OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
This is an implementation of OpenID Connect in Julia, with methods implementing the authorization code flow.
The OpenID Connect context holds all states for a single OpenID Connect client configuration.
function OIDCCtx(
issuer::String,
redirect_uri::String,
client_id::String,
client_secret::String,
scopes::Vector{String}=DEFAULT_SCOPES;
verify::Union{Nothing,Bool}=nothing,
cacrt::Union{Nothing,String,MbedTLS.CRT}=nothing,
state_timeout_secs::Int=DEFAULT_STATE_TIMEOUT_SECS,
allowed_skew_secs::Int=DEFAULT_SKEW_SECS,
key_refresh_secs::Int=DEFAULT_KEY_REFRESH_SECS),
random_device::RandomDevice=RandomDevice()
)
Parameters:
issuer
: Issuer URL, pointing to the OpenID serverredirect_uri
: The app URI to which OpenID server must redirect after authorizationclient_id
, andclient_secret
: Client ID and secret that this context representsscopes
: The scopes to request during authorization (default: openid, profile, email)
Keyword Parameters:
verify
: whether to validate the server certificatecacrt
: the CA certificate to use to check the server certificatestate_timeout_secs
: seconds for which to keep the state associated with an authorization request (default: 60 seconds), server responses beyond this are rejected as staleallowed_skew_secs
: while validating tokens, seconds to allow to account for time skew between machines (default: 120 seconds)key_refresh_secs
: time interval in which to refresh the JWT signing keys (default: 1hr)
OpenIDConnect.APIError
: Error detected at the client side. Members:error
: error code or message (String)
OpenIDConnect.AuthServerError
: Error returned from the OpenID server (see section 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html)error
: error code (String)error_description
: optional error description (String)error_uri
: optional error URI (String)
Returns a String with the redirect URL. Caller must perform the redirection. Acceptable optional args as listed in section 3.1.2.1 of specifications (https://openid.net/specs/openid-connect-core-1_0.html)
function flow_request_authorization_code(
ctx::OIDCCtx;
nonce=nothing,
display=nothing,
prompt=nothing,
max_age=nothing,
ui_locales=nothing,
id_token_hint=nothing,
login_hint=nothing,
acr_values=nothing
)
Given the params from the redirected response from the authentication request, extract the authorization code. See sections 3.1.2.5 and 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html.
Returns the authorization code on success. Returns one of APIError or AuthServerError on failure.
function flow_get_authorization_code(
ctx::OIDCCtx,
query # name-value pair Dict with query parameters are received from the OpenID server redirect
)
Token Request. Given the authorization code obtained, invoke the token end point and obtain an id_token, access_token, refresh_token. See section 3.1.3.1 of https://openid.net/specs/openid-connect-core-1_0.html.
Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.
function flow_get_token(
ctx::OIDCCtx,
code
)
Token Refresh. Given the refresh code obtained, invoke the token end point and obtain new tokens. See section 12 of https://openid.net/specs/openid-connect-core-1_0.html.
Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.
function flow_refresh_token(
ctx::OIDCCtx,
refresh_token
)
Validate an OIDC token. Validates both the structure and signature. See section 3.1.3.7 of https://openid.net/specs/openid-connect-core-1_0.html
function flow_validate_id_token(
ctx::OIDCCtx,
id_token::Union{JWTs.JWT, String}
)
An example application built using OpenIDClient with Mux and HTTP is available as a tool. Populate a configuration file following this template and start the standalone application. Point your browser to it to experience the complete flow.