oidc-client

OpenID Connect 1.0 library for RP

https://github.com/krdlab/haskell-oidc-client

LTS Haskell 21.25:0.7.0.1
Stackage Nightly 2026-01-18:0.8.0.0@rev:1
Latest on Hackage:0.8.0.0@rev:1

See all snapshots oidc-client appears in

MIT licensed by Sho Kuroda
Maintained by Sho Kuroda
This version can be pinned in stack with:oidc-client-0.8.0.0@sha256:ad04bcb9680c81ca364ed097929265fe79a036b5a2dd556f6ff344146da34afd,3523

Module documentation for 0.8.0.0

  • Web
    • Web.OIDC
      • Web.OIDC.Client
        • Web.OIDC.Client.CodeFlow
        • Web.OIDC.Client.Discovery
          • Web.OIDC.Client.Discovery.Issuers
          • Web.OIDC.Client.Discovery.Provider
        • Web.OIDC.Client.IdTokenFlow
        • Web.OIDC.Client.Settings
        • Web.OIDC.Client.Tokens
        • Web.OIDC.Client.Types
Used by 1 package in nightly-2026-01-18(full list with versions):
kubernetes-api-client

OpenID Connect 1.0 library for Relying Party

Testing

This package supports implementing of an OpenID Connect 1.0 Relying Party. It’s written in Haskell.

This package uses jose-jwt package for decoding a received tokens.

Usage

$ cabal update
$ cabal install oidc-client

The documentation is available in Hackage.

Run example

examples/scotty is a runnable code. If you try to run it, execute commands as follows:

$ stack build --flag oidc-client:build-examples

and then

$ export OPENID_CLIENT_BASE_URL="http://localhost:3000"
$ export OPENID_CLIENT_ID="Your client ID"
$ export OPENID_CLIENT_SECRET="Your client secret"
$ stack exec scotty-example

You can access to http://localhost:3000/login.

Changes

ChangeLog

[0.8.0.0]

  • Switch to crypton (#60)

[0.7.0.1]

  • bump the text bound #59 (#59)

[0.7.0.0]

  • Lookup by state with sessionStoreGet (#57)

[0.6.1.0]

  • Remove max version cap on bytestring and min >= 0.11 (#54)

[0.6.0.0]

Added

  • Preserve the raw JWT in the tokens record returned by validate (#43)

Fixed

  • s/JwtExceptoin/JwtException/ (#45)
  • import data.monoid (#46)
  • s/Incosistent/Inconsistent/ (#49)
  • Use lenient decoding (#50)

[0.5.1.0]

Fixed

  • fix: generate correct discovery url (#39)
  • Fix discovery URL generation (#40)
    • Corrected more cases

[0.5.0.0]

Added

  • Add implicit id_token flow. See #34.

Changed

  • discover: Append well-known part to parsed request. See #33.

Fixed

  • Fix unsupported algorithm error. See #36.

[0.4.0.1]

Fixed

  • Allow for multiple algorithms in the JWK Set. See #28.
  • Support GHC < 8.4. See #30.

[0.4.0.0]

Added

  • Added a validation of ‘nonce’ parameter. See #24.
  • Made optional claims available. See #24.
  • The lifecycles of ‘nonce’ and ‘state’ can also be managed by SessionStore. See #24.

Changed

  • Made TokenResponse parsing strict. See #23.
  • A signing algorithm is now obtained from OpenID Provider Metadata. See #24.
  • ‘profile’ scope added to ‘examples/scotty’, and name / email / picture shown. See #25.

[0.3.0.1]

Changed

  • ‘expires_in’ can now parsed both String and Decimal number. See #15.

Fixed

  • Improved error messages. See #15.

[0.3.0.0]

Changed

  • Changed Configuration fileds. See #11.

Fixed

  • Fixed Hackage tarball. See #13.

[0.2.0.0]

Changed

  • Refactored modules, exports, types, and functions.

[0.1.0.1]

Changed

  • Adjusted dependency version.

[0.1.0.0]

First public release.