vck-openid-ktor/at.asitplus.wallet.lib.ktor.openid/OAuth2KtorClient

OAuth2KtorClient

class OAuth2KtorClient(engine: HttpClientEngine, cookiesStorage: CookiesStorage? = null, httpClientConfig: HttpClientConfig<*>.() -> Unit? = null, loadClientAttestationJwt: suspend () -> String? = null, signClientAttestationPop: SignJwtFun<JsonWebToken>? = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderNone()), signDpop: SignJwtFun<JsonWebToken> = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderCertOrJwk()), dpopAlgorithm: JwsAlgorithm = JwsAlgorithm.Signature.ES256, val oAuth2Client: OAuth2Client, randomSource: RandomSource = RandomSource.Secure)(source)

Implements the client side of OAuth2

Supported features:

Token requests and responses
OAuth 2.0 Demonstrating Proof of Possession (DPoP)
OAuth 2.0 Attestation-Based Client Authentication
OAuth 2.0 Pushed Authorization Requests

Constructors

OAuth2KtorClient

constructor(engine: HttpClientEngine, cookiesStorage: CookiesStorage? = null, httpClientConfig: HttpClientConfig<*>.() -> Unit? = null, loadClientAttestationJwt: suspend () -> String? = null, signClientAttestationPop: SignJwtFun<JsonWebToken>? = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderNone()), signDpop: SignJwtFun<JsonWebToken> = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderCertOrJwk()), dpopAlgorithm: JwsAlgorithm = JwsAlgorithm.Signature.ES256, oAuth2Client: OAuth2Client, randomSource: RandomSource = RandomSource.Secure)

Types

OpenUrlForAuthnRequest

data class OpenUrlForAuthnRequest(val url: String, val state: String)

Open the url in a browser (so the user can authenticate at the AS), and store state to use in next call.

Properties

client

val client: HttpClient

oAuth2Client

val oAuth2Client: OAuth2Client

Implements OAuth2 protocol, redirectUrl needs to be registered by the OS for this application, so redirection back from browser works

Functions

applyAuthnForToken

suspend fun applyAuthnForToken(oauthMetadata: OAuth2AuthorizationServerMetadata, popAudience: String, resourceUrl: String, httpMethod: HttpMethod, useDpop: Boolean): HttpRequestBuilder.() -> Unit

Sets the appropriate headers when accessing a token endpoint, i.e., performs client authentication, also sign DPoP proof when useDpop is set.

applyToken

suspend fun applyToken(tokenResponse: TokenResponseParameters, resourceUrl: String, httpMethod: HttpMethod, dpopNonce: String? = null): HttpRequestBuilder.() -> Unit

Sets the appropriate headers when accessing resourceUrl, by reading data from tokenResponse, i.e. HttpHeaders.Authorization and probably HttpHeaders.DPoP.

callTokenIntrospection

suspend fun callTokenIntrospection(oauthMetadata: OAuth2AuthorizationServerMetadata, request: TokenIntrospectionRequest, token: String, popAudience: String, retryCount: Int = 0): TokenIntrospectionResponse

Calls the token introspection endpoint (OAuth2AuthorizationServerMetadata.introspectionEndpoint) to check whether the given token is active, returns TokenInfo on success, otherwise throws InvalidToken.

requestTokenWithAuthCode

suspend fun requestTokenWithAuthCode(oauthMetadata: OAuth2AuthorizationServerMetadata, url: String, authorizationServer: String, state: String, scope: String? = null, authorizationDetails: Set<OpenIdAuthorizationDetails>? = null): KmmResult<TokenResponseWithDpopNonce>

Uses the auth code to request an access token.

requestTokenWithPreAuthorizedCode

suspend fun requestTokenWithPreAuthorizedCode(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, preAuthorizedCode: String, transactionCode: String?, scope: String?, authorizationDetails: Set<OpenIdAuthorizationDetails>): KmmResult<TokenResponseWithDpopNonce>

Uses a pre-authorized code from the authorization server to request an access token.

requestTokenWithRefreshToken

suspend fun requestTokenWithRefreshToken(oauthMetadata: OAuth2AuthorizationServerMetadata, credentialIssuer: String, refreshToken: String, scope: String?, authorizationDetails: Set<OpenIdAuthorizationDetails>): KmmResult<TokenResponseWithDpopNonce>

Uses the refresh token to request a new access token.

requestTokenWithTokenExchange

suspend fun requestTokenWithTokenExchange(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, subjectToken: String, resource: String?): KmmResult<TokenResponseWithDpopNonce>

Uses an access token from another client to request a new access token, see RFC8693 OAuth 2.0 Token Exchange.

startAuthorization

suspend fun startAuthorization(oauthMetadata: OAuth2AuthorizationServerMetadata, authorizationServer: String, state: String = uuid4().toString(), issuerState: String? = null, authorizationDetails: Set<OpenIdAuthorizationDetails>? = null, scope: String? = null): KmmResult<OAuth2KtorClient.OpenUrlForAuthnRequest>

Builds the authorization request (AuthenticationRequestParameters) to start authentication at the authorization server.

updateDpopNonceAndRetry

suspend fun <T> OAuth2Error?.updateDpopNonceAndRetry(response: HttpResponse, url: String, retryCount: Int, action: suspend () -> T): T

Store the DPoP nonce if it is set, and retry the previous action