{"id":26194285,"url":"https://github.com/active-group/active-openid","last_synced_at":"2026-01-30T23:39:23.226Z","repository":{"id":62432286,"uuid":"474897492","full_name":"active-group/active-openid","owner":"active-group","description":"Utilities and ring-/reitit middleware to talk to an Openid-connect idetity provider.","archived":false,"fork":false,"pushed_at":"2025-11-05T10:07:29.000Z","size":132,"stargazers_count":0,"open_issues_count":10,"forks_count":0,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-11-05T11:27:22.265Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/active-group.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.org","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-03-28T07:44:48.000Z","updated_at":"2025-11-05T09:59:33.000Z","dependencies_parsed_at":"2024-12-06T14:28:05.698Z","dependency_job_id":"0372707c-37b3-4808-b95a-607f4e33c0cb","html_url":"https://github.com/active-group/active-openid","commit_stats":{"total_commits":108,"total_committers":5,"mean_commits":21.6,"dds":"0.40740740740740744","last_synced_commit":"da6ca0db7238244de6fd17c0ae48ff30d24bfe7c"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/active-group/active-openid","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/active-group%2Factive-openid","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/active-group%2Factive-openid/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/active-group%2Factive-openid/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/active-group%2Factive-openid/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/active-group","download_url":"https://codeload.github.com/active-group/active-openid/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/active-group%2Factive-openid/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28923524,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T22:32:35.345Z","status":"ssl_error","status_checked_at":"2026-01-30T22:32:31.927Z","response_time":66,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-12T01:56:02.881Z","updated_at":"2026-01-30T23:39:23.221Z","avatar_url":"https://github.com/active-group.png","language":"Clojure","funding_links":[],"categories":[],"sub_categories":[],"readme":"#+TITLE: Active OpenID\n\n[[https://clojars.org/de.active-group/active-openid][https://img.shields.io/clojars/v/de.active-group/active-openid.svg]]\n\nThis library provides utilities to interact with an [[https://openid.net/][OpenID]] identity provider\n(IdP) via 
[[https://clojure.org/][Clojure]].\n\n* Description\n\n=active-openid= will try to discover OpenID endpoints at configured identity\nproviders. Multiple identity providers can be configured.\n\n* Configuration\n\n=active-openid= provides a configuration section for projects using\n=active.clojure.config= from [[https://github.com/active-group/active-clojure#configuration][active-clojure]]. Below is the configuration schema.\n[[./example/etc/config.edn][An example configuration file can be found here]].\n\nInclude the schema =openid-schema= via a =section= in your code like this\n\n#+begin_src clojure\n(ns your.ns\n  (:require [active.clojure.config :as active-config]\n            [active.clojure.openid.config :as openid-config]))\n\n(def openid-section\n  (active-config/section\n    :openid\n    openid-config/openid-schema))\n#+end_src\n\n* Usage\n\nAdd ~active.clojure.openid/wrap-openid-authentication~ to your middleware stack.\nThat guards your routes from unauthenticated users and offers authentication.\n\nUse ~active.clojure.openid/maybe-user-info-from-request~ to obtain information about\nthe logged-in user in your handlers from the current request. If the user is\nlogged in, it returns an ~active.clojure.openid/UserInfo~ record with ID,\ndisplay name, email, groups and additional information.\n\nThe data structure that represents a logged-in user also contains information on\nhow to log out the user, i.e. the URI and parameters needed to submit to the\nlogout endpoint. See ~active.clojure.openid/logout-link-hiccup~ and\n~active.clojure.openid/logout-form-hiccup~ for how to use and render it.\n\nTo support logout, wrap your logout handler with\n~active.clojure.openid/wrap-openid-logout~ on the same route that\n~wrap-openid-authentication~ uses as its ~logout-endpoint~.\n\nSee [[./example]] for details.\n\n* Authorization Code Flow\n\nThis library implements OpenID's [[https://tools.ietf.org/html/rfc6749#section-4.1][Authorization Code Flow]]. 
This works for regular\nweb apps and server-side apps where the source code is not publicly exposed. The\nexchange must happen server-side because during this exchange the server must\nalso pass along your application's Client Secret, which must always be kept\nsecure.\n\nThis also works for single-page applications when we guard the route that serves\nthe application since the authentication then happens not in the application\nitself but beforehand on the server side.  So we are fine.\n\nWhen we serve a single-page application without such a guard, this library is\nnot sufficient. Then we need to implement [[https://tools.ietf.org/html/rfc7636][Authorization Code Flow with Proof Key\nfor Code Exchange (PKCE)]] _in the client_, so we need to implement it in\nClojureScript. For that we should abstract a lot of the code in this library\nthat takes care of building and parsing the various requests and replies into\n=cljc= namespaces that we can then use in both Clojure- and\nClojureScript-specific implementations. Of course, doing the actual requests\nwill differ. 
But this could probably also be abstracted with a monadic\nimplementation with different monad runners.\n\nHere are some useful links:\n\n- https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens#custom-claims\n- https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow\n- https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce\n\n* Note on IdP configuration\n\nIf the IdP does not use wildcards in redirect uris, they should use the one that\nthe application uses as its =:base-uri= in the configuration.\n\n* Development\n\nFor your convenience, this project includes a minimal [[./shell.nix][shell.nix]] file.\nJust run\n\n#+begin_src shell\nnix-shell --pure\n#+end_src\n\nand you should be good to go.\n\n* Running tests\n\nTo run the tests, execute\n\n#+begin_src\nmake test\n#+end_src\n\n* Deploy a new release\n\nTo release a new version to [[https://clojars.org/][Clojars]], use the =deploy= target, which relies on\ntwo environment variables:\n  \n- =CLOJARS_USERNAME=:  Your clojars username\n- =CLOJARS_PASSWORD=:  Your clojars cli token\n\nTo publish a new release, run:\n\n#+begin_src shell\nCLOJARS_USERNAME=\u003cusername\u003e CLOJARS_PASSWORD=\u003ccli-token\u003e make deploy\n#+end_src\n\n* License\n\nCopyright © 2022-2025 Active Group GmbH\n\nDistributed under the Eclipse Public License either version 2.0 or (at your\noption) any later version. [[file:LICENSE.org][(see LICENSE)]]\n\n* TODO [0/3]\n\nSome of the todos for this project.\n\n- [ ] [[https://openid.net/specs/openid-connect-frontchannel-1_0.html][Frontchannel logout]]\n- [ ] [[https://openid.net/specs/openid-connect-backchannel-1_0.html][Backchannel logout]]\n- [ ] =check_session_iframe=.  Included in discovered endpoints and\n  therefore usable.  
In the future, some direct support (maybe a\n  [[https://github.com/active-group/reacl-c][reacl-c]]-item would be nice?).\n  https://connect2id.com/products/server/docs/api/check-session\n  https://github.com/embesozzi/oidc-check-session-iframe\n  https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage\n  https://atomizedobjects.com/blog/react/add-event-listener-react-hooks/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factive-group%2Factive-openid","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factive-group%2Factive-openid","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factive-group%2Factive-openid/lists"}