Skip to main content

OAuthProviderConfig

axess_core

Struct OAuthProviderConfig 

Source 
pub struct OAuthProviderConfig {
    pub name: Arc<str>,
    pub scopes: Vec<String>,
    pub ceremony_timeout: Duration,
    /* private fields */
}
Available on crate feature oauth only.
Expand description

Configuration for an OAuth 2.0 / OIDC identity provider.

Fields§

§name: Arc<str>

Short identifier for this provider (e.g. "google", "github").

§scopes: Vec<String>

Scopes to request. Default: ["openid", "email", "profile"].

§ceremony_timeout: Duration

How long the OAuth ceremony (redirect → callback) is valid. Default: 10 minutes. Set higher for IdPs with slow MFA prompts.

Implementations§

Source§

impl OAuthProviderConfig

Source

pub fn with_scopes(self, scopes: Vec<String>) -> OAuthProviderConfig

Override the default scopes.

Source

pub fn with_ceremony_timeout(self, timeout: Duration) -> OAuthProviderConfig

Override the ceremony timeout (default: 10 minutes).

Source

pub fn with_fapi( self, config: FapiConfig, ) -> Result<OAuthProviderConfig, OAuthError>

Enable FAPI 2.0 Baseline Profile for this provider.

Enforces: mandatory PAR, sender-constrained tokens (DPoP or MTLS), and stricter ID token lifetime validation. Requires the IdP to advertise a pushed_authorization_request_endpoint in discovery.

Source

pub fn with_par_endpoint(self, url: impl Into<String>) -> OAuthProviderConfig

Manually set the PAR endpoint (RFC 9126).

Only needed if the IdP doesn’t advertise it in OIDC discovery metadata.

Source

pub fn with_revocation_endpoint( self, url: impl Into<String>, ) -> OAuthProviderConfig

Manually set the OAuth 2.0 token revocation endpoint (RFC 7009).

Only needed when the IdP exposes a revocation endpoint but does not advertise it in the standard OIDC discovery metadata under the revocation_endpoint field; discover() then leaves revoke_token returning Config("...does not include a revocation_endpoint"). Use this setter to override.

Source

pub fn with_end_session_endpoint( self, url: impl Into<String>, ) -> OAuthProviderConfig

Manually set the OIDC RP-Initiated Logout endpoint (end_session_endpoint).

Same rationale as with_revocation_endpoint: many IdPs expose the endpoint without advertising it in discovery, so build_end_session_url returns None until the URL is supplied.

Source

pub fn with_allowed_post_logout_redirect_uris( self, uris: impl IntoIterator<Item = impl Into<String>>, ) -> OAuthProviderConfig

Configure the set of post_logout_redirect_uri values accepted by build_end_session_url. Each entry must match exactly (no glob / substring matching); values not in the list are silently dropped before being passed to the IdP, defeating phishing chains where an attacker tricks a user-controlled redirect parameter through the logout flow.

Source

pub fn with_device_authorization_endpoint( self, url: impl Into<String>, ) -> OAuthProviderConfig

Set the device authorization endpoint URL (RFC 8628).

Required for the device code flow. Not part of standard OIDC discovery; check your IdP’s documentation for the URL.

Source

pub fn with_clock(self, clock: Arc<dyn Clock>) -> OAuthProviderConfig

Swap the clock used for FAPI nbf / clock-skew checks. Defaults to SystemClock. Pass a MockClock under DST so the time-bound validation is deterministic.

Source§

impl OAuthProviderConfig

Source

pub async fn discover( name: &str, issuer_url: &str, client_id: &str, client_secret: &str, redirect_url: &str, ) -> Result<OAuthProviderConfig, OAuthError>

Create a provider using OIDC discovery.

Fetches {issuer_url}/.well-known/openid-configuration to configure authorization, token, and userinfo endpoints automatically.

Source§

impl OAuthProviderConfig

Source

pub async fn refresh_jwks(&self) -> Result<(), OAuthError>

Re-fetch the IdP’s JWKS via JwksCache::refresh.

Called automatically by the back-channel logout handler when a kid is not found in the cached JWKS (IdP key rotation). Can also be called proactively on a schedule.

Trait Implementations§

Source§

impl OAuthProvider for OAuthProviderConfig

Source§

fn name(&self) -> &Arc<str>

Provider name (e.g. "google", "github").
Source§

fn issuer(&self) -> Option<&str>

OIDC issuer URL for this provider (e.g. "https://accounts.google.com").
Source§

fn client_id(&self) -> Option<&str>

OAuth client ID registered with this provider.
Source§

fn scopes(&self) -> &[String]

Scopes to request in the authorization URL.
Source§

fn ceremony_timeout(&self) -> Duration

Ceremony timeout for the OAuth redirect flow.
Source§

fn refresh_jwks<'a>( &'a self, ) -> Pin<Box<dyn Future<Output = Result<(), OAuthError>> + Send + 'a>>

Re-fetch the JWKS from the IdP’s jwks_uri.
Source§

fn verify_logout_jwt(&self, token: &str) -> Result<Value, OAuthError>

Verify the signature of a back-channel logout JWT using this provider’s JWKS keys. Read more
Source§

fn fetch_userinfo<'a>( &'a self, access_token: &'a str, ) -> Pin<Box<dyn Future<Output = Result<UserInfoClaims, OAuthError>> + Send + 'a>>

Fetch additional user claims from the OIDC UserInfo endpoint.
Source§

fn refresh_token<'a>( &'a self, refresh_token: &'a str, ) -> Pin<Box<dyn Future<Output = Result<OAuthClaims, OAuthError>> + Send + 'a>>

Exchange a refresh token for new claims.
Source§

fn exchange_code<'a>( &'a self, code: &'a str, pkce_verifier: String, nonce: String, ) -> Pin<Box<dyn Future<Output = Result<OAuthClaims, OAuthError>> + Send + 'a>>

Exchange an authorization code for claims.
Source§

fn build_auth_url( &self, options: &OAuthLoginOptions, ) -> Result<(Url, String, String, String), OAuthError>

Build an authorization URL for the OAuth flow. Read more
Source§

fn build_auth_url_par<'a>( &'a self, options: &'a OAuthLoginOptions, ) -> Pin<Box<dyn Future<Output = Result<(Url, String, String, String), OAuthError>> + Send + 'a>>

Build an authorization URL using Pushed Authorization Requests (RFC 9126). Read more
Source§

fn fapi_config(&self) -> Option<&FapiConfig>

Return the FAPI configuration, if this provider has FAPI enabled.
Source§

fn push_authorization_request<'a>( &'a self, params: &'a [(&'a str, &'a str)], ) -> Pin<Box<dyn Future<Output = Result<ParResponse, OAuthError>> + Send + 'a>>

Push authorization parameters to the IdP’s PAR endpoint (RFC 9126). Read more
Source§

fn generate_dpop_proof( &self, http_method: &str, http_url: &str, access_token: Option<&str>, key_seed: [u8; 32], ) -> Result<DpopProof, OAuthError>

Generate a DPoP proof JWT (RFC 9449) for the given HTTP method and URL. Read more
Source§

fn build_end_session_url( &self, id_token_hint: Option<&str>, post_logout_redirect_uri: Option<&str>, state: Option<&str>, ) -> Option<Url>

Build the RP-Initiated Logout URL (OIDC RP-Initiated Logout 1.0). Read more
Source§

fn revoke_token<'a>( &'a self, token: &'a str, token_type_hint: Option<&'a str>, ) -> Pin<Box<dyn Future<Output = Result<(), OAuthError>> + Send + 'a>>

Revoke an access or refresh token at the IdP (RFC 7009). Read more
Source§

fn client_credentials<'a>( &'a self, scopes: &'a [&'a str], ) -> Pin<Box<dyn Future<Output = Result<ClientCredentialsToken, OAuthError>> + Send + 'a>>

Exchange client credentials for an access token (OAuth 2.0 Client Credentials grant, RFC 6749 section 4.4).
Source§

fn request_device_code<'a>( &'a self, scopes: &'a [&'a str], ) -> Pin<Box<dyn Future<Output = Result<DeviceAuthResponse, OAuthError>> + Send + 'a>>

Request a device code from the IdP’s device authorization endpoint.
Source§

fn poll_device_token<'a>( &'a self, device_code: &'a str, current_interval: u64, nonce: Option<&'a str>, ) -> Pin<Box<dyn Future<Output = Result<DeviceTokenOutcome, OAuthError>> + Send + 'a>>

Poll the token endpoint for a device code authorization result. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> ArchivePointee for T

Source§

type ArchivedMetadata = ()

The archived version of the pointer metadata for this type.
Source§

fn pointer_metadata( _: &<T as ArchivePointee>::ArchivedMetadata, ) -> <T as Pointee>::Metadata

Converts some archived metadata to the pointer metadata for itself.
Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> LayoutRaw for T

Source§

fn layout_raw(_: <T as Pointee>::Metadata) -> Result<Layout, LayoutError>

Returns the layout of the type.
Source§

impl<T, N1, N2> Niching<NichedOption<T, N1>> for N2
where T: SharedNiching<N1, N2>, N1: Niching<T>, N2: Niching<T>,

Source§

unsafe fn is_niched(niched: *const NichedOption<T, N1>) -> bool

Returns whether the given value has been niched. Read more
Source§

fn resolve_niched(out: Place<NichedOption<T, N1>>)

Writes data to out indicating that a T is niched.
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> Pointee for T

Source§

type Metadata = ()

The metadata type for pointers and references to this type.
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more