Module watts

This module is the main entry point for any kind action to happen.

Description

This module is the main entry point for any kind action to happen. Including logggin in, requesting and revoking of credentials.

Data Types

cred_entry()

cred_entry() = #{name => binary(), type => binary(), value => any()}

cred_result()

cred_result() = {ok, temp_cred()} | {error, #{result => error, user_msg => binary()}}

credential()

credential() = #{cred_id => CredId::binary(), ctime => CTime::binary(), interface => Interface::binary(), service_id => ServiceId::binary(), cred_state => CredState::binary(), entries => Entries::[cred_entry()]}

oidc_info()

oidc_info() = #{id => Id::binary(), desc => Desc::binary(), priority => Priority::integer(), ready => Ready::boolean(), issuer => Issuer::binary()}

session_info()

session_info() = #{session_pid => Session::pid(), session_type => watts_session:type()}

temp_cred()

temp_cred() = #{result => ok, credential => credential()} | #{result => oidc_login, oidc_login => map()}

Function Index

create_information_result/4*create the resul for the user info call.
credential_error_message/1*convert the error to readable messages for log and user.
credential_error_message/2*convert the error to readable messages for log and user, with default.
do_additional_login/4*perform an additional login for a user.
do_login/4*perform a first login, fetching all the information needed.
do_login_if_issuer_enabled/3*start the login process but only if the issuer is enabled.
do_rsp_additional_login/4*perform an additional login via oidc for an RSP session adding additional login information to the session.
does_credential_exist/2check if the credential with the given Id exists for the user.
does_temp_cred_exist/2check if the temp credential with the given Id exists for the user.
empty_session/0*helper function initializing a session without user.
extract_userinfo/1*extract user information out of the response from the oidc provider.
get_access_token_for/1return the access token from a session.
get_credential_list_for/1get the list of credentials for the given session.
get_display_name_for/1return the display name of a session.
get_interface_description/1*convert interface type in human readable string.
get_iss_id_sub_for/1return the issuer, its id, and subject of a session.
get_iss_sub_for/1return the issuer and subject of a session.
get_openid_provider_info/1get the complete openid connect provider information.
get_openid_provider_list/0get the list of all configured openid connect provider.
get_service_list_for/1returns the list of services for the given Session.
get_temp_cred/2get a temp credential by its id and for the user this also deletes the stored credential.
get_user_msg/1*extract the user message from the map.
handle_credential_result/4*handle the result of a translation.
introspect_token_if_needed/4*perfom token introspection if needed.
is_provider_disabled/1*return if a provider is disabled, returns true if not found.
login_with_access_token/2login with an access token, which is use at the API.
login_with_oidcc/2perform a login with the openid flow through the ui (not access token).
logout/1close the given session.
new_login/3*start e new login, so setting up a session is needed.
no_provider_used/1*a helper function to get rid of the dialyzer error.
request_credential_for/3start a translation request at the given Service for the given Session.
retrieve_information/4*retrieve user information at the oidc provider.
return_credential_list/2*get the list of credentials for the given session unless it is RSP.
return_service_list/2*returns the list of services for the given Session unless it is RSP.
return_session_info/1*generate a session description map from the given session pid.
revoke_credential_for/2revoke the credential witht the given id for the user from the session.
rsp_session_if_service_allowed/2*return the rsp session, if the first parameter is true.
rsp_session_or_error/6*either setup the rsp session or return an error.
session_for_rsp/1setup a session for an rsp, get called when performing rsp logins.
session_with_error/1create a basic session that only contains the error message.
start_debug/1start debugging with defaults (one hour, 10000 messages).
start_debug/2start debugging, with options.
stop_debug/0stop debugging.
store_temp_cred/2store a credential temporary in a gen_server in RAM.
trigger_rsp_additional_login/6*check if the RSP is enabled and trigger the additional login.
update_session/4*update the session with issuer, subject and maybe more.
update_session/5*update the session with issuer, its id, subject and maybe more.
update_session_type/2*set the session type depending on the fact if the subject has been shown in the token, so if it has been an Id Token or an Access Token.

Function Details

create_information_result/4 *

create_information_result(X1::{ok, binary(), map()} | {error, atom()}, TokenResult::{ok, map()} | {error, atom()}, TokenMap::map() | binary(), IssuerId::binary()) -> {ok, binary(), binary(), map()} | {error, atom()}

create the resul for the user info call

credential_error_message/1 *

credential_error_message(Reason::atom() | tuple() | any()) -> {binary(), string()}

convert the error to readable messages for log and user

credential_error_message/2 *

credential_error_message(Reason::atom() | tuple(), DefaultMessage::string()) -> {binary(), string()}

convert the error to readable messages for log and user, with default

do_additional_login/4 *

do_additional_login(Issuer::binary(), Subject0::binary(), Token0::map(), SessPid::pid()) -> {ok, session_info()} | {error, Reason::atom()}

perform an additional login for a user. This is e.g. needed for rsps to verify the identity of a user or for plugins that need additional logins/access token

do_login/4 *

do_login(Issuer::binary(), Subject::binary() | undefined, Token::map() | binary(), Session::pid()) -> {ok, session_info()} | {error, Reason::atom()}

perform a first login, fetching all the information needed.

do_login_if_issuer_enabled/3 *

do_login_if_issuer_enabled(Issuer::binary(), Subject::binary() | undefined, Token::map() | binary()) -> {ok, session_info()} | {error, Reason::atom()}

start the login process but only if the issuer is enabled.

do_rsp_additional_login/4 *

do_rsp_additional_login(Issuer::binary(), Subject::binary(), TokenMap::map(), Session::pid()) -> {ok, session_info()} | {error, Reason::atom()}

perform an additional login via oidc for an RSP session adding additional login information to the session. Enforcing that the RSP is enabled.

does_credential_exist/2

does_credential_exist(Id::binary(), Session::pid()) -> boolean()

check if the credential with the given Id exists for the user

does_temp_cred_exist/2

does_temp_cred_exist(Id::binary(), Session::pid()) -> boolean()

check if the temp credential with the given Id exists for the user

empty_session/0 *

empty_session() -> {ok, Session::pid()}

helper function initializing a session without user.

extract_userinfo/1 *

extract_userinfo(Unknown::{ok, map()} | {error, any()}) -> {ok, binary(), map()} | {error, any()}

extract user information out of the response from the oidc provider

get_access_token_for/1

get_access_token_for(Session::pid()) -> {ok, binary()}

return the access token from a session

get_credential_list_for/1

get_credential_list_for(Session::pid()) -> {ok, [credential()]}

get the list of credentials for the given session

get_display_name_for/1

get_display_name_for(Session::pid()) -> {ok, binary()}

return the display name of a session

get_interface_description/1 *

get_interface_description(X1::{ok, atom() | tuple()}) -> binary()

convert interface type in human readable string.

get_iss_id_sub_for/1

get_iss_id_sub_for(Session::pid()) -> {ok, binary(), binary(), binary()}

return the issuer, its id, and subject of a session

get_iss_sub_for/1

get_iss_sub_for(Session::pid()) -> {ok, binary(), binary()}

return the issuer and subject of a session

get_openid_provider_info/1

get_openid_provider_info(ProviderId::binary()) -> {ok, map()}

get the complete openid connect provider information

get_openid_provider_list/0

get_openid_provider_list() -> {ok, [oidc_info()]}

get the list of all configured openid connect provider.

get_service_list_for/1

get_service_list_for(Session::pid()) -> {ok, [Service::map()]}

returns the list of services for the given Session

get_temp_cred/2

get_temp_cred(Id::binary(), Session::pid()) -> {ok, credential()} | {error, atom()}

get a temp credential by its id and for the user this also deletes the stored credential

get_user_msg/1 *

get_user_msg(X1::map()) -> binary()

extract the user message from the map

handle_credential_result/4 *

handle_credential_result(X1::watts_plugin:result(), ServiceId::binary(), Session::pid(), Params::map()) -> cred_result()

handle the result of a translation. this is the result part of the request_credential_for/3 call.

introspect_token_if_needed/4 *

introspect_token_if_needed(X1::boolean(), Token::map(), Config::map(), Session::pid()) -> {ok, map()} | {error, atom()}

perfom token introspection if needed

is_provider_disabled/1 *

is_provider_disabled(ProviderId::binary()) -> boolean()

return if a provider is disabled, returns true if not found.

login_with_access_token/2

login_with_access_token(AccessToken::binary() | atom(), Issuer::binary()) -> {ok, session_info()} | {error, Reason::atom()}

login with an access token, which is use at the API. this function in turn calls do_login_if_issuer_enabled/3.

login_with_oidcc/2

login_with_oidcc(TokenMap::map(), X2::{SessType::watts_session:type(), Session::pid() | undefined}) -> {ok, session_info()} | {error, Reason::atom()}

perform a login with the openid flow through the ui (not access token). there are some possible valid cases, if the Token contains the minimal needed information:

It fails for sure if the Token does not contain the minimal needed information, which is at least subject and issuer in the IdToken.

The login at the api level with access token is performed using {link login_with_access_token/2}.

See also: watts_session.

logout/1

logout(Session::pid()) -> ok

close the given session

new_login/3 *

new_login(Issuer::binary(), Subject::binary() | undefined, Token::map() | binary()) -> {error, Reason::atom()} | {ok, session_info()}

start e new login, so setting up a session is needed. it is not needed for e.g. additional logins.

no_provider_used/1 *

no_provider_used(X1::undefined | binary()) -> boolean()

a helper function to get rid of the dialyzer error

request_credential_for/3

request_credential_for(ServiceId::binary(), Session::pid(), Params::map()) -> cred_result()

start a translation request at the given Service for the given Session. This is using the params passed. A plugin will be triggered to run with all the needed parameter. After running the plugin the result will get parsed and send to the user.

See also: watts_plugin, watts_plugin_runner, watts_plugin:request/4.

retrieve_information/4 *

retrieve_information(Issuer::binary(), Subject::binary(), Token::map(), Session::pid()) -> {ok, binary(), binary(), map()} | {error, atom()}

retrieve user information at the oidc provider

return_credential_list/2 *

return_credential_list(Session::pid(), Type::atom() | tuple()) -> {ok, [credential()]}

get the list of credentials for the given session unless it is RSP

return_service_list/2 *

return_service_list(Session::pid(), Type::atom() | {rsp, term(), term()}) -> {ok, [Service::map()]}

returns the list of services for the given Session unless it is RSP

return_session_info/1 *

return_session_info(Session::pid()) -> {ok, session_info()}

generate a session description map from the given session pid.

revoke_credential_for/2

revoke_credential_for(CredId::binary(), Session::pid()) -> ok | {error, Reason::binary()}

revoke the credential witht the given id for the user from the session.

rsp_session_if_service_allowed/2 *

rsp_session_if_service_allowed(ServiceAllowed::boolean(), Session::pid()) -> {ok, Session::pid()} | {error, Reason::atom()}

return the rsp session, if the first parameter is true. The first parameter is the boolean value if the service is allowed.

rsp_session_or_error/6 *

rsp_session_or_error(ValidProvider::boolean(), ServiceId::binary() | undefined, Params::map() | undefined, Provider::binary() | undefined, Rsp::watts_rsp:rsp(), SessType::watts_session:type()) -> {ok, Session::pid()} | {error, Reason::atom()}

either setup the rsp session or return an error.

session_for_rsp/1

session_for_rsp(Rsp::watts_rsp:rsp()) -> {ok, Session::pid()} | {error, Reason::atom()}

setup a session for an rsp, get called when performing rsp logins. RSP sessions always have a primary login that is coming from the RSP. If a user needs to authenticate against some OpenID Connect provider this always is an additional login for an RSP session.

See also: watts_http_rsp:handle/2, watts_rsp:validate_jwt_get_rsp/2.

session_with_error/1

session_with_error(Msg::binary()) -> {ok, Session::pid()}

create a basic session that only contains the error message.

start_debug/1

start_debug(ListOfModules::[string()]) -> {ok, any()}

start debugging with defaults (one hour, 10000 messages)

start_debug/2

start_debug(ListOfModules::[string()], Options::[any()]) -> {ok, any()}

start debugging, with options

stop_debug/0

stop_debug() -> stopped | not_started

stop debugging

store_temp_cred/2

store_temp_cred(Credential::temp_cred(), Session::pid()) -> {ok, binary()}

store a credential temporary in a gen_server in RAM

trigger_rsp_additional_login/6 *

trigger_rsp_additional_login(X1, Provider, X3, Subject, TokenMap, Pid) -> any()

check if the RSP is enabled and trigger the additional login.

update_session/4 *

update_session(Issuer::binary(), Subject::binary(), Token::binary() | map(), SessionPid::pid()) -> {ok, session_info()}

update the session with issuer, subject and maybe more

update_session/5 *

update_session(Issuer::binary(), IssId::binary(), Subject::binary(), Token::binary() | map(), SessionPid::pid()) -> {ok, session_info()}

update the session with issuer, its id, subject and maybe more

update_session_type/2 *

update_session_type(X1::undefined | binary(), SessPid::pid()) -> ok

set the session type depending on the fact if the subject has been shown in the token, so if it has been an Id Token or an Access Token


Generated by EDoc