Malli schema for authorization request parameters.

Malli schema for authorization response.

Builds the redirect URL with query parameters.

Takes an authorization response map (from handle-authorization-approval or handle-authorization-denial) containing a redirect URI and parameters. URL-encodes the parameters and appends them to the redirect URI as query parameters, properly handling whether the URI already contains a query string. Returns the complete redirect URL string.

Handles user approval of authorization request.

Takes a parsed authorization request (from parse-authorization-request), the user ID of the approving user, provider configuration, an AuthorizationCodeStore, and an optional auth-time (epoch seconds) indicating when the user last authenticated. When :max-age was present in the authorization request, the host application should supply auth-time so that the auth_time claim appears in the resulting ID token per OIDC Core §3.1.2.1. Returns an authorization response map containing the redirect URI and response parameters (including the code and optional state). Currently supports response_type “code”; throws ex-info for unsupported response types.

Handles user denial of authorization request.

Takes a parsed authorization request, an OAuth2 error code (defaults to “access_denied” if not provided), a human-readable error description, and provider configuration. Includes the iss response parameter per RFC 9207. Returns the response map with the error, optional error description, and optional state parameter.

Validates a pre-parsed authorization request.

Takes a params map with keyword keys (as produced by Ring’s wrap-params and wrap-keyword-params middleware) and a client-store implementing oidc-provider.protocol/ClientStore. Validates against AuthorizationRequest, looks up the client, and validates the redirect URI, response type, scopes, PKCE, and resource indicator parameters. Returns the validated request map.

The :resource parameter may be a string (single value) or a vector (multiple values); it is normalized to a vector. When the request has no :resource parameter and the client has a :default-resource configured, the default is applied automatically. When prompt is present, its value is parsed and validated per OIDC Core §3.1.2.1 and the result is included as :prompt-values — a set of keywords (e.g., #{:login :consent}). Throws ex-info on validation errors or if the client is unknown.

Checks whether the user’s authentication is still fresh per OIDC Core §3.1.2.1.

Takes max-age-seconds from the authorization request, auth-time-seconds (epoch seconds when the user last authenticated), and a java.time.Clock. Returns true if the elapsed time since authentication is within max-age, false if re-authentication is required.

Checks whether prompt=none was requested and the user is not authenticated.

Host applications should call this after resolving the user’s authentication state. If :prompt-values contains :none and authenticated? is false, returns an error redirect response map with a login_required error code per OIDC Core §3.1.2.6. Returns nil when no error applies — the host app should proceed normally.