Expand description

Provides an implementation of the IndieAuth standard.

The implementations in this crate allows for one to request a Token, verify it and other common operations. All known operations can be found under the request representation as well as the responses.

§Requesting A Token

In order to request a token or a profile, one needs to construct an authorization URL that’ll allow the user to provide you with an authorization code. You can build the such by doing the following:

use indieweb::standards::indieauth;
use indieweb::http::reqwest::Client as HttpClient;
use indieauth::Client;
use url::Url;

// Get networking client.
let http_client = HttpClient::default();

// Define who I want to be.
let me: Url = "https://jacky.wtf".parse().unwrap();

// Create a simple client for making requests.
let client: indieauth::Client = (
    indieauth::ClientId::new("https://jacky.wtf".into()),
    indieauth::EndpointDiscovery::Classic {
        authorization: "https://jacky.wtf/auth/auth".parse().unwrap(),
        token: "https://jacky.wtf/auth/token".parse().unwrap(),
        ticket: None
    }).into();

// Build the authorization URL to get an authorization code.
let response = client.dispatch(&http_client,
    indieauth::Request::BuildAuthorizationUrl {
        me: Some(me.clone()),
        scope: None,
        redirect_uri: None
    });

// Prune out the fields from the request.
let response_opt: Option<(_, _, _, _)> = response.await.as_ref()
        .ok()
        .and_then(|r| {
            if let indieauth::Response::AuthenticationUrl { url, verifier, challenge,
            csrf_token, issuer: _ } = r {
                Some((url.clone(), challenge.clone(), verifier.clone(), csrf_token.clone()))
                  .filter(|_| {
                    url.query_pairs().any(|(key, value)| {
                        key == "me" && value == me.as_str()
                    })
                  })
            } else {
                None
            }
         })
         .clone();

 assert!(
    response_opt
        .as_ref()
        .map(|(url, _, _, _)| url)
        .map(|url| {
            url.query_pairs().any(|(key, value)| {
                key == "me" && value == me.as_str()
            })
        }).unwrap_or(false),
    "confirms the authorization URL to send the user to on behalf of them");
// Direct the user to the location of `response_opt.unwrap().0`.

§Redeeming an Authorization Code

The IndieAuth server will do the work of confirming the identity and scopes that the site ends up permitting. You’ll be redirected back to with an authoriz ation code or error information. This step is meant to help capture that kind of information.

§Note

  • The logic for checking CSRF tokens is up to your implementation. It’s strongly recommended to do to prevent forged requests.
use indieweb::{
    standards::indieauth::{
        Client, EndpointDiscovery, ClientId, AuthUrl, TokenUrl, 
        Request, DesiredResourceAuthorization, AuthorizationCode
    },
    http::reqwest::Client as HttpClient
};

let http_client = HttpClient::default();

let client: Client = (
   ClientId::new("https://jacky.wtf".into()),
   EndpointDiscovery::Classic {
     authorization: "https://jacky.wtf/auth/auth".parse().unwrap(),
     token: "https://jacky.wtf/auth/token".parse().unwrap(),
     ticket: None
   }
).into();

let code = AuthorizationCode::new("abcdefghijklmnopqrstuvxwyz123456".to_string());

client.dispatch(&http_client, Request::CompleteAuthorization {
  code,
  resource: DesiredResourceAuthorization::Profile,
  code_verifier: String::default(),
  redirect_uri: None
});

The expected response from that dispatch call could be either the providing of a profile or of a token.

§Verifying A Token

The act of verification is done by doing the following:

use indieweb::{
    standards::indieauth::{AccessToken, Client,
        EndpointDiscovery, EndpointMetadata,
        ClientId, AuthUrl, TokenUrl, Request, DesiredResourceAuthorization},
    http::reqwest::Client as HttpClient
};

let http_client = HttpClient::default();

let client: Client = (
   ClientId::new("https://jacky.wtf".into()),
   EndpointDiscovery::Classic {
    authorization: "https://jacky.wtf/auth/auth".parse().unwrap(),
    token: "https://jacky.wtf/auth/token".parse().unwrap(),
    ticket: None
   }
).into();
let token = AccessToken::new("magic-token".to_string());

client.dispatch(&http_client, Request::VerifyAccessToken(token));

What’s missing from this implementation is logic for things like AutoAuth or TicketAuth. This also is locked at the 26 Nov 2020 version.

Structs§

  • Access token returned by the token endpoint and used to access protected resources.
  • URL of the authorization server’s authorization endpoint.
  • Authorization code returned from the authorization endpoint.
  • A helper object for representing an interaction with a fixed client for fetching tokens.
  • Client identifier issued to the client during the registration process described by Section 2.2.
  • Represents a successful attempt at collecting metadata info.
  • Represents all of the server metadata known.
  • Provides a structured interface to use for OAuth2.
  • Represents a collection of the most common values in IndieAuth contexts.
  • Code Challenge used for PKCE protection via the code_challenge parameter.
  • Code Verifier used for PKCE protection via the code_verifier parameter. The value must have a minimum length of 43 characters and a maximum length of 128 characters. Each character must be ASCII alphanumeric or one of the characters “-” / “.” / “_” / “~”.
  • Represents the canonically relevant fields of a profile response.
  • URL of the client’s redirection endpoint.
  • Refresh token used to obtain a new access token (if supported by the authorization server).
  • Authorization endpoint response (grant) type defined in Section 3.1.1.
  • Access token scope, as defined by the authorization server.
  • A representation of a list of scopes.
  • Represents the canonically relevant fields of an access token.
  • URL of the authorization server’s token endpoint.
  • Represents the canonically relevant fields of an verified token.

Enums§

  • Describes the different kinds of authorization attempts supported by this client.
  • Represents the different kinds of discovery results one can find when looking for IndieAuth.
  • Represents all of the known errors that can happen with IndieAuth.
  • Different kinds of requests made with IndieAuth.
  • Different kinds of responses made with IndieAuth.

Functions§

Type Aliases§

  • Provides a structured response for OAuth2 failures.
  • Represents the OAuth 2 client that IndieAuth is based on.