oidc-provider.token-endpoint
Token endpoint implementation for OAuth2/OIDC.
authenticate-client
(authenticate-client params authorization-header client-store)
Authenticates an OAuth2 client from request parameters or an HTTP Basic Authorization header.
Resolves the client identity from params (:client_id / :client_secret) or the authorization-header (HTTP Basic), looks the client up in client-store, and verifies credentials. Returns the client config map on success. Throws ex-info on missing, unknown, or mismatched credentials.
default-grant-types-supported
Default grant types when :grant-types-supported is not configured.
handle-authorization-code-grant
(handle-authorization-code-grant {:keys [code redirect_uri code_verifier]} client provider-config code-store token-store claims-provider)
Exchanges an authorization code for tokens per RFC 6749 §4.1.3.
Validates the client is authorized for the authorization_code grant, verifies the code against code-store (including that it was issued to this client and has not already been redeemed), checks that redirect_uri matches the one sent on the authorization request, and, when the code was issued with a code_challenge, verifies code_verifier against it (PKCE, RFC 7636). It then issues access, refresh, and (when the openid scope is present) ID tokens via token-store and claims-provider. Returns a token response map.
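The redirect_uri and PKCE checks described above, written out as an added example. This is not the library's own code: the shape of the stored code record (:client-id, :redirect-uri, :code-challenge, :code-challenge-method, :expires-at, :used?) and the :require-pkce? client flag are assumptions made for the example.

```clojure
(ns example.pkce
  "Added example: redirect_uri and PKCE checks for the authorization_code grant.
   Not the oidc-provider library's code; the code-record shape is assumed."
  (:import [java.nio.charset StandardCharsets]
           [java.security MessageDigest]
           [java.util Base64]))

(defn s256-challenge
  "BASE64URL(SHA256(ASCII(code_verifier))) without padding, RFC 7636 §4.2.
   RFC 7636 Appendix B vector: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
   corresponds to challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM."
  [^String code-verifier]
  (let [digest (.digest (MessageDigest/getInstance "SHA-256")
                        (.getBytes code-verifier StandardCharsets/US_ASCII))]
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) digest)))

(defn- valid-verifier-syntax?
  "RFC 7636 §4.1: 43 to 128 unreserved characters."
  [v]
  (boolean (and (string? v) (re-matches #"[A-Za-z0-9\-._~]{43,128}" v))))

(defn- challenge-matches?
  "Constant-time comparison; MessageDigest/isEqual does not short-circuit."
  [^String expected ^String actual]
  (MessageDigest/isEqual (.getBytes expected StandardCharsets/US_ASCII)
                         (.getBytes actual StandardCharsets/US_ASCII)))

(defn- invalid-grant [msg data]
  (ex-info msg (assoc data :error "invalid_grant")))

(defn verify-code-exchange
  "Validates a stored authorization-code record against the token request and
   the authenticated client. Returns the record on success, throws ex-info
   with :error \"invalid_grant\" otherwise. now-ms is the current epoch time."
  [{:keys [redirect_uri code_verifier]} client code-record now-ms]
  (let [{:keys [client-id redirect-uri code-challenge code-challenge-method
                expires-at used?]} code-record]
    (cond
      (nil? code-record)
      (throw (invalid-grant "unknown authorization code" {}))

      ;; A code is single-use. A replay should also revoke tokens previously
      ;; issued from this code (RFC 6749 §4.1.2), hence the flag for the caller.
      used?
      (throw (invalid-grant "authorization code already used" {:revoke-issued-tokens true}))

      (>= now-ms expires-at)
      (throw (invalid-grant "authorization code expired" {}))

      ;; The code is bound to the client it was issued to, not to whoever presents it.
      (not= client-id (:client-id client))
      (throw (invalid-grant "code issued to a different client" {}))

      ;; RFC 6749 §4.1.3: if redirect_uri was sent on the authorization request it
      ;; must be repeated here and match exactly (string equality, no normalisation).
      (and redirect-uri (not= redirect-uri redirect_uri))
      (throw (invalid-grant "redirect_uri mismatch" {}))

      ;; Assumed client flag: a provider that mandates PKCE for public clients
      ;; rejects codes that were issued without a challenge.
      (and (nil? code-challenge) (:require-pkce? client))
      (throw (invalid-grant "PKCE required for this client" {}))

      ;; A code issued with a challenge can only be redeemed with its verifier.
      code-challenge
      (cond
        (not (valid-verifier-syntax? code_verifier))
        (throw (invalid-grant "code_verifier missing or malformed" {}))

        (= "S256" code-challenge-method)
        (if (challenge-matches? code-challenge (s256-challenge code_verifier))
          code-record
          (throw (invalid-grant "PKCE verification failed" {})))

        ;; "plain" is permitted by RFC 7636 only where S256 is unavailable;
        ;; many providers reject it outright.
        (= "plain" code-challenge-method)
        (if (challenge-matches? code-challenge code_verifier)
          code-record
          (throw (invalid-grant "PKCE verification failed" {})))

        :else
        (throw (invalid-grant "unsupported code_challenge_method" {})))

      :else code-record)))
```

The ordering of the cond matters: replay and expiry are checked before the comparatively expensive hash and compare, and every failure maps to the same invalid_grant error so the response does not reveal which check failed.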
handle-client-credentials-grant
(handle-client-credentials-grant {:keys [scope resource]} client provider-config token-store)
Issues an access token for the client itself per RFC 6749 §4.4.
Validates the client is authorized for the client_credentials grant and is confidential, resolves the requested scope against the client’s allowed scopes, and stores the token via token-store. When no resource parameter is present in the request and the client has a :default-resource configured, the default is used for audience binding. Returns a token response map.
handle-refresh-token-grant
(handle-refresh-token-grant {:keys [refresh_token scope resource]} client provider-config token-store)
Issues a new access token from a refresh token per RFC 6749 §6.
Validates the client is authorized for the refresh_token grant, verifies the token against token-store (including that it belongs to the authenticated client), enforces scope down-scoping (the requested scope may be narrower than the original grant but never wider) and resource constraints, and optionally rotates the refresh token. Rotation is the expected setting for public clients, which cannot otherwise sender-constrain their refresh tokens. Returns a token response map.
handle-token-request
(handle-token-request params authorization-header provider-config client-store code-store token-store claims-provider)
Handles token endpoint requests.
Takes the parsed params map (as produced by Ring's wrap-params and wrap-keyword-params middleware), the authorization-header for client authentication, the provider-config, and the client, code and token stores plus the claims-provider. Multi-value resource parameters (RFC 8707) should already be present in params as a string or a vector: Ring's wrap-params yields a string for a single form field and a vector for a repeated one. Validates the request, authenticates the client, and dispatches to the appropriate grant handler. Returns a token response map. Throws ex-info on validation or processing errors.
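The scope resolution for the client_credentials grant, the down-scoping and resource constraints for the refresh_token grant, and the string-or-vector resource parameter that Ring hands to handle-token-request all reduce to the same set arithmetic. The following is an added example that puts them together; it is not the library's own code. The client map keys :allowed-scopes and :default-resource, and the :error values chosen for the ex-info maps, are assumptions made for the example.

```clojure
(ns example.scope-resource
  "Added example: scope and resource handling shared by the client_credentials
   and refresh_token grants. Not the oidc-provider library's code; the client
   map keys :allowed-scopes and :default-resource are assumed."
  (:require [clojure.set :as set]
            [clojure.string :as str])
  (:import [java.net URI URISyntaxException]))

(defn parse-scope
  "scope is a space-delimited string (RFC 6749 §3.3); nil or blank means none requested."
  [s]
  (if (str/blank? s) #{} (set (str/split (str/trim s) #"\s+"))))

(defn normalize-resource
  "Ring's wrap-params yields a string for a single `resource` form field and a
   vector when the field is repeated; return a vector in both cases."
  [resource]
  (cond
    (nil? resource)        []
    (string? resource)     [resource]
    (sequential? resource) (vec resource)
    :else (throw (ex-info "malformed resource parameter" {:error "invalid_target"}))))

(defn- valid-resource?
  "RFC 8707 §2: a resource indicator is an absolute URI without a fragment."
  [s]
  (try
    (let [u (URI. ^String s)]
      (and (.isAbsolute u) (nil? (.getFragment u))))
    (catch URISyntaxException _ false)))

(defn resolve-resources
  "Audience for a client_credentials token. With no resource in the request
   and a :default-resource on the client, the default is used. Returns a
   vector of resource URIs; throws on an invalid indicator."
  [resource client]
  (let [requested (normalize-resource resource)
        resources (if (and (empty? requested) (:default-resource client))
                    [(:default-resource client)]
                    requested)]
    (when-let [bad (seq (remove valid-resource? resources))]
      (throw (ex-info "invalid resource indicator"
                      {:error "invalid_target" :resources (vec bad)})))
    resources))

(defn- require-subset
  "Returns requested when it is contained in permitted, else throws invalid_scope
   naming the rejected values."
  [requested permitted msg]
  (if (set/subset? requested permitted)
    requested
    (throw (ex-info msg {:error    "invalid_scope"
                         :rejected (set/difference requested permitted)}))))

(defn resolve-client-credentials-scope
  "client_credentials (RFC 6749 §4.4.2): the scope is drawn from the client's
   own :allowed-scopes; an omitted scope yields all of them. Returns a set;
   (str/join \" \" result) gives the `scope` field of the token response."
  [scope client]
  (let [allowed   (set (:allowed-scopes client))
        requested (parse-scope scope)]
    (if (empty? requested)
      allowed
      (require-subset requested allowed "scope not permitted for this client"))))

(defn downscope-refresh
  "refresh_token (RFC 6749 §6): the new scope may be narrower than, but never
   wider than, the scope originally granted; an omitted scope keeps it as is."
  [scope granted-scope]
  (let [granted   (set granted-scope)
        requested (parse-scope scope)]
    (if (empty? requested)
      granted
      (require-subset requested granted "scope exceeds original grant"))))

(defn constrain-refresh-resources
  "RFC 8707: resources named on a refresh request must be among those the
   original grant was issued for; omitted means all of the original ones."
  [resource granted-resources]
  (let [requested (normalize-resource resource)]
    (cond
      (empty? requested) (vec granted-resources)
      (set/subset? (set requested) (set granted-resources)) requested
      :else (throw (ex-info "resource exceeds original grant" {:error "invalid_target"})))))

(comment
  ;; Constructed inputs: a single resource arrives as a string, a repeated one as a vector.
  (resolve-resources "https://api.example.com/orders" {:default-resource "https://api.example.com/"})
  (resolve-resources ["https://api.example.com/orders" "https://api.example.com/billing"] {})
  (resolve-client-credentials-scope "orders:read" {:allowed-scopes ["orders:read" "orders:write"]})
  (downscope-refresh "orders:read" ["orders:read" "orders:write" "openid"])
  (constrain-refresh-resources nil ["https://api.example.com/orders"]))
```

Both grant handlers reject by throwing rather than by silently trimming the request: a client that asks for a scope or audience it was never granted is either misconfigured or probing, and either case is better surfaced as invalid_scope or invalid_target than masked by a narrower token.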
parse-basic-auth
(parse-basic-auth authorization-header)
Parses an HTTP Basic Authorization header into client credentials.
Decodes the Base64-encoded client_id:client_secret pair from the header value. Returns a map with :client-id and :client-secret keys, or nil when the header is absent, not a Basic scheme, or malformed.
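The Basic header parsing above and the credential check in authenticate-client, as an added example that is not the library's own code. It assumes client-store is a plain map from client_id to a client config holding a :client-secret, and treats every client as confidential; the library's own store abstraction and public-client handling are not reproduced here.

```clojure
(ns example.client-auth
  "Added example: client authentication for the token endpoint. Not the
   oidc-provider library's code; client-store is assumed to be a plain map."
  (:require [clojure.string :as str])
  (:import [java.net URLDecoder]
           [java.nio.charset StandardCharsets]
           [java.security MessageDigest]
           [java.util Base64]))

(defn parse-basic-auth
  "Parses `Authorization: Basic <base64(client_id:client_secret)>`.
   Returns {:client-id .. :client-secret ..}, or nil when the header is absent,
   not the Basic scheme, or malformed. RFC 6749 §2.3.1 form-url-encodes both
   values before base64-encoding, so each half is URL-decoded after the split."
  [authorization-header]
  (when (string? authorization-header)
    (when-let [[_ token] (re-matches #"(?i)basic\s+(\S+)\s*" authorization-header)]
      (try
        (let [decoded (String. (.decode (Base64/getDecoder) ^String token)
                               StandardCharsets/UTF_8)
              idx     (str/index-of decoded ":")]
          (when idx
            {:client-id     (URLDecoder/decode (subs decoded 0 idx) "UTF-8")
             :client-secret (URLDecoder/decode (subs decoded (inc idx)) "UTF-8")}))
        ;; Base64 and URL decoding both signal malformed input with this exception.
        (catch IllegalArgumentException _ nil)))))

(defn- secret-matches?
  "Constant-time comparison so response timing does not leak how many leading
   bytes of the secret were correct."
  [^String expected ^String given]
  (MessageDigest/isEqual (.getBytes expected StandardCharsets/UTF_8)
                         (.getBytes given StandardCharsets/UTF_8)))

(defn authenticate-client
  "Resolves the client from the Basic header or from the client_id/client_secret
   params, looks it up in client-store (a map of client_id to config) and
   verifies the secret. Returns the client config; throws ex-info otherwise."
  [params authorization-header client-store]
  (let [from-header (parse-basic-auth authorization-header)
        from-params (when (:client_id params)
                      {:client-id     (:client_id params)
                       :client-secret (:client_secret params)})]
    ;; RFC 6749 §2.3: a client must not use more than one authentication method per request.
    (when (and from-header from-params)
      (throw (ex-info "multiple client authentication methods"
                      {:error "invalid_request"})))
    (let [{:keys [client-id client-secret]} (or from-header from-params)
          client (get client-store client-id)]
      (cond
        (nil? client-id)
        (throw (ex-info "client authentication required" {:error "invalid_client"}))

        ;; Unknown id and wrong secret yield the same error so the endpoint
        ;; cannot be used to enumerate registered client_ids.
        (nil? client)
        (throw (ex-info "client authentication failed" {:error "invalid_client"}))

        (not (secret-matches? (:client-secret client) (or client-secret "")))
        (throw (ex-info "client authentication failed" {:error "invalid_client"}))

        :else client))))

(comment
  ;; Constructed store and header: the header encodes "web-app:s3cret".
  (def clients {"web-app" {:client-id "web-app" :client-secret "s3cret"}})
  (authenticate-client {} "Basic d2ViLWFwcDpzM2NyZXQ=" clients)
  (authenticate-client {:client_id "web-app" :client_secret "s3cret"} nil clients))
```

Storing secrets in plain text, as the constructed store does, is only for the example; a production client-store would hold a salted hash and secret-matches? would compare hashes instead.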