pub struct OidcConfig {
pub issuer: String,
pub audience: Option<String>,
pub additional_audiences: Vec<String>,
pub jwks_cache_ttl_secs: u64,
pub allowed_algorithms: Vec<String>,
pub clock_skew_secs: u64,
pub jwks_uri: Option<String>,
pub required: bool,
pub scope_claim: String,
pub require_jti: bool,
pub me: Option<MeEndpointConfig>,
}Expand description
OIDC authentication configuration.
Configure this with your identity provider’s issuer URL. The validator will automatically discover JWKS endpoint.
SECURITY CRITICAL: You MUST configure the audience field to prevent
token confusion attacks. See the audience field documentation for details.
Fields§
§issuer: StringIssuer URL (e.g., https://your-tenant.auth0.com/)
Must match the iss claim in tokens exactly.
Should include trailing slash if provider expects it.
audience: Option<String>Expected audience claim (REQUIRED for security).
SECURITY CRITICAL: This field is mandatory. Tokens must have this value in their aud
claim. This prevents token confusion attacks where tokens intended for service A
can be used for service B.
For Auth0, this is typically your API identifier (e.g., https://api.example.com).
For other providers, use a unique identifier that represents your application.
Set at least one of:
audience(primary audience)additional_audiences(secondary audiences)
additional_audiences: Vec<String>Additional allowed audiences (optional).
Some tokens may have multiple audiences. Add extras here.
jwks_cache_ttl_secs: u64JWKS cache TTL in seconds.
How long to cache the JWKS before refetching. This is the MAXIMUM
stolen-key replay window once a key rotation has propagated upstream:
after an IdP rotates keys, FraiseQL keeps accepting tokens signed by a
cached-but-rotated-out key until the cached entry expires or is flushed.
To close the window immediately on a known compromise, call
OidcValidator::invalidate_jwks_cache (e.g. via POST /admin/v1/auth/refresh-jwks).
Default: 300 (5 minutes) — short to bound the replay window.
allowed_algorithms: Vec<String>Allowed token algorithms.
Default: RS256 (most common for OIDC providers)
clock_skew_secs: u64Clock skew tolerance in seconds.
Allow this many seconds of clock difference when validating exp/nbf/iat claims. Default: 60 seconds
jwks_uri: Option<String>Custom JWKS URI (optional).
If set, skip OIDC discovery and use this URI directly. Useful for providers that don’t support standard discovery.
required: boolRequire authentication for all requests.
If false, requests without tokens are allowed (anonymous access). Default: true
scope_claim: StringScope claim name.
The claim containing user scopes/permissions. Default: “scope” (space-separated string) Some providers use “scp” or “permissions” (array)
require_jti: boolRequire the jti (JWT ID) claim on every validated token.
When true, tokens without a jti are rejected with a validation error.
When false (default), a missing jti is accepted but the token cannot
be replay-checked.
Set to true when you have a ReplayCache configured, so that every
token is guaranteed to be uniquely identifiable.
me: Option<MeEndpointConfig>Configuration for the GET /auth/me session-identity endpoint.
When present and enabled = true, mounts GET /auth/me behind
OIDC authentication. The endpoint reflects a configurable subset of
the current session’s JWT claims to the frontend.
Default: None (endpoint not mounted).
Implementations§
Source§impl OidcConfig
impl OidcConfig
Sourcepub fn auth0(domain: &str, audience: &str) -> Self
pub fn auth0(domain: &str, audience: &str) -> Self
Create config for Auth0.
§Arguments
domain- Your Auth0 domain (e.g., “your-tenant.auth0.com”)audience- Your API identifier
Sourcepub fn keycloak(base_url: &str, realm: &str, client_id: &str) -> Self
pub fn keycloak(base_url: &str, realm: &str, client_id: &str) -> Self
Create config for Keycloak.
§Arguments
base_url- Keycloak server URL (e.g.,https://keycloak.example.com)realm- Realm nameclient_id- Client ID (used as audience)
Sourcepub fn okta(domain: &str, audience: &str) -> Self
pub fn okta(domain: &str, audience: &str) -> Self
Create config for Okta.
§Arguments
domain- Your Okta domain (e.g., “your-org.okta.com”)audience- Your API audience (often “api://default”)
Sourcepub fn cognito(region: &str, user_pool_id: &str, client_id: &str) -> Self
pub fn cognito(region: &str, user_pool_id: &str, client_id: &str) -> Self
Create config for AWS Cognito.
§Arguments
region- AWS region (e.g., “us-east-1”)user_pool_id- Cognito User Pool IDclient_id- App client ID (used as audience)
Sourcepub fn azure_ad(tenant_id: &str, client_id: &str) -> Self
pub fn azure_ad(tenant_id: &str, client_id: &str) -> Self
Create config for Microsoft Entra ID (Azure AD).
§Arguments
tenant_id- Azure AD tenant IDclient_id- Application (client) ID
Trait Implementations§
Source§impl Clone for OidcConfig
impl Clone for OidcConfig
Source§fn clone(&self) -> OidcConfig
fn clone(&self) -> OidcConfig
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more