pub struct OidcValidator { /* private fields */ }Expand description
OIDC token validator with JWKS caching.
Validates JWT tokens against an OIDC provider’s public keys. Automatically fetches and caches the JWKS for efficiency.
JWKS fetch/cache/key-selection helpers are in impl OidcValidator blocks
defined in the jwks sub-module.
Implementations§
Source§impl OidcValidator
impl OidcValidator
Sourcepub async fn new(config: OidcConfig) -> Result<Self, SecurityError>
pub async fn new(config: OidcConfig) -> Result<Self, SecurityError>
Create a new OIDC validator.
This will perform OIDC discovery to find the JWKS URI
unless jwks_uri is explicitly set in config.
§Errors
Returns error if:
- Config validation fails
- OIDC discovery fails
- JWKS endpoint cannot be determined
Sourcepub fn with_jwks_uri(config: OidcConfig, jwks_uri: String) -> Self
pub fn with_jwks_uri(config: OidcConfig, jwks_uri: String) -> Self
Create a validator without performing discovery.
Use this for testing or when you have the JWKS URI directly.
§Panics
Panics if the platform TLS backend is unavailable for the HTTP client. This would indicate a broken system-level TLS installation.
Sourcepub fn with_replay_cache(self, cache: Arc<ReplayCache>) -> Self
pub fn with_replay_cache(self, cache: Arc<ReplayCache>) -> Self
Attach a JWT replay cache to this validator.
When set, every validated token’s jti claim is checked against the
cache. A token whose jti has been seen before is rejected with
SecurityError::TokenReplayed, preventing stolen-token replay attacks.
If require_jti is true in OidcConfig, tokens without a jti
are also rejected before the replay check is reached.
Sourcepub async fn validate_token(
&self,
token: &str,
) -> Result<AuthenticatedUser, SecurityError>
pub async fn validate_token( &self, token: &str, ) -> Result<AuthenticatedUser, SecurityError>
Validate a JWT token and extract user information.
§Arguments
token- The JWT token string (without “Bearer “ prefix)
§Returns
AuthenticatedUser if token is valid, error otherwise.
§Errors
Returns error if:
- Token is malformed
- Signature verification fails
- Required claims are missing
- Token is expired
- Issuer/audience don’t match
Sourcepub const fn is_required(&self) -> bool
pub const fn is_required(&self) -> bool
Check if authentication is required.
Sourcepub fn clear_cache(&self)
pub fn clear_cache(&self)
Clear the JWKS cache.
Call this if you need to force a refresh of the signing keys.