//! Phase 5a: stored delegation.
//!
//! User-authorized OBO with a refresh token persisted at rest.
//! Authorization flow: user → IdP (via browser redirect) → axess
//! callback receives the authorization code → axess exchanges it at
//! the IdP's token endpoint → axess stores
//! `(access_token, refresh_token, expires_at, scopes)` keyed by
//! `(tenant, user, provider)`. Runtime: `StoredDelegationSession`
//! loads the credential, refreshes the access token if needed, and
//! returns a fresh bearer string to the caller.
//!
//! See [`super`] module docs for the broader OBO concept and the
//! distinction vs [`super::exchange`](crate::delegated::exchange).
//!
//! # Module layout
//!
//! - `provider`: `DelegatedProvider` config (one per third-party
//! integration: Gmail, Outlook, Zoho, …).
//! - `credential`: `StoredDelegation` data shape, the
//! `DelegatedCredentialStore` trait, and `MemoryDelegatedCredentialStore`
//! for dev / test.
//! - `grant`: `begin_grant` (mints authorization URL + state +
//! PKCE verifier) and `complete_grant` (validates state, exchanges
//! code for tokens).
//! - `session`: `StoredDelegationSession::get_access_token()`
//! with silent refresh.
//! - [`encrypted`](crate::delegated::stored::encrypted) (feature `delegated-stored-encrypted`):
//! transparent encryption-at-rest wrapper over any inner
//! `DelegatedCredentialStore`. AES-256-GCM with per-row random
//! nonce and AAD bound to `(provider, tenant, user, field)`.
// Submodule declarations and re-export paths reconstructed from the
// module layout documented above; extraction had dropped the paths,
// leaving bare `pub use ;` lines.
mod credential;
mod grant;
mod provider;
mod session;
#[cfg(feature = "delegated-stored-encrypted")]
pub mod encrypted;

pub use credential::{DelegatedCredentialStore, MemoryDelegatedCredentialStore, StoredDelegation};
pub use grant::{begin_grant, complete_grant};
pub use provider::DelegatedProvider;
pub use session::StoredDelegationSession;
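The runtime half of the module docs (load the stored credential, refresh silently when the access token is near expiry, persist the rotated refresh token, hand back a bearer) is shown below as an added, self-contained example. It is not the project's own `session` or `credential` code: the names `DelegationKey`, `StoredDelegation`, `DelegatedCredentialStore`, `MemoryDelegatedCredentialStore` and `StoredDelegationSession` follow the page, but their method signatures, the `TokenRefresher` trait standing in for the IdP token endpoint, the `FakeIdp` used in place of a real provider, the 60-second refresh leeway and the `now` parameter (unix seconds, injected instead of reading the wall clock) are all assumptions made here.

```rust
use std::collections::HashMap;
use std::sync::Mutex;

/// Row key from the module docs: `(tenant, user, provider)`.
#[derive(Clone, PartialEq, Eq, Hash)]
pub struct DelegationKey { pub tenant: String, pub user: String, pub provider: String }

/// Persisted shape from the module docs: `(access_token, refresh_token, expires_at, scopes)`.
#[derive(Clone)]
pub struct StoredDelegation {
    pub access_token: String,
    pub refresh_token: String,
    pub expires_at: u64, // unix seconds at which `access_token` stops being valid
    pub scopes: Vec<String>,
}

/// Store trait. The page names it but not its methods; `load`/`save` are assumed here.
pub trait DelegatedCredentialStore {
    fn load(&self, key: &DelegationKey) -> Option<StoredDelegation>;
    fn save(&self, key: &DelegationKey, cred: StoredDelegation);
}

/// Dev/test store: a mutex-guarded map (assumed shape).
pub struct MemoryDelegatedCredentialStore { rows: Mutex<HashMap<DelegationKey, StoredDelegation>> }

impl MemoryDelegatedCredentialStore {
    pub fn new() -> Self { Self { rows: Mutex::new(HashMap::new()) } }
}

impl DelegatedCredentialStore for MemoryDelegatedCredentialStore {
    fn load(&self, key: &DelegationKey) -> Option<StoredDelegation> {
        self.rows.lock().unwrap().get(key).cloned()
    }
    fn save(&self, key: &DelegationKey, cred: StoredDelegation) {
        self.rows.lock().unwrap().insert(key.clone(), cred);
    }
}

/// Result of a refresh-token grant at the IdP token endpoint (hypothetical shape).
pub struct RefreshedTokens { pub access_token: String, pub refresh_token: Option<String>, pub expires_in: u64 }

/// Stand-in for the IdP token endpoint so the session logic runs offline (hypothetical trait).
pub trait TokenRefresher {
    fn refresh(&self, provider: &str, refresh_token: &str) -> Result<RefreshedTokens, String>;
}

/// Refresh early when fewer than this many seconds remain, so a caller never
/// receives a bearer that expires mid-request (the value is an assumption).
pub const REFRESH_LEEWAY_SECS: u64 = 60;

pub struct StoredDelegationSession<'a, S: DelegatedCredentialStore, R: TokenRefresher> {
    store: &'a S, refresher: &'a R, key: DelegationKey,
}

impl<'a, S: DelegatedCredentialStore, R: TokenRefresher> StoredDelegationSession<'a, S, R> {
    pub fn new(store: &'a S, refresher: &'a R, key: DelegationKey) -> Self { Self { store, refresher, key } }

    /// Bearer valid at `now` (unix seconds); refreshes silently and persists the result.
    pub fn get_access_token(&self, now: u64) -> Result<String, String> {
        let mut cred = self.store.load(&self.key)
            .ok_or_else(|| "no delegation on file; user must re-authorize".to_string())?;
        if now + REFRESH_LEEWAY_SECS < cred.expires_at {
            return Ok(cred.access_token); // still fresh: no IdP round trip
        }
        let fresh = self.refresher.refresh(&self.key.provider, &cred.refresh_token)?;
        cred.access_token = fresh.access_token;
        cred.expires_at = now + fresh.expires_in;
        if let Some(rotated) = fresh.refresh_token {
            cred.refresh_token = rotated; // rotation: the previous refresh token is now burned
        }
        self.store.save(&self.key, cred.clone()); // persist before handing out the bearer
        Ok(cred.access_token)
    }
}

/// Constructed fake IdP: rotates the refresh token on every call and rejects any
/// refresh token that is not the current one (models single-use rotation).
pub struct FakeIdp { state: Mutex<(String, u32)> } // (current refresh token, call count)

impl FakeIdp {
    pub fn new(initial_rt: &str) -> Self { Self { state: Mutex::new((initial_rt.to_string(), 0)) } }
    pub fn calls(&self) -> u32 { self.state.lock().unwrap().1 }
}

impl TokenRefresher for FakeIdp {
    fn refresh(&self, _provider: &str, rt: &str) -> Result<RefreshedTokens, String> {
        let mut st = self.state.lock().unwrap();
        if st.0 != rt { return Err("invalid_grant: refresh token revoked or already used".into()); }
        st.1 += 1;
        st.0 = format!("rt-{}", st.1);
        Ok(RefreshedTokens { access_token: format!("at-{}", st.1), refresh_token: Some(st.0.clone()), expires_in: 3600 })
    }
}

/// Constructed sample key for the demo.
pub fn demo_key() -> DelegationKey {
    DelegationKey { tenant: "acme".into(), user: "alice".into(), provider: "gmail".into() }
}

fn main() {
    let store = MemoryDelegatedCredentialStore::new();
    let idp = FakeIdp::new("rt-0");
    store.save(&demo_key(), StoredDelegation { access_token: "at-0".into(), refresh_token: "rt-0".into(), expires_at: 1_000, scopes: vec!["mail.read".into()] });
    let session = StoredDelegationSession::new(&store, &idp, demo_key());
    println!("{:?}", session.get_access_token(500));   // 500 s left: served from the store
    println!("{:?}", session.get_access_token(950));   // within leeway: refreshed and rotated
    println!("{:?}", session.get_access_token(1_000)); // new expiry is 950 + 3600: no refresh
}
```

Two design points worth noting: the rotated refresh token is written back to the store before the bearer is returned, so a crash between the two cannot leave the row holding a refresh token the IdP has already burned; and a refresh failure is surfaced to the caller rather than swallowed, because the only recovery for a revoked refresh token is sending the user back through `begin_grant`.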