oidc-provider.core
Core OIDC provider setup and configuration.
Provides create-provider for initialization, domain functions like token-request and dynamic-register-client that return pure data, and Ring response functions like token-response, registration-response, revocation-response, and userinfo-response that return Ring response maps with plain Clojure data as bodies. Use Ring middleware such as wrap-json-response to handle JSON serialization.
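The following Ring application shows how the pieces described above fit together. It is an added example, not code from oidc-provider itself: it assumes ring-core and ring-json on the classpath, a session that carries :user-id once the user has logged in, a consent form that posts consent=deny when the user refuses, and an OP_INITIAL_ACCESS_TOKEN environment variable holding the RFC 7591 §3 initial access token used to gate registration. The only oidc-provider functions it calls are the ones documented on this page.

```clojure
;; Added example (not oidc-provider code): a Ring app wiring the response
;; functions together. Assumed: ring-core, ring-json, a session holding
;; :user-id after login, a consent form posting consent=deny on refusal,
;; and OP_INITIAL_ACCESS_TOKEN in the environment.
(ns example.op
  (:require [oidc-provider.core :as oidc]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.keyword-params :refer [wrap-keyword-params]]
            [ring.middleware.json :refer [wrap-json-body wrap-json-response]])
  (:import [java.security MessageDigest]))

(def provider
  (oidc/create-provider
   {:issuer                 "https://op.example.com" ; HTTPS, no query/fragment
    :authorization-endpoint "https://op.example.com/authorize"
    :token-endpoint         "https://op.example.com/token"
    :jwks-uri               "https://op.example.com/jwks"
    ;; Shorter than the 600 s default, as recommended for production.
    :authorization-code-ttl-seconds 60
    ;; For a real deployment also pass :signing-key (the default key is
    ;; generated per process) and :claims-provider (needed for ID tokens).
    }))

(defn- authorization-handler
  "parse-authorization-request validates the query/form params against the
   registered client; authorize and deny-authorization return the redirect
   URL that sends the user-agent back to the client."
  [request]
  (try
    (let [auth-req (oidc/parse-authorization-request provider (:params request))
          user-id  (get-in request [:session :user-id])] ; assumed session shape
      (cond
        (nil? user-id)
        ;; Authenticate first; a real app stores auth-req and resumes it.
        {:status 302 :headers {"Location" "/login"}}

        (= "deny" (get-in request [:params :consent]))
        {:status 302
         :headers {"Location" (oidc/deny-authorization
                               provider auth-req
                               "access_denied" "User denied the request")}}

        :else
        {:status 302
         :headers {"Location" (oidc/authorize provider auth-req user-id)}}))
    (catch clojure.lang.ExceptionInfo e
      ;; 400 for a bad redirect_uri/client_id, otherwise a 302 error redirect.
      (oidc/authorization-error-response provider e))))

;; Hypothetical initial access token (RFC 7591 §3), loaded from the
;; environment rather than hard-coded.
(def ^:private initial-access-token (System/getenv "OP_INITIAL_ACCESS_TOKEN"))

(defn- authorized-to-register?
  "Constant-time check of the Authorization header against the initial
   access token; false when no token is configured or none is presented."
  [request]
  (let [presented (get-in request [:headers "authorization"])]
    (boolean
     (and initial-access-token presented
          (MessageDigest/isEqual
           (.getBytes ^String presented "UTF-8")
           (.getBytes (str "Bearer " initial-access-token) "UTF-8"))))))

(defn- registration-handler
  "POST /register is otherwise open to anyone who can reach it, so gate it.
   GET/PUT/DELETE are authenticated by the library with the per-client
   registration access token, so they pass straight through."
  [request]
  (if (and (= :post (:request-method request))
           (not (authorized-to-register? request)))
    {:status 401
     :headers {"WWW-Authenticate" "Bearer"}
     :body {:error "invalid_token"}}
    (oidc/registration-response provider request)))

(defn- routes [request]
  (case (:uri request)
    "/.well-known/openid-configuration"
    {:status 200 :body (oidc/discovery-metadata provider)}
    "/jwks"      {:status 200 :body (oidc/jwks provider)}
    "/authorize" (authorization-handler request)
    "/token"     (oidc/token-response provider request)
    "/userinfo"  (oidc/userinfo-response provider request)
    "/revoke"    (oidc/revocation-response provider request)
    "/register"  (registration-handler request)
    {:status 404 :body {:error "not_found"}}))

;; wrap-params runs first on the way in; wrap-json-response runs last on the
;; way out and serializes the plain Clojure maps the library returns.
(def app
  (-> routes
      wrap-json-response
      (wrap-json-body {:keywords? true}) ; registration bodies as keyword maps
      wrap-keyword-params
      wrap-params))
```

The middleware order matters: wrap-params must run before wrap-keyword-params, and wrap-json-body must run before the handler so that registration-response sees a keyword map in :body. Bodies returned by the library are plain data, so no JSON encoding happens until wrap-json-response on the way out.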
authorization-error-response
(authorization-error-response provider e)
Returns a Ring response for an authorization endpoint error.
Dispatches on the :type key in ex-data via oidc-provider.error/request-error?. Non-redirectable errors (:redirect false — invalid redirect_uri or unknown client_id) return a 400 response with the error in the body. Redirectable errors build a 302 error redirect using the :redirect_uri and :state from ex-data.
authorize
(authorize provider request user-id)
Handles authorization approval after user authentication.
Takes a Provider instance, a parsed authorization request, and the user ID of the user who approved the request. Generates an authorization code, stores it, and builds the redirect URL to send the user back to the client. Returns the redirect URL string.
create-provider
(create-provider {:keys [issuer signing-key signing-keys active-signing-key-id access-token-ttl-seconds id-token-ttl-seconds authorization-code-ttl-seconds refresh-token-ttl-seconds rotate-refresh-tokens grant-types-supported clock client-store code-store token-store claims-provider allow-http-issuer], :as config})
Creates an OIDC provider instance.
Takes a configuration map containing required keys :issuer (provider issuer URL), :authorization-endpoint, and :token-endpoint. Optional keys include :jwks-uri (omit for plain OAuth2; required when the provider issues ID tokens), :signing-key (RSAKey for signing tokens; generated automatically when :jwks-uri is set and no key is supplied), :access-token-ttl-seconds (defaults to 3600), :id-token-ttl-seconds (defaults to 3600), :authorization-code-ttl-seconds (defaults to 600, the maximum lifetime RFC 6749 §4.1.2 recommends; use a shorter value in production), :client-store, :code-store, :token-store (an in-memory implementation is created for any of the three that is not provided), and :claims-provider (required for ID token claims). A generated signing key and the in-memory stores exist only in the current process: supply :signing-key (or :signing-keys with :active-signing-key-id) and persistent stores in production so that issued tokens and codes remain valid across restarts and are shared between provider instances.
The issuer URL is validated per RFC 8414 §2: it must use HTTPS with no query or fragment component. Set :allow-http-issuer to true to permit HTTP issuers during local development.
Without RFC 8707 resource indicators or a client-level :default-resource setting, access tokens have no audience binding, so a token obtained for one resource server is accepted by any other resource server that trusts the issuer. Configure :default-resource on client registrations to scope tokens to specific resource servers by default.
Validates the configuration and returns a Provider instance with all stores and settings initialized.
deny-authorization
(deny-authorization {:keys [provider-config], :as _provider} request error-code error-description)
Handles authorization denial.
Takes a Provider instance, a parsed authorization request, an OAuth2 error code, and an error description. Builds an error response and constructs the redirect URL to send the user back to the client with the error information. Returns the redirect URL string.
discovery-metadata
(discovery-metadata provider)
Returns OpenID Connect Discovery metadata for the provider.
Takes a Provider instance and extracts the relevant configuration keys to build the OpenID Connect Discovery metadata document. Returns the discovery metadata map containing issuer, endpoints, supported features, and other OIDC configuration.
dynamic-delete-client
(dynamic-delete-client provider client-id access-token)
Deregisters a dynamically registered client per RFC 7592 §2.3.
Takes a Provider instance, a client-id, and the bearer access-token. Returns nil on success. Throws ex-info with "invalid_token" on auth failure.
dynamic-read-client
(dynamic-read-client provider client-id access-token)
Reads a dynamically registered client’s configuration per RFC 7592.
Takes a Provider instance, a client-id, and the bearer access-token presented by the caller. Returns the client configuration map if the token is valid. Throws ex-info with "invalid_token" when the client is unknown or the token does not match.
dynamic-register-client
(dynamic-register-client provider request)
Dynamically registers a new OAuth2/OIDC client per RFC 7591.
Takes a Provider instance and a registration request map in snake_case wire format. Validates the request, generates credentials, stores the client, and returns the registration response in snake_case wire format. Throws ex-info with "invalid_client_metadata" on validation errors.
dynamic-update-client
(dynamic-update-client provider client-id access-token body)
Updates a dynamically registered client’s metadata per RFC 7592 §2.2.
Takes a Provider instance, a client-id, the bearer access-token, and the updated metadata body map. Returns the updated client configuration. Throws ex-info with "invalid_token" on auth failure or "invalid_client_metadata" on validation errors.
get-client
(get-client provider client-id)
Retrieves a client configuration.
Takes a Provider instance and a client identifier. Looks up the client configuration in the client store. Returns the client configuration map if found, or nil if the client doesn’t exist.
jwks
(jwks provider)
Returns JWKS for the provider.
Takes a Provider instance and generates the JSON Web Key Set containing the provider’s public signing keys. Returns the JWKS map suitable for serving at the JWKS endpoint.
parse-authorization-request
(parse-authorization-request provider params)
Validates an authorization request.
Takes a Provider instance and a params map with keyword keys (as produced by Ring’s wrap-params and wrap-keyword-params middleware). Validates the request parameters against the registered client configuration. Returns the validated authorization request map. Throws ex-info on validation errors.
register-client
(register-client provider client-config)
Registers a new OAuth2/OIDC client.
Takes a Provider instance and a client configuration map that must conform to the oidc-provider.protocol/ClientRegistration schema. Throws AssertionError if the config is invalid. Stores the client in the client store and returns the registered client configuration including the generated client-id.
registration-response
(registration-response provider request)
Returns a Ring response for dynamic client registration (RFC 7591) and client configuration management (RFC 7592).
Dispatches on HTTP method: POST for registration, GET for client read, PUT for client metadata update, and DELETE for deregistration. Takes a Provider instance and a Ring request whose :body has already been parsed to a keyword map (e.g. via wrap-json-body with {:keywords? true}). Read, update and delete are authenticated with the client’s registration access token (see dynamic-read-client, dynamic-update-client and dynamic-delete-client); the POST registration itself is not gated by this function, so anyone who can reach the endpoint can create clients. To restrict registration, use application-level middleware, for example requiring an RFC 7591 §3 initial access token or limiting the endpoint to trusted networks.
revocation-response
(revocation-response provider request)
Returns a Ring response for RFC 7009 token revocation.
Only accepts POST requests with application/x-www-form-urlencoded content type. Returns 200 on success, 400 for missing token, or 401 on auth failure.
token-request
(token-request provider params authorization-header)
Handles token endpoint request.
Takes a Provider instance, token request parameters from the form body (as produced by Ring’s wrap-params / wrap-keyword-params middleware), and an optional Authorization header value for client authentication. Multi-value resource parameters (RFC 8707) should already be present in params — Ring’s wrap-params automatically yields a vector for repeated form fields. Validates the request, exchanges the authorization code for tokens, and generates access tokens and ID tokens. Returns the token response map containing tokens and metadata. Throws ex-info on validation or processing errors.
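Because parse-authorization-request, authorize, dynamic-register-client and token-request all return plain data, the whole authorization-code flow can be driven without an HTTP server, which is how an integration test for a deployment would exercise it. The block below is an added example and not oidc-provider code. It assumes the registration response carries :client_secret and :registration_access_token under their RFC 7591/7592 wire names, that a provider created without :jwks-uri runs in plain OAuth2 mode (so no ID token and no :claims-provider are needed), and that the token endpoint rejects a replayed code as RFC 6749 §4.1.2 requires; the query-string and Basic-auth helpers are the example’s own.

```clojure
;; Added example (not oidc-provider code): the authorization-code flow run
;; end to end against the default in-memory stores. Assumptions: the
;; registration response has :client_secret and :registration_access_token,
;; omitting :jwks-uri gives plain OAuth2 (no ID token, no claims-provider),
;; and a replayed code is rejected. Helper functions are this example's own.
(ns example.flow
  (:require [oidc-provider.core :as oidc]
            [clojure.string :as str])
  (:import [java.net URI URLDecoder]
           [java.util Base64]))

(def redirect-uri "https://app.example.com/cb")

(defn- query-params
  "Keyword map of the query component of url (enough for a redirect URL)."
  [url]
  (into {}
        (for [pair (str/split (or (.getRawQuery (URI. url)) "") #"&")
              :when (seq pair)
              :let [[k v] (str/split pair #"=" 2)]]
          [(keyword (URLDecoder/decode k "UTF-8"))
           (URLDecoder/decode (or v "") "UTF-8")])))

(defn- basic-auth
  "client_secret_basic Authorization header value for the token endpoint."
  [id secret]
  (str "Basic " (.encodeToString (Base64/getEncoder)
                                 (.getBytes (str id ":" secret) "UTF-8"))))

(defn run-flow
  "Register a client, run the code flow for user-42, exchange the code with
   an RFC 8707 resource indicator, check that a replay of the code fails,
   then deregister the client. Returns the token response map."
  []
  (let [provider  (oidc/create-provider
                   {:issuer                 "http://localhost:8080"
                    :allow-http-issuer      true ; local development only
                    :authorization-endpoint "http://localhost:8080/authorize"
                    :token-endpoint         "http://localhost:8080/token"})
        reg       (oidc/dynamic-register-client
                   provider
                   {:redirect_uris [redirect-uri]
                    :client_name   "Example RP"
                    :grant_types   ["authorization_code"]
                    :token_endpoint_auth_method "client_secret_basic"})
        client-id (:client_id reg)
        auth-hdr  (basic-auth client-id (:client_secret reg))
        ;; Authorization endpoint: validate the request, then the user approves.
        auth-req  (oidc/parse-authorization-request
                   provider {:response_type "code"
                             :client_id     client-id
                             :redirect_uri  redirect-uri
                             :scope         "read"
                             :state         "xyz"})
        back      (query-params (oidc/authorize provider auth-req "user-42"))
        _         (assert (= "xyz" (:state back)) "state must round-trip unchanged")
        code-req  {:grant_type   "authorization_code"
                   :code         (:code back)
                   :redirect_uri redirect-uri
                   ;; RFC 8707: a repeated resource form field arrives as a vector
                   :resource     ["https://api.example.com"]}
        tokens    (oidc/token-request provider code-req auth-hdr)]
    ;; RFC 6749 §4.1.2: a code is single-use, so the same exchange must fail.
    (try
      (oidc/token-request provider code-req auth-hdr)
      (throw (AssertionError. "authorization code accepted twice"))
      (catch clojure.lang.ExceptionInfo e
        (println "replay rejected:" (ex-message e) (ex-data e))))
    ;; Deregister with the registration access token; the lookup now returns nil.
    (oidc/dynamic-delete-client provider client-id (:registration_access_token reg))
    (assert (nil? (oidc/get-client provider client-id)))
    tokens))

(comment
  (keys (run-flow)))
```

The replay check is the one most worth keeping in a real test suite: an authorization code that is accepted twice lets an attacker who captured the redirect obtain a second token set after the legitimate client has already used the code.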
token-response
(token-response provider request)
Returns a Ring response for the OAuth2 token endpoint (RFC 6749 §3.2).
Only accepts POST requests with application/x-www-form-urlencoded content type. Success responses include Cache-Control: no-store and Pragma: no-cache headers per RFC 6749 §5.1.
userinfo-response
(userinfo-response provider request)
Returns a Ring response for the OIDC UserInfo endpoint (OIDC Core §5.3).
Accepts GET and POST requests with a Bearer token in the Authorization header. Looks up the access token, validates expiry, retrieves user claims filtered by the token’s scope, and returns a Ring response whose :body is the claims map (serialize it with wrap-json-response).