rauthy-client 0.14.0

Client for the Rauthy OIDC IAM project
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167

use crate::provider::OidcProvider;
use crate::rauthy_error::RauthyError;
use crate::tokens::token::JwtToken;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;

#[derive(Debug, Serialize, Deserialize)]
pub struct JktClaim {
    pub jkt: String,
}

#[derive(Debug, Serialize, Deserialize)]
pub struct CommonClaims {
    pub iat: i64,
    pub nbf: i64,
    pub exp: i64,
    pub iss: String,
    pub jti: Option<String>,
    pub aud: String,
    pub sub: Option<String>,
    // pub nonce: Option<&'a str>,
    pub typ: TokenType,
    pub azp: String,
    pub scope: Option<String>,
    pub did: Option<String>,
    pub cnf: Option<JktClaim>,
}

#[derive(Debug, Default, Serialize, Deserialize)]
pub struct AddressClaim {
    pub formatted: String,
    pub street_address: Option<String>,
    pub locality: Option<String>,
    // pub region: Option<String>,
    pub postal_code: Option<String>,
    pub country: Option<String>,
}

#[derive(Debug, Serialize, Deserialize)]
pub struct AccessToken {
    #[serde(flatten)]
    pub common: CommonClaims,

    // pub scope: &'a str,
    pub allowed_origins: Option<Vec<String>>,
    // user part
    pub email: Option<String>,
    pub roles: Option<Vec<String>>,
    pub groups: Option<Vec<String>>,
    pub custom: Option<HashMap<String, serde_json::Value>>,
}

impl AccessToken {
    #[inline(always)]
    pub async fn from_token_validated(token: &str) -> Result<Self, RauthyError> {
        let mut buf = Vec::with_capacity(1024);
        Self::from_token_validated_buf(token, &mut buf).await
    }

    #[inline(always)]
    pub async fn from_token_validated_buf(
        token: &str,
        buf: &mut Vec<u8>,
    ) -> Result<Self, RauthyError> {
        JwtToken::validate_claims_into(token, Some(TokenType::Bearer), buf).await?;
        let slf = serde_json::from_slice::<Self>(buf)?;

        Ok(slf)
    }
}

#[derive(Debug, Serialize, Deserialize)]
pub struct IdToken {
    #[serde(flatten)]
    pub common: CommonClaims,

    pub amr: Vec<String>,
    pub auth_time: i64,
    pub at_hash: String,
    pub sid: Option<String>,
    pub email: Option<String>,
    pub email_verified: Option<bool>,
    pub preferred_username: Option<String>,
    pub given_name: Option<String>,
    pub family_name: Option<String>,
    pub address: Option<AddressClaim>,
    pub birthdate: Option<String>,
    pub picture: Option<String>,
    pub locale: Option<String>,
    pub nonce: Option<String>,
    pub phone_number: Option<String>,
    pub phone_number_verified: Option<bool>,
    pub roles: Vec<String>,
    pub groups: Option<Vec<String>>,
    pub custom: Option<HashMap<String, serde_json::Value>>,
    pub webid: Option<String>,
    pub zoneinfo: Option<String>,
}

impl IdToken {
    #[inline(always)]
    pub async fn from_token_validated(token: &str, nonce: &str) -> Result<Self, RauthyError> {
        let mut buf = Vec::with_capacity(1024);
        Self::from_token_validated_buf(token, nonce, &mut buf).await
    }

    #[inline(always)]
    pub async fn from_token_validated_buf(
        token: &str,
        nonce: &str,
        buf: &mut Vec<u8>,
    ) -> Result<Self, RauthyError> {
        JwtToken::validate_claims_into(token, Some(TokenType::Id), buf).await?;
        let slf = serde_json::from_slice::<Self>(buf)?;

        if OidcProvider::config()?.email_verified && slf.email_verified != Some(true) {
            return Err(RauthyError::InvalidClaims("'email_verified' is false"));
        }
        // we want to validate the nonce manually each time for more efficiency
        if slf.nonce.as_deref() != Some(nonce) {
            return Err(RauthyError::InvalidClaims("'nonce' is not correct"));
        }

        Ok(slf)
    }
}

#[derive(Debug, Serialize, Deserialize)]
pub struct RefreshToken {
    #[serde(flatten)]
    pub common: CommonClaims,

    pub uid: String,
    pub auth_time: Option<i64>,
}

/// Rauthy-supported token types. This client however does currently not support `DPoP`.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum TokenType {
    Bearer,
    DPoP,
    Id,
    Refresh,
    #[cfg(feature = "backchannel-logout")]
    #[serde(rename = "logout+jwt")]
    Logout,
}

impl TokenType {
    pub fn as_str(&self) -> &str {
        match self {
            Self::Bearer => "Bearer",
            Self::DPoP => "DPoP",
            Self::Id => "Id",
            #[cfg(feature = "backchannel-logout")]
            Self::Logout => "logout+jwt",
            Self::Refresh => "Refresh",
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all(serialize = "lowercase"))]
pub enum JwtAmrValue {
    Pwd,
    Mfa,
}