Struct oidc::Client

pub struct Client { /* fields omitted */ }

OpenID Connect Client for a provider specified at construction.

Methods

impl Client

pub fn discover(
    id: String,
    secret: String,
    redirect: Url,
    issuer: Url
) -> Result<Self, Error>

Constructs a client from an issuer url and client parameters via discovery

pub fn new(
    id: String,
    secret: String,
    redirect: Url,
    provider: Discovered,
    jwks: JWKSet<Empty>
) -> Self

Constructs a client from a given provider, key set, and parameters. Unlike ::discover(..) this function does not perform any network operations.

pub fn redirect_url(&self) -> &str

Passthrough to the redirect_url stored in inth_oauth2 as a str.

pub fn request_token(
    &self,
    client: &Client,
    auth_code: &str
) -> Result<Token, Error>

Passthrough to the inth_oauth2::client's request token.

pub fn config(&self) -> &Config

A reference to the config document of the provider obtained via discovery

pub fn auth_url(&self, options: &Options) -> Url

Constructs the auth_url to redirect a client to the provider. Options are... optional. Use them as needed. Keep the Options struct around for authentication, or at least the nonce and max_age parameter - we need to verify they stay the same and validate if you used them.

pub fn authenticate(
    &self,
    auth_code: &str,
    nonce: Option<&str>,
    max_age: Option<&Duration>
) -> Result<Token, Error>

Given an auth_code and auth options, request the token, decode, and validate it.

pub fn decode_token(
    &self,
    token: &mut Compact<Claims, Empty>
) -> Result<(), Error>

Mutates a Compact::encoded Token to Compact::decoded. Errors are:

• Decode::MissingKid if the keyset has multiple keys but the key id on the token is missing
• Decode::MissingKey if the given key id is not in the key set
• Decode::EmptySet if the keyset is empty
• Jose::WrongKeyType if the alg of the key and the alg in the token header mismatch
• Jose::WrongKeyType if the specified key alg isn't a signature algorithm
• Jose error if decoding fails

pub fn validate_token(
    &self,
    token: &Compact<Claims, Empty>,
    nonce: Option<&str>,
    max_age: Option<&Duration>
) -> Result<(), Error>

Validate a decoded token. If you don't get an error, its valid! Nonce and max_age come from your auth_uri options. Errors are:

• Jose Error if the Token isn't decoded
• Validation::Mismatch::Issuer if the provider issuer and token issuer mismatch
• Validation::Mismatch::Nonce if a given nonce and the token nonce mismatch
• Validation::Missing::Nonce if either the token or args has a nonce and the other does not
• Validation::Missing::Audience if the token aud doesn't contain the client id
• Validation::Missing::AuthorizedParty if there are multiple audiences and azp is missing
• Validation::Mismatch::AuthorizedParty if the azp is not the client_id
• Validation::Expired::Expires if the current time is past the expiration time
• Validation::Expired::MaxAge is the token is older than the provided max_age
• Validation::Missing::Authtime if a max_age was given and the token has no auth time

pub fn request_userinfo(
    &self,
    client: &Client,
    token: &Token
) -> Result<Userinfo, Error>

Get a userinfo json document for a given token at the provider's userinfo endpoint. Errors are:

• Userinfo::NoUrl if this provider doesn't have a userinfo endpoint
• Error::Insecure if the userinfo url is not https
• Error::Jose if the token is not decoded
• Error::Http if something goes wrong getting the document
• Error::Json if the response is not a valid Userinfo document
• Userinfo::MismatchSubject if the returned userinfo document and tokens subject mismatch