pas-external 0.10.0

Ppoppo Accounts System (PAS) external SDK — OAuth2 PKCE, JWT verification port, Axum middleware, session liveness
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

//! γ port-and-adapter SDK boundary for OpenID Connect Relying Party
//! (RP) integration.
//!
//! Phase 10.11 — sibling of [`crate::token`]. Where `token::*` exposes
//! the [`BearerVerifier`](crate::token::BearerVerifier) port for RFC 9068
//! access-token verification (the resource-server side of OAuth), this
//! module exposes [`IdTokenVerifier`] for OIDC id_token verification
//! (the user-authentication side). The two are intentionally disjoint:
//! id_tokens authenticate the user *to the RP*, access_tokens authorize
//! the RP *to the resource server* (OIDC Core §1.2 / RFC 9068 §1).
//!
//! Phase 11.A — adds [`RelyingParty<S>`] composition root + the
//! [`StateStore`] port + `discovery` primitive. The verify-half
//! ([`IdTokenVerifier`] + [`PasIdTokenVerifier`]) stays as the
//! resource-side surface; [`RelyingParty<S>`] composes both halves
//! (start_authorization → callback completion) for the user-flow side.
//!
//! ── Module layout — mirrors [`crate::token`] for parallel structure ─────
//!
//! - [`port`] — [`IdTokenVerifier`], [`IdAssertion`], [`IdVerifyError`]
//!   (always compiled when `token` feature is on; depends on engine
//!   `ScopeSet` / `Nonce` types).
//! - [`verifier`] — [`PasIdTokenVerifier<S>`] production adapter (gated
//!   `well-known-fetch`; depends on the engine's id_token verify entry
//!   and a TTL-cached JWKS).
//! - [`memory`] — [`MemoryIdTokenVerifier<S>`] +
//!   [`InMemoryStateStore`] test-support adapters (gated
//!   `cfg(any(test, feature = "test-support"))`).
//! - [`state_store`] — [`StateStore`] port + value types ([`Config`],
//!   [`State`], [`RelativePath`], [`PendingAuthRequest`],
//!   [`AuthorizationRedirect`], [`CallbackParams`], [`Completion<S>`])
//!   (gated `feature = "oauth"` + `feature = "token"`; Phase 11.A).
//! - [`discovery`] — `fetch_discovery` primitive for OIDC
//!   well-known-openid-configuration documents (gated
//!   `feature = "well-known-fetch"`; Phase 11.A).
//! - [`relying_party`] — [`RelyingParty<S>`] composition root (gated
//!   `feature = "well-known-fetch"`; Phase 11.A skeleton, Phase 11.B
//!   impl).
//!
//! ── Phase 9 inheritance — [`AuditSink`] reuse ───────────────────────────
//!
//! Verify-failure emission travels through the same
//! [`AuditSink`](crate::AuditSink) port that [`PasJwtVerifier`](crate::PasJwtVerifier)
//! uses. One audit pipeline serves both verifiers; consumers pass the
//! same `Arc<dyn AuditSink>` to both `with_audit` builders. The
//! [`VerifyErrorKind`](crate::VerifyErrorKind) enum gains an
//! `IdToken(_)` nested variant in 10.11.B so dashboard pivots can
//! filter "all id_token failures" with a single match arm.
//!
//! ── Scope re-exports ────────────────────────────────────────────────────
//!
//! The engine's [`scopes`](ppoppo_token::id_token::scopes) markers are
//! re-exported here so consumers reach them via the SDK boundary:
//!
//! ```ignore
//! use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};
//! ```
//!
//! rather than depending on `ppoppo-token` directly. This preserves the
//! γ invariant: the engine type never crosses the SDK boundary except
//! through SDK-shaped re-exports.

#[cfg(feature = "token")]
pub mod port;

#[cfg(feature = "well-known-fetch")]
pub(crate) mod verifier;

#[cfg(all(feature = "token", feature = "oauth"))]
pub mod state_store;

#[cfg(feature = "well-known-fetch")]
pub mod discovery;

#[cfg(feature = "well-known-fetch")]
pub mod relying_party;

#[cfg(feature = "well-known-fetch")]
pub mod refresh_outcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub mod memory;

// Phase 11.X.C — perimeter `BearerAuthLayer` lifted from chat-auth +
// RCW + CTW (N=3 evidence). Lives in its own submodule so the namespace
// signals "axum-framework adapter for the OIDC perimeter" vs the
// generic `oidc::*` (id_token verify-half, RP composition root). No
// crate-level or `oidc::*`-level re-export — consumers import via the
// explicit `pas_external::oidc::axum::*` path so the framework
// dependency is visible at the import site. See
// `RFC_2026-05-07_oidc-rp-phase-11x-rcw-ctw-migration.md` §11.
#[cfg(feature = "axum")]
pub mod axum;

#[cfg(feature = "token")]
pub use port::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, ScopePiiReader};

#[cfg(all(feature = "token", feature = "oauth"))]
pub use state_store::{
    AuthorizationRedirect, CallbackParams, Completion, Config, PendingAuthRequest, RelativePath,
    RelativePathError, State, StateStore, StateStoreError,
};

#[cfg(feature = "well-known-fetch")]
pub use discovery::{fetch_discovery, Discovery, DiscoveryError};

#[cfg(feature = "well-known-fetch")]
pub use relying_party::{
    CallbackError, RefreshError, RelyingParty, RelyingPartyInitError, RequestedScope, StartError,
};

#[cfg(feature = "well-known-fetch")]
pub use refresh_outcome::RefreshOutcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use memory::MemoryIdTokenVerifier;

#[cfg(all(
    feature = "token",
    feature = "oauth",
    any(test, feature = "test-support")
))]
pub use memory::InMemoryStateStore;

// Engine re-exports — consumers reach scope markers + Nonce via the SDK
// boundary rather than depending on `ppoppo-token` directly.
#[cfg(feature = "token")]
pub use ppoppo_token::id_token::{
    Nonce,
    scopes::{
        Email, EmailProfile, EmailProfilePhone, EmailProfilePhoneAddress, HasAddress, HasEmail,
        HasPhone, HasProfile, Openid, Profile, ScopeSet,
    },
};