From d15b79983460f6eaaa44dd48af47f586bd0d8c36 Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Tue, 27 Apr 2021 14:07:10 +0200
Subject: Define the access token API
---
doc/manual.html | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 139 insertions(+), 2 deletions(-)
(limited to 'doc/manual.html')
diff --git a/doc/manual.html b/doc/manual.html
index 7afe80f..e3e9cbe 100644
--- a/doc/manual.html
+++ b/doc/manual.html
@@ -114,6 +114,70 @@
strings, but we hope that in the future SRFI-180
will be more closely respected.
+ The access token
+
+ The access token is obtained by the client through a token
+ request, and is presented to the server on each authenticated
+ request. It is signed by the identity provider, and it contains
+ enough information so that the server knows who the user is and
+ who the agent is, and most importantly the fingerprint of the
+ key that the client should use in a DPoP proof.
+
+
+ The API is defined in
+ (webid-oidc access-token).
+
+
+
+ Check that object is a decoded access token.
+
+
+
+ There are field getters for the access token:
+
+
+
+
+
+
+
+
+
+ Get the suitable field from the payload
+ of token.
+
+
+
+ Access tokens can be signed and encoded as a string, or decoded.
+
+
+
+ Decode token, as a string, into a decoded
+ token. As with the ID token, the signature verification will
+ need to fetch the oidc configuration of the claimed issuer,
+ and check the signature against the published keys. The
+
http-get
optional keyword argument can set a
+ different implementation of http-get
from
+ (web client), for instance to re-use the
+ what has been obtained by the ID token validation. Return
+ #f
if it failed, or the decoded token otherwise.
+
+
+
+
+ Encode token and sign it with the
+ issuer’s key.
+
+
+
+
+ Create an access token, and encode it with
+ issuer-key. You can either set the
+
#:cnf/jkt
keyword argument with the fingerprint of
+ the client key, or set #:client-key
directly, in
+ which case the fingerprint will be computed for you.
+
+
Generic JWTs
You can parse generic JWTs signed with JWS with the following
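Review bot: the decode entry ("Decode token, as a string, into a decoded token ... Return #f if it failed") documents only signature verification, yet the conditions added further down in this patch cover iss, aud, iat, exp and cnf/jkt; the entry should state which of those claims the decoder checks itself and which the server must still verify afterwards (in particular that the cnf/jkt fingerprint only binds the token to a request once a DPoP proof has been checked against it), and whether a failed check is signalled by returning #f or by raising one of those conditions, since "Return #f if it failed" and a raised condition are different contracts for the caller. Two wording fixes in the same entry: "to re-use the what has been obtained by the ID token validation" has a stray "the", and "oidc configuration" should be "OIDC configuration" as in the condition text later in the patch.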
@@ -327,8 +391,81 @@
- The value is not appropriate an OIDC
- configuration.
+ The value is not an OIDC configuration.
+
+
+
+
+ The value of the webid field in the JWT
+ is missing (if
#f
), or not an acceptable value.
+
+
+
+
+ The value of the iss field is incorrect.
+
+
+
+
+ The value of the aud field is incorrect.
+
+
+
+
+ The value of the iat field is incorrect.
+
+
+
+
+ The value of the exp field is incorrect.
+
+
+
+
+ The value of the cnf/jkt field is incorrect.
+
+
+
+
+ The value of the client-id field is incorrect.
+
+
+
+
+ The value is not an access token.
+
+
+
+
+ The value is not an access token header.
+
+
+
+
+ The value is not an access token payload.
+
+
+
+
+ It is impossible to fetch the configuration of
+ issuer.
+
+
+
+
+ It is impossible to fetch the keys of
+ issuer at uri.
+
+
+
+
+ The value string is not an encoding of a
+ valid access token.
+
+
+
+
+ The access-token cannot be signed.
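Review bot: the condition entries for iss, aud, iat, exp and client-id each say only that the value "is incorrect", which does not tell a caller what was checked; each should name what the field is compared against (the issuer whose configuration was fetched, the expected audience, the current time for iat and exp) so that a server handling the condition can distinguish a clock-skew rejection from a wrong-audience one. Minor style points: "The access-token cannot be signed" hyphenates a term written "access token" everywhere else in this patch, and the webid entry's "is missing (if #f), or not an acceptable value" reads more cleanly as "is missing (#f) or is not an acceptable value".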
--
cgit v1.2.3