Skip to content

Latest commit

 

History

History
133 lines (105 loc) · 5.11 KB

README.md

File metadata and controls

133 lines (105 loc) · 5.11 KB

OpenIDConnect

Build Status codecov.io

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This is an implementation of OpenID Connect in Julia, with methods implementing the authorization code flow.

OpenID Connect Context (OIDCCtx)

The OpenID Connect context holds all states for a single OpenID Connect client configuration.

function OIDCCtx(
    issuer::String,
    redirect_uri::String,
    client_id::String,
    client_secret::String,
    scopes::Vector{String}=DEFAULT_SCOPES;
    verify::Union{Nothing,Bool}=nothing,
    cacrt::Union{Nothing,String,MbedTLS.CRT}=nothing,
    state_timeout_secs::Int=DEFAULT_STATE_TIMEOUT_SECS,
    allowed_skew_secs::Int=DEFAULT_SKEW_SECS,
    key_refresh_secs::Int=DEFAULT_KEY_REFRESH_SECS),
    random_device::RandomDevice=RandomDevice()
)

Parameters:

  • issuer: Issuer URL, pointing to the OpenID server
  • redirect_uri: The app URI to which OpenID server must redirect after authorization
  • client_id, and client_secret: Client ID and secret that this context represents
  • scopes: The scopes to request during authorization (default: openid, profile, email)

Keyword Parameters:

  • verify: whether to validate the server certificate
  • cacrt: the CA certificate to use to check the server certificate
  • state_timeout_secs: seconds for which to keep the state associated with an authorization request (default: 60 seconds), server responses beyond this are rejected as stale
  • allowed_skew_secs: while validating tokens, seconds to allow to account for time skew between machines (default: 120 seconds)
  • key_refresh_secs: time interval in which to refresh the JWT signing keys (default: 1hr)

Error Structures

  • OpenIDConnect.APIError: Error detected at the client side. Members:
    • error: error code or message (String)
  • OpenIDConnect.AuthServerError: Error returned from the OpenID server (see section 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html)
    • error: error code (String)
    • error_description: optional error description (String)
    • error_uri: optional error URI (String)

Authorization Code Flow

Authentication request.

flow_request_authorization_code

Returns a String with the redirect URL. Caller must perform the redirection. Acceptable optional args as listed in section 3.1.2.1 of specifications (https://openid.net/specs/openid-connect-core-1_0.html)

function flow_request_authorization_code(
    ctx::OIDCCtx;
    nonce=nothing,
    display=nothing,
    prompt=nothing,
    max_age=nothing,
    ui_locales=nothing,
    id_token_hint=nothing,
    login_hint=nothing,
    acr_values=nothing
)

flow_get_authorization_code

Given the params from the redirected response from the authentication request, extract the authorization code. See sections 3.1.2.5 and 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns the authorization code on success. Returns one of APIError or AuthServerError on failure.

function flow_get_authorization_code(
    ctx::OIDCCtx,
    query           # name-value pair Dict with query parameters are received from the OpenID server redirect
)

Token Requests

flow_get_token

Token Request. Given the authorization code obtained, invoke the token end point and obtain an id_token, access_token, refresh_token. See section 3.1.3.1 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.

function flow_get_token(
    ctx::OIDCCtx,
    code
)

flow_refresh_token

Token Refresh. Given the refresh code obtained, invoke the token end point and obtain new tokens. See section 12 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.

function flow_refresh_token(
    ctx::OIDCCtx,
    refresh_token
)

Token Validation

flow_validate_id_token

Validate an OIDC token. Validates both the structure and signature. See section 3.1.3.7 of https://openid.net/specs/openid-connect-core-1_0.html

function flow_validate_id_token(
    ctx::OIDCCtx,
    id_token::Union{JWTs.JWT, String}
)

Examples

An example application built using OpenIDClient with Mux and HTTP is available as a tool. Populate a configuration file following this template and start the standalone application. Point your browser to it to experience the complete flow.