openid-connect-0.1.1: src/OpenID/Connect/Authentication.hs
{-|
Copyright:
This file is part of the package openid-connect. It is subject to
the license terms in the LICENSE file found in the top-level
directory of this distribution and at:
https://code.devalot.com/open/openid-connect
No part of this package, including this file, may be copied,
modified, propagated, or distributed except according to the terms
contained in the LICENSE file.
License: BSD-2-Clause
-}
module OpenID.Connect.Authentication
( ClientAuthentication(..)
, ClientSecret(..)
, Credentials(..)
, ClientID
, ClientRedirectURI
, AuthenticationRequest(..)
) where
--------------------------------------------------------------------------------
-- Imports:
import Crypto.JOSE.JWK (JWK)
import Data.ByteString (ByteString)
import Data.Text (Text)
import GHC.Generics (Generic)
import Network.HTTP.Types (QueryItem)
import qualified Network.URI as Network
import OpenID.Connect.JSON
import OpenID.Connect.Scope
--------------------------------------------------------------------------------
-- | Private values needed by the client in order to authenticate with
-- the provider.
--
-- The method of authentication is established when the client
-- registers with the provider.
--
-- @since 0.1.0.0
data ClientSecret
= AssignedSecretText Text
-- ^ A @client_secret@ created by the provider and given to the
-- client to use during authentication.
--
-- This is the most common way to authenticate with a provider.
| AssignedAssertionText Text
-- ^ A @client_secret@ created by the provider and given to the
-- client. The client must create a JWT and use the
-- @client_secret@ to calculate a message authentication code for
-- the JWT.
| AssertionPrivateKey JWK
-- ^ A private key that is solely in the client's possession. The
-- provider holds the public key portion of the given key.
--
-- The client creates and signs a JWT in order to authenticate.
--------------------------------------------------------------------------------
-- | A @client_id@ assigned by the provider.
--
-- @since 0.1.0.0
type ClientID = Text
--------------------------------------------------------------------------------
-- | The client (relying party) redirection URL previously registered
-- with the OpenID Provider (i.e. a URL to an endpoint on your web
-- site that receives authentication details from the provider via the
-- end-user's browser).
--
-- After the provider has authenticated the end-user, they will be
-- redirected to this URL to continue the flow.
--
-- NOTE: This URL must match exactly with the one registered with the
-- provider. If they don't match the provider will not redirect the
-- end-user back to your site.
--
-- @since 0.1.0.0
type ClientRedirectURI = Network.URI
--------------------------------------------------------------------------------
-- | A complete set of credentials used by the client to authenticate
-- with the provider.
--
-- @since 0.1.0.0
data Credentials = Credentials
{ assignedClientId :: ClientID
-- ^ The provider-assigned @client_id@.
, clientSecret :: ClientSecret
-- ^ The @client_secret@ or other means of authenticating.
, clientRedirectUri :: ClientRedirectURI
-- ^ The @redirect_uri@ shared between the client and provider.
-- This URI must be registered with the provider.
}
--------------------------------------------------------------------------------
-- | §3.1.2.1. Authentication Request.
--
-- The fields of this record are send to the provider by way of a URI
-- given to the end-user.
--
-- Clients can use the
-- 'OpenID.Connect.Client.Flow.AuthorizationCode.defaultAuthenticationRequest'
-- function to easily create a value of this type.
--
-- @since 0.1.0.0
data AuthenticationRequest = AuthenticationRequest
{ authRequestRedirectURI :: ClientRedirectURI
-- ^ Where to redirect the end-user to after authentication.
, authRequestClientId :: Text
-- ^ The @client_id@ assigned by the provider.
, authRequestScope :: Scope
-- ^ The @scope@ to request. The @openid@ scope is always part of
-- this list.
, authRequestResponseType :: ByteString
-- ^ The @response_type@ parameter.
, authRequestDisplay :: Maybe ByteString
-- ^ The @display@ parameter.
, authRequestPrompt :: Maybe ByteString
-- ^ The @prompt@ parameter.
, authRequestMaxAge :: Maybe Int
-- ^ The @max_age@ parameter.
, authRequestUiLocales :: Maybe Words
-- ^ The @ui_locales@ parameter.
, authRequestIdTokenHint :: Maybe ByteString
-- ^ The @id_token_hint@ parameter.
, authRequestLoginHint :: Maybe Text
-- ^ The @login_hint@ parameter.
, authRequestAcrValues :: Maybe Words
-- ^ The @acr_values@ parameter.
, authRequestOtherParams :: [QueryItem]
-- ^ Any additional query parameters you wish to send to the
-- provider.
}
--------------------------------------------------------------------------------
-- | Methods that a client can use to authenticate with a provider.
--
-- Defined in OpenID Connect Core 1.0 §9.
--
-- @since 0.1.0.0
data ClientAuthentication
= ClientSecretBasic
-- ^ Send credentials using HTTP Basic Authentication.
| ClientSecretPost
-- ^ Send the credentials in the body of an HTTP POST.
| ClientSecretJwt
-- ^ Create a JWT and calculate a message authentication code
-- using a shared secret. The JWT confirms that the client is in
-- possession of the shared secret.
| PrivateKeyJwt
-- ^ Create and sign a JWT using a private key. The provider must
-- already have access to the public key corresponding to the
-- private key.
| None
-- ^ The Client does not authenticate itself at the Token
-- Endpoint, either because it uses only the Implicit Flow (and so
-- does not use the Token Endpoint) or because it is a Public
-- Client with no Client Secret or other authentication mechanism.
deriving stock (Generic, Eq, Show)
deriving (ToJSON, FromJSON) via GenericJSON ClientAuthentication