Skip to content

tanmaykm/OpenIDConnect.jl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
test
test
 
 
tools
tools
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
Project.toml
Project.toml
 
 
README.md
README.md
 
 

Repository files navigation

OpenIDConnect

Build Status codecov.io

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

This is an implementation of OpenID Connect in Julia, with methods implementing the authorization code flow.

OpenID Connect Context (OIDCCtx)

The OpenID Connect context holds all states for a single OpenID Connect client configuration.

function OIDCCtx(
    issuer::String,
    redirect_uri::String,
    client_id::String,
    client_secret::String,
    scopes::Vector{String}=DEFAULT_SCOPES;
    verify::Union{Nothing,Bool}=nothing,
    cacrt::Union{Nothing,String,MbedTLS.CRT}=nothing,
    state_timeout_secs::Int=DEFAULT_STATE_TIMEOUT_SECS,
    allowed_skew_secs::Int=DEFAULT_SKEW_SECS,
    key_refresh_secs::Int=DEFAULT_KEY_REFRESH_SECS),
    random_device::RandomDevice=RandomDevice()
)

Parameters:

  • issuer: Issuer URL, pointing to the OpenID server
  • redirect_uri: The app URI to which OpenID server must redirect after authorization
  • client_id, and client_secret: Client ID and secret that this context represents
  • scopes: The scopes to request during authorization (default: openid, profile, email)

Keyword Parameters:

  • verify: whether to validate the server certificate
  • cacrt: the CA certificate to use to check the server certificate
  • state_timeout_secs: seconds for which to keep the state associated with an authorization request (default: 60 seconds), server responses beyond this are rejected as stale
  • allowed_skew_secs: while validating tokens, seconds to allow to account for time skew between machines (default: 120 seconds)
  • key_refresh_secs: time interval in which to refresh the JWT signing keys (default: 1hr)

Error Structures

  • OpenIDConnect.APIError: Error detected at the client side. Members:
    • error: error code or message (String)
  • OpenIDConnect.AuthServerError: Error returned from the OpenID server (see section 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html)
    • error: error code (String)
    • error_description: optional error description (String)
    • error_uri: optional error URI (String)

Authorization Code Flow

Authentication request.

flow_request_authorization_code

Returns a String with the redirect URL. Caller must perform the redirection. Acceptable optional args as listed in section 3.1.2.1 of specifications (https://openid.net/specs/openid-connect-core-1_0.html)

function flow_request_authorization_code(
    ctx::OIDCCtx;
    nonce=nothing,
    display=nothing,
    prompt=nothing,
    max_age=nothing,
    ui_locales=nothing,
    id_token_hint=nothing,
    login_hint=nothing,
    acr_values=nothing
)

flow_get_authorization_code

Given the params from the redirected response from the authentication request, extract the authorization code. See sections 3.1.2.5 and 3.1.2.6 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns the authorization code on success. Returns one of APIError or AuthServerError on failure.

function flow_get_authorization_code(
    ctx::OIDCCtx,
    query           # name-value pair Dict with query parameters are received from the OpenID server redirect
)

Token Requests

flow_get_token

Token Request. Given the authorization code obtained, invoke the token end point and obtain an id_token, access_token, refresh_token. See section 3.1.3.1 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.

function flow_get_token(
    ctx::OIDCCtx,
    code
)

flow_refresh_token

Token Refresh. Given the refresh code obtained, invoke the token end point and obtain new tokens. See section 12 of https://openid.net/specs/openid-connect-core-1_0.html.

Returns a JSON object containing tokens on success. Returns a AuthServerError or APIError object on failure.

function flow_refresh_token(
    ctx::OIDCCtx,
    refresh_token
)

Token Validation

flow_validate_id_token

Validate an OIDC token. Validates both the structure and signature. See section 3.1.3.7 of https://openid.net/specs/openid-connect-core-1_0.html

function flow_validate_id_token(
    ctx::OIDCCtx,
    id_token::Union{JWTs.JWT, String}
)

Examples

An example application built using OpenIDClient with Mux and HTTP is available as a tool. Populate a configuration file following this template and start the standalone application. Point your browser to it to experience the complete flow.

About

OpenID Connect for Julia

Topics

identity julia openidconnect openid openidc openid-connect

Resources

Readme

License

View license
Activity

Stars

14 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases 7

v0.1.6 Latest
Jul 3, 2023
+ 6 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages