oxidite-auth 2.3.0

Authentication and authorization for Oxidite (RBAC, JWT, OAuth2, 2FA, API keys)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

use serde::{Deserialize, Serialize};
use url::Url;
use reqwest::Client;
use base64::{Engine as _, engine::general_purpose};
use crate::{AuthError, Result};

/// OAuth2 client configuration
#[derive(Clone, Debug)]
pub struct OAuth2Config {
    pub client_id: String,
    pub client_secret: String,
    pub redirect_uri: String,
    pub authorization_endpoint: String,
    pub token_endpoint: String,
    pub userinfo_endpoint: Option<String>,
    pub scopes: Vec<String>,
}

/// OAuth2 client
pub struct OAuth2Client {
    config: OAuth2Config,
    http_client: Client,
}

impl OAuth2Client {
    pub fn new(config: OAuth2Config) -> Self {
        Self {
            config,
            http_client: Client::new(),
        }
    }

    /// Generate authorization URL with PKCE
    pub fn authorization_url(&self, state: &str, code_challenge: Option<&str>) -> Result<String> {
        let mut url = Url::parse(&self.config.authorization_endpoint)
            .map_err(|e| AuthError::HashError(e.to_string()))?;

        url.query_pairs_mut()
            .append_pair("client_id", &self.config.client_id)
            .append_pair("redirect_uri", &self.config.redirect_uri)
            .append_pair("response_type", "code")
            .append_pair("state", state)
            .append_pair("scope", &self.config.scopes.join(" "));

        if let Some(challenge) = code_challenge {
            url.query_pairs_mut()
                .append_pair("code_challenge", challenge)
                .append_pair("code_challenge_method", "S256");
        }

        Ok(url.to_string())
    }

    /// Exchange authorization code for access token
    pub async fn exchange_code(&self, code: &str, code_verifier: Option<&str>) -> Result<TokenResponse> {
        let mut params = vec![
            ("grant_type", "authorization_code"),
            ("code", code),
            ("redirect_uri", &self.config.redirect_uri),
            ("client_id", &self.config.client_id),
            ("client_secret", &self.config.client_secret),
        ];

        if let Some(verifier) = code_verifier {
            params.push(("code_verifier", verifier));
        }

        let response = self.http_client
            .post(&self.config.token_endpoint)
            .form(&params)
            .send()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        let token_response: TokenResponse = response
            .json()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        Ok(token_response)
    }

    /// Get user info from the provider's userinfo endpoint
    pub async fn get_userinfo(&self, access_token: &str) -> Result<serde_json::Value> {
        let endpoint = self.config.userinfo_endpoint.as_ref()
            .ok_or_else(|| AuthError::TokenError("Userinfo endpoint not configured".to_string()))?;

        let response = self.http_client
            .get(endpoint)
            .bearer_auth(access_token)
            .send()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        let userinfo = response
            .json::<serde_json::Value>()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        Ok(userinfo)
    }

    /// Refresh access token
    pub async fn refresh_token(&self, refresh_token: &str) -> Result<TokenResponse> {
        let params = vec![
            ("grant_type", "refresh_token"),
            ("refresh_token", refresh_token),
            ("client_id", &self.config.client_id),
            ("client_secret", &self.config.client_secret),
        ];

        let response = self.http_client
            .post(&self.config.token_endpoint)
            .form(&params)
            .send()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        let token_response: TokenResponse = response
            .json()
            .await
            .map_err(|e| AuthError::TokenError(e.to_string()))?;

        Ok(token_response)
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenResponse {
    pub access_token: String,
    pub token_type: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expires_in: Option<u64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub refresh_token: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scope: Option<String>,
}

/// Generate PKCE code verifier and challenge
pub fn generate_pkce() -> (String, String) {
    use rand::{Rng, distr::{Alphanumeric}};
    
    let verifier: String = rand::rng()
        .sample_iter(Alphanumeric)
        .take(128)
        .map(char::from)
        .collect();

    let challenge = general_purpose::URL_SAFE_NO_PAD.encode(
        ring::digest::digest(&ring::digest::SHA256, verifier.as_bytes()).as_ref()
    );

    (verifier, challenge)
}