oidc-provider.token
Token generation and validation using Nimbus OAuth SDK.
generate-access-token
(generate-access-token)
Generates a bearer access token and returns its string value.
generate-authorization-code
(generate-authorization-code)
Generates a cryptographically random authorization code using the Nimbus SDK AuthorizationCode class, which produces a 256-bit SecureRandom base64url value.
generate-id-token
(generate-id-token {:keys [issuer key-set active-signing-key-id id-token-ttl-seconds clock], :as config} user-id client-id claims {:keys [nonce auth-time azp access-token additional-audiences]})
Generates a signed OIDC ID token and returns it as a JWT string.

Takes a provider-config map (matching the ProviderConfig schema), a user-id (set as the sub claim), a client-id (set as the aud claim), a claims map of additional claims to include, and an opts map. The opts map supports :nonce, echoed back in the nonce claim so the relying party can bind the token to its own request and detect replay; :auth-time, the authentication timestamp for the auth_time claim; :azp, to include the authorized party claim per OIDC Core §2; :access-token, from which the at_hash claim is computed per OIDC Core §3.1.3.6 so the relying party can tie the ID token to the access token issued alongside it; and :additional-audiences for multi-audience tokens.

When :additional-audiences is provided, the aud claim contains the client-id plus the additional audiences (deduplicated), and azp is set automatically to the client-id, which is the claim relying parties are expected to check (OIDC Core §3.1.3.7) when an ID token carries more than one audience.
generate-refresh-token
(generate-refresh-token)
Generates a cryptographically random refresh token using the Nimbus SDK RefreshToken class, which produces a 256-bit SecureRandom base64url value.
generate-rsa-key
(generate-rsa-key)
(generate-rsa-key key-size)
Generates an RSA key pair for signing tokens. The key-size parameter specifies the key size in bits and defaults to 2048 when called with no arguments. Returns an RSAKey instance configured for signature use.
jwks
(jwks {:keys [key-set], :as config})
Returns the JWKS (JSON Web Key Set) for the given provider-config as a map with a :keys vector containing the public keys in JWK format, suitable for exposing at the jwks_uri discovery endpoint.
normalize-to-jwk-set
(normalize-to-jwk-set key-or-set)
Normalizes a key input to a JWKSet. If the input is already a JWKSet, it passes through unchanged. If it is a single RSAKey, it wraps it in a one-element JWKSet.
validate-id-token
(validate-id-token {:keys [issuer key-set clock], :as config} token expected-client-id)
Validates an ID token's signature and claims against the given provider-config. Verifies that the token string was signed with a key from the provider's key set, that the iss claim matches the configured issuer, that expected-client-id appears in the audience list (supporting both single and multi-audience tokens), and that the token has not expired according to the config's clock. Returns the validated claims as a keyword map, or throws ex-info on failure.
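The following is an added example, not code from oidc-provider.token or its project. It exercises generate-id-token and validate-id-token end to end with a multi-audience token that carries nonce and at_hash, and then performs the relying-party checks from OIDC Core §3.1.3.7 that are not among validate-id-token's documented checks (signature, issuer, audience, expiry): nonce equality, at_hash recomputation, and azp naming the requesting client. It also shows the audience check rejecting a token presented by a client it was not issued to. Assumptions that the page does not confirm: :clock is a java.time.Clock, :auth-time is epoch seconds, :active-signing-key-id is the kid of a key in :key-set, and the returned claim keywords mirror the JWT claim names (:nonce, :at_hash, :azp). The signing key is built with Nimbus RSAKeyGenerator rather than generate-rsa-key so that it carries a known kid; the alias tok, the example issuer, client IDs and subject are the example's own.

```clojure
(ns example.id-token-roundtrip
  "Added example, not part of oidc-provider.token: issue a multi-audience ID token
   with nonce and at_hash, validate it, then run the relying-party checks that
   validate-id-token's documented checks do not cover."
  (:require [oidc-provider.token :as tok])
  (:import (com.nimbusds.jose.jwk KeyUse)
           (com.nimbusds.jose.jwk.gen RSAKeyGenerator)
           (com.nimbusds.jwt SignedJWT)
           (java.nio.charset StandardCharsets)
           (java.security MessageDigest)
           (java.time Clock)
           (java.util Arrays Base64)))

;; Nimbus RSAKeyGenerator is used here so the key has a kid we can put in
;; :active-signing-key-id. That the config keys mean this is an assumption
;; drawn from the documented destructuring, not confirmed by the page.
(def signing-key
  (-> (RSAKeyGenerator. 2048)
      (.keyID "sig-2025-01")
      (.keyUse KeyUse/SIGNATURE)
      (.generate)))

(def config
  {:issuer                "https://op.example.test"   ; example value
   :key-set               (tok/normalize-to-jwk-set signing-key)
   :active-signing-key-id (.getKeyID signing-key)
   :id-token-ttl-seconds  300
   :clock                 (Clock/systemUTC)})         ; assumed to be a java.time.Clock

(defn at-hash
  "OIDC Core 3.1.3.6: base64url(left half of hash(access_token)) where the hash
   is the one underlying the ID token's JWS alg (RS256 -> SHA-256, and so on).
   Recomputed independently here so the relying party does not trust the
   issuer's value blindly."
  [^String access-token ^String jws-alg]
  (let [digest-alg (case jws-alg
                     ("RS256" "PS256" "ES256") "SHA-256"
                     ("RS384" "PS384" "ES384") "SHA-384"
                     ("RS512" "PS512" "ES512") "SHA-512")
        ^bytes digest (.digest (MessageDigest/getInstance digest-alg)
                               (.getBytes access-token StandardCharsets/US_ASCII))
        half (Arrays/copyOfRange digest 0 (quot (alength digest) 2))]
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) half)))

(defn issue-and-validate
  "Issue an ID token for client-id with an extra API audience, validate it as the
   API audience, then apply the OIDC Core 3.1.3.7 relying-party checks."
  [client-id rp-nonce]
  (let [access-token (tok/generate-access-token)
        id-token     (tok/generate-id-token
                      config "user-42" client-id
                      {:email "alice@example.test"}            ; constructed extra claim
                      {:nonce                rp-nonce
                       :auth-time            (.getEpochSecond (.instant ^Clock (:clock config)))
                       :access-token         access-token
                       :additional-audiences ["https://api.example.test"]})
        ;; Documented checks: signature against the key set, iss, aud membership, exp.
        claims       (tok/validate-id-token config id-token "https://api.example.test")
        jws-alg      (-> (SignedJWT/parse id-token) .getHeader .getAlgorithm .getName)]
    ;; Checks the validator does not perform; claim keywords assumed to mirror claim names.
    (when-not (= rp-nonce (:nonce claims))
      (throw (ex-info "nonce mismatch: token not bound to this request (replay?)" {:claims claims})))
    (when-not (= (at-hash access-token jws-alg) (:at_hash claims))
      (throw (ex-info "at_hash mismatch: access token was substituted" {:claims claims})))
    ;; Multi-audience token: azp must be present and name the client it was issued to.
    (when-not (= client-id (:azp claims))
      (throw (ex-info "azp missing or not the requesting client" {:claims claims})))
    claims))

(defn rejected-for-audience?
  "True when a token issued to issued-to is refused when presented as presented-as:
   the audience check that stops one client replaying another client's ID token."
  [issued-to presented-as]
  (let [id-token (tok/generate-id-token config "user-42" issued-to {} {})]
    (try
      (tok/validate-id-token config id-token presented-as)
      false
      (catch clojure.lang.ExceptionInfo _ true))))

(comment
  ;; Happy path: returns the keyword claims map with :sub "user-42".
  (issue-and-validate "rp-client" "n-0S6_WzA2Mj")
  ;; Cross-client presentation: validate-id-token throws, so this returns true.
  (rejected-for-audience? "rp-client" "some-other-client"))
```

The at_hash recomputation reads the hash function off the JWS header algorithm instead of hard-coding SHA-256, because §3.1.3.6 ties the hash to the alg the ID token was actually signed with; a relying party that assumes RS256 will silently accept a wrong at_hash the day the provider rotates to a SHA-384 or SHA-512 algorithm. Keep the nonce you generated server-side in the session, never in a cookie the browser can rewrite, or the nonce check degenerates into comparing two attacker-controlled values.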