From d15b79983460f6eaaa44dd48af47f586bd0d8c36 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Tue, 27 Apr 2021 14:07:10 +0200 Subject: Define the access token API --- doc/manual.html | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 139 insertions(+), 2 deletions(-) (limited to 'doc/manual.html') diff --git a/doc/manual.html b/doc/manual.html index 7afe80f..e3e9cbe 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -114,6 +114,70 @@ strings, but we hope that in the future SRFI-180 will be more closely respected.

+

The access token

+

+ The access token is obtained by the client through a token + request, and is presented to the server on each authenticated + request. It is signed by the identity provider, and it contains + enough information so that the server knows who the user is and + who the agent is, and most importantly the fingerprint of the + key that the client should use in a DPoP proof. +

+

+ The API is defined in + (webid-oidc access-token). +

+ +

+ Check that object is a decoded access token. +

+
+

+ There are field getters for the access token: +

+ + + + + + + +

+ Get the suitable field from the payload + of token. +

+
+

+ Access tokens can be signed and encoded as a string, or decoded. +

+ +

+ Decode token, as a string, into a decoded + token. As with the ID token, the signature verification will + need to fetch the oidc configuration of the claimed issuer, + and check the signature against the published keys. The +

http-get
optional keyword argument can set a + different implementation of
http-get
from + (web client), for instance to re-use the + what has been obtained by the ID token validation. Return +
#f
if it failed, or the decoded token otherwise. +

+
+ +

+ Encode token and sign it with the + issuer’s key. +

+
+ +

+ Create an access token, and encode it with + issuer-key. You can either set the +

#:cnf/jkt
keyword argument with the fingerprint of + the client key, or set
#:client-key
directly, in + which case the fingerprint will be computed for you. +

+

Generic JWTs

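Review bot: the decode entry ("Decode token, as a string, into a decoded token ...") describes only the signature check against the issuer's published keys and says it returns #f on failure; it should also say which claims the decoder validates and which the resource server must still check itself, since a decoded token is not yet an authorized one. In particular the text above says the token carries "the fingerprint of the key that the client should use in a DPoP proof", so the entry should state whether decoding compares cnf/jkt against the DPoP proof key or whether the server has to do that, and likewise whether exp is checked against the current time and aud against the server's own identifier. Two smaller points in the same region: "to re-use the what has been obtained by the ID token validation" has a stray "the" and should name what is re-used (the http-get implementation, or the configuration it already fetched); and the constructor paragraph should say what happens when both #:cnf/jkt and #:client-key are supplied, or when neither is.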
You can parse generic JWTs signed with JWS with the following @@ -327,8 +391,81 @@

- The value is not appropriate an OIDC - configuration. + The value is not an OIDC configuration. +

+ + +

+ The value of the webid field in the JWT + is missing (if

#f
), or not an acceptable value. +

+
+ +

+ The value of the iss field is incorrect. +

+
+ +

+ The value of the aud field is incorrect. +

+
+ +

+ The value of the iat field is incorrect. +

+
+ +

+ The value of the exp field is incorrect. +

+
+ +

+ The value of the cnf/jkt field is incorrect. +

+
+ +

+ The value of the client-id field is incorrect. +

+
+ +

+ The value is not an access token. +

+
+ +

+ The value is not an access token header. +

+
+ +

+ The value is not an access token payload. +

+
+ +

+ It is impossible to fetch the configuration of + issuer. +

+
+ +

+ It is impossible to fetch the keys of + issuer at uri. +

+
+ +

+ The value string is not an encoding of a + valid access token. +

+
+ +

+ The access-token cannot be signed.

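Review bot: the new conditions for iss, aud, iat, exp, cnf/jkt and client-id all read "The value of the X field is incorrect", which tells the caller nothing about which check failed; each entry should name the check (for example: exp is in the past relative to the clock used, aud does not match the server, cnf/jkt is not a JWK thumbprint string) and say whether the condition carries the offending value, as the webid entry does by distinguishing a missing (#f) value from an unacceptable one. The earlier hunk documents decode as returning #f on failure while this hunk defines a condition for "string is not an encoding of a valid access token" and for the unreachable issuer configuration and keys; the two descriptions should agree on whether failures are signalled as conditions or returned as #f. The "keys of issuer at uri" entry should also say where uri comes from (the issuer's fetched configuration, per the decode entry) so a caller can tell a bad configuration from a bad key endpoint.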