pub struct KeyStore { /* private fields */ }
Expand description
JWK key store.
This is basically a thin wrapper around JSON web key sets that adds loading/updating functionality.
Implementations§
source§impl KeyStore
impl KeyStore
sourcepub async fn new_from_url(surl: &str) -> BBResult<Self>
pub async fn new_from_url(surl: &str) -> BBResult<Self>
sourcepub async fn keyset(&self) -> Vec<BBKey>
pub async fn keyset(&self) -> Vec<BBKey>
Return the keys in the keystore.
This function is cloning all keys, since otherwise the read lock would have to be held after this function returns. Thus, use this sparingly :-)
§Returns
The cloned keyset.
sourcepub async fn add_rsa_pem_key(
&self,
pem: &str,
kid: Option<&str>,
alg: KeyAlgorithm
) -> BBResult<()>
pub async fn add_rsa_pem_key( &self, pem: &str, kid: Option<&str>, alg: KeyAlgorithm ) -> BBResult<()>
Add a public RSA key from a PEM string.
§Arguments
pem
- PEM encoded public RSA keykid
- optional key idalg
- algorithm, e.g.KeyAlgorithm::RS256
sourcepub async fn add_ec_pem_key(
&self,
pem: &str,
kid: Option<&str>,
curve: EcCurve,
alg: KeyAlgorithm
) -> BBResult<()>
pub async fn add_ec_pem_key( &self, pem: &str, kid: Option<&str>, curve: EcCurve, alg: KeyAlgorithm ) -> BBResult<()>
Add a public elliptic curve key from a PEM string.
Supports both EdDSA and EC keys.
§Arguments
pem
- public key in PEM encodingkid
- optional key idcurve
- the Ed curve (Ed448 or Ed25519) or EC curve (P256, P384, P521)alg
- the algorithm, e.g. ES384
sourcepub async fn key_by_id(&self, kid: Option<&str>) -> BBResult<BBKey>
pub async fn key_by_id(&self, kid: Option<&str>) -> BBResult<BBKey>
Retrieve a key by id.
The kid
claim is optional, so the keyset may contain keys without id.
This is why the kid
argument to this function is optional, too. If it is
None, we use the first key, assuming that there is only one. This
complies to the rules set by the OpenID Connect spec, defined
here.
§Arguments
kid
- the ID of the key. If None, the first key is returned.
sourcepub fn set_reload_factor(&mut self, interval: f64)
pub fn set_reload_factor(&mut self, interval: f64)
Specify the interval factor to determine when the key store should reload its keys.
The default is 0.75, meaning that keys should be reloaded when we are 3/4 through
the expiration time (similar to DHCP). For example if the server tells us that the
keys expire in 10 minutes, setting the reload interval to 0.75 will consider the keys
to be expired after 7.5 minutes and the KeyStore::should_reload
function returns true.
This method does not update the reload time. Call KeyStore::load_keys
to force an
update.
sourcepub fn reload_factor(&self) -> f64
pub fn reload_factor(&self) -> f64
Get the current fraction time to check for token reload time.
sourcepub fn load_time(&self) -> Option<SystemTime>
pub fn load_time(&self) -> Option<SystemTime>
Get the time at which the keys were initially loaded.
§Returns
Time of initial load or None if the keys were never loaded.
sourcepub fn reload_time(&self) -> Option<SystemTime>
pub fn reload_time(&self) -> Option<SystemTime>
Get the time at which the keys should be reloaded.
See KeyStore::set_reload_factor
for more info.
sourcepub fn should_reload_time(&self, time: SystemTime) -> Option<bool>
pub fn should_reload_time(&self, time: SystemTime) -> Option<bool>
Check if keys are expired based on the given time
.
§Returns
- Some(true) if keys should be reloaded.
- Some(false) if keys need not to be reloaded
- None if the key store does not have a reload time available. For example, the
KeyStore::load_keys
function was not called or the HTTP server did not provide a cache-control HTTP header.
sourcepub fn should_reload(&self) -> Option<bool>
pub fn should_reload(&self) -> Option<bool>
Check if keys are expired based on the current system time.
§Returns
- Some(true) if keys should be reloaded.
- Some(false) if keys need not to be reloaded
- None if the key store does not have a reload time available. For example, the
KeyStore::load_keys
function was not called or the HTTP server did not provide a cache-control HTTP header.
sourcepub async fn load_keys(&mut self) -> BBResult<()>
pub async fn load_keys(&mut self) -> BBResult<()>
Load/update keys from the keystore URL.
Clients should call this function when KeyStore::should_reload
returns true.
sourcepub async fn idp_certs_url(idp_discovery_url: &str) -> BBResult<String>
pub async fn idp_certs_url(idp_discovery_url: &str) -> BBResult<String>
Determine the URL where public keys can be loaded.
OpenID Connect IdPs provide an info endpoint called OpenID Connect Discovery that returns, among other info, the URL where the IdP’s public keys (JWKS) are downloadable. These public keys are used to validate ID Tokens (i.e. JWTs) issued by this IdP.
This function returns the public keys URL read from the discovery endpoint.
OpenID Connect providers might use different schemas for this URL; for Keycloak, the URL is built like this:
https://host.tld/realms/<realm_name>/.well-known/openid-configuration
§Arguments
idp_discovery_url
- the URL to load the discovery info from.
sourcepub fn keycloak_discovery_url(host: &str, realm: &str) -> BBResult<String>
pub fn keycloak_discovery_url(host: &str, realm: &str) -> BBResult<String>
Construct Keycloak specific discovery URL from a host and realm name.
Provided for convenience :-)
§Arguments
host
- protocol and host name of the Keycloak server, e.g. https://idp.domain.tldrealm
- the realm name
§Returns
URL of discovery endpoint.