openid-connect-0.2.0: An OpenID Connect library that does all the heavy lifting for you
CopyrightThis file is part of the package openid-connect. It is subject to
the license terms in the LICENSE file found in the top-level
directory of this distribution and at:

https://code.devalot.com/open/openid-connect

No part of this package including this file may be copied
modified propagated or distributed except according to the terms
contained in the LICENSE file.
LicenseBSD-2-Clause
Safe HaskellSafe-Inferred
LanguageHaskell2010

OpenID.Connect.Client.DynamicRegistration

Description

OpenID Connect Dynamic Client Registration 1.0.

Synopsis

Registration

registerClient :: (Monad m, ToJSON a, FromJSON a) => HTTPS m -> Discovery -> ClientMetadata a -> m (Either RegistrationError (ClientMetadataResponse a)) Source #

Register a client with the provider described by the Discovery document.

Example:

let reg = defaultRegistration yourClientRedirURI
    metadata = clientMetadata reg BasicRegistration
in registerClient http discoveryDoc metadata

Errors that can occur

Re-exports

type HTTPS m = Request -> m (Response ByteString) Source #

A function that can make HTTPS requests.

Make sure you are using a Manager value from the http-client-tls package. It's imperative that the requests flowing through this function are encrypted.

All requests are set to throw an exception if the response status code is not in the 2xx range. Therefore, functions that take this HTTPS type should be called in an exception-safe way and any exception should be treated as an authentication failure.

Since: 0.1.0.0

data ErrorResponse Source #

A provider response that indicates an error as described in OAuth 2.0 Bearer Token Usage (RFC 6750).

Since: 0.1.0.0

data Registration Source #

Client registration metadata.

OpenID Connect Dynamic Client Registration 1.0 §2.

Use the defaultRegistration function to easily create a value of this type.

Constructors

Registration 

Fields

  • redirectUris :: NonEmpty URI

    Array of Redirection URI values used by the Client.

  • responseTypes :: Maybe (NonEmpty Text)

    JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using.

  • grantTypes :: Maybe (NonEmpty Text)

    JSON array containing a list of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using.

  • applicationType :: Maybe Text

    Kind of the application. The default, if omitted, is web. The defined values are native or web.

  • contacts :: Maybe (NonEmpty Text)

    Array of e-mail addresses of people responsible for this Client.

  • clientName :: Maybe Text

    Name of the Client to be presented to the End-User.

  • logoUri :: Maybe URI

    URL that references a logo for the Client application.

  • clientUri :: Maybe URI

    URL of the home page of the Client.

  • policyUri :: Maybe URI

    URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used.

  • tosUri :: Maybe URI

    URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service.

  • jwksUri :: Maybe URI

    URL for the Client's JSON Web Key Set document.

  • jwks :: Maybe JWKSet

    Client's JSON Web Key Set [JWK] document, passed by value.

  • sectorIdentifierUri :: Maybe URI

    URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP.

  • subjectType :: Maybe Text

    subject_type requested for responses to this Client.

  • idTokenSignedResponseAlg :: Maybe Alg

    JWS alg algorithm required for signing the ID Token issued to this Client.

  • idTokenEncryptedResponseAlg :: Maybe Alg

    JWE alg algorithm required for encrypting the ID Token issued to this Client.

  • idTokenEncryptedResponseEnc :: Maybe Alg

    JWE enc algorithm required for encrypting the ID Token issued to this Client.

  • userinfoSignedResponseAlg :: Maybe Alg

    JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses.

  • userinfoEncryptedResponseAlg :: Maybe Alg

    JWE alg algorithm required for encrypting UserInfo Responses.

  • userinfoEncryptedResponseEnc :: Maybe Alg

    JWE enc algorithm required for encrypting UserInfo Responses.

  • requestObjectSigningAlg :: Maybe Alg

    JWS alg algorithm that must be used for signing Request Objects sent to the OP.

  • requestObjectEncryptionAlg :: Maybe Alg

    JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in JWT. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

  • requestObjectEncryptionEnc :: Maybe Alg

    JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

  • tokenEndpointAuthMethod :: ClientAuthentication

    Requested Client Authentication method for the Token Endpoint.

  • tokenEndpointAuthSigningAlg :: Maybe Alg

    JWS alg algorithm that must be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.

  • defaultMaxAge :: Maybe Int

    Default Maximum Authentication Age. Specifies that the End-User MUST be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds.

  • requireAuthTime :: Maybe Bool

    Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. It is REQUIRED when the value is true. (If this is false, the auth_time Claim can still be dynamically requested as an individual Claim for the ID Token using the claims request parameter described in Section 5.5.1 of OpenID Connect Core 1.0.) If omitted, the default value is false.

  • defaultAcrValues :: Maybe (NonEmpty Text)

    Default requested Authentication Context Class Reference values. Array of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference.

  • initiateLoginUri :: Maybe URI

    URI using the https scheme that a third party can use to initiate a login by the RP, as specified in Section 4 of OpenID Connect Core 1.0. The URI MUST accept requests via both GET and POST. The Client MUST understand the login_hint and iss parameters and SHOULD support the target_link_uri parameter.

  • requestUris :: Maybe (NonEmpty URI)

    Array of request_uri values that are pre-registered by the RP for use at the OP. Servers MAY cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. OPs can require that request_uri values used be pre-registered with the require_request_uri_registration discovery parameter.

Instances

Instances details
FromJSON Registration Source # 
Instance details

Defined in OpenID.Connect.Registration

ToJSON Registration Source # 
Instance details

Defined in OpenID.Connect.Registration

Generic Registration Source # 
Instance details

Defined in OpenID.Connect.Registration

Associated Types

type Rep Registration :: Type -> Type #

Show Registration Source # 
Instance details

Defined in OpenID.Connect.Registration

type Rep Registration Source # 
Instance details

Defined in OpenID.Connect.Registration

type Rep Registration = D1 ('MetaData "Registration" "OpenID.Connect.Registration" "openid-connect-0.2.0-9NUCQOfqK7L3ZMFQIg1Sgd" 'False) (C1 ('MetaCons "Registration" 'PrefixI 'True) ((((S1 ('MetaSel ('Just "redirectUris") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (NonEmpty URI)) :*: (S1 ('MetaSel ('Just "responseTypes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :*: S1 ('MetaSel ('Just "grantTypes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))))) :*: ((S1 ('MetaSel ('Just "applicationType") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Just "contacts") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :*: (S1 ('MetaSel ('Just "clientName") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Just "logoUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI))))) :*: (((S1 ('MetaSel ('Just "clientUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :*: S1 ('MetaSel ('Just "policyUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI))) :*: (S1 ('MetaSel ('Just "tosUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :*: S1 ('MetaSel ('Just "jwksUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)))) :*: ((S1 ('MetaSel ('Just "jwks") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe JWKSet)) :*: S1 ('MetaSel ('Just "sectorIdentifierUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI))) :*: (S1 ('MetaSel ('Just "subjectType") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Just "idTokenSignedResponseAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)))))) :*: (((S1 ('MetaSel ('Just "idTokenEncryptedResponseAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: (S1 ('MetaSel ('Just "idTokenEncryptedResponseEnc") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: S1 ('MetaSel ('Just "userinfoSignedResponseAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)))) :*: ((S1 ('MetaSel ('Just "userinfoEncryptedResponseAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: S1 ('MetaSel ('Just "userinfoEncryptedResponseEnc") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg))) :*: (S1 ('MetaSel ('Just "requestObjectSigningAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: S1 ('MetaSel ('Just "requestObjectEncryptionAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg))))) :*: (((S1 ('MetaSel ('Just "requestObjectEncryptionEnc") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: S1 ('MetaSel ('Just "tokenEndpointAuthMethod") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ClientAuthentication)) :*: (S1 ('MetaSel ('Just "tokenEndpointAuthSigningAlg") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Alg)) :*: S1 ('MetaSel ('Just "defaultMaxAge") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Int)))) :*: ((S1 ('MetaSel ('Just "requireAuthTime") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Bool)) :*: S1 ('MetaSel ('Just "defaultAcrValues") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :*: (S1 ('MetaSel ('Just "initiateLoginUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :*: S1 ('MetaSel ('Just "requestUris") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty URI)))))))))

type ClientMetadata a = Registration :*: a Source #

Registration fields with any additional fields that are necessary. If no additional fields are needed, use BasicRegistration to fill the type variable.

clientMetadata :: Registration -> a -> ClientMetadata a Source #

Create a complete ClientMetadata record from an existing Registration value and any additional client metadata parameters that are needed.

If you don't need to specify additional client metadata parameters you can use BasicRegistration as the a type. In that case, the type signature would be:

clientMetadata
  :: Registration
  -> BasicRegistration
  -> ClientMetadata BasicRegistration

data RegistrationResponse Source #

Client Registration Response.

OpenID Connect Dynamic Client Registration 1.0 §3.2.

Constructors

RegistrationResponse 

Fields

  • clientId :: Text

    Unique Client Identifier.

  • clientSecret :: Maybe Text

    Client Secret. This value is used by Confidential Clients to authenticate to the Token Endpoint, as described in Section 2.3.1 of OAuth 2.0, and for the derivation of symmetric encryption key values.

  • registrationAccessToken :: Maybe Text

    Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration.

  • registrationClientUri :: Maybe URI

    Location of the Client Configuration Endpoint where the Registration Access Token can be used to perform subsequent operations upon the resulting Client registration. Implementations MUST either return both a Client Configuration Endpoint and a Registration Access Token or neither of them.

  • clientIdIssuedAt :: Maybe NumericDate

    Time at which the Client Identifier was issued.

  • clientSecretExpiresAt :: Maybe NumericDate

    If client_secret is issued. Time at which the client_secret will expire or 0 if it will not expire.

Instances

Instances details
FromJSON RegistrationResponse Source # 
Instance details

Defined in OpenID.Connect.Registration

ToJSON RegistrationResponse Source # 
Instance details

Defined in OpenID.Connect.Registration

Generic RegistrationResponse Source # 
Instance details

Defined in OpenID.Connect.Registration

Associated Types

type Rep RegistrationResponse :: Type -> Type #

Show RegistrationResponse Source # 
Instance details

Defined in OpenID.Connect.Registration

type Rep RegistrationResponse Source # 
Instance details

Defined in OpenID.Connect.Registration

type Rep RegistrationResponse = D1 ('MetaData "RegistrationResponse" "OpenID.Connect.Registration" "openid-connect-0.2.0-9NUCQOfqK7L3ZMFQIg1Sgd" 'False) (C1 ('MetaCons "RegistrationResponse" 'PrefixI 'True) ((S1 ('MetaSel ('Just "clientId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :*: (S1 ('MetaSel ('Just "clientSecret") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Just "registrationAccessToken") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)))) :*: (S1 ('MetaSel ('Just "registrationClientUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :*: (S1 ('MetaSel ('Just "clientIdIssuedAt") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe NumericDate)) :*: S1 ('MetaSel ('Just "clientSecretExpiresAt") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe NumericDate))))))

type ClientMetadataResponse a = (Registration :*: RegistrationResponse) :*: a Source #

Like ClientMetadata but includes the registration response.

clientSecretsFromResponse :: ClientMetadataResponse a -> RegistrationResponse Source #

Extract the client details from a registration response.

additionalMetadataFromResponse :: ClientMetadataResponse a -> a Source #

Extract the additional metadata fields from a full registration response.

registrationFromResponse :: ClientMetadataResponse a -> Registration Source #

Extract the registration value from a full registration response.

data a :*: b Source #

Join two types together so they work with the same JSON document.

Instances

Instances details
(FromJSON a, FromJSON b) => FromJSON (a :*: b) Source # 
Instance details

Defined in OpenID.Connect.JSON

Methods

parseJSON :: Value -> Parser (a :*: b) #

parseJSONList :: Value -> Parser [a :*: b] #

(ToJSON a, ToJSON b) => ToJSON (a :*: b) Source # 
Instance details

Defined in OpenID.Connect.JSON

Methods

toJSON :: (a :*: b) -> Value #

toEncoding :: (a :*: b) -> Encoding #

toJSONList :: [a :*: b] -> Value #

toEncodingList :: [a :*: b] -> Encoding #

newtype URI Source #

A wrapper around the Network.URI type that supports ToJSON and FromJSON.

Since: 0.1.0.0

Constructors

URI 

Fields

Instances

Instances details
FromJSON URI Source # 
Instance details

Defined in OpenID.Connect.JSON

ToJSON URI Source # 
Instance details

Defined in OpenID.Connect.JSON

Show URI Source # 
Instance details

Defined in OpenID.Connect.JSON

Methods

showsPrec :: Int -> URI -> ShowS #

show :: URI -> String #

showList :: [URI] -> ShowS #

Eq URI Source # 
Instance details

Defined in OpenID.Connect.JSON

Methods

(==) :: URI -> URI -> Bool #

(/=) :: URI -> URI -> Bool #