CLIENT_CREDENTIALS_CLIENT_SECRET"),
...> %{scope: ["scope"]}
...> )
create_redirect_url(provider_configuration_name, client_id, client_secret, opts)
@spec create_redirect_url( provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_authorization.opts() ) :: {:ok, :uri_string.uri_string()} | {:error, :oidcc_client_context.error() | :oidcc_client_context.error()}
Create Auth Redirect URL
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://accounts.google.com/"
...> })
...>
...> {:ok, _redirect_uri} =
...> Oidcc.create_redirect_url(
...> pid,
...> "client_id",
...> "client_secret",
...> %{redirect_uri: "https://my.server/return"}
...> )
introspect_token(token, provider_configuration_name, client_id, client_secret, opts \\ %{})
@spec introspect_token( access_token :: String.t() | Oidcc.Token.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_token_introspection.opts() ) :: {:ok, Oidcc.TokenIntrospection.t()} | {:error, :oidcc_client_context.error() | :oidcc_token_introspection.error()}
Introspect the given access token
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://login.yahoo.com"
...> })
...>
...> Oidcc.introspect_token(
...> "access_token",
...> pid,
...> "client_id",
...> "client_secret"
...> )
...> # => {:ok, %Oidcc.TokenIntrospection{}}
jwt_profile_token(subject, provider_configuration_name, client_id, client_secret, jwk, opts)
@spec jwt_profile_token( subject :: String.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), jwk :: JOSE.JWK.t(), opts :: :oidcc_token.jwt_profile_opts() ) :: {:ok, Oidcc.Token.t()} | {:error, :oidcc_client_context.error() | :oidcc_token.error()}
Retrieve JSON Web Token (JWT) Profile Token
See https://datatracker.ietf.org/doc/html/rfc7523#section-4
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://erlef-test-w4a8z2.zitadel.cloud"
...> })
...>
...> %{"key" => key, "keyId" => kid, "userId" => subject} = "JWT_PROFILE"
...> |> System.fetch_env!()
...> |> JOSE.decode()
...>
...> jwk = JOSE.JWK.from_pem(key)
...>
...> {:ok, %Oidcc.Token{}} =
...> Oidcc.jwt_profile_token(
...> subject,
...> pid,
...> "client_id",
...> "client_secret",
...> jwk,
...> %{scope: ["urn:zitadel:iam:org:project:id:zitadel:aud"], kid: kid}
...> )
refresh_token(token, provider_configuration_name, client_id, client_secret, opts \\ %{})
@spec refresh_token( refresh_token :: String.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_token.refresh_opts() ) :: {:ok, Oidcc.Token.t()} | {:error, :oidcc_token.error()}
@spec refresh_token( token :: Oidcc.Token.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_token.refresh_opts_no_sub() ) :: {:ok, Oidcc.Token.t()} | {:error, :oidcc_client_context.error() | :oidcc_token.error()}
Refresh Token
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://login.yahoo.com"
...> })
...>
...> # Get refresh_token from redirect
...> refresh_token = "refresh_token"
...>
...> Oidcc.refresh_token(
...> refresh_token,
...> pid,
...> "client_id",
...> "client_secret",
...> %{expected_subject: "sub_from_initial_id_token"}
...> )
...> # => {:ok, %Oidcc.Token{}}
retrieve_token(auth_code, provider_configuration_name, client_id, client_secret, opts)
@spec retrieve_token( auth_code :: String.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_token.retrieve_opts() ) :: {:ok, Oidcc.Token.t()} | {:error, :oidcc_client_context.error() | :oidcc_token.error()}
Retrieve the token using the auth code received before and directly validate the result.
The auth code was sent to the local endpoint by the OpenID Connect provider via redirects.
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://login.yahoo.com"
...> })
...>
...> # Get auth_code from redirect
...> auth_code = "auth_code"
...>
...> Oidcc.retrieve_token(
...> auth_code,
...> pid,
...> "client_id",
...> "client_secret",
...> %{redirect_uri: "https://my.server/return"}
...> )
...> # => {:ok, %Oidcc.Token{}}
retrieve_userinfo(token, provider_configuration_name, client_id, client_secret, opts \\ %{})
@spec retrieve_userinfo( token :: Oidcc.Token.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_userinfo.retrieve_opts_no_sub() ) :: {:ok, :oidcc_jwt_util.claims()} | {:error, :oidcc_userinfo.error()}
@spec retrieve_userinfo( access_token :: String.t(), provider_configuration_name :: GenServer.name(), client_id :: String.t(), client_secret :: String.t(), opts :: :oidcc_userinfo.retrieve_opts() ) :: {:ok, :oidcc_jwt_util.claims()} | {:error, :oidcc_client_context.error() | :oidcc_userinfo.error()}
Load userinfo for the given token
Examples
iex> {:ok, pid} =
...> Oidcc.ProviderConfiguration.Worker.start_link(%{
...> issuer: "https://login.yahoo.com"
...> })
...>
...> # Get access_token from Oidcc.Token.retrieve/3
...> access_token = "access_token"
...>
...> Oidcc.retrieve_userinfo(
...> access_token,
...> pid,
...> "client_id",
...> "client_secret",
...> %{expected_subject: "sub"}
...> )
...> # => {:ok, %{"sub" => "sub"}}