Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
OAuth2 Workflow for Friend (
tree: b04d9570c0

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


friend-oauth2 is an oauth2 workflow for Chas Emerick's Friend library.

Working examples have been implemented for's OAuth2, Facebook's server-side authentication, and Github's OAuth2.


[friend-oauth2 "0.0.2"]

Obviously requires Friend.


For now, the best reference is the Friend-OAuth2 examples. Also please refer to the Friend README.

Check out the ring-app handlers in the examples for some examples of how authentication and authorization routes are set up per Friend's config.

Configuring your handler.

(See the one of the example handlers (appdotnet_handler.clj, facebook_handler.clj or github_handler.clj) for working examples.)

A brief description of the necessary configuration:

  1. client-config holds the basic information which changes from app-to-app regardless of the provider: client-id, client-secret, and the applications callback url.

  2. The authentication-uri map holds the provider-specific configuration for the initial redirect to the OAuth2 provider (the user-facing GET request).

  3. The access-token-uri map holds the provider-specific configuration for the access_token request, after the code is returned from the previous redirect (a server-to-server POST request).

  4. access-token-parsefn is a provider-specific function which parses the access_token response and returns just the access_token. If your OAuth2 provider does not follow the RFC ( then you can pass in a custom function to parse the access-token response. See the Facebook and Github examples for reference.

  5. config-auth ...TBD...

Changelog 0.0.1 -> 0.0.2

  • Added tests! Refactored!
  • A helper function has been added (format-config-uri) to configure the redirect url in the config.
  • :redirect-uri in the uri-config has been renamed to :authentication-uri, as it more closely matches the RFC (and it actually makes sense)
  • The access-token-parsefn functionality has been tweaked. If the access-token is returned as defined in the spec (, as "application/json"), then it will automatically handle that. Otherwise you can still pass in the access-token-parsefn to override, and it will use that. See the Facebook and Github examples for reference. Note that this function also now takes the entire response, rather than just the body.



Distributed under the MIT License (

Something went wrong with that request. Please try again.