oidc-provider.protocol
Core protocols for OIDC provider extensibility.
For authentication protocols (authn.protocol/CredentialValidator and authn.protocol/ClaimsProvider), see the authn package.
AuthorizationCodeStore
protocol
Protocol for storing and retrieving authorization codes.
members
delete-authorization-code
(delete-authorization-code this code)
Deletes an authorization code.
Takes an authorization code string and removes it from storage. Authorization codes are single-use, so they should be deleted after being exchanged for tokens. Returns true if deleted successfully.
get-authorization-code
(get-authorization-code this code)
Retrieves authorization code metadata.
Takes an authorization code string and looks up its associated metadata. Returns a map with keys [:user-id :client-id :redirect-uri :scope :nonce :expiry] if found, or nil if the code doesn’t exist or has been deleted. The protocol does not require a store to hide expired codes, so the caller must compare :expiry with the current time, and must check that :client-id and :redirect-uri match the token request, before accepting the code.
save-authorization-code
(save-authorization-code this code user-id client-id redirect-uri scope nonce expiry)
Saves an authorization code with associated metadata.
Takes an authorization code string, user identifier, OAuth2 client identifier, the redirect URI from the authorization request, a vector of scope strings, an optional nonce (the OIDC nonce from the authorization request, which is echoed in the ID token so the client can detect replay), and an expiration timestamp (milliseconds since epoch). Stores the code and metadata. Returns true if saved successfully.
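An in-memory implementation of this protocol, added here as an illustration and not part of the oidc-provider library. To run stand-alone it carries its own copy of the protocol signatures under the same name; a real implementation would require oidc-provider.protocol instead. The expiry filtering in get-authorization-code, the true/false meaning of delete-authorization-code, and the exchange-code helper are choices made in this example, not behaviour the page specifies. The code generator and the sample flow in the comment block are constructed.

```clojure
(ns example.in-memory-code-store
  (:import [java.security SecureRandom]
           [java.util Base64]))

;; Stand-in copy of the AuthorizationCodeStore signatures documented above, so
;; this file runs without the library. In a real project require
;; oidc-provider.protocol and implement that protocol instead.
(defprotocol AuthorizationCodeStore
  (save-authorization-code [this code user-id client-id redirect-uri scope nonce expiry])
  (get-authorization-code [this code])
  (delete-authorization-code [this code]))

(defn new-code
  "Returns a URL-safe code with 256 bits of entropy from SecureRandom.
   Codes are bearer secrets until exchanged, so they must be unguessable."
  []
  (let [buf (byte-array 32)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

;; `codes` is an atom holding {code-string metadata-map}.
(defrecord InMemoryCodeStore [codes]
  AuthorizationCodeStore
  (save-authorization-code [_ code user-id client-id redirect-uri scope nonce expiry]
    (swap! codes assoc code {:user-id user-id :client-id client-id
                             :redirect-uri redirect-uri :scope scope
                             :nonce nonce :expiry expiry})
    true)
  (get-authorization-code [_ code]
    ;; Choice made in this example: an expired code is reported as absent.
    (when-let [m (get @codes code)]
      (when (< (System/currentTimeMillis) (:expiry m)) m)))
  (delete-authorization-code [_ code]
    ;; swap-vals! returns [old new]; report true only if the code was present.
    (let [[before _] (swap-vals! codes dissoc code)]
      (contains? before code))))

(defn exchange-code
  "Token-endpoint check of a code presented by `client-id` with `redirect-uri`.
   The code is removed from the store *before* it is validated, in one atomic
   swap, so two concurrent token requests carrying the same code cannot both
   succeed, and a code that fails validation is burned rather than left usable.
   Returns the code's metadata on success or a keyword naming the rejection."
  [store code client-id redirect-uri]
  (let [[before _] (swap-vals! (:codes store) dissoc code)
        m (get before code)]
    (cond
      (nil? m) :invalid-grant
      (>= (System/currentTimeMillis) (:expiry m)) :expired
      (not= client-id (:client-id m)) :client-mismatch
      (not= redirect-uri (:redirect-uri m)) :redirect-uri-mismatch
      :else m)))

(comment
  ;; Constructed sample flow: the first exchange succeeds, the replay does not.
  (let [store (->InMemoryCodeStore (atom {}))
        code  (new-code)
        exp   (+ (System/currentTimeMillis) 60000)]
    (save-authorization-code store code "alice" "app-1" "https://app.example/cb"
                             ["openid" "profile"] "n-42" exp)
    [(exchange-code store code "app-1" "https://app.example/cb")    ; metadata map
     (exchange-code store code "app-1" "https://app.example/cb")])) ; :invalid-grant
```

The point to carry over to a database-backed store is the order in exchange-code: consume first, validate second, in one atomic operation (a conditional DELETE that reports whether a row was removed does the same job). A get-then-delete sequence leaves a window in which two requests can both read the code before either deletes it.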
Claims
Re-exported from authn.protocol/Claims.
ClientConfig
Malli schema for OAuth2/OIDC client configuration.
ClientStore
protocol
Protocol for managing OAuth2/OIDC client registrations.
members
get-client
(get-client this client-id)
Retrieves client configuration by client-id.
Takes an OAuth2 client identifier and looks up the client configuration. Returns the client configuration map matching the ClientConfig schema if found, or nil if the client doesn’t exist.
register-client
(register-client this client-config)
Registers a new client.
Takes a client configuration map matching the ClientConfig schema. Stores the client and generates a client-id if one isn’t provided. Returns the registered client configuration including the client-id.
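An in-memory ClientStore, added as an example that is not part of the library. It carries its own copy of the protocol signatures so it runs stand-alone; the :client-id key, the UUID-based identifier generation and the refusal to overwrite an existing registration are assumptions made here. Validation against the ClientConfig schema is left out because the page does not reproduce that schema.

```clojure
(ns example.in-memory-client-store
  (:import [java.util UUID]))

;; Stand-in copy of the ClientStore signatures documented above, so this file
;; runs without the library; a real project requires oidc-provider.protocol.
(defprotocol ClientStore
  (get-client [this client-id])
  (register-client [this client-config]))

;; `clients` is an atom holding {client-id client-config}. The :client-id key
;; is assumed here; the page does not reproduce the ClientConfig schema.
(defrecord InMemoryClientStore [clients]
  ClientStore
  (get-client [_ client-id]
    (get @clients client-id))
  (register-client [_ client-config]
    ;; A client-id is a public identifier, not a secret, so a random UUID is
    ;; enough; any client secret belongs in the config and is handled elsewhere.
    (let [cfg (cond-> client-config
                (nil? (:client-id client-config))
                (assoc :client-id (str (UUID/randomUUID))))
          id  (:client-id cfg)
          ;; Insert only if absent, inside the swap, so a registration cannot
          ;; silently replace another client's configuration.
          [before after] (swap-vals! clients
                                     (fn [m] (if (contains? m id) m (assoc m id cfg))))]
      (if (identical? before after)
        (throw (ex-info "client-id already registered" {:client-id id}))
        cfg))))

(comment
  ;; Constructed sample: a generated id is returned, and a duplicate is rejected.
  (let [store (->InMemoryClientStore (atom {}))
        reg   (register-client store {:client-name "demo"})]
    [(get-client store (:client-id reg))                       ; the stored config
     (try (register-client store {:client-id (:client-id reg)})
          (catch clojure.lang.ExceptionInfo e (ex-message e)))])) ; "client-id already registered"
```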
CredentialHash
Re-exported from authn.protocol/CredentialHash.
get-claims
Re-exported from authn.protocol/get-claims.
TokenStore
protocol
Protocol for managing access and refresh tokens.
members
get-access-token
(get-access-token this token)
Retrieves access token metadata.
Takes an access token string and looks up its associated metadata. Returns a map with keys [:user-id :client-id :scope :expiry] if found, or nil if the token doesn’t exist or has been revoked. Since only revocation is mentioned, a store is not required to hide expired tokens; the caller should compare :expiry with the current time before honouring the token.
get-refresh-token
(get-refresh-token this token)
Retrieves refresh token metadata.
Takes a refresh token string and looks up its associated metadata. Returns a map with keys [:user-id :client-id :scope] if found, or nil if the token doesn’t exist or has been revoked.
revoke-token
(revoke-token this token)
Revokes a token.
Takes a token string (either access or refresh token) and revokes it, preventing it from being used in future requests. Returns true if revoked successfully.
save-access-token
(save-access-token this token user-id client-id scope expiry)
Saves an access token.
Takes an access token string, user identifier, OAuth2 client identifier, a vector of scope strings, and an expiration timestamp (milliseconds since epoch). Stores the token and its metadata. Returns true if saved successfully.
save-refresh-token
(save-refresh-token this token user-id client-id scope)
Saves a refresh token.
Takes a refresh token string, user identifier, OAuth2 client identifier, and a vector of scope strings. Stores the token and its metadata. Refresh tokens don’t expire automatically: a refresh token stays valid until revoke-token is called, so the caller is responsible for revoking it on logout, on rotation, or after whatever lifetime it chooses to enforce.
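An in-memory TokenStore together with a refresh_token grant handler, added as an example that is not part of the library. It carries its own copy of the protocol signatures so it runs stand-alone. Keeping both token kinds in one map tagged with :kind is what lets revoke-token accept either kind, as the protocol requires, without being told which it was given. Hiding expired access tokens, rotating the refresh token on every use, and burning a refresh token presented by the wrong client are choices made in this example that go beyond what the page specifies; the token generator and the sample flow are constructed.

```clojure
(ns example.in-memory-token-store
  (:import [java.security SecureRandom]
           [java.util Base64]))

;; Stand-in copy of the TokenStore signatures documented above, so this file
;; runs without the library; a real project requires oidc-provider.protocol.
(defprotocol TokenStore
  (save-access-token [this token user-id client-id scope expiry])
  (get-access-token [this token])
  (save-refresh-token [this token user-id client-id scope])
  (get-refresh-token [this token])
  (revoke-token [this token]))

(defn- random-token []
  (let [buf (byte-array 32)]
    (.nextBytes (SecureRandom.) buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

;; One map for both token kinds, keyed by token string and tagged with :kind.
(defrecord InMemoryTokenStore [tokens]
  TokenStore
  (save-access-token [_ token user-id client-id scope expiry]
    (swap! tokens assoc token {:kind :access :user-id user-id :client-id client-id
                               :scope scope :expiry expiry})
    true)
  (get-access-token [_ token]
    ;; Choice made in this example: expired access tokens are reported as absent.
    (let [m (get @tokens token)]
      (when (and m (= :access (:kind m)) (< (System/currentTimeMillis) (:expiry m)))
        (dissoc m :kind))))
  (save-refresh-token [_ token user-id client-id scope]
    (swap! tokens assoc token {:kind :refresh :user-id user-id
                               :client-id client-id :scope scope})
    true)
  (get-refresh-token [_ token]
    (let [m (get @tokens token)]
      (when (and m (= :refresh (:kind m)))
        (dissoc m :kind))))
  (revoke-token [_ token]
    (let [[before _] (swap-vals! tokens dissoc token)]
      (contains? before token))))

(defn refresh-grant
  "Handles a refresh_token grant. The presented refresh token is consumed
   atomically before anything else, so a concurrent replay of the same token
   fails, and the new pair carries the scope recorded at issue time (the
   client cannot widen it). Returns the new tokens or a rejection keyword."
  [store refresh-token client-id access-ttl-ms]
  (let [[before _] (swap-vals! (:tokens store) dissoc refresh-token)
        m (get before refresh-token)]
    (cond
      (or (nil? m) (not= :refresh (:kind m))) :invalid-grant
      ;; Wrong client: the token is already burned, which is the safe outcome
      ;; when a refresh token shows up from a client it was not issued to.
      (not= client-id (:client-id m)) :invalid-client
      :else
      (let [at (random-token) rt (random-token)]
        (save-access-token store at (:user-id m) client-id (:scope m)
                           (+ (System/currentTimeMillis) access-ttl-ms))
        (save-refresh-token store rt (:user-id m) client-id (:scope m))
        {:access-token at :refresh-token rt :scope (:scope m)}))))

(comment
  ;; Constructed sample: rotation makes the old refresh token unusable.
  (let [store (->InMemoryTokenStore (atom {}))]
    (save-refresh-token store "rt-old" "alice" "app-1" ["openid"])
    [(refresh-grant store "rt-old" "app-1" 300000)   ; {:access-token .. :refresh-token .. :scope ["openid"]}
     (refresh-grant store "rt-old" "app-1" 300000)   ; :invalid-grant
     (revoke-token store "never-issued")]))          ; false
```

Because refresh tokens do not expire on their own under this protocol, rotation is the mechanism that bounds the life of any one token string: after a successful refresh the old string is gone from the store, so a copy captured earlier cannot be replayed.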