1use http::StatusCode;
5use jsonwebtoken::jwk::KeyAlgorithm;
6
7#[cfg(not(target_family = "windows"))]
8use spiffe::{
9 JwtSourceError, JwtSvidError, SpiffeIdError, TrustDomain, WorkloadApiError, X509SourceError,
10};
11
12use thiserror::Error;
13
/// Error type shared by the auth code paths: JWT handling, OIDC discovery and
/// OAuth2 token endpoints, HMAC keys, JWKS fetching/caching, SPIFFE/SPIRE
/// (non-Windows targets only) and the MLS helpers.
///
/// Conventions visible in this definition:
/// - A variant with a `#[from]` field gets a `From` impl, so the wrapped error
///   converts with `?` and is reachable through `Error::source()`.
/// - Several variants keep a fixed, non-descriptive `Display` text (for example
///   `JwtTokenInvalid` and `SpiffeError`) and leave the detail in `source()`;
///   only variants whose format string interpolates a field expose that field
///   in `Display`. Callers that surface the message to a client therefore leak
///   no more than what the format string names.
/// - A struct variant whose field is named `source` (without `#[from]`) is
///   still picked up by `thiserror` as the error source. `JwksParse` and
///   `SpiffeCustomClaimsSerialize` use this form because `serde_json::Error`
///   already has its `From` impl via `JsonError`, and a second `#[from]` of the
///   same type would not compile.
#[derive(Error, Debug)]
pub enum AuthError {
    /// The JWK's `alg` value names an algorithm this crate does not handle;
    /// the algorithm is included in the message.
    #[error("unsupported key algorithm: {0}")]
    JwtUnsupportedKeyAlgorithm(KeyAlgorithm),
    /// The JWK has no `alg` field, so the signing algorithm cannot be chosen
    /// from the key itself.
    #[error("JWK does not contain the key algorithm (alg) field")]
    JwtMissingKeyAlgorithm,
    /// A signing operation was requested but no private key is configured.
    #[error("no private key available for signing")]
    JwtMissingPrivateKey,
    /// Verification needs either a static decoding key or key auto-resolution;
    /// neither is available.
    #[error("missing decoding key or autoresolve is disabled")]
    JwtMissingDecodingKeyOrKeyResolver,
    /// The JWT claims carry no `iss`, so the issuer's keys cannot be located.
    #[error("missing 'iss' in JWT claims")]
    JwtMissingIssuer,
    /// Key resolution was needed but no resolver is configured.
    #[error("no key resolver available")]
    JwtNoKeyResolver,
    /// A static-token provider was used without a token being configured.
    #[error("no static JWT token configured")]
    JwtNoStaticTokenConfigured,
    /// JWK-formatted keys are accepted for verification only, not for signing.
    #[error("JWK format not supported for encoding (signing) keys")]
    JwtJwkFormatNotSupportedForEncoding,
    /// The JWKS fetch for an issuer returned a non-success HTTP status; only
    /// the status code is recorded, not the response body.
    #[error("failed to fetch JWKS for issuer - status_code: {0}")]
    JwtFetchJwksFailed(StatusCode),
    /// Custom claims were requested from `StaticTokenProvider`, which cannot
    /// mint tokens and so cannot honour them.
    #[error("StaticTokenProvider does not support custom claims")]
    JwtStaticUnsupportedCustomClaims,

    /// The OIDC discovery document has no `token_endpoint`.
    #[error("token_endpoint not found in discovery document")]
    OidcDiscoveryMissingTokenEndpoint,
    /// No key matched the identifier that was looked up (shown in the message).
    #[error("key not found: {0}")]
    OidcKeyNotFound(String),
    /// The token header has no `kid` and the key set holds more than one key,
    /// so key selection would be ambiguous.
    #[error("kid is missing and multiple keys are available")]
    OidcMissingKidWithMultipleKeys,
    /// Custom claims were requested from the OIDC token provider, which does
    /// not support them.
    #[error("OIDC Token Provider does not support custom claims")]
    OidcUnsupportedCustomClaims,
    /// Failure inside the OAuth2 request machinery. The boxed error is printed
    /// inline via `{0}`; because the field is neither named `source` nor marked
    /// `#[source]`, it is not exposed through `Error::source()`.
    #[error("OAuth2 request error: {0}")]
    OAuth2Request(Box<dyn std::error::Error + Send + Sync>),
    /// The token endpoint answered with an error status. The response body is
    /// embedded verbatim in the `Display` output.
    /// NOTE(review): `body` is data returned by the remote endpoint — confirm
    /// where callers log or forward this message before relying on it.
    #[error("Token endpoint error: status {status}, body: {body}")]
    TokenEndpointError { status: u16, body: String },
    /// The token endpoint rejected the client credentials.
    #[error("Invalid client credentials")]
    InvalidClientCredentials,

    /// The configured HMAC key is below the minimum length (the threshold is
    /// enforced by the caller, not encoded here).
    #[error("hmac key is too short")]
    HmacKeyTooShort,
    /// No HMAC key was configured.
    #[error("hmac key is missing")]
    HmacKeyMissing,

    /// `std::time::SystemTimeError`, e.g. from `duration_since` when the clock
    /// is earlier than the anchor it is compared against.
    #[error("time error")]
    TimeError(#[from] std::time::SystemTimeError),

    /// A URL (endpoint, issuer, JWKS URI, ...) failed to parse.
    #[error("URL parse error")]
    UrlParseError(#[from] url::ParseError),

    /// A constructed HTTP header name was not valid.
    #[error("invalid header name")]
    HeaderNameError(#[from] http::header::InvalidHeaderName),
    /// A constructed HTTP header value was not valid (e.g. non-visible ASCII).
    #[error("invalid header value")]
    HeaderValueError(#[from] http::header::InvalidHeaderValue),

    /// Propagated from the crate's file watcher (used for reloading material
    /// from disk).
    #[error("file watcher error")]
    FileWatcherError(#[from] crate::file_watcher::FileWatcherError),

    /// A token was requested but the provider had none to return.
    #[error("no token available")]
    GetTokenError,
    /// Generic verification failure with no detail attached; compare
    /// `JwtTokenInvalid`, which uses the same text but carries a source.
    #[error("token invalid")]
    TokenInvalid,
    /// The token could not be parsed at all.
    #[error("token malformed")]
    TokenMalformed,
    /// The token verified but has no `sub` claim.
    #[error("token invalid: missing subject claim")]
    TokenInvalidMissingSub,
    /// The token was rejected as a replay (already seen).
    #[error("token invalid: replay")]
    TokenInvalidReplay,
    /// Verification failed inside `jsonwebtoken`; the underlying error (bad
    /// signature, expired, wrong audience, ...) is available via `source()`
    /// rather than in the message.
    #[error("token invalid")]
    JwtTokenInvalid(#[from] jsonwebtoken::errors::Error),
    /// The `exp` claim is absent or not usable as a timestamp.
    #[error("token invalid - missing or invalid exp claim")]
    TokenInvalidMissingExp,

    /// Transport-level failure from `reqwest`.
    #[error("HTTP request error")]
    HttpError(#[from] reqwest::Error),

    /// The fetched JWKS document is not valid for this parser; the
    /// `serde_json` message is interpolated into `Display` and the field is
    /// also the error source.
    #[error("failed to parse JWKS: {source}")]
    JwksParse { source: serde_json::Error },
    /// The JWKS was fetched but no key in it matches the token header.
    #[error("no suitable key found in JWKS for token header")]
    JwksNoSuitableKey,
    /// No JWKS has been cached for the named issuer.
    #[error("no cached JWKS for issuer: {issuer}")]
    JwksCacheMiss { issuer: String },
    /// The OIDC discovery document has no `jwks_uri`.
    #[error("openid discovery document missing jwks_uri field")]
    OidcDiscoveryMissingJwksUri,
    /// A JWKS for the issuer exists in the cache but is past its lifetime.
    #[error("cached JWKS expired for issuer: {issuer}")]
    JwksCacheExpired { issuer: String },

    /// Returned on Windows, where the SPIFFE variants below are compiled out.
    /// This variant itself is not `cfg`-gated, so it exists on every target.
    #[error("spire integration is not supported on Windows")]
    SpireUnsupportedOnWindows,
    /// Serialising the audience list into custom claims failed.
    #[cfg(not(target_family = "windows"))]
    #[error("serde error while encoding audience: {source}")]
    SpiffeCustomClaimsSerialize { source: serde_json::Error },
    /// Invalid SPIFFE ID (detail in `source()`).
    #[cfg(not(target_family = "windows"))]
    #[error("spiffe error")]
    SpiffeError(#[from] SpiffeIdError),
    /// Workload API call failed (detail in `source()`).
    #[cfg(not(target_family = "windows"))]
    #[error("spiffe grpc error")]
    SpiffeGrpcError(#[from] WorkloadApiError),
    /// The Workload API endpoint could not be reached.
    #[cfg(not(target_family = "windows"))]
    #[error("spiffe workload api unavailable")]
    SpiffeWorkloadApiUnavailable,
    /// Error from the X.509 SVID source (detail in `source()`).
    #[cfg(not(target_family = "windows"))]
    #[error("spiffe x509 source error")]
    SpiffeX509SourceError(#[from] X509SourceError),
    /// Error from the JWT SVID source (detail in `source()`).
    #[cfg(not(target_family = "windows"))]
    #[error("spiffe jwt source error")]
    SpiffeJwtSourceError(#[from] JwtSourceError),
    /// A JWT SVID was requested before the JWT source was set up.
    #[cfg(not(target_family = "windows"))]
    #[error("jwt source not initialized")]
    SpiffeJwtSourceNotInitialized,
    /// The JWT source returned no SVID.
    #[cfg(not(target_family = "windows"))]
    #[error("missing jwt svid")]
    SpiffeJwtSvidMissing,
    /// The JWT source returned no bundle for verification.
    #[cfg(not(target_family = "windows"))]
    #[error("missing jwt bundle")]
    SpiffeJwtBundleMissing,
    /// The JWT SVID failed validation (detail in `source()`).
    #[cfg(not(target_family = "windows"))]
    #[error("invalid JWT svid")]
    SpiffeInvalidJwtSvid(#[from] JwtSvidError),
    /// The X.509 source returned no SVID.
    #[cfg(not(target_family = "windows"))]
    #[error("failed to fetch x509 SVID")]
    SpiffeX509SvidMissing,
    /// An X.509 SVID was requested before the X.509 source was set up.
    #[cfg(not(target_family = "windows"))]
    #[error("x509 source not initialized")]
    SpiffeX509SourceNotInitialized,
    /// No X.509 trust bundle is available for the named trust domain.
    #[cfg(not(target_family = "windows"))]
    #[error("x509 trust bundle not available: {0}")]
    SpiffeX509BundleMissing(TrustDomain),
    /// The X.509 SVID carried an empty certificate chain.
    #[cfg(not(target_family = "windows"))]
    #[error("spire x509 empty certificate chain")]
    SpiffeX509EmptyCertChain,
    /// Generic `serde_json` failure; this is the one `From<serde_json::Error>`
    /// impl on this enum.
    #[error("JSON serialization error")]
    JsonError(#[from] serde_json::Error),
    /// Base64 decoding failed (detail in `source()`).
    #[error("base64 decode error")]
    Base64DecodeError(#[from] base64::DecodeError),

    /// A synchronous entry point was called where completing would require
    /// blocking on async I/O; the caller should use the async variant.
    #[error("operation would block on async I/O; call async variant")]
    WouldBlockOn,

    /// The provider has no MLS support.
    #[error("MLS is not supported by this provider")]
    MlsNotSupported,
    /// Generating the MLS signature key pair failed.
    #[error("MLS signature key generation failed")]
    MlsKeyGenerationFailed,
    /// The identity claims carry no public key.
    #[error("public key not found in identity claims")]
    PublicKeyNotFound,
    /// The identity claims carry no subject.
    #[error("subject not found in identity claims")]
    SubjectNotFound,
}