Copyright	This file is part of the package openid-connect. It is subject to the license terms in the LICENSE file found in the top-level directory of this distribution and at: https://code.devalot.com/open/openid-connect No part of this package including this file may be copied modified propagated or distributed except according to the terms contained in the LICENSE file.
License	BSD-2-Clause
Safe Haskell	Safe-Inferred
Language	Haskell2010

OpenID.Connect.Client.Provider

Contents

Provider discovery
Provider key sets
Provider convenience record
Error handling
Discovery document
Re-exports:

Description

Provider details needed by clients.

Synopsis

type ProviderDiscoveryURI = URI
discovery :: Applicative f => HTTPS f -> ProviderDiscoveryURI -> f (Either DiscoveryError (Discovery, Maybe UTCTime))
keysFromDiscovery :: Applicative f => HTTPS f -> Discovery -> f (Either DiscoveryError (JWKSet, Maybe UTCTime))
data Provider = Provider {
- providerDiscovery :: Discovery
- providerKeys :: JWKSet
}
discoveryAndKeys :: Monad m => HTTPS m -> ProviderDiscoveryURI -> m (Either DiscoveryError (Provider, Maybe UTCTime))
data DiscoveryError
- = DiscoveryFailedError ErrorResponse
- | InvalidUriError Text
data Discovery = Discovery {
- issuer :: URI
- authorizationEndpoint :: URI
- tokenEndpoint :: Maybe URI
- userinfoEndpoint :: Maybe URI
- jwksUri :: URI
- registrationEndpoint :: Maybe URI
- scopesSupported :: Maybe Scope
- responseTypesSupported :: NonEmpty Text
- responseModesSupported :: Maybe (NonEmpty Text)
- grantTypesSupported :: Maybe (NonEmpty Text)
- acrValuesSupported :: Maybe (NonEmpty Text)
- subjectTypesSupported :: NonEmpty Text
- idTokenSigningAlgValuesSupported :: NonEmpty Text
- idTokenEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
- idTokenEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
- userinfoSigningAlgValuesSupported :: Maybe (NonEmpty Text)
- userinfoEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
- userinfoEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
- requestObjectSigningAlgValuesSupported :: Maybe (NonEmpty Text)
- requestObjectEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
- requestObjectEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
- tokenEndpointAuthMethodsSupported :: Maybe (NonEmpty ClientAuthentication)
- tokenEndpointAuthSigningAlgValuesSupported :: Maybe (NonEmpty Text)
- displayValuesSupported :: Maybe (NonEmpty Text)
- claimTypesSupported :: Maybe (NonEmpty Text)
- claimsSupported :: Maybe (NonEmpty Text)
- serviceDocumentation :: Maybe Text
- claimsLocalesSupported :: Maybe (NonEmpty Text)
- claimsParameterSupported :: Maybe Bool
- requestParameterSupported :: Maybe Bool
- requestUriParameterSupported :: Maybe Bool
- requireRequestUriRegistration :: Maybe Bool
- opPolicyUri :: Maybe URI
- opTosUri :: Maybe URI
- endSessionEndpoint :: Maybe URI
}
newtype URI = URI {
- getURI :: URI
}
uriToText :: URI -> Text

Provider discovery

type ProviderDiscoveryURI = URI Source #

URI pointing to an OpenID Connect provider's discovery document.

If necessary, the well-known discovery path will be added automatically.

A list of certified OpenID Connect providers can be found here: https://openid.net/certification/

Since: 0.1.0.0

discovery Source #

Arguments

:: Applicative f
=> HTTPS f	A function that can make HTTPS requests.
-> ProviderDiscoveryURI	The provider's discovery URI.
-> f (Either DiscoveryError (Discovery, Maybe UTCTime))

Fetch the provider's discovery document.

Included with the discovery document is a UTCTime value indicating the time at which the content will expire and should be expunged from your cache. Obviously Nothing indicates that the value cannot be cached.

If the given ProviderDiscoveryURI is missing its path component, or the path component is / it will be rewritten to the well-known discovery path.

Since: 0.1.0.0

Provider key sets

keysFromDiscovery Source #

Arguments

:: Applicative f
=> HTTPS f	A function that can make HTTPS requests.
-> Discovery	The provider's discovery document.
-> f (Either DiscoveryError (JWKSet, Maybe UTCTime))

Fetch the provider's key set.

Included with the key set is a UTCTime value indicating the time at which the content will expire and should be expunged from your cache.

Since: 0.1.0.0

Provider convenience record

data Provider Source #

A provider record is made up of their discovery document and keys.

Since: 0.1.0.0

Constructors

Provider
Fields providerDiscovery :: Discovery Details from the discovery URI. providerKeys :: JWKSet Keys from the `jwksUri`.

discoveryAndKeys Source #

Arguments

:: Monad m
=> HTTPS m	A function that can make HTTPS requests.
-> ProviderDiscoveryURI	The provider's discovery URI.
-> m (Either DiscoveryError (Provider, Maybe UTCTime))

Fetch a provider's discovery document and key set.

This is a convenience function that simply calls discovery and keysFromDiscovery, wrapping them in a Provider.

If you are caching the results of these functions you probably want to call them individually since they might have very different cache expiration times.

The expiration time returned from this function is the lesser of the two constituents.

Since: 0.1.0.0

Error handling

data DiscoveryError Source #

Errors that may occur during provider discovery.

Since: 0.1.0.0

Constructors

DiscoveryFailedError ErrorResponse	Failed to decode JSON from the provider.
InvalidUriError Text	A provider's URI is invalid. The URI is provided as `Text` for debugging purposes.

Instances

Instances details

Exception DiscoveryError Source #
Instance details Defined in OpenID.Connect.Client.Provider Methods toException :: DiscoveryError -> SomeException # fromException :: SomeException -> Maybe DiscoveryError # displayException :: DiscoveryError -> String #
Show DiscoveryError Source #
Instance details Defined in OpenID.Connect.Client.Provider Methods showsPrec :: Int -> DiscoveryError -> ShowS # show :: DiscoveryError -> String # showList :: [DiscoveryError] -> ShowS #

Discovery document

data Discovery Source #

The provider discovery document as specified in OpenID Connect Discovery 1.0 §3.

Since: 0.1.0.0

Constructors

Discovery

Fields

issuer :: URI
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
authorizationEndpoint :: URI
URL of the OP's OAuth 2.0 Authorization Endpoint.
tokenEndpoint :: Maybe URI
URL of the OP's OAuth 2.0 Token Endpoint. Not provided when using the implicit flow.
userinfoEndpoint :: Maybe URI
URL of the OP's UserInfo Endpoint.
jwksUri :: URI
URL of the OP's JSON Web Key Set document.
registrationEndpoint :: Maybe URI
URL of the OP's Dynamic Client Registration Endpoint.
scopesSupported :: Maybe Scope
List of OAuth 2.0 scope values that this server supports.
responseTypesSupported :: NonEmpty Text
Array containing a list of the OAuth 2.0 response_type values that this OP supports.
responseModesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
grantTypesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
acrValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the Authentication Context Class References that this OP supports.
subjectTypesSupported :: NonEmpty Text
JSON array containing a list of the Subject Identifier types that this OP supports.
idTokenSigningAlgValuesSupported :: NonEmpty Text
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
idTokenEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
idTokenEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT.
userinfoSigningAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWS signing algorithms (alg values).
userinfoEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (alg values).
userinfoEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (enc values).
requestObjectSigningAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0.
requestObjectEncryptionAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.
requestObjectEncryptionEncValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.
tokenEndpointAuthMethodsSupported :: Maybe (NonEmpty ClientAuthentication)
JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
tokenEndpointAuthSigningAlgValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods.
displayValuesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0.
claimTypesSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0.
claimsSupported :: Maybe (NonEmpty Text)
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
serviceDocumentation :: Maybe Text
URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation.
claimsLocalesSupported :: Maybe (NonEmpty Text)
Languages and scripts supported for values in Claims being returned, represented as a JSON array of language tag values. Not all languages and scripts are necessarily supported for all Claim values.
claimsParameterSupported :: Maybe Bool
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false.
requestParameterSupported :: Maybe Bool
Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false.
requestUriParameterSupported :: Maybe Bool
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true.
requireRequestUriRegistration :: Maybe Bool
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false.
opPolicyUri :: Maybe URI
URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given.
opTosUri :: Maybe URI
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering the Client if it is given.
endSessionEndpoint :: Maybe URI
URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
Since: 0.2.0

Instances

Instances details

FromJSON Discovery Source #
Instance details Defined in OpenID.Connect.Discovery Methods parseJSON :: Value -> Parser Discovery # parseJSONList :: Value -> Parser [Discovery] #
ToJSON Discovery Source #
Instance details Defined in OpenID.Connect.Discovery Methods toJSON :: Discovery -> Value # toEncoding :: Discovery -> Encoding # toJSONList :: [Discovery] -> Value # toEncodingList :: [Discovery] -> Encoding #
Generic Discovery Source #
Instance details Defined in OpenID.Connect.Discovery Associated Types type Rep Discovery :: Type -> Type # Methods from :: Discovery -> Rep Discovery x # to :: Rep Discovery x -> Discovery #
Show Discovery Source #
Instance details Defined in OpenID.Connect.Discovery Methods showsPrec :: Int -> Discovery -> ShowS # show :: Discovery -> String # showList :: [Discovery] -> ShowS #
type Rep Discovery Source #
Instance details Defined in OpenID.Connect.Discovery type Rep Discovery = D1 ('MetaData "Discovery" "OpenID.Connect.Discovery" "openid-connect-0.2.0-9NUCQOfqK7L3ZMFQIg1Sgd" 'False) (C1 ('MetaCons "Discovery" 'PrefixI 'True) (((((S1 ('MetaSel ('Just "issuer") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 URI) :: S1 ('MetaSel ('Just "authorizationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 URI)) :: (S1 ('MetaSel ('Just "tokenEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :: S1 ('MetaSel ('Just "userinfoEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)))) :: ((S1 ('MetaSel ('Just "jwksUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 URI) :: S1 ('MetaSel ('Just "registrationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI))) :: (S1 ('MetaSel ('Just "scopesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Scope)) :: S1 ('MetaSel ('Just "responseTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (NonEmpty Text))))) :: (((S1 ('MetaSel ('Just "responseModesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "grantTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :: (S1 ('MetaSel ('Just "acrValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "subjectTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (NonEmpty Text)))) :: ((S1 ('MetaSel ('Just "idTokenSigningAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (NonEmpty Text)) :: S1 ('MetaSel ('Just "idTokenEncryptionAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :: (S1 ('MetaSel ('Just "idTokenEncryptionEncValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: (S1 ('MetaSel ('Just "userinfoSigningAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "userinfoEncryptionAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))))))) :: ((((S1 ('MetaSel ('Just "userinfoEncryptionEncValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "requestObjectSigningAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :: (S1 ('MetaSel ('Just "requestObjectEncryptionAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "requestObjectEncryptionEncValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))))) :: ((S1 ('MetaSel ('Just "tokenEndpointAuthMethodsSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty ClientAuthentication))) :: S1 ('MetaSel ('Just "tokenEndpointAuthSigningAlgValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :: (S1 ('MetaSel ('Just "displayValuesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: (S1 ('MetaSel ('Just "claimTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))) :: S1 ('MetaSel ('Just "claimsSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text))))))) :: (((S1 ('MetaSel ('Just "serviceDocumentation") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "claimsLocalesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe (NonEmpty Text)))) :: (S1 ('MetaSel ('Just "claimsParameterSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Bool)) :: S1 ('MetaSel ('Just "requestParameterSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Bool)))) :: ((S1 ('MetaSel ('Just "requestUriParameterSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Bool)) :: S1 ('MetaSel ('Just "requireRequestUriRegistration") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Bool))) :: (S1 ('MetaSel ('Just "opPolicyUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :: (S1 ('MetaSel ('Just "opTosUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)) :: S1 ('MetaSel ('Just "endSessionEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe URI)))))))))

Re-exports:

newtype URI Source #

A wrapper around the Network.URI type that supports ToJSON and FromJSON.

Since: 0.1.0.0

Constructors

URI
Fields getURI :: URI

Instances

Instances details

FromJSON URI Source #
Instance details Defined in OpenID.Connect.JSON Methods parseJSON :: Value -> Parser URI # parseJSONList :: Value -> Parser [URI] #
ToJSON URI Source #
Instance details Defined in OpenID.Connect.JSON Methods toJSON :: URI -> Value # toEncoding :: URI -> Encoding # toJSONList :: [URI] -> Value # toEncodingList :: [URI] -> Encoding #
Show URI Source #
Instance details Defined in OpenID.Connect.JSON Methods showsPrec :: Int -> URI -> ShowS # show :: URI -> String # showList :: [URI] -> ShowS #
Eq URI Source #
Instance details Defined in OpenID.Connect.JSON Methods (==) :: URI -> URI -> Bool # (/=) :: URI -> URI -> Bool #

uriToText :: URI -> Text Source #

Helper for rendering a URI as Text.