Previous: , Up: The Json Web Token   [Contents][Index]


8.8 Authorization codes

(webid-oidc authorization-code) defines an authorization code type.

Class: <authorization-code> (<single-use-token>) webid client-id

While it is not necessary that an authorization code is a JWT, it is easier to implement that way. It is an authorization for client-id, a URI identifying a client, to access the data of the user identified by webid, also a URI. It should only be valid for a limited amount of time, and used once only.

The DPoP proof is a token that is issued by the client, and presented to the resource server along with an access token. It is only valid for one request, and for one use. So, it should have a very short validity frame, for instance 30 seconds, and should only be valid for a specific request method htm and a specific request URI htu, down to the path, but ignoring the query and fragment.

The DPoP proof is the proof of possession of jwk, a public key. It should always have a typ field set to "dpop+jwt".

To construct an authorization code, you would either need #:jwt-header and #:jwt-payload, as for any token, or a combination of parameters:

The authorization code is signed and verified by the same entity. So, the key lookup function is tuned to always return the issuer key. You need to set it as the #:issuer-key keyword argument of the decode function.
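As an added illustration, not code from the webid-oidc library and not its Scheme API, the following Python model captures the semantics described above: a code signed and verified with the same issuer key, bound to a webid and a client-id, short-lived and redeemable once. The HS256 signature, the claim names and the in-memory set of used identifiers are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets

class InvalidAuthorizationCode(Exception):
    """Counterpart of the manual's &invalid-authorization-code condition."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(issuer_key: bytes, signing_input: str) -> bytes:
    return hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()

def issue_authorization_code(issuer_key: bytes, webid: str, client_id: str,
                             now: int, lifetime: int = 60) -> str:
    """Mint a code authorising client_id to access webid's data for `lifetime` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}  # HS256 is an assumption of this model
    payload = {"webid": webid, "client_id": client_id, "iat": now,
               "exp": now + lifetime, "jti": secrets.token_urlsafe(16)}  # jti: single-use id
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    return f"{signing_input}.{_b64url(_sign(issuer_key, signing_input))}"

def redeem_authorization_code(issuer_key: bytes, code: str, now: int,
                              used: set) -> tuple:
    """Verify with the issuer key, enforce expiry and single use, return (webid, client-id)."""
    parts = code.split(".")
    if len(parts) != 3:
        raise InvalidAuthorizationCode("not a compact JWS")
    signing_input = f"{parts[0]}.{parts[1]}"
    try:
        sig = _unb64url(parts[2])
    except ValueError as e:
        raise InvalidAuthorizationCode("bad signature encoding") from e
    # Signature check first, so nothing below trusts unauthenticated claims.
    if not hmac.compare_digest(_sign(issuer_key, signing_input), sig):
        raise InvalidAuthorizationCode("bad signature")
    try:
        payload = json.loads(_unb64url(parts[1]))
        webid, client_id, exp, jti = (payload[k] for k in ("webid", "client_id", "exp", "jti"))
    except (ValueError, KeyError, TypeError) as e:
        raise InvalidAuthorizationCode("malformed payload") from e
    if now >= exp:
        raise InvalidAuthorizationCode("expired")
    if jti in used:  # a code is redeemable once only
        raise InvalidAuthorizationCode("already used")
    used.add(jti)
    return webid, client_id
```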

Generic: webid token

Return the user identifier in token, as a URI.

Generic: client-id token

Return the client identifier in token, as a URI.

Exception type: &invalid-authorization-code

This exception is raised when the authorization code is invalid.

function: make-invalid-authorization-code

Construct an exception of type &invalid-authorization-code.

function: invalid-authorization-code? exception

Check whether exception was raised because of an invalid authorization code.
