VerifierConfig

jwt_verify

Struct VerifierConfig 

Source 
pub struct VerifierConfig {
    pub region: String,
    pub user_pool_id: String,
    pub client_ids: Vec<String>,
    pub allowed_token_uses: Vec<TokenUse>,
    pub clock_skew: Duration,
    pub jwk_cache_duration: Duration,
    pub required_claims: HashSet<String>,
    pub custom_validators: Vec<Box<dyn ClaimValidator + Send + Sync>>,
    pub error_verbosity: ErrorVerbosity,
}
Expand description

Configuration for the Cognito JWT verification process.

This struct holds all configuration options for verifying Cognito JWT tokens, including AWS region, user pool ID, allowed client IDs, token types, clock skew, cache duration, required claims, custom validators, and error verbosity.

The configuration is immutable after creation, but can be modified using the builder pattern methods like with_clock_skew, with_cache_duration, etc.

§Examples

use jwt_verify::{VerifierConfig, StringValueValidator};
use std::time::Duration;

// Create a basic configuration
let config = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
    None,
).unwrap();

// Add a custom validator
let config = config.with_custom_validator(
    Box::new(StringValueValidator::new("app_id", "my-app"))
);

Fields§

§region: String

AWS region where the Cognito user pool is located

§user_pool_id: String

Cognito user pool ID in the format “region_poolid”

§client_ids: Vec<String>

List of allowed client IDs for this user pool

§allowed_token_uses: Vec<TokenUse>

List of allowed token types (ID tokens, Access tokens)

§clock_skew: Duration

Clock skew tolerance for token expiration and issuance time validation

§jwk_cache_duration: Duration

Duration for which JWKs are cached before refreshing

§required_claims: HashSet<String>

Set of claims that must be present and valid in the token

§custom_validators: Vec<Box<dyn ClaimValidator + Send + Sync>>

List of custom validators for additional claim validation

§error_verbosity: ErrorVerbosity

Level of detail in error messages

Implementations§

Source§

impl VerifierConfig

Source

pub fn new( region: &str, user_pool_id: &str, client_ids: &[String], token_uses: Option<Vec<TokenUse>>, ) -> Result<Self, JwtError>

Create a new verifier configuration with validation for required parameters.

This method creates a new VerifierConfig with the specified region, user pool ID, and client IDs. It validates that the region and user pool ID are not empty and that the user pool ID has the correct format.

§Parameters
  • region - AWS region where the Cognito user pool is located (e.g., “us-east-1”)
  • user_pool_id - Cognito user pool ID in the format “region_poolid”
  • client_ids - List of allowed client IDs for this user pool
  • token_uses - Optional list of allowed token types (defaults to both ID and Access tokens)
§Returns

Returns a Result containing the new VerifierConfig if successful, or a JwtError if validation fails.

§Errors

Returns a JwtError::ConfigurationError if:

  • The region is empty
  • The user pool ID is empty
  • The user pool ID does not have the correct format (should contain an underscore)
§Examples
use jwt_verify::VerifierConfig;

// Create a basic configuration
let config = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
    None,
).unwrap();
Source

pub fn with_clock_skew(self, skew: Duration) -> Self

Set clock skew tolerance for token validation.

Clock skew is used to account for time differences between the token issuer and the token verifier. This is important for validating token expiration and issuance times.

§Parameters
  • skew - The clock skew duration to allow (default: 60 seconds)
§Returns

Returns a new VerifierConfig with the updated clock skew.

§Examples
use jwt_verify::VerifierConfig;
use std::time::Duration;

let config = VerifierConfig::new("us-east-1", "us-east-1_example", &[], None)
    .unwrap()
    .with_clock_skew(Duration::from_secs(120)); // 2 minutes
Source

pub fn with_cache_duration(self, duration: Duration) -> Self

Set JWK cache duration for key management.

This determines how long JWKs (JSON Web Keys) are cached before being refreshed from the Cognito endpoint. Longer durations reduce network requests but may delay key rotation recognition.

§Parameters
  • duration - The cache duration (default: 24 hours)
§Returns

Returns a new VerifierConfig with the updated cache duration.

§Examples
use jwt_verify::VerifierConfig;
use std::time::Duration;

let config = VerifierConfig::new("us-east-1", "us-east-1_example", &[], None)
    .unwrap()
    .with_cache_duration(Duration::from_secs(3600 * 12)); // 12 hours
Source

pub fn with_required_claim(self, claim: &str) -> Self

Add a required claim to the validation process.

Required claims must be present in the token and will be validated. By default, the following claims are required: “sub”, “iss”, “client_id”, “exp”, “iat”.

§Parameters
  • claim - The name of the claim to require
§Returns

Returns a new VerifierConfig with the added required claim.

§Examples
use jwt_verify::VerifierConfig;

let config = VerifierConfig::new("us-east-1", "us-east-1_example", &[], None)
    .unwrap()
    .with_required_claim("custom_claim");
Source

pub fn with_custom_validator( self, validator: Box<dyn ClaimValidator + Send + Sync>, ) -> Self

Add a custom validator for additional claim validation.

Custom validators allow for application-specific validation logic beyond the standard JWT claim validation. They can validate specific claim values, formats, or relationships between claims.

§Parameters
  • validator - A boxed implementation of the ClaimValidator trait
§Returns

Returns a new VerifierConfig with the added custom validator.

§Examples
use jwt_verify::{VerifierConfig, StringValueValidator};

let config = VerifierConfig::new("us-east-1", "us-east-1_example", &[], None)
    .unwrap()
    .with_custom_validator(Box::new(StringValueValidator::new(
        "app_id", "my-application"
    )));
Source

pub fn with_error_verbosity(self, verbosity: ErrorVerbosity) -> Self

Set the error verbosity level for error reporting.

This controls how much detail is included in error messages and logs. Higher verbosity levels include more information but may expose sensitive data.

§Parameters
  • verbosity - The error verbosity level (default: Standard)
§Returns

Returns a new VerifierConfig with the updated error verbosity.

§Examples
use jwt_verify::{VerifierConfig, config::ErrorVerbosity};

let config = VerifierConfig::new("us-east-1", "us-east-1_example", &[], None)
    .unwrap()
    .with_error_verbosity(ErrorVerbosity::Detailed);
Source

pub fn get_issuer_url(&self) -> String

Get issuer URL

Source

pub fn get_jwk_url(&self) -> String

Get JWK URL

Trait Implementations§

Source§

impl Clone for VerifierConfig

Source§

fn clone(&self) -> Self

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for VerifierConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromRef<T> for T
where T: Clone,

Source§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,