1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
//! OIDC Discovery and JWKS Support
//!
//! This module provides `OpenID` Connect discovery and JSON Web Key Set (JWKS)
//! support for validating JWT tokens from any OIDC-compliant provider.
//!
//! Supported providers include:
//! - Auth0
//! - Keycloak
//! - Okta
//! - AWS Cognito
//! - Microsoft Entra ID (Azure AD)
//! - Google Identity
//! - Any OIDC-compliant provider
//!
//! # Architecture
//!
//! ```text
//! JWT Token from Client
//! ↓
//! OidcValidator::validate_token()
//! ├─ Extract kid (key ID) from JWT header
//! ├─ Fetch/cache JWKS from provider
//! ├─ Find matching key by kid
//! ├─ Verify JWT signature
//! └─ Validate claims (iss, aud, exp)
//! ↓
//! AuthenticatedUser (if valid)
//! ```
//!
//! # Example
//!
//! ```no_run
//! // Requires: live OIDC/OAuth2 identity provider.
//! use fraiseql_core::security::oidc::{OidcConfig, OidcValidator};
//!
//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
//! let config = OidcConfig {
//! issuer: "https://your-tenant.auth0.com/".to_string(),
//! audience: Some("your-api-identifier".to_string()),
//! ..Default::default()
//! };
//!
//! let validator = OidcValidator::new(config).await?;
//! let user = validator.validate_token("eyJhbG...").await?;
//! # Ok(())
//! # }
//! ```
pub
pub
pub
pub
// Public re-exports — external callers see no change in paths.
pub use ;
pub use ;
pub use ;
pub use ;
pub use OidcValidator;