(Optional). If this is False, there will be no 'authpageoidclogin' with its default form asking for an email. This can be used if you consolidate your various yesod auth plugins into one login page outside of this plugin. In that case, you would initialise OIDC login by POSTing to oidcForwardR with "email" and Yesod's defaultCsrfParamName from your own page. Defaut is True.

(Optional) A callback to your app in case oidcForwardR is called without the login_hint query parameter. Default implementation throws a BadLoginHint exception.

Looks up configuration. If none can be found, you should handle the fallback / error call yourself. Returns the ClientID for the given identity provider, and either the provider configuration itself, or otherwise just the Issuer URI. If the latter, this library will use OIDC discovery to retrieve the configuration.

The Issuer URI should only consist of the scheme (which must be "https:") and fully qualified host name (e.g. example.com), with no path etc.

The full configuration could be hard-coded or the cached result of a previous discovery. Cf onProviderConfigDiscovered.

Note that the Provider is both the configuration and the result of retrieving the keyset from jwks_uri.

(Optional). If the tenant is configured via a discovery URL, this function will be called with the discovered result and that result's retrieved keyset. This can be used to cache the configuration for the given duration. Since the oidc-client library combines discovery with key retrieval, the given time is the minimum of the two remaining cache lifetimes returned by both http requests.

(Optional). Do something if the oidcCallbackR was called with incorrect parameters or the Identity Provider returned an error. This could happen if the request is not legitimate or if the identity provider doesn't provide the required state or code query or post parameters.

Defaults to a simple page showing the error (sans the error_uri).

The printable-ASCII client_secret which you've set up with the provider ahead of time (this library does not support the dynamic registration spec).

(Optional). The scopes that you are requesting. The "openid" scope will always be included in the eventual request whether or not you specify it here. Defaults to ["email"].

(Optional). Configure the behaviour of when to request user information. The default behaviour is to only make this request if it's necessary satisfy the scopes in getScopes.

(Required). Should return a unique identifier for this user to use as the key in the yesod app's session backend. Sent after the user has successfully authenticated and right before telling Yesod that the user is authenticated. This function can still cancel authentication if it throws an error or short-circuits.

If you are using the underlying OAuth spec for non-OIDC reasons, you can do extra work here, such as storing the access and refresh tokens.

Defaults to clearing the credentials from the session and redirecting to the site's logoutDest (if not currently there already or out loginDest)

Should return your app's HttpManager or a mock for testing. Allows high-level mocking of the 3 functions that use the HttpManager (as opposed to a lower-level mock of the 3 HTTP responses themselves).