```rust
pub async fn validate_github_token(
    token: &str,
    jwks: Arc<RwLock<Value>>,
    expected_audience: &str,
) -> Result<GitHubClaims>
```
Validates a GitHub OIDC token against the provided JSON Web Key Set (JWKS) and expected audience.
This function decodes and verifies the JSON Web Token (JWT), checks its claims against expected values, and ensures it was issued by the expected GitHub OIDC provider.
§Arguments
- `token` - A string slice that holds the GitHub OIDC token to validate.
- `jwks` - An `Arc<RwLock<Value>>` containing the JSON Web Key Set (JWKS) used to verify the token's signature.
- `expected_audience` - A string slice specifying the expected audience claim value.
§Returns
- `Result<GitHubClaims>` - A `Result` containing the validated `GitHubClaims` if successful, or an error if validation fails.
§Errors
This function will return an error if:
- The token is not in a valid JWT format
- The token’s signature cannot be verified using the provided JWKS
- The token’s claims do not match the expected values (e.g., audience, issuer)
- The token is not from the expected GitHub organization or repository (when an expected organization or repository is configured through the environment)
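The claim checks described above (issuer, audience, validity window, organization and repository pinning) are the part of validation that is easiest to get subtly wrong, so here is an added, self-contained illustration of them. It is example code, not part of git_oidc: the `Claims` struct, the `Policy` struct and the `check_claims` function are assumptions standing in for the crate's `GitHubClaims` type and its environment-driven configuration, and the claim names `iss`, `aud`, `sub`, `repository` and `repository_owner` are the ones GitHub places in its OIDC tokens. Signature verification against the JWKS is assumed to have already been done by a JWT library before these checks run; the sample claims are constructed, not taken from a real token.

```rust
use std::collections::HashSet;

/// Issuer of GitHub Actions OIDC tokens (also the host the JWKS is fetched from).
pub const GITHUB_ISSUER: &str = "https://token.actions.githubusercontent.com";

/// Hypothetical already-decoded subset of the token's claims (assumption; the
/// crate's own GitHubClaims type may differ). Signature must already be verified.
#[derive(Debug)]
pub struct Claims {
    pub iss: String,
    pub aud: Vec<String>,         // JWT `aud` may be a string or an array; normalised to a list
    pub sub: String,              // "repo:<owner>/<repo>:<context>"
    pub iat: u64,
    pub nbf: Option<u64>,
    pub exp: u64,
    pub repository: String,       // "<owner>/<repo>"
    pub repository_owner: String, // "<owner>"
}

/// Hypothetical policy standing in for the crate's environment configuration.
pub struct Policy {
    pub expected_audience: String,
    pub allowed_owner: Option<String>,
    pub allowed_repos: HashSet<String>, // empty = any repository under the allowed owner
    pub leeway_secs: u64,               // tolerated clock skew, in seconds
}

#[derive(Debug, PartialEq, Eq)]
pub enum ClaimError {
    WrongIssuer(String),
    AudienceMismatch,
    Expired,
    NotYetValid,
    IssuedInFuture,
    OwnerNotAllowed(String),
    RepoNotAllowed(String),
    SubjectMismatch(String),
}

/// Checks the claims of a token whose signature has ALREADY been verified.
/// `now` is seconds since the Unix epoch.
pub fn check_claims(c: &Claims, p: &Policy, now: u64) -> Result<(), ClaimError> {
    // Issuer: exact comparison only. A prefix test would accept look-alikes such as
    // "https://token.actions.githubusercontent.com.attacker.example".
    if c.iss != GITHUB_ISSUER {
        return Err(ClaimError::WrongIssuer(c.iss.clone()));
    }
    // Audience: the value this verifier was configured with must be listed.
    if !c.aud.iter().any(|a| a == &p.expected_audience) {
        return Err(ClaimError::AudienceMismatch);
    }
    // Validity window, each bound widened by the configured leeway.
    if now > c.exp.saturating_add(p.leeway_secs) {
        return Err(ClaimError::Expired);
    }
    if let Some(nbf) = c.nbf {
        if now.saturating_add(p.leeway_secs) < nbf {
            return Err(ClaimError::NotYetValid);
        }
    }
    if c.iat > now.saturating_add(p.leeway_secs) {
        return Err(ClaimError::IssuedInFuture);
    }
    // Repository pinning: compare the dedicated claims with exact equality. Matching a
    // `sub` prefix like "repo:octo-org" would also match "repo:octo-organisation/...".
    if let Some(owner) = &p.allowed_owner {
        if &c.repository_owner != owner {
            return Err(ClaimError::OwnerNotAllowed(c.repository_owner.clone()));
        }
    }
    if !p.allowed_repos.is_empty() && !p.allowed_repos.contains(&c.repository) {
        return Err(ClaimError::RepoNotAllowed(c.repository.clone()));
    }
    // Consistency: `sub` must name the same repository, ':' terminator included.
    if !c.sub.starts_with(&format!("repo:{}:", c.repository)) {
        return Err(ClaimError::SubjectMismatch(c.sub.clone()));
    }
    Ok(())
}

/// Constructed sample claims (not from a real token).
pub fn sample_claims() -> Claims {
    Claims {
        iss: GITHUB_ISSUER.to_string(),
        aud: vec!["https://deploy.example".to_string()],
        sub: "repo:octo-org/octo-repo:ref:refs/heads/main".to_string(),
        iat: 1_700_000_000,
        nbf: Some(1_699_999_990),
        exp: 1_700_000_600,
        repository: "octo-org/octo-repo".to_string(),
        repository_owner: "octo-org".to_string(),
    }
}

/// Constructed sample policy pinning one audience, one owner and one repository.
pub fn sample_policy() -> Policy {
    Policy {
        expected_audience: "https://deploy.example".to_string(),
        allowed_owner: Some("octo-org".to_string()),
        allowed_repos: ["octo-org/octo-repo".to_string()].into_iter().collect(),
        leeway_secs: 30,
    }
}

fn main() {
    let (policy, now) = (sample_policy(), 1_700_000_100);
    println!("valid token:       {:?}", check_claims(&sample_claims(), &policy, now));
    let mut lookalike = sample_claims();
    lookalike.iss = format!("{}.attacker.example", GITHUB_ISSUER);
    println!("look-alike issuer: {:?}", check_claims(&lookalike, &policy, now));
    let mut other = sample_claims();
    other.repository = "octo-org/other".to_string();
    other.sub = "repo:octo-org/other:ref:refs/heads/main".to_string();
    println!("unpinned repo:     {:?}", check_claims(&other, &policy, now));
}
```

The order matters for a real deployment: a JWT library selects the key from the JWKS by the token's `kid`, pins the expected algorithm rather than trusting the `alg` header, and verifies the signature; only a token that passes that step should reach claim checks like these, because every field above is attacker-chosen until the signature is confirmed.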
§Example
```rust
use git_oidc::{fetch_jwks, validate_github_token};
use std::sync::Arc;
use tokio::sync::RwLock;
use color_eyre::eyre::Result;

#[tokio::main]
async fn main() -> Result<()> {
    // Fetch the provider's JWKS and share it behind the Arc<RwLock<_>> the function expects.
    let jwks = fetch_jwks("https://token.actions.githubusercontent.com").await?;
    let jwks = Arc::new(RwLock::new(jwks));

    // Placeholders: the OIDC token presented by the workflow and the audience
    // value this verifier was configured to expect.
    let token = "your_github_oidc_token";
    let expected_audience = "your_expected_audience";

    // Signature, issuer, audience and any configured org/repo restriction are checked here.
    let claims = validate_github_token(token, jwks, expected_audience).await?;
    println!("Validated claims: {:?}", claims);
    Ok(())
}
```