
1use chrono::{DateTime, Utc};
2use serde::{Deserialize, Serialize};
3use uuid::Uuid;
4
5// ── OAuth2 / OIDC Client ───────────────────────────────────────────────────────
6
/// A registered OAuth2 / OIDC relying party, as persisted by the repository layer.
///
/// NOTE(review): `Serialize` is derived on the whole struct, so `secret_hash`
/// would be emitted if this type were ever written into an API response —
/// confirm it is only used internally, or skip that field when serializing.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OidcClient {
    pub id: Uuid,
    /// Public identifier the client presents as `client_id`.
    pub client_id: String,
    /// SHA-256 hash of the client secret (like a password — never stored raw).
    /// NOTE(review): an unsalted fast hash is only adequate when the secret is a
    /// server-generated, high-entropy random value — confirm how secrets are issued.
    pub secret_hash: String,
    /// Human-readable display name.
    pub name: String,
    /// Allow-list of redirect URIs. The authorization endpoint is expected to
    /// compare a requested `redirect_uri` against this list exactly; that
    /// enforcement is not in this file.
    pub redirect_uris: Vec<String>,
    /// Allowed OAuth2 grant types (e.g. "authorization_code", "refresh_token").
    pub grant_types: Vec<String>,
    /// Allowed response types (e.g. "code").
    pub response_types: Vec<String>,
    /// Space-separated allowed scopes (e.g. "openid profile email").
    pub allowed_scopes: String,
    pub created_at: DateTime<Utc>,
}
23
/// Input for registering a new [`OidcClient`].
///
/// Carries no `client_id` and no secret: both are presumably generated by the
/// server at creation time, with only the secret's hash persisted — verify
/// against the repository that consumes this type.
#[derive(Debug, Clone)]
pub struct CreateOidcClient {
    pub name: String,
    /// Redirect URI allow-list for the new client (see [`OidcClient::redirect_uris`]).
    pub redirect_uris: Vec<String>,
    pub grant_types: Vec<String>,
    pub response_types: Vec<String>,
    /// Space-separated scopes the client may request.
    pub allowed_scopes: String,
}
32
33// ── Authorization Code ────────────────────────────────────────────────────────
34
/// A persisted authorization code issued by the authorization endpoint.
///
/// Only a hash of the code is stored; the raw code reaches the client once via
/// the redirect. The stored `client_id`, `redirect_uri` and `code_challenge`
/// are the values the token endpoint is expected to check an exchange request
/// against — that validation lives outside this file.
///
/// NOTE(review): there is no `code_challenge_method` field; the comment on
/// `code_challenge` implies S256 only, so a `plain` challenge presumably must
/// not be accepted — confirm at the authorization endpoint.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuthorizationCode {
    pub id: Uuid,
    /// Hash of the raw code (the raw value itself is never stored).
    pub code_hash: String,
    /// Client the code was issued to; an exchange by a different client is
    /// expected to fail.
    pub client_id: String,
    /// Resource owner who approved the authorization request.
    pub user_id: Uuid,
    /// Redirect URI from the authorization request, bound to the code so the
    /// token request is expected to present the same value.
    pub redirect_uri: String,
    /// Space-separated scopes granted.
    pub scope: String,
    /// OIDC `nonce` from the authorization request, presumably echoed into the
    /// ID token — confirm in the token issuer.
    pub nonce: Option<String>,
    /// PKCE S256 code challenge (optional but recommended).
    pub code_challenge: Option<String>,
    /// Exchange after this instant is expected to be rejected.
    pub expires_at: DateTime<Utc>,
    /// Single-use marker: presumably set on first exchange so a replayed code
    /// is rejected — confirm the store updates it atomically with the exchange.
    pub used: bool,
}
49
/// Input for persisting a new [`AuthorizationCode`].
///
/// `id` and `used` are absent: they are presumably assigned by the store
/// (`used` starting as `false`) — verify against the repository.
#[derive(Debug, Clone)]
pub struct CreateAuthorizationCode {
    /// Hash of the raw code; the caller hashes before handing it to the store.
    pub code_hash: String,
    pub client_id: String,
    pub user_id: Uuid,
    pub redirect_uri: String,
    pub scope: String,
    pub nonce: Option<String>,
    /// PKCE S256 code challenge, if the client supplied one.
    pub code_challenge: Option<String>,
    pub expires_at: DateTime<Utc>,
}
61
62// ── Access / Refresh Tokens ───────────────────────────────────────────────────
63
/// A persisted access or refresh token record (see [`OidcTokenType`]).
///
/// Only a hash of the token is stored, so a database read cannot recover the
/// bearer value. Validity is expected to require both `revoked == false` and
/// `expires_at` (when present) not yet passed — that check is not in this file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OidcToken {
    pub id: Uuid,
    /// Hash of the raw token (the raw value itself is never stored).
    pub token_hash: String,
    /// Client the token was issued to.
    pub client_id: String,
    /// Subject the token represents.
    pub user_id: Uuid,
    /// Space-separated scopes carried by the token.
    pub scope: String,
    pub token_type: OidcTokenType,
    /// NOTE(review): `None` presumably means the token never expires — confirm,
    /// and confirm that refresh tokens are not issued without an expiry.
    pub expires_at: Option<DateTime<Utc>>,
    /// Set when the token has been revoked; a revoked token is expected to be
    /// rejected regardless of `expires_at`.
    pub revoked: bool,
    pub created_at: DateTime<Utc>,
}
76
/// Kind of token held by an [`OidcToken`].
///
/// Serialized in snake_case: `"access"`, `"refresh"`, `"device_access"`.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum OidcTokenType {
    /// Bearer access token.
    Access,
    /// Refresh token used to obtain new access tokens.
    Refresh,
    /// Access token issued through the device authorization flow.
    DeviceAccess,
}
84
/// Input for persisting a new [`OidcToken`].
///
/// `id`, `revoked` and `created_at` are absent: presumably assigned by the
/// store (`revoked` starting as `false`) — verify against the repository.
#[derive(Debug, Clone)]
pub struct CreateOidcToken {
    /// Hash of the raw token; the caller hashes before handing it to the store.
    pub token_hash: String,
    pub client_id: String,
    pub user_id: Uuid,
    pub scope: String,
    pub token_type: OidcTokenType,
    /// `None` presumably means no expiry — see [`OidcToken::expires_at`].
    pub expires_at: Option<DateTime<Utc>>,
}
94
95// ── Device Authorization ──────────────────────────────────────────────────────
96
/// A pending or completed device authorization request.
///
/// NOTE(review): the raw `user_code` is stored alongside `user_code_hash`. While
/// both are present, the hash gives no protection against a database read, and
/// deriving `Serialize` on this struct means the raw code would also be emitted
/// wherever the record is serialized — confirm why the raw value must be kept
/// (e.g. for display) and whether it can be dropped once shown to the user.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DeviceCode {
    pub id: Uuid,
    /// SHA-256 of the device_code sent to the device.
    pub device_code_hash: String,
    /// SHA-256 of the user_code shown on the device.
    pub user_code_hash: String,
    /// The raw user_code (short, human-typeable — e.g. "BDWD-HQPK").
    /// Low-entropy by design, so lookups by user_code are expected to be
    /// rate-limited and bounded by `expires_at` — enforced outside this file.
    pub user_code: String,
    /// Client that started the device flow.
    pub client_id: String,
    /// Space-separated scopes requested by the device.
    pub scope: String,
    /// Both codes become invalid after this instant.
    pub expires_at: DateTime<Utc>,
    /// Minimum polling interval the device is expected to honour, in seconds;
    /// presumably the device-authorization `interval` value returned to the
    /// device — confirm in the handler.
    pub interval_secs: u32,
    /// Set once the user has approved the request.
    pub authorized: bool,
    /// Approving user; presumably `None` until `authorized` is set — confirm.
    pub user_id: Option<Uuid>,
}
113
/// Input for persisting a new [`DeviceCode`].
///
/// `id`, `authorized` and `user_id` are absent: presumably assigned by the
/// store (`authorized` starting as `false`, `user_id` as `None`) — verify.
#[derive(Debug, Clone)]
pub struct CreateDeviceCode {
    /// SHA-256 of the device_code handed to the device.
    pub device_code_hash: String,
    /// SHA-256 of the user_code shown on the device.
    pub user_code_hash: String,
    /// Raw user_code (see the note on [`DeviceCode::user_code`]).
    pub user_code: String,
    pub client_id: String,
    pub scope: String,
    pub expires_at: DateTime<Utc>,
    /// Minimum polling interval for the device, in seconds.
    pub interval_secs: u32,
}
124
125// ── SSO / OIDC Federation ─────────────────────────────────────────────────────
126
/// An external OIDC IdP configuration (e.g. corporate Okta, Azure AD).
///
/// NOTE(review): `Serialize` is derived on the whole struct, so `secret_enc`
/// would be emitted if this type were ever written into an API response —
/// confirm it stays internal, or skip that field when serializing.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OidcFederationProvider {
    pub id: Uuid,
    /// Human-readable display name.
    pub name: String,
    /// The OIDC issuer URL (used to discover .well-known/openid-configuration).
    /// The `iss` claim of ID tokens received from this provider is expected to
    /// equal this value exactly — that comparison is not in this file.
    pub issuer: String,
    /// Our client_id as registered at the external provider.
    pub client_id: String,
    /// AES-GCM encrypted client secret.
    /// NOTE(review): the encoding (where the nonce and tag live, and which key
    /// is used) is not visible here; AES-GCM requires a unique nonce per
    /// encryption under the same key — confirm the encryptor generates one per write.
    pub secret_enc: String,
    /// Space-separated scopes requested from the provider.
    pub scopes: String,
    /// When `false`, the provider is expected to be unavailable for login.
    pub enabled: bool,
    pub created_at: DateTime<Utc>,
}
141
/// Input for registering a new [`OidcFederationProvider`].
///
/// `id`, `enabled` and `created_at` are absent: presumably assigned by the
/// store — verify the initial `enabled` value against the repository.
#[derive(Debug, Clone)]
pub struct CreateOidcFederationProvider {
    pub name: String,
    /// OIDC issuer URL (see [`OidcFederationProvider::issuer`]).
    pub issuer: String,
    pub client_id: String,
    /// Client secret already AES-GCM encrypted by the caller; never the raw value.
    pub secret_enc: String,
    pub scopes: String,
}