oidc.authorization
OIDC Authorization Code Flow implementation.
authorization-url
(authorization-url authorization-endpoint client-id redirect-uri {:keys [scope state nonce response-type response-mode prompt max-age ui-locales additional-params], :or {scope "openid", response-type "code"}})
Constructs the authorization URL for initiating the OIDC flow.
Takes an authorization endpoint URL (from discovery), a client ID, a redirect URI, and an options map. The options support :scope (defaults to "openid"), :state (for CSRF protection), :nonce (for replay protection), :response-type (defaults to "code"), :response-mode (e.g., "query" or "fragment"), :prompt (e.g., "none", "login", "consent"), :max-age (maximum authentication age in seconds), :ui-locales (preferred locales for the UI), and :additional-params (a map of additional query parameters).
Constructs the full authorization URL with all parameters properly URL-encoded. Returns the authorization URL string.
exchange-code
(exchange-code token-endpoint code client-id client-secret redirect-uri {:keys [code-verifier]})
Exchanges an authorization code for tokens.
Takes a token endpoint URL (from discovery), the authorization code received from the callback, a client ID, an optional client secret (for confidential clients), the same redirect URI used in the authorization request, and an options map that can include :code-verifier for PKCE flows.
Makes an HTTP POST request to the token endpoint with grant_type=authorization_code. Validates the response against the TokenResponse schema. In Clojure, returns the token response map containing access_token, id_token, etc. In ClojureScript, returns a promise. Throws ExceptionInfo on HTTP or validation errors.
generate-nonce
(generate-nonce)
Generates a random nonce parameter for replay protection.
Returns a cryptographically random string suitable for use as an OIDC nonce parameter to prevent token replay attacks.
generate-state
(generate-state)
Generates a random state parameter for CSRF protection.
Returns a cryptographically random string suitable for use as an OAuth2 state parameter to prevent cross-site request forgery attacks.
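A worked login flow built on the functions above, as an added example rather than code from the library itself: it generates state and nonce, adds an RFC 7636 PKCE challenge through :additional-params, and refuses the callback unless the state round-trips before calling exchange-code. The endpoint and client values, and the use of string keys in :additional-params, are assumptions.

```clojure
(ns example.login
  (:require [oidc.authorization :as auth])
  (:import [java.security SecureRandom MessageDigest] [java.util Base64]))

;; Assumed values (from the provider's discovery document and client registration).
(def authorization-endpoint "https://issuer.example/authorize")
(def token-endpoint "https://issuer.example/token")
(def client-id "my-client")
(def redirect-uri "https://app.example/callback")

(defn- b64url [^bytes bs]
  (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) bs))

(defn pkce-pair
  "RFC 7636 S256: random verifier and base64url(SHA-256(verifier))."
  []
  (let [raw (byte-array 32)
        _ (.nextBytes (SecureRandom.) raw)
        verifier (b64url raw)
        md (MessageDigest/getInstance "SHA-256")]
    {:verifier verifier
     :challenge (b64url (.digest md (.getBytes verifier "US-ASCII")))}))

(defn start-login
  "Step 1: build the redirect URL. The returned :session map (state, nonce,
  PKCE verifier) must be stored server-side and checked in the callback."
  []
  (let [state (auth/generate-state)
        nonce (auth/generate-nonce)
        {:keys [verifier challenge]} (pkce-pair)]
    {:url (auth/authorization-url
           authorization-endpoint client-id redirect-uri
           {:scope "openid profile" :state state :nonce nonce
            ;; string keys for :additional-params are an assumption
            :additional-params {"code_challenge" challenge
                                "code_challenge_method" "S256"}})
     :session {:state state :nonce nonce :code-verifier verifier}}))

(defn finish-login
  "Step 2: handle the callback. Reject it unless the returned state equals the
  stored one (CSRF defense), then redeem the code with the PKCE verifier."
  [{:keys [state code-verifier]} callback-params]
  (when-not (and state (= state (get callback-params "state")))
    (throw (ex-info "state mismatch: rejecting callback" {:expected state})))
  ;; Public client, so client-secret is nil. Validate the returned id_token and
  ;; compare its nonce claim with the stored nonce before trusting it
  ;; (ID-token validation is outside this namespace).
  (auth/exchange-code token-endpoint (get callback-params "code")
                      client-id nil redirect-uri
                      {:code-verifier code-verifier}))
```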
refresh-token
(refresh-token token-endpoint refresh-token-val client-id client-secret {:keys [scope]})
Refreshes an access token using a refresh token.
Takes a token endpoint URL (from discovery), the refresh token, a client ID, an optional client secret (for confidential clients), and an options map that can include :scope to request specific scopes.
Makes an HTTP POST request to the token endpoint with grant_type=refresh_token. Validates the response against the TokenResponse schema. In Clojure, returns the token response map with the new access_token. In ClojureScript, returns a promise. Throws ExceptionInfo on HTTP or validation errors.
TokenResponse
Malli schema for OAuth2 token response.