Crate multistore_oidc_provider

OIDC provider for outbound authentication.

This crate enables the proxy to act as its own OIDC identity provider:

  1. JWT signing — mint JWTs signed with the proxy’s RSA private key
  2. JWKS serving — expose the corresponding public key as a JWK set
  3. OIDC discovery — generate .well-known/openid-configuration responses
  4. Credential exchange — trade self-signed JWTs for cloud provider credentials (AWS STS, Azure AD, GCP STS)
  5. Route handler — route_handler::OidcRouterExt registers .well-known endpoint closures on a Router

The crate is runtime-agnostic: HTTP calls are abstracted behind an HttpExchange trait so that each runtime (reqwest, Fetch API, etc.) can provide its own implementation.

Modules

backend_auth
OIDC-based backend credential resolution.
cache
TTL credential cache.
discovery
OpenID Connect discovery document generation.
exchange
Credential exchange — trade a self-signed JWT for cloud provider credentials.
jwks
JWKS response generation — expose the proxy’s public key as a JWK set.
jwt
JWT minting — sign JWTs with the proxy’s RSA private key.
route_handler
Route handler for OIDC discovery endpoints.

Structs

CloudCredentials
Temporary cloud credentials obtained via token exchange.
OidcCredentialProvider
Top-level provider that combines signing, exchange, and caching.

Enums

OidcProviderError
Errors produced by this crate.

Traits

HttpExchange
HTTP client abstraction for outbound requests (STS token exchange).