jwt-verify 0.1.0

JWT verification library for AWS Cognito tokens and any OIDC-compatible IDP
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216

use std::collections::HashMap;
use std::fmt;
use std::sync::{Arc, RwLock};
use std::time::Duration;

use crate::cognito::config::VerifierConfig;
use crate::common::error::JwtError;
use crate::jwk::provider::JwkProvider;
use jsonwebtoken::Validation;

/// Error types for JWK Provider Registry operations
#[derive(Debug, thiserror::Error)]
pub enum RegistryError {
    /// Provider with the specified ID already exists
    #[error("Provider with ID '{0}' already exists")]
    ProviderAlreadyExists(String),

    /// Provider with the specified ID was not found
    #[error("Provider with ID '{0}' not found")]
    ProviderNotFound(String),

    /// No provider found for the specified issuer
    #[error("No provider found for issuer '{0}'")]
    IssuerNotFound(String),

    /// JWT error occurred
    #[error("JWT error: {0}")]
    JwtError(#[from] JwtError),
}

/// Registry for managing multiple JWK providers
#[derive(Debug)]
pub struct JwkProviderRegistry {
    /// Map of provider IDs to JWK providers
    providers: RwLock<HashMap<String, Arc<JwkProvider>>>,
    /// Map of issuer URLs to provider IDs
    issuer_to_id: RwLock<HashMap<String, String>>,
}

impl JwkProviderRegistry {
    /// Create a new JWK provider registry
    pub fn new() -> Self {
        Self {
            providers: RwLock::new(HashMap::new()),
            issuer_to_id: RwLock::new(HashMap::new()),
        }
    }

    /// Register a new JWK provider
    pub fn register(&self, id: &str, provider: JwkProvider) -> Result<(), RegistryError> {
        let issuer = provider.get_issuer().to_string();

        // Update providers map
        let mut providers = self.providers.write().unwrap();
        if providers.contains_key(id) {
            return Err(RegistryError::ProviderAlreadyExists(id.to_string()));
        }

        // Update issuer to ID map
        let mut issuer_map = self.issuer_to_id.write().unwrap();
        issuer_map.insert(issuer, id.to_string());

        // Add provider to registry
        providers.insert(id.to_string(), Arc::new(provider));

        Ok(())
    }

    /// Create and register a new JWK provider
    pub fn register_new(
        &self,
        id: &str,
        region: &str,
        user_pool_id: &str,
        cache_duration: Duration,
    ) -> Result<(), RegistryError> {
        let provider = JwkProvider::new(region, user_pool_id, cache_duration)?;
        self.register(id, provider)
    }

    /// Get a JWK provider by ID
    pub fn get(&self, id: &str) -> Result<Arc<JwkProvider>, RegistryError> {
        let providers = self.providers.read().unwrap();
        providers
            .get(id)
            .cloned()
            .ok_or_else(|| RegistryError::ProviderNotFound(id.to_string()))
    }

    /// Get a JWK provider by issuer URL
    pub fn get_by_issuer(&self, issuer: &str) -> Result<Arc<JwkProvider>, RegistryError> {
        // Look up the provider ID for this issuer
        let id = self.find_provider_id_by_issuer(issuer)?;

        // Get the provider by ID
        self.get(&id)
    }

    /// Find a provider ID by issuer URL
    pub fn find_provider_id_by_issuer(&self, issuer: &str) -> Result<String, RegistryError> {
        // First, try to get the provider ID directly from the issuer map
        {
            let issuer_map = self.issuer_to_id.read().unwrap();
            if let Some(id) = issuer_map.get(issuer) {
                return Ok(id.clone());
            }
        }

        // If not found in the map, check all providers
        let providers = self.providers.read().unwrap();
        for (id, provider) in providers.iter() {
            if provider.get_issuer() == issuer {
                // Update the issuer map for future lookups
                let mut issuer_map = self.issuer_to_id.write().unwrap();
                issuer_map.insert(issuer.to_string(), id.clone());

                return Ok(id.clone());
            }
        }

        // If still not found, return an error
        Err(RegistryError::IssuerNotFound(issuer.to_string()))
    }

    // Removed default provider methods as we're using issuer-based provider selection only

    /// Remove a JWK provider
    pub fn remove(&self, id: &str) -> Result<(), RegistryError> {
        let mut providers = self.providers.write().unwrap();
        if !providers.contains_key(id) {
            return Err(RegistryError::ProviderNotFound(id.to_string()));
        }

        // Get the issuer for this provider to remove from the issuer map
        let issuer = providers.get(id).map(|p| p.get_issuer().to_string());

        // Remove from providers map
        providers.remove(id);

        // Remove from issuer map if found
        if let Some(issuer) = issuer {
            let mut issuer_map = self.issuer_to_id.write().unwrap();
            issuer_map.remove(&issuer);
        }

        Ok(())
    }

    /// Prefetch keys for all providers
    pub async fn hydrate(&self) -> Vec<(String, Result<(), JwtError>)> {
        let providers = self.providers.read().unwrap();
        let mut results = Vec::new();

        for (id, provider) in providers.iter() {
            let result = provider.prefetch_keys().await;
            results.push((id.clone(), result));
        }

        results
    }

    /// Prefetch keys for a specific provider
    pub async fn prefetch(&self, id: &str) -> Result<(), RegistryError> {
        let provider = self.get(id)?;
        provider.prefetch_keys().await?;
        Ok(())
    }

    /// Get the number of registered providers
    pub fn count(&self) -> usize {
        let providers = self.providers.read().unwrap();
        providers.len()
    }

    /// Check if a provider with the given ID exists
    pub fn contains(&self, id: &str) -> bool {
        let providers = self.providers.read().unwrap();
        providers.contains_key(id)
    }

    /// Get a list of all provider IDs
    pub fn list_ids(&self) -> Vec<String> {
        let providers = self.providers.read().unwrap();
        providers.keys().cloned().collect()
    }

    /// Create a validation object for a specific issuer
    pub fn create_validation_for_issuer(
        &self,
        issuer: &str,
        clock_skew: Duration,
        client_ids: &Vec<String>,
    ) -> Result<Validation, RegistryError> {
        // Find provider for issuer
        let provider = self.get_by_issuer(issuer)?;

        // Create validation
        let mut validation = Validation::new(jsonwebtoken::Algorithm::RS256);

        validation.set_issuer(&[provider.get_issuer().to_string()]);
        validation.set_audience(client_ids);
        validation.set_required_spec_claims(&["exp", "iat", "iss", "sub"]);
        validation.validate_exp = true;
        validation.validate_nbf = true;
        validation.validate_aud = true;
        validation.leeway = clock_skew.as_secs() as u64;

        Ok(validation)
    }
}

impl Default for JwkProviderRegistry {
    fn default() -> Self {
        Self::new()
    }
}