
OidcConfig

Struct OidcConfig 

pub struct OidcConfig {
    pub issuer: String,
    pub audience: Option<String>,
    pub additional_audiences: Vec<String>,
    pub jwks_cache_ttl_secs: u64,
    pub allowed_algorithms: Vec<String>,
    pub clock_skew_secs: u64,
    pub jwks_uri: Option<String>,
    pub required: bool,
    pub scope_claim: String,
}

OIDC authentication configuration.

Configure this with your identity provider's issuer URL. The validator automatically discovers the JWKS endpoint from it.

SECURITY CRITICAL: You MUST configure the audience field to prevent token confusion attacks. See the audience field documentation for details.

Fields§

§issuer: String

Issuer URL (e.g., https://your-tenant.auth0.com/)

Must match the iss claim in tokens exactly. Include the trailing slash if the provider expects one.

§audience: Option<String>

Expected audience claim (REQUIRED for security).

SECURITY CRITICAL: This field is mandatory. Tokens must have this value in their aud claim. This prevents token confusion attacks where tokens from one service can be used in another.

For Auth0, this is typically your API identifier (e.g., https://api.example.com). For other providers, use a unique identifier that represents your application.

Set at least one of:

  • audience (primary audience)
  • additional_audiences (secondary audiences)

§additional_audiences: Vec<String>

Additional allowed audiences (optional).

Some tokens may have multiple audiences. Add extras here.

§jwks_cache_ttl_secs: u64

JWKS cache TTL in seconds.

How long to cache the JWKS before refetching. Default: 3600 (1 hour)

§allowed_algorithms: Vec<String>

Allowed token algorithms.

Default: RS256 (most common for OIDC providers)

§clock_skew_secs: u64

Clock skew tolerance in seconds.

Allow this many seconds of clock difference when validating exp/nbf/iat claims. Default: 60 seconds

§jwks_uri: Option<String>

Custom JWKS URI (optional).

If set, skip OIDC discovery and use this URI directly. Useful for providers that don’t support standard discovery.

§required: bool

Require authentication for all requests.

If false, requests without tokens are allowed (anonymous access). Default: true

§scope_claim: String

Scope claim name.

The claim containing user scopes/permissions. Default: “scope” (a space-separated string). Some providers use “scp” or “permissions” (an array) instead.
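The issuer, audience, additional_audiences and clock_skew_secs fields above describe checks the validator applies to a token's claims once the signature has been verified. The following Rust block is an added illustration of those checks, not the crate's own validator; the `AudCheckConfig`, `Claims` and `ClaimError` types and the constructed claim values are assumptions made for the example.

```rust
// Added illustration, not the crate's own validator; `AudCheckConfig`, `Claims`
// and `ClaimError` are names assumed for the example.
#[derive(Debug, PartialEq)]
pub enum ClaimError { NoAudienceConfigured, Issuer, Audience, Expired, NotYetValid }

/// The OidcConfig fields involved in these checks.
pub struct AudCheckConfig<'a> {
    pub issuer: &'a str,
    pub audience: Option<&'a str>,
    pub additional_audiences: &'a [&'a str],
    pub clock_skew_secs: u64,
}

/// Registered claims of an already signature-verified token. `aud` is a slice
/// because a JWT `aud` may be either a single string or an array.
pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a [&'a str],
    pub exp: u64,
    pub nbf: Option<u64>,
}

pub fn check_claims(cfg: &AudCheckConfig, c: &Claims, now: u64) -> Result<(), ClaimError> {
    // No expected audience means a token minted for another API of the same
    // issuer would pass, so fail closed rather than skip the check.
    if cfg.audience.is_none() && cfg.additional_audiences.is_empty() {
        return Err(ClaimError::NoAudienceConfigured);
    }
    // Exact string match, trailing slash included.
    if c.iss != cfg.issuer {
        return Err(ClaimError::Issuer);
    }
    // Accept if any audience in the token is the primary or an additional one.
    let expected: Vec<&str> = cfg.audience.iter().copied()
        .chain(cfg.additional_audiences.iter().copied()).collect();
    if !c.aud.iter().any(|a| expected.contains(a)) {
        return Err(ClaimError::Audience);
    }
    // exp and nbf get clock_skew_secs of tolerance in the token's favour.
    if now > c.exp.saturating_add(cfg.clock_skew_secs) {
        return Err(ClaimError::Expired);
    }
    if let Some(nbf) = c.nbf {
        if now.saturating_add(cfg.clock_skew_secs) < nbf {
            return Err(ClaimError::NotYetValid);
        }
    }
    Ok(())
}
```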

Implementations§

impl OidcConfig

pub fn auth0(domain: &str, audience: &str) -> Self

Create config for Auth0.

§Arguments
  • domain - Your Auth0 domain (e.g., “your-tenant.auth0.com”)
  • audience - Your API identifier

pub fn keycloak(base_url: &str, realm: &str, client_id: &str) -> Self

Create config for Keycloak.

§Arguments
  • base_url - Keycloak server URL (e.g., https://keycloak.example.com)
  • realm - Realm name
  • client_id - Client ID (used as audience)

pub fn okta(domain: &str, audience: &str) -> Self

Create config for Okta.

§Arguments
  • domain - Your Okta domain (e.g., “your-org.okta.com”)
  • audience - Your API audience (often “api://default”)

pub fn cognito(region: &str, user_pool_id: &str, client_id: &str) -> Self

Create config for AWS Cognito.

§Arguments
  • region - AWS region (e.g., “us-east-1”)
  • user_pool_id - Cognito User Pool ID
  • client_id - App client ID (used as audience)

pub fn azure_ad(tenant_id: &str, client_id: &str) -> Self

Create config for Microsoft Entra ID (Azure AD).

§Arguments
  • tenant_id - Azure AD tenant ID
  • client_id - Application (client) ID

pub fn google(client_id: &str) -> Self

Create config for Google Identity.

§Arguments
  • client_id - Google OAuth client ID

pub fn validate(&self) -> Result<()>

Validate the configuration.

Trait Implementations§

impl Clone for OidcConfig

fn clone(&self) -> OidcConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for OidcConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for OidcConfig

fn default() -> Self

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for OidcConfig

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for OidcConfig

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.
