Struct OIDCClient 

pub struct OIDCClient {
    pub config: OIDCProviderConfig,
    pub client_id: String,
    pub jwks_cache: Arc<JwksCache>,
    /* private fields */
}

OIDC client for OpenID Connect flow.

Fields

config: OIDCProviderConfig

Provider configuration.

client_id: String

Client ID.

jwks_cache: Arc<JwksCache>

JWKS key cache for ID token signature verification.

Implementations

impl OIDCClient

pub fn new( config: OIDCProviderConfig, client_id: impl Into<String>, client_secret: impl Into<String>, ) -> Result<Self, JwksError>

Create new OIDC client with JWKS caching.

The JWKS cache TTL defaults to 1 hour.

Errors

Returns JwksError if config.jwks_uri is not a valid HTTPS URL (HTTP is allowed only for localhost).

pub fn with_jwks_cache( config: OIDCProviderConfig, client_id: impl Into<String>, client_secret: impl Into<String>, jwks_cache: Arc<JwksCache>, ) -> Self

Create OIDC client with a pre-built JWKS cache (for testing).

pub fn authorization_url(&self, redirect_uri: &str) -> AuthorizationRequest

Generate an OIDC authorization URL with a fresh nonce for replay protection.

This extends the standard OAuth2 flow by appending a nonce parameter to the authorization URL. The returned AuthorizationRequest::nonce must be stored (e.g. in the encrypted session state) and passed to verify_id_token at callback time.

PKCE is always enabled for OIDC flows started via this method.

pub async fn verify_id_token( &self, id_token: &str, expected_nonce: Option<&str>, max_age_secs: Option<u64>, ) -> Result<IdTokenClaims, String>

Verify an ID token’s JWT signature and claims.

Decodes the JWT header to extract the kid, fetches the matching public key from the JWKS cache, then validates signature, issuer, audience, and required claims.

Nonce: when expected_nonce is Some, the token’s nonce claim must match exactly. When it is None but the token contains a nonce claim, validation still succeeds — callers that generated the authorization URL via authorization_url MUST pass the stored nonce here.

max_age: when max_age_secs is Some, the token’s auth_time claim is required and must be within max_age_secs seconds of the current time. This prevents accepting tokens from sessions that were authenticated too long ago (RFC 6749 §3.1.2.1 / OIDC Core §3.1.2.1).

Errors

Returns an error if the token is malformed, the signature is invalid, claims validation fails, the nonce doesn’t match, or the auth_time / max_age constraint is violated.

pub async fn get_userinfo(&self, access_token: &str) -> Result<UserInfo, String>

Fetch user information from the provider’s userinfo endpoint.

Errors

Returns an error if no userinfo endpoint is configured, the HTTP request fails, or the response cannot be parsed.

Trait Implementations

impl Debug for OIDCClient

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.