vck-openid-ktor/at.asitplus.wallet.lib.ktor.openid/OAuth2KtorClient

OAuth2KtorClient

class OAuth2KtorClient(engine: HttpClientEngine, cookiesStorage: CookiesStorage? = null, httpClientConfig: HttpClientConfig<*>.() -> Unit? = null, val keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), signDpop: SignJwtFun<JsonWebToken> = SignJwt(keyMaterial = keyMaterial, JwsHeaderCertOrJwk()), val oAuth2Client: OAuth2Client, randomSource: RandomSource = RandomSource.Secure, verifyTokenIntrospectionJwt: suspend (JwsCompactTyped<TokenIntrospectionResponse>) -> Boolean = { true }, val loadInstanceAttestation: suspend (OAuth2KtorClient.LoadInstanceAttestationInput) -> KmmResult<JwsCompactTyped<JsonWebToken>>? = null)(source)

Implements the client side of OAuth2

Supported features:

Token requests and responses
OAuth 2.0 Demonstrating Proof of Possession (DPoP)
OAuth 2.0 Attestation-Based Client Authentication
OAuth 2.0 Pushed Authorization Requests

Constructors

OAuth2KtorClient

constructor(engine: HttpClientEngine, cookiesStorage: CookiesStorage? = null, httpClientConfig: HttpClientConfig<*>.() -> Unit? = null, keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), signDpop: SignJwtFun<JsonWebToken> = SignJwt(keyMaterial = keyMaterial, JwsHeaderCertOrJwk()), oAuth2Client: OAuth2Client, randomSource: RandomSource = RandomSource.Secure, verifyTokenIntrospectionJwt: suspend (JwsCompactTyped<TokenIntrospectionResponse>) -> Boolean = { true }, loadInstanceAttestation: suspend (OAuth2KtorClient.LoadInstanceAttestationInput) -> KmmResult<JwsCompactTyped<JsonWebToken>>? = null)

Types

LoadInstanceAttestationInput

data class LoadInstanceAttestationInput(val authorizationServer: String, val preferredClientStatusPeriod: Duration?)

OpenUrlForAuthnRequest

data class OpenUrlForAuthnRequest(val url: String, val state: String)

Open the url in a browser (so the user can authenticate at the AS), and store state to use in next call.

Properties

client

val client: HttpClient

keyMaterial

val keyMaterial: KeyMaterial

Used to prove possession of the key material for the instance attestation. Also used for the DPoP signing function. (ts3-wallet-unit-attestation 1.5.1)

loadInstanceAttestation

val loadInstanceAttestation: suspend (OAuth2KtorClient.LoadInstanceAttestationInput) -> KmmResult<JwsCompactTyped<JsonWebToken>>?

Returns a new instance attestation to validate the app against an authorization server.

oAuth2Client

val oAuth2Client: OAuth2Client

Implements OAuth2 protocol, redirectUrl needs to be registered by the OS for this application, so redirection back from browser works

Functions

applyAuthnForToken

suspend fun applyAuthnForToken(resourceUrl: String, httpMethod: HttpMethod, useDpop: Boolean, authorizationServer: String, preferredClientStatusPeriod: Duration?): HttpRequestBuilder.() -> Unit

Sets the appropriate headers when accessing a token endpoint:

applyToken

suspend fun applyToken(tokenResponse: TokenResponseParameters, resourceUrl: String, httpMethod: HttpMethod, dpopNonce: String? = null): HttpRequestBuilder.() -> Unit

Sets the appropriate headers when accessing resourceUrl, by reading data from tokenResponse, i.e. HttpHeaders.Authorization and probably HttpHeaders.DPoP.

callTokenIntrospection

suspend fun callTokenIntrospection(oauthMetadata: OAuth2AuthorizationServerMetadata, request: TokenIntrospectionRequest, token: String, popAudience: String, retryCount: Int = 0): TokenIntrospectionResponse

Calls the token introspection endpoint (OAuth2AuthorizationServerMetadata.introspectionEndpoint) to check whether the given token is active, returns TokenInfo on success, otherwise throws InvalidToken.

requestTokenWithAuthCode

suspend fun requestTokenWithAuthCode(oauthMetadata: OAuth2AuthorizationServerMetadata, url: String, authorizationServer: String, state: String, scope: String? = null, authorizationDetails: Set<OpenIdAuthorizationDetails>? = null): KmmResult<TokenResponseWithDpopNonce>

Uses the auth code to request an access token.

requestTokenWithPreAuthorizedCode

suspend fun requestTokenWithPreAuthorizedCode(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, preAuthorizedCode: String, transactionCode: String?, scope: String?, authorizationDetails: Set<OpenIdAuthorizationDetails>): KmmResult<TokenResponseWithDpopNonce>

Uses a pre-authorized code from the authorization server to request an access token.

requestTokenWithRefreshToken

suspend fun requestTokenWithRefreshToken(oauthMetadata: OAuth2AuthorizationServerMetadata, credentialIssuer: String, refreshToken: String, scope: String?, authorizationDetails: Set<OpenIdAuthorizationDetails>): KmmResult<TokenResponseWithDpopNonce>

Uses the refresh token to request a new access token.

requestTokenWithTokenExchange

suspend fun requestTokenWithTokenExchange(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, subjectToken: String, resource: String?): KmmResult<TokenResponseWithDpopNonce>

Uses an access token from another client to request a new access token, see RFC8693 OAuth 2.0 Token Exchange.

startAuthorization

suspend fun startAuthorization(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, state: String = uuid4().toString(), issuerState: String? = null, authorizationDetails: Set<OpenIdAuthorizationDetails>? = null, scope: String? = null): KmmResult<OAuth2KtorClient.OpenUrlForAuthnRequest>

Builds the authorization request (AuthenticationRequestParameters) to start authentication at the authorization server.

updateDpopNonceAndRetry

suspend fun <T> OAuth2Error?.updateDpopNonceAndRetry(response: HttpResponse, url: String, retryCount: Int, action: suspend () -> T): T

Store the DPoP nonce if it is set, and retry the previous action