oidc.ring
Ring middleware for OIDC client authentication flows.
Provides middleware that handles OIDC authentication routes automatically, including login initiation, callback handling, and logout. Uses Ring sessions to store state and nonce during the OAuth flow.
callback-handler
(callback-handler client {:keys [success-fn error-fn verify-id-token?], :or {success-fn (fn [_req _tokens] (-> (response/redirect "/") (response/status 302))), error-fn (fn [_req error] (json-response {:error error} 401)), verify-id-token? true}})

Handles the OAuth callback route.

Validates the state parameter against the session, exchanges the authorization code for tokens, and, when verify-id-token? is true (the default), verifies the ID token. On success, calls success-fn with the request and the token response and returns its response directly. The success-fn is responsible for handling the tokens (e.g., storing them in the session); the default success-fn only redirects to "/" and persists nothing, so supply your own if later requests need the tokens. On error, calls error-fn with the request and the error information; the default error-fn returns that error as JSON with status 401, so supply your own if provider error details should not reach the client.
login-handler
(login-handler client {:keys [prompt max-age ui-locales additional-params], :or {prompt nil, max-age nil, ui-locales nil, additional-params {}}})

Handles the login initiation route.
Generates state and nonce parameters, stores them in the session, fetches the discovery document to get the authorization endpoint, and redirects the user to the OIDC provider’s authorization URL.
logout-handler
(logout-handler client {:keys [post-logout-redirect-uri end-session-redirect?], :or {post-logout-redirect-uri nil, end-session-redirect? false}})

Handles the logout route.

Clears the tokens from the session. Optionally performs OIDC RP-Initiated Logout: when end-session-redirect? is true and the provider advertises an end_session_endpoint, the user is redirected there instead of only being logged out locally; post-logout-redirect-uri, if set, is the URI the provider should send the user back to afterwards.
oidc-middleware
(oidc-middleware handler {:keys [client login-path callback-path logout-path login-opts callback-opts logout-opts], :or {login-path "/auth/login", callback-path "/auth/callback", logout-path "/auth/logout", login-opts {}, callback-opts {}, logout-opts {}}})

Ring middleware that adds OIDC authentication routes.

Intercepts requests to the configured routes and handles OIDC authentication flows automatically. Uses Ring sessions to store state, nonce, and tokens.

Options:
- :client - OIDC client configuration from oidc.core/create-client
- :login-path - Path for login initiation (default: /auth/login)
- :callback-path - Path for OAuth callback (default: /auth/callback)
- :logout-path - Path for logout (default: /auth/logout)
- :login-opts - Options passed to login-handler (prompt, max-age, etc.)
- :callback-opts - Options passed to callback-handler (success-fn, error-fn, etc.)
- :logout-opts - Options passed to logout-handler (post-logout-redirect-uri, etc.)
Example:

(require '[oidc.core :as oidc]
         '[oidc.ring :refer [oidc-middleware]]
         '[ring.util.response :as response])

(def client
  (oidc/create-client
   {:issuer        "https://accounts.google.com"
    :client-id     "your-client-id"
    :client-secret "your-client-secret"
    ;; Development value; register an https:// redirect URI in production.
    :redirect-uri  "http://localhost:3000/auth/callback"
    :scopes        ["openid" "email" "profile"]}))

(def app
  (-> handler                          ; your application handler
      (oidc-middleware
       {:client        client
        :callback-opts {:success-fn (fn [_req _tokens]
                                      (response/redirect "/dashboard"))}})))
      ;; wrap-session must be applied outside (after) oidc-middleware so the
      ;; session holding state and nonce exists when the callback is handled.
wrap-oidc-tokens
(wrap-oidc-tokens handler)

Middleware that adds OIDC tokens from the session to the request.

Adds an :oidc/tokens key to the request containing the token response from the session, if present. This only works if your success-fn stores the token response in the session under ::oidc.ring/tokens (that is, the namespaced keyword :oidc.ring/tokens).
Example:

;; In your success-fn, store the token response in the session. Merging into
;; the request's session keeps any other keys your application put there:
(fn [request token-response]
  (-> (response/redirect "/dashboard")
      (assoc :session (assoc (:session request)
                             :oidc.ring/tokens token-response))))

;; Then use wrap-oidc-tokens to access them. Check for the token but do not
;; echo it back to the client; it is a bearer credential:
(defn my-handler [request]
  (if-let [access-token (get-in request [:oidc/tokens :access_token])]
    {:status 200 :body "Authenticated"}
    {:status 401 :body "Not authenticated"}))
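A fuller wiring of the pieces above (the callback-handler hooks, oidc-middleware, and wrap-oidc-tokens), as an added example that is not part of the oidc.ring documentation or the library's own code. It assumes oidc.core/create-client and the middleware signatures documented on this page; the issuer, credentials, session key and URLs are placeholders, and wrap-require-tokens is a hypothetical helper written here, not something oidc.ring provides.

```clojure
(ns example.app
  (:require [oidc.core :as oidc]
            [oidc.ring :as oidc-ring]
            [ring.util.response :as response]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]))

;; Placeholder issuer and credentials; replace with your provider's values.
(def client
  (oidc/create-client
   {:issuer        "https://accounts.example.com"
    :client-id     "your-client-id"
    :client-secret "your-client-secret"
    :redirect-uri  "https://app.example.com/auth/callback"
    :scopes        ["openid" "email" "profile"]}))

(defn on-success
  "success-fn: persist the token response under :oidc.ring/tokens so that
   wrap-oidc-tokens can find it, keeping any other session keys intact."
  [request token-response]
  (-> (response/redirect "/dashboard")
      (assoc :session (assoc (:session request)
                             :oidc.ring/tokens token-response))))

(defn on-error
  "error-fn: log the provider's error server-side and return a generic
   response instead of the default, which echoes the error to the client."
  [_request error]
  (println "OIDC callback failed:" (pr-str error)) ; swap for your logger
  {:status  401
   :headers {"Content-Type" "text/plain"}
   :body    "Authentication failed"})

(defn wrap-require-tokens
  "Hypothetical helper (not part of oidc.ring): send requests that carry no
   :oidc/tokens to the login route. Must sit inside wrap-oidc-tokens."
  [handler login-path]
  (fn [request]
    (if (:oidc/tokens request)
      (handler request)
      (response/redirect login-path))))

(defn dashboard
  "Protected handler. Reports the token lifetime but never echoes the token."
  [request]
  (let [{:keys [expires_in]} (:oidc/tokens request)]
    {:status  200
     :headers {"Content-Type" "text/plain"}
     :body    (str "Logged in; access token expires in " expires_in " s")}))

;; Placeholder 16-byte AES key for the cookie store; load it from
;; configuration in a real deployment, never from source.
(def session-key (.getBytes "change-me-16byte" "UTF-8"))

(def app
  (-> (wrap-require-tokens dashboard "/auth/login")
      oidc-ring/wrap-oidc-tokens
      (oidc-ring/oidc-middleware
       {:client        client
        :callback-opts {:success-fn on-success
                        :error-fn   on-error}
        :logout-opts   {:end-session-redirect?    true
                        :post-logout-redirect-uri "https://app.example.com/"}})
      ;; Outermost: the session must exist before oidc-middleware runs.
      ;; SameSite=Lax, not Strict: the provider's redirect back to
      ;; /auth/callback is a cross-site top-level navigation, and with
      ;; Strict the cookie carrying state and nonce would not be sent,
      ;; so every callback would fail the state check.
      (wrap-session {:store        (cookie-store {:key session-key})
                     :cookie-attrs {:http-only true
                                    :secure    true
                                    :same-site :lax}})))

;; Serve with, e.g., (ring.adapter.jetty/run-jetty app {:port 3000}).
```

Middleware order matters here: requests to /auth/login, /auth/callback and /auth/logout are answered by oidc-middleware before they reach wrap-oidc-tokens, while every other request passes through wrap-oidc-tokens and then the require-tokens gate before reaching dashboard.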