Skip to main content

pas_external/oidc/
mod.rs

1//! γ port-and-adapter SDK boundary for OpenID Connect Relying Party
2//! (RP) integration.
3//!
4//! Phase 10.11 — sibling of [`crate::token`]. Where `token::*` exposes
5//! the [`BearerVerifier`](crate::BearerVerifier) port for RFC 9068
6//! access-token verification (the resource-server side of OAuth), this
7//! module exposes [`IdTokenVerifier`] for OIDC id_token verification
8//! (the user-authentication side). The two are intentionally disjoint:
9//! id_tokens authenticate the user *to the RP*, access_tokens authorize
10//! the RP *to the resource server* (OIDC Core §1.2 / RFC 9068 §1).
11//!
12//! Phase 11.A — adds [`RelyingParty<S>`] composition root + the
13//! [`StateStore`] port + `discovery` primitive. The verify-half
14//! ([`IdTokenVerifier`] + [`PasIdTokenVerifier`]) stays as the
15//! resource-side surface; [`RelyingParty<S>`] composes both halves
16//! (start_authorization → callback completion) for the user-flow side.
17//!
18//! ── Module layout — mirrors [`crate::token`] for parallel structure ─────
19//!
20//! - [`port`] — [`IdTokenVerifier`], [`IdAssertion`], [`IdVerifyError`]
21//!   (always compiled when `token` feature is on; depends on engine
22//!   `ScopeSet` / `Nonce` types).
23//! - [`verifier`] — [`PasIdTokenVerifier<S>`] production adapter (gated
24//!   `well-known-fetch`; depends on the engine's id_token verify entry
25//!   and a TTL-cached JWKS).
26//! - [`memory`] — [`MemoryIdTokenVerifier<S>`] +
27//!   [`InMemoryStateStore`] test-support adapters (gated
28//!   `cfg(any(test, feature = "test-support"))`).
29//! - [`state_store`] — [`StateStore`] port + value types ([`Config`],
30//!   [`State`], [`RelativePath`], [`PendingAuthRequest`],
31//!   [`AuthorizationRedirect`], [`CallbackParams`], [`Completion<S>`])
32//!   (gated `feature = "oauth"` + `feature = "token"`; Phase 11.A).
33//! - [`discovery`] — `fetch_discovery` primitive for OIDC
34//!   well-known-openid-configuration documents (gated
35//!   `feature = "well-known-fetch"`; Phase 11.A).
36//! - [`relying_party`] — [`RelyingParty<S>`] composition root (gated
37//!   `feature = "well-known-fetch"`; Phase 11.A skeleton, Phase 11.B
38//!   impl).
39//!
40//! ── AuditSink — access-token verifier only ──────────────────────────────
41//!
42//! Verify-failure audit emission lives on the public access-token
43//! [`PasJwtVerifier`](crate::JwtVerifier) surface (its `with_audit`
44//! builder). The `pub(crate)` id_token `PasIdTokenVerifier` does not
45//! emit audit events: it is reachable only through [`RelyingParty<S>`],
46//! which wires no sink, so the emission path was removed rather than
47//! left unreachable. The shared [`AuditSink`](crate::AuditSink) port and
48//! the [`VerifyErrorKind`](crate::VerifyErrorKind) vocabulary (including
49//! its `IdToken(_)` variant) remain available for the access-token
50//! surface.
51//!
52//! ── Scope re-exports ────────────────────────────────────────────────────
53//!
54//! The engine's [`scopes`](ppoppo_token::id_token::scopes) markers are
55//! re-exported here so consumers reach them via the SDK boundary:
56//!
57//! ```ignore
58//! use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};
59//! ```
60//!
61//! rather than depending on `ppoppo-token` directly. This preserves the
62//! γ invariant: the engine type never crosses the SDK boundary except
63//! through SDK-shaped re-exports.
64
65#[cfg(feature = "token")]
66pub mod port;
67
68#[cfg(feature = "well-known-fetch")]
69pub(crate) mod verifier;
70
71#[cfg(all(feature = "token", feature = "oauth"))]
72pub mod state_store;
73
74/// Thin re-export of `ppoppo_sdk_core::discovery::*` — Phase A Slice 2
75/// moved the primitive to sdk-core so any RP composition root (today
76/// pas-external; tomorrow pas-plims / pcs-external) consumes the same
77/// `fetch_discovery` + `Discovery` + `DiscoveryError` shapes.
78#[cfg(feature = "well-known-fetch")]
79pub mod discovery {
80    pub use ::ppoppo_sdk_core::discovery::*;
81}
82
83#[cfg(feature = "well-known-fetch")]
84pub mod relying_party;
85
86#[cfg(feature = "well-known-fetch")]
87pub mod refresh_outcome;
88
89#[cfg(all(feature = "token", any(test, feature = "test-support")))]
90pub mod memory;
91
92// Phase A Slice 4 — perimeter `BearerAuthLayer` Layer kit moved to
93// `ppoppo_sdk_core::bearer::*` so 1st-party services (chat-auth) can
94// import direct (audit decision B). pas-external re-exports the kit at
95// the crate root as `pas_external::bearer::*` for 3rd-party RCW/CTW
96// consumers (audit decision D — 1-level role-named module, no nesting).
97// No `oidc::axum::*` namespace remains — see crate root `bearer` module
98// in this crate's `lib.rs`.
99
100#[cfg(feature = "token")]
101pub use port::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, ScopePiiReader};
102
103#[cfg(all(feature = "token", feature = "oauth"))]
104pub use state_store::{
105    AuthorizationRedirect, CallbackParams, Completion, Config, PendingAuthRequest, RelativePath,
106    RelativePathError, State, StateStore, StateStoreError,
107};
108
109#[cfg(feature = "well-known-fetch")]
110pub use discovery::{fetch_discovery, Discovery, DiscoveryError};
111
112#[cfg(feature = "well-known-fetch")]
113pub use relying_party::{
114    CallbackError, EndSessionError, RefreshError, RelyingParty, RelyingPartyInitError,
115    RequestedScope, StartError,
116};
117
118#[cfg(feature = "well-known-fetch")]
119pub use refresh_outcome::RefreshOutcome;
120
121#[cfg(all(feature = "token", any(test, feature = "test-support")))]
122pub use memory::MemoryIdTokenVerifier;
123
124#[cfg(all(
125    feature = "token",
126    feature = "oauth",
127    any(test, feature = "test-support")
128))]
129pub use memory::InMemoryStateStore;
130
131// Engine re-exports — consumers reach scope markers + Nonce via the SDK
132// boundary rather than depending on `ppoppo-token` directly.
133#[cfg(feature = "token")]
134pub use ppoppo_token::id_token::{
135    Nonce,
136    scopes::{
137        Email, EmailProfile, EmailProfilePhone, EmailProfilePhoneAddress, HasAddress, HasEmail,
138        HasPhone, HasProfile, Openid, Profile, ScopeSet,
139    },
140};