loopauth acquires OAuth 2.0 provider tokens for CLI applications via the
Authorization Code + PKCE flow (RFC 6749, RFC 7636). It is provider token
acquisition only, rather than app authentication or session management.
Given a client_id, auth_url, and token_url, CliTokenClient opens the
user’s browser to the authorization URL, spins up a short-lived loopback HTTP
server to receive the redirect callback, exchanges the authorization code for
tokens, and returns a TokenSet to the caller.
Token storage and downstream identity consumption are intentionally out of
scope; use the TokenStore trait to provide your own persistence.
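The loopback callback step described above is where a client has to decide whether an incoming request really is the provider's redirect. The following is an added example, not loopauth's own code: it assumes the client sent a random state value with the authorization request (RFC 6749, section 10.12) and that parameter values need no percent-decoding; CallbackCheck, validate_callback and the /callback path are hypothetical names.

```rust
// Added example (not loopauth's code). CallbackCheck and validate_callback are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum CallbackCheck {
    Code(String),          // authorization code to exchange at the token endpoint
    ProviderError(String), // provider redirected with ?error=...
    StateMismatch,         // state missing or wrong: not the response to our request
    Malformed,             // wrong method or path, or no code present
}

/// Compare without early exit so timing does not reveal how much of `state` matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Look up one query parameter. Assumption: values are URL-safe, so no percent-decoding.
fn param<'a>(query: &'a str, key: &str) -> Option<&'a str> {
    query.split('&').filter_map(|kv| kv.split_once('=')).find(|(k, _)| *k == key).map(|(_, v)| v)
}

/// Validate the first line of the HTTP request received on the loopback listener.
pub fn validate_callback(request_line: &str, path: &str, expected_state: &str) -> CallbackCheck {
    let mut parts = request_line.split_whitespace();
    let (method, target) = match (parts.next(), parts.next()) {
        (Some(m), Some(t)) => (m, t),
        _ => return CallbackCheck::Malformed,
    };
    let (req_path, query) = target.split_once('?').unwrap_or((target, ""));
    if method != "GET" || req_path != path {
        return CallbackCheck::Malformed;
    }
    // Check state first, so an unsolicited request cannot supply a code or an error.
    match param(query, "state") {
        Some(s) if ct_eq(s.as_bytes(), expected_state.as_bytes()) => {}
        _ => return CallbackCheck::StateMismatch,
    }
    if let Some(e) = param(query, "error") {
        return CallbackCheck::ProviderError(e.to_string());
    }
    match param(query, "code") {
        Some(c) if !c.is_empty() => CallbackCheck::Code(c.to_string()),
        _ => CallbackCheck::Malformed,
    }
}

fn main() {
    // Constructed request lines; "s3cr3t" stands in for a random per-flow state value.
    for line in ["GET /callback?code=abc123&state=s3cr3t HTTP/1.1", "GET /callback?code=abc123&state=forged HTTP/1.1"] {
        println!("{:?}", validate_callback(line, "/callback", "s3cr3t"));
    }
}
```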
§Two-Layer Pattern
loopauth returns provider tokens only. Your backend handles app identity:
- Call CliTokenClient::run_authorization_flow → provider returns a TokenSet
- Send TokenSet::id_token_raw to your backend → validate and issue your own session token
§Quick start
With explicit URLs:
use loopauth::{CliTokenClient, RequestScope};

let client = CliTokenClient::builder()
    .client_id("my-client-id")
    .auth_url(url::Url::parse("https://provider.example.com/authorize")?)
    .token_url(url::Url::parse("https://provider.example.com/token")?)
    .with_openid_scope()
    .add_scopes([RequestScope::Email])
    .without_jwks_validation() // or .jwks_validator(Box::new(my_validator))
    .build();
// let tokens = client.run_authorization_flow().await?;

With OIDC auto-discovery (provider URLs are fetched automatically):
use loopauth::{CliTokenClientBuilder, RequestScope, oidc::OpenIdConfiguration};
use url::Url;

let open_id_configuration = OpenIdConfiguration::fetch(
    Url::parse("https://provider.example.com")?,
).await?;
let client = CliTokenClientBuilder::from_open_id_configuration(&open_id_configuration)
    .client_id("my-client-id")
    .with_open_id_configuration_jwks_validator(&open_id_configuration)
    .add_scopes([RequestScope::Email])
    .build();
// let tokens = client.run_authorization_flow().await?;

Modules§
- oidc - OpenID Connect support: discovery document fetching and ID token claims.
Structs§
- AccessToken - An OAuth 2.0 access token.
- CliTokenClient - Acquires OAuth 2.0 provider tokens for CLI applications via the Authorization Code + PKCE flow.
- CliTokenClientBuilder - Builder for CliTokenClient.
- ErrorPageContext - Context provided to ErrorPageRenderer implementations.
- HasAuthUrl - Type-state: auth_url has been provided.
- HasClientId - Type-state: client_id has been provided.
- HasTokenUrl - Type-state: token_url has been provided.
- JwksDisabled - Type-state: OIDC mode engaged with JWKS signature verification explicitly disabled.
- JwksEnabled - Type-state: OIDC mode engaged with JWKS signature verification enabled.
- JwksValidationError - An error returned by a JwksValidator when the id_token fails validation.
- NoAuthUrl - Type-state: auth_url not yet provided.
- NoClientId - Type-state: client_id not yet provided.
- NoOidc - Type-state: OIDC mode not yet engaged; openid scope is not included.
- NoTokenUrl - Type-state: token_url not yet provided.
- OidcPending - Type-state: OIDC mode engaged but JWKS decision not yet made.
- PageContext - Context provided to SuccessPageRenderer implementations.
- RefreshToken - An OAuth 2.0 refresh token.
- RemoteJwksValidator - Validates JWTs against a remote JWKS endpoint.
- TokenSet - The set of tokens returned by a successful OAuth 2.0 authorization or refresh flow.
- Unvalidated - Marker type: the id_token signature has not yet been verified.
- Validated - Marker type: the id_token signature has been verified, or no id_token was present.
Enums§
- AuthError - Errors that can occur during crate::CliTokenClient::run_authorization_flow.
- CallbackError - Errors that can occur during OAuth 2.0 callback validation.
- IdTokenError - Errors that can occur while validating an id_token after a successful token exchange.
- OAuth2Scope - An OAuth 2.0 scope value.
- RefreshError - Errors that can occur during crate::CliTokenClient::refresh or crate::CliTokenClient::refresh_if_expiring.
- RefreshOutcome - Outcome of crate::CliTokenClient::refresh_if_expiring.
- RequestScope - An OAuth 2.0 scope value for use with crate::CliTokenClientBuilder::add_scopes.
- TokenStoreError - Errors that can occur in crate::TokenStore implementations.
Traits§
- ErrorPageRenderer - Renders the error page HTML shown to the user when authentication fails.
- JwksValidator - Validates the raw id_token string returned from the token endpoint.
- SuccessPageRenderer - Renders the success page HTML shown to the user after authentication.
- TokenStore - Persistent storage interface for TokenSet values.
- ValidationState - Marker trait for crate::TokenSet validation state. Sealed — only Validated and Unvalidated implement it.