pas_external/oidc/

mod.rs

//! γ port-and-adapter SDK boundary for OpenID Connect Relying Party
//! (RP) integration.
//!
//! Phase 10.11 — sibling of [`crate::token`]. Where `token::*` exposes
//! the [`BearerVerifier`](crate::token::BearerVerifier) port for RFC 9068
//! access-token verification (the resource-server side of OAuth), this
//! module exposes [`IdTokenVerifier`] for OIDC id_token verification
//! (the user-authentication side). The two are intentionally disjoint:
//! id_tokens authenticate the user *to the RP*, access_tokens authorize
//! the RP *to the resource server* (OIDC Core §1.2 / RFC 9068 §1).
//!
//! Phase 11.A — adds [`RelyingParty<S>`] composition root + the
//! [`StateStore`] port + `discovery` primitive. The verify-half
//! ([`IdTokenVerifier`] + [`PasIdTokenVerifier`]) stays as the
//! resource-side surface; [`RelyingParty<S>`] composes both halves
//! (start_authorization → callback completion) for the user-flow side.
//!
//! ── Module layout — mirrors [`crate::token`] for parallel structure ─────
//!
//! - [`port`] — [`IdTokenVerifier`], [`IdAssertion`], [`IdVerifyError`]
//!   (always compiled when `token` feature is on; depends on engine
//!   `ScopeSet` / `Nonce` types).
//! - [`verifier`] — [`PasIdTokenVerifier<S>`] production adapter (gated
//!   `well-known-fetch`; depends on the engine's id_token verify entry
//!   and a TTL-cached JWKS).
//! - [`memory`] — [`MemoryIdTokenVerifier<S>`] +
//!   [`InMemoryStateStore`] test-support adapters (gated
//!   `cfg(any(test, feature = "test-support"))`).
//! - [`state_store`] — [`StateStore`] port + value types ([`Config`],
//!   [`State`], [`RelativePath`], [`PendingAuthRequest`],
//!   [`AuthorizationRedirect`], [`CallbackParams`], [`Completion<S>`])
//!   (gated `feature = "oauth"` + `feature = "token"`; Phase 11.A).
//! - [`discovery`] — `fetch_discovery` primitive for OIDC
//!   well-known-openid-configuration documents (gated
//!   `feature = "well-known-fetch"`; Phase 11.A).
//! - [`relying_party`] — [`RelyingParty<S>`] composition root (gated
//!   `feature = "well-known-fetch"`; Phase 11.A skeleton, Phase 11.B
//!   impl).
//!
//! ── Phase 9 inheritance — [`AuditSink`] reuse ───────────────────────────
//!
//! Verify-failure emission travels through the same
//! [`AuditSink`](crate::AuditSink) port that [`PasJwtVerifier`](crate::PasJwtVerifier)
//! uses. One audit pipeline serves both verifiers; consumers pass the
//! same `Arc<dyn AuditSink>` to both `with_audit` builders. The
//! [`VerifyErrorKind`](crate::VerifyErrorKind) enum gains an
//! `IdToken(_)` nested variant in 10.11.B so dashboard pivots can
//! filter "all id_token failures" with a single match arm.
//!
//! ── Scope re-exports ────────────────────────────────────────────────────
//!
//! The engine's [`scopes`](ppoppo_token::id_token::scopes) markers are
//! re-exported here so consumers reach them via the SDK boundary:
//!
//! ```ignore
//! use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};
//! ```
//!
//! rather than depending on `ppoppo-token` directly. This preserves the
//! γ invariant: the engine type never crosses the SDK boundary except
//! through SDK-shaped re-exports.

#[cfg(feature = "token")]
pub mod port;

#[cfg(feature = "well-known-fetch")]
pub(crate) mod verifier;

#[cfg(all(feature = "token", feature = "oauth"))]
pub mod state_store;

#[cfg(feature = "well-known-fetch")]
pub mod discovery;

#[cfg(feature = "well-known-fetch")]
pub mod relying_party;

#[cfg(feature = "well-known-fetch")]
pub mod refresh_outcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub mod memory;

// Phase 11.X.C — perimeter `BearerAuthLayer` lifted from chat-auth +
// RCW + CTW (N=3 evidence). Lives in its own submodule so the namespace
// signals "axum-framework adapter for the OIDC perimeter" vs the
// generic `oidc::*` (id_token verify-half, RP composition root). No
// crate-level or `oidc::*`-level re-export — consumers import via the
// explicit `pas_external::oidc::axum::*` path so the framework
// dependency is visible at the import site. See
// `RFC_2026-05-07_oidc-rp-phase-11x-rcw-ctw-migration.md` §11.
#[cfg(feature = "axum")]
pub mod axum;

#[cfg(feature = "token")]
pub use port::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, ScopePiiReader};

#[cfg(all(feature = "token", feature = "oauth"))]
pub use state_store::{
    AuthorizationRedirect, CallbackParams, Completion, Config, PendingAuthRequest, RelativePath,
    RelativePathError, State, StateStore, StateStoreError,
};

#[cfg(feature = "well-known-fetch")]
pub use discovery::{fetch_discovery, Discovery, DiscoveryError};

#[cfg(feature = "well-known-fetch")]
pub use relying_party::{
    CallbackError, RefreshError, RelyingParty, RelyingPartyInitError, RequestedScope, StartError,
};

#[cfg(feature = "well-known-fetch")]
pub use refresh_outcome::RefreshOutcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use memory::MemoryIdTokenVerifier;

#[cfg(all(
    feature = "token",
    feature = "oauth",
    any(test, feature = "test-support")
))]
pub use memory::InMemoryStateStore;

// Engine re-exports — consumers reach scope markers + Nonce via the SDK
// boundary rather than depending on `ppoppo-token` directly.
#[cfg(feature = "token")]
pub use ppoppo_token::id_token::{
    Nonce,
    scopes::{
        Email, EmailProfile, EmailProfilePhone, EmailProfilePhoneAddress, HasAddress, HasEmail,
        HasPhone, HasProfile, Openid, Profile, ScopeSet,
    },
};