pas_external/oidc/mod.rs
1//! γ port-and-adapter SDK boundary for OpenID Connect Relying Party
2//! (RP) integration.
3//!
4//! Phase 10.11 — sibling of [`crate::token`]. Where `token::*` exposes
5//! the [`BearerVerifier`](crate::token::BearerVerifier) port for RFC 9068
6//! access-token verification (the resource-server side of OAuth), this
7//! module exposes [`IdTokenVerifier`] for OIDC id_token verification
//! (the user-authentication side). The two are intentionally disjoint:
//! id_tokens authenticate the user *to the RP*, access_tokens authorize
//! the RP *to the resource server* (OIDC Core §1.2 / RFC 9068 §1). The
//! split is a security boundary, not just a naming one: a token of one
//! kind must not be accepted where the other is expected (token-type
//! confusion). A resource server must never take an id_token as a bearer
//! credential, and an RP must never treat an access_token as proof that
//! a user authenticated.
11//!
12//! ── Module layout — mirrors [`crate::token`] for parallel structure ─────
13//!
//! - [`port`] — [`IdTokenVerifier`], [`IdAssertion`], [`IdVerifyError`],
//! plus [`Address`] and [`ScopePiiReader`], all re-exported at this
//! level (compiled whenever the `token` feature is on; depends on the
//! engine's `ScopeSet` / `Nonce` types).
17//! - [`verifier`] — [`PasIdTokenVerifier<S>`] production adapter (gated
18//! `well-known-fetch`; depends on the engine's id_token verify entry
19//! and a TTL-cached JWKS).
//! - [`memory`] — [`MemoryIdTokenVerifier<S>`] test-support adapter
//! (gated `cfg(all(feature = "token", any(test, feature = "test-support")))`).
//! It exists for tests only: `test-support` must not be enabled in a
//! release artifact, or the in-memory adapter becomes linkable from
//! production wiring.
22//!
23//! ── Phase 9 inheritance — [`AuditSink`] reuse ───────────────────────────
24//!
25//! Verify-failure emission travels through the same
26//! [`AuditSink`](crate::AuditSink) port that [`PasJwtVerifier`](crate::PasJwtVerifier)
27//! uses. One audit pipeline serves both verifiers; consumers pass the
28//! same `Arc<dyn AuditSink>` to both `with_audit` builders. The
29//! [`VerifyErrorKind`](crate::VerifyErrorKind) enum gains an
30//! `IdToken(_)` nested variant in 10.11.B so dashboard pivots can
31//! filter "all id_token failures" with a single match arm.
32//!
33//! ── Scope re-exports ────────────────────────────────────────────────────
34//!
//! The engine's [`scopes`](ppoppo_token::id_token::scopes) markers — and,
//! for the same reason, [`ScopeSet`] and [`Nonce`] (the OIDC Core
//! §3.1.3.7 replay binding: the RP is expected to mint a fresh value per
//! authentication request, tie it to the session, and hand the expected
//! value to the verifier; see [`port`] for the exact contract) — are
//! re-exported here so consumers reach them via the SDK boundary:
37//!
38//! ```ignore
39//! use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};
40//! ```
41//!
42//! rather than depending on `ppoppo-token` directly. This preserves the
43//! γ invariant: the engine type never crosses the SDK boundary except
44//! through SDK-shaped re-exports.
45
// Port types (verifier trait, assertion, error). Gated on `token` because
// they depend on engine `ScopeSet` / `Nonce` types.
#[cfg(feature = "token")]
pub mod port;

// Production adapter (JWKS-backed).
// NOTE(review): gated on `well-known-fetch` alone, while `port` — which it
// needs — is gated on `token`. This assumes Cargo.toml declares
// `well-known-fetch` as implying `token`; confirm, otherwise building with
// only `well-known-fetch` fails to resolve `port`.
#[cfg(feature = "well-known-fetch")]
pub mod verifier;

// Test-only adapter. Requires `token` AND a test context; `test-support`
// must never be on in a release build.
#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub mod memory;

// SDK-level re-exports so downstreams import from `pas_external::oidc`
// directly. Each carries the same gate as the module it comes from.
#[cfg(feature = "token")]
pub use port::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, ScopePiiReader};

#[cfg(feature = "well-known-fetch")]
pub use verifier::PasIdTokenVerifier;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use memory::MemoryIdTokenVerifier;

// Engine re-exports — consumers reach scope markers + Nonce via the SDK
// boundary rather than depending on `ppoppo-token` directly.
// Every name added here widens the SDK surface; keep it to scope markers
// and newtypes (as below), not engine verify internals, so the engine
// type never crosses the boundary except in SDK-shaped form.
#[cfg(feature = "token")]
pub use ppoppo_token::id_token::{
    Nonce,
    scopes::{
        Email, EmailProfile, EmailProfilePhone, EmailProfilePhoneAddress, HasAddress, HasEmail,
        HasPhone, HasProfile, Openid, Profile, ScopeSet,
    },
};