Crate graph_oauth

Microsoft Identity Platform Client

Support For OAuth 2.0 and OpenId authorization flows from the Microsoft Identity Platform.

Part of the graph-rs-sdk project on GitHub

Example ConfidentialClientApplication Authorization Code Flow

use url::Url;
use graph_oauth::{AuthorizationCodeCredential, ConfidentialClientApplication};

pub fn authorization_url(client_id: &str) -> anyhow::Result<Url> {
    Ok(ConfidentialClientApplication::builder(client_id)
        .auth_code_url_builder()
        .with_redirect_uri(Url::parse("http://localhost:8000/redirect")?)
        .with_scope(vec!["user.read"])
        .url()?)
}

pub fn get_confidential_client(authorization_code: &str, client_id: &str, client_secret: &str) -> anyhow::Result<ConfidentialClientApplication<AuthorizationCodeCredential>> {
    Ok(ConfidentialClientApplication::builder(client_id)
        .with_auth_code(authorization_code)
        .with_client_secret(client_secret)
        .with_scope(vec!["user.read"])
        .with_redirect_uri(Url::parse("http://localhost:8000/redirect")?)
        .build())
}

Supported Authorization Flows From The Microsoft Identity Platform

• Authorization Code Grant
• Authorization Code Grant PKCE
• Authorization Code Certificate
• Open ID Connect
• Implicit Grant
• Device Code Flow
• Client Credentials - Client Secret
• Client Credentials - Client Certificate
• Resource Owner Password Credentials

Modules

• extensions
• legacy

Structs

• AZURE_CHINA_CLOUD_INSTANCE
• AZURE_GERMANY_CLOUD_INSTANCE
• AZURE_PUBLIC_CLOUD_INSTANCE
• AZURE_US_GOVERNMENT
• AllowedHostValidator
• AppConfig
• AppConfigBuilder
• ApplicationOptions
  Application Options typically stored as JSON file in .net applications.
• Assertion
• AuthCodeAuthorizationUrlParameterBuilder
• AuthCodeAuthorizationUrlParameters
  Get the authorization url required to perform the initial authorization and redirect in the authorization code flow.
• AuthorizationCodeAssertionCredential
  Authorization Code Using An Assertion
• AuthorizationCodeAssertionCredentialBuilder
• AuthorizationCodeCertificateCredential
  The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application. For example, a web browser, desktop, or mobile application operated by a user to sign in to your app and access their data. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow’
• AuthorizationCodeCertificateCredentialBuilder
• AuthorizationCodeCredential
  The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application. For example, a web browser, desktop, or mobile application operated by a user to sign in to your app and access their data. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
• AuthorizationCodeCredentialBuilder
• AuthorizationError
• AuthorizationRequestParts
• AuthorizationResponse
• BearerTokenCredential
• ClientAssertionCredential
  Client Credentials Using an Assertion.
• ClientAssertionCredentialBuilder
• ClientCertificateCredential
  Client Credentials Using A Certificate
• ClientCertificateCredentialBuilder
• ClientCredentialAdminConsentResponse
• ClientCredentialsAuthorizationUrlParameterBuilder
• ClientCredentialsAuthorizationUrlParameters
• ClientSecretCredential
  Client Credentials flow using a client secret.
• ClientSecretCredentialBuilder
• ConfidentialClientApplication
  Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
• ConfidentialClientApplicationBuilder
• DeviceAuthorizationResponse
  The Device Authorization Response: the authorization server generates a unique device verification code and an end-user code that are valid for a limited time and includes them in the HTTP response body using the “application/json” format [RFC8259] with a 200 (OK) status code
• DeviceCodeCredential
  The device authorization grant: allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.
• DeviceCodeCredentialBuilder
• DeviceCodePollingExecutor
• EnvironmentCredential
• Header
  A basic JWT header, the alg defaults to HS256 and typ is automatically set to JWT. All the other fields are optional.
• IdToken
  ID tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see ID tokens in the Microsoft identity platform.
• OpenIdAuthorizationUrlParameterBuilder
• OpenIdAuthorizationUrlParameters
  OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an ID token. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
• OpenIdCredential
  OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications by using a security token called an ID token. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
• OpenIdCredentialBuilder
• ProofKeyCodeExchange
• PublicClientApplication
  Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
• PublicClientApplicationBuilder
• ResourceOwnerPasswordCredential
  Allows an application to sign in the user by directly handling their password. Not recommended. ROPC can also be done using a client secret or assertion, however this client implementation does not offer this use case. This is the same as all MSAL clients. https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.3
• ResourceOwnerPasswordCredentialBuilder
• Secret
• Token
  An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the resource for which the token is intended. The information can be used to access web APIs and other protected resources. Resources validate access tokens to grant access to a client application. For more information, see Access tokens in the Microsoft Identity Platform
• TokenData
  The return type of a successful call to decode.

Enums

• AadAuthorityAudience
  Specifies which Microsoft accounts can be used for sign-in with a given application. See https://aka.ms/msal-net-application-configuration
• Authority
  Specifies which Microsoft accounts can be used for sign-in with a given application. See https://aka.ms/msal-net-application-configuration
• AuthorizationResponseError
  The specification defines errors here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#section-4.2.2.1
• AzureCloudInstance
  STS instance (for instance https://login.microsoftonline.com for the Azure public cloud). Maps to the instance url string.
• HostIs
• PollDeviceCodeEvent
  Response types used when polling for a device code https://datatracker.ietf.org/doc/html/rfc8628#section-3.5
• Prompt
  Indicates the type of user interaction that is required. Valid values are login, none, consent, and select_account.
• ResponseMode
  Specifies how the identity platform should return the requested token to your app.
• ResponseType

Traits

• AuthorizationUrl
• GenPkce
• IntoCredentialBuilder
• TokenCredentialExecutor
• ValidateHosts