Safe Haskell | Safe-Inferred
---|---
Language | Haskell2010
MS Identity user session based on OAuth tokens

The library supports the following authentication scenarios:
- Client Credentials (server-to-server or automation accounts)
- Authorization Code (human users are prompted to delegate some access rights to the app)
and provides functions to keep tokens up to date in the background.
Synopsis
- type Token t = TVar (Maybe t)
- newNoToken :: MonadIO m => m (Token t)
- expireToken :: MonadIO m => Token t -> m ()
- readToken :: MonadIO m => Token t -> m (Maybe t)
- fetchUpdateToken :: MonadIO m => IdpApplication 'ClientCredentials AzureAD -> Token OAuth2Token -> Manager -> m ()
- loginEndpoint :: MonadIO m => IdpApplication 'AuthorizationCode AzureAD -> RoutePattern -> Scotty m ()
- replyEndpoint :: MonadIO m => IdpApplication 'AuthorizationCode AzureAD -> Tokens UserSub OAuth2Token -> Manager -> RoutePattern -> Scotty m ()
- type Tokens uid t = TVar (TokensData uid t)
- newTokens :: (MonadIO m, Ord uid) => m (Tokens uid t)
- data UserSub
- lookupUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m (Maybe t)
- expireUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m ()
- tokensToList :: MonadIO m => Tokens k a -> m [(k, a)]
- withAADUser :: MonadIO m => Tokens UserSub t -> Text -> (t -> Action m ()) -> Action m ()
- type Scotty = ScottyT Text
- type Action = ActionT Text
App-only flow

    newNoToken :: MonadIO m => m (Token t)

    expireToken :: MonadIO m => Token t -> m ()

    fetchUpdateToken
      :: MonadIO m
      => IdpApplication 'ClientCredentials AzureAD
      -> Token OAuth2Token    -- token TVar
      -> Manager
      -> m ()

Fetch an OAuth token and keep it updated. Should be called as the first thing in the app.
NB: forks a thread in the background.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
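As an added example (not code from this module's page or its library), here is how the app-only flow above is wired into a Scotty service: the token TVar starts empty, fetchUpdateToken is called once before any route is served, handlers read the current token per request and never return it to the client, and a 401 from the upstream API clears the cached token with expireToken. Assumptions: the module name Network.OAuth2.Session, hoauth2 2.x for IdpApplication and GrantTypeFlow, and an IdpApplication value built elsewhere (the page refers to azureADApp for that).

```haskell
{-# LANGUAGE DataKinds, OverloadedStrings #-}
module Main where

import Control.Monad.IO.Class (liftIO)
import qualified Data.Text.Encoding as TE
import Network.HTTP.Client (Request, httpLbs, newManager, parseRequest, requestHeaders, responseStatus)
import Network.HTTP.Client.TLS (tlsManagerSettings)
import Network.HTTP.Types (hAuthorization, status401, status503)
import Network.OAuth.OAuth2 (AccessToken (..), OAuth2Token (..))
import Network.OAuth2.Experiment (GrantTypeFlow (..), IdpApplication)
import Network.OAuth2.Provider.AzureAD (AzureAD)
import Web.Scotty (get, scotty, status, text)
-- Module name assumed: the page lists these functions but not their module.
import Network.OAuth2.Session (Token, expireToken, fetchUpdateToken, newNoToken, readToken)

-- Attach the app-only access token as a Bearer credential on an outbound
-- request. The token itself is never written into a response to the client.
withBearer :: OAuth2Token -> Request -> Request
withBearer t r =
  r { requestHeaders = (hAuthorization, "Bearer " <> TE.encodeUtf8 (atoken (accessToken t))) : requestHeaders r }

-- The IdpApplication value is built elsewhere (the page points at azureADApp).
runApp :: IdpApplication 'ClientCredentials AzureAD -> IO ()
runApp idpApp = do
  mgr <- newManager tlsManagerSettings
  tok <- newNoToken :: IO (Token OAuth2Token)
  -- Called first, before any route is served; forks the refresh thread.
  fetchUpdateToken idpApp tok mgr
  scotty 3000 $
    get "/users" $ do
      mt <- readToken tok
      case mt of
        Nothing -> status status503 >> text "token not available yet"
        Just t -> do
          -- Example Graph resource (needs the matching application permission).
          req <- liftIO (parseRequest "https://graph.microsoft.com/v1.0/users")
          resp <- liftIO (httpLbs (withBearer t req) mgr)
          if responseStatus resp == status401
            then do
              -- Upstream rejected the token: clear the cached copy so no
              -- further request reuses it before the updater stores a fresh one.
              expireToken tok
              status status503 >> text "token rejected upstream, retry shortly"
            else text "upstream call succeeded"
```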
Auth code grant flow

OAuth endpoints

    loginEndpoint
      :: MonadIO m
      => IdpApplication 'AuthorizationCode AzureAD
      -> RoutePattern    -- e.g.
      -> Scotty m ()

Login endpoint; see azureADApp.

    replyEndpoint
      :: MonadIO m
      => IdpApplication 'AuthorizationCode AzureAD
      -> Tokens UserSub OAuth2Token    -- token TVar
      -> Manager
      -> RoutePattern    -- e.g.
      -> Scotty m ()

The identity provider redirects the client to the reply endpoint as part of the OAuth flow: https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0&tabs=http#authorization-response
NB: forks a thread per logged-in user to keep their tokens up to date.
In-memory user session

    data UserSub

Field: sub

Instances (defined in Network.OAuth2.JWT): FromJSON, FromJSONKey, ToJSON, ToJSONKey, IsString (fromString :: String -> UserSub), Generic, Show, Eq, Ord; type Rep UserSub.
    lookupUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m (Maybe t)

Look up a user identifier and return their current token, if any.

    expireUser :: (MonadIO m, Ord uid) => Tokens uid t -> uid -> m ()

Remove a user, i.e. they will have to authenticate once more.

    tokensToList :: MonadIO m => Tokens k a -> m [(k, a)]

Return a list representation of the Tokens object.
Scotty misc

Azure App Service

    withAADUser
      :: MonadIO m
      => Tokens UserSub t
      -> Text                    -- login URI
      -> (t -> Action m ())      -- call MSGraph APIs with token
      -> Action m ()

Decode the App Service ID token header X-MS-TOKEN-AAD-ID-TOKEN, look its user up in the local token store, and supply the token t to the continuation. If the user sub cannot be found in the token store, the browser is redirected to the login URI.

Special case of aadHeaderIdToken.