1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
//! M67 — id_token at_hash binding (OIDC Core 1.0 §3.1.3.8).
//!
//! Defends against access-token substitution: when an authorization
//! response carries both an id_token and an access_token, the id_token's
//! `at_hash` claim binds the two together. An attacker cannot swap in a
//! different access_token without either re-issuing the id_token (which
//! requires the IdP's signing key) or stripping the binding (which
//! `AtHashMissing` catches).
//!
//! ── Opt-in semantics ────────────────────────────────────────────────────
//!
//! Engine inspects `at_hash` only when the verifier supplied an expected
//! access_token via `VerifyConfig::with_access_token_binding`. Pure code
//! flow consumers (today: RCW/CTW) leave the binding unset and the
//! engine returns `Ok(())` without touching the claim — at_hash is
//! conditionally required by RFC, never universally.
//!
//! ── Composition ─────────────────────────────────────────────────────────
//!
//! Cryptography lives in `engine::hash_binding`. This module is a thin
//! adapter that maps `HashBindingError` → `id_token::AuthError` (the
//! profile-specific carrier). The same shape is mirrored at `check_c_hash`
//! for M68; consolidating them into one file would couple two distinct
//! mitigation rows behind one entry-point and break the codebase's
//! per-row file convention (see `check_nonce.rs`, `check_replay.rs`).
use crate;
use crate;
pub