oidc-provider.core
Core OIDC provider setup and configuration.
authorize
(authorize provider request user-id)
Handles authorization approval after user authentication.
Takes a Provider instance, a parsed authorization request, and the user ID of the user who approved the request. Generates an authorization code, stores it, and builds the redirect URL to send the user back to the client. Returns the redirect URL string.
create-provider
(create-provider {:keys [issuer signing-key access-token-ttl-seconds id-token-ttl-seconds authorization-code-ttl-seconds client-store code-store token-store credential-validator claims-provider], :as config})
Creates an OIDC provider instance.
Takes a configuration map containing required keys :issuer (provider issuer URL), :authorization-endpoint, :token-endpoint, and :jwks-uri. Optional keys include :signing-key (RSAKey for signing tokens, generated if not provided), :access-token-ttl-seconds (defaults to 3600), :id-token-ttl-seconds (defaults to 3600), :authorization-code-ttl-seconds (defaults to 600), :client-store, :code-store, :token-store (all three store implementations created in-memory if not provided), :credential-validator (required for authentication), and :claims-provider (required for ID token claims).
Validates the configuration and returns a Provider instance with all stores and settings initialized.
deny-authorization
(deny-authorization _provider request error-code error-description)
Handles authorization denial.
Takes a Provider instance, a parsed authorization request, an OAuth2 error code, and an error description. Builds an error response and constructs the redirect URL to send the user back to the client with the error information. Returns the redirect URL string.
discovery-metadata
(discovery-metadata provider)
Returns OpenID Connect Discovery metadata for the provider.
Takes a Provider instance and extracts the relevant configuration keys to build the OpenID Connect Discovery metadata document. Returns the discovery metadata map containing issuer, endpoints, supported features, and other OIDC configuration.
get-client
(get-client provider client-id)
Retrieves a client configuration.
Takes a Provider instance and a client identifier. Looks up the client configuration in the client store. Returns the client configuration map if found, or nil if the client doesn’t exist.
jwks
(jwks provider)
Returns the JWKS for the provider.
Takes a Provider instance and generates the JSON Web Key Set containing the provider’s public signing keys. Returns the JWKS map suitable for serving at the JWKS endpoint.
parse-authorization-request
(parse-authorization-request provider query-string)
Parses and validates an authorization request.
Takes a Provider instance and the query string from the authorization endpoint request. Validates the request parameters against the registered client configuration. Returns the validated authorization request map. Throws ex-info on validation errors.
ProviderSetup
Malli schema for provider setup configuration.
register-client
(register-client provider client-config)
Registers a new OAuth2/OIDC client.
Takes a Provider instance and a client configuration map. Stores the client configuration in the client store and returns the registered client configuration including the generated client-id.
token-request
(token-request provider params authorization-header)
Handles a token endpoint request.
Takes a Provider instance, token request parameters from the form body, and an optional Authorization header value for client authentication. Validates the request, exchanges the authorization code for tokens, and generates access tokens and ID tokens. Returns the token response map containing tokens and metadata. Throws ex-info on validation or processing errors.
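The functions above wired into one authorization-code flow, as an added Clojure example that is not part of the oidc-provider project. The client-config keys, the shapes of :credential-validator and :claims-provider, the token-request parameter keys and the example URLs are assumptions not documented on this page.

```clojure
(ns example.code-flow
  (:require [oidc-provider.core :as oidc]
            [clojure.string :as str])
  (:import (java.net URI URLDecoder) (java.util Base64)))

;; Added example, not library code. Client-config keys, the validator and
;; claims-provider shapes and the token-request param keys are assumptions.
(def provider
  (oidc/create-provider
   {:issuer                 "https://op.example.test"
    :authorization-endpoint "https://op.example.test/authorize"
    :token-endpoint         "https://op.example.test/token"
    :jwks-uri               "https://op.example.test/jwks"
    ;; :signing-key omitted, so an RSAKey is generated per process; load a
    ;; persisted key in production or each restart invalidates issued tokens.
    :authorization-code-ttl-seconds 120          ; tighter than the 600 s default
    :credential-validator (fn [username password] ; assumed: user id or nil
                            (when (and (= username "alice") (= password "pw"))
                              "user-42"))
    :claims-provider (fn [user-id] {:sub user-id :name "Alice"})})) ; assumed

(def client ; assumed client-config keys
  (oidc/register-client provider {:client-secret "demo-secret"
                                  :redirect-uris ["https://rp.example.test/cb"]}))

(defn basic-auth [client-id secret]
  (str "Basic " (.encodeToString (Base64/getEncoder)
                                 (.getBytes (str client-id ":" secret) "UTF-8"))))

(defn query-param [url k]
  (some (fn [kv] (let [[n v] (str/split kv #"=" 2)]
                   (when (= n k) (URLDecoder/decode v "UTF-8"))))
        (str/split (or (.getRawQuery (URI. url)) "") #"&")))

(defn run-flow []
  (let [client-id (:client-id client)
        query (str "response_type=code&client_id=" client-id
                   "&redirect_uri=https://rp.example.test/cb"
                   "&scope=openid&state=st-1&nonce=n-1")
        ;; throws ex-info when client, redirect_uri or parameters fail validation
        request  (oidc/parse-authorization-request provider query)
        ;; the login step (backed by :credential-validator) yields user-id; a
        ;; declined consent screen would instead call deny-authorization
        redirect (oidc/authorize provider request "user-42")
        code     (query-param redirect "code")]
    ;; the relying party must also verify that "state" round-tripped unchanged
    (oidc/token-request provider
                        {"grant_type" "authorization_code" "code" code ; assumed keys
                         "redirect_uri" "https://rp.example.test/cb"}
                        (basic-auth client-id "demo-secret"))))
```

Both parse-authorization-request and token-request throw ex-info on validation failure, so an HTTP handler wrapping run-flow should catch it and map ex-data to an OAuth2 error response rather than leaking the exception.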