Struct openid_client::Issuer

source ·

pub struct Issuer {Show 19 fields
    pub issuer: String,
    pub authorization_endpoint: Option<String>,
    pub token_endpoint: Option<String>,
    pub jwks_uri: Option<String>,
    pub userinfo_endpoint: Option<String>,
    pub revocation_endpoint: Option<String>,
    pub claims_parameter_supported: Option<bool>,
    pub grant_types_supported: Option<Vec<String>>,
    pub request_parameter_supported: Option<bool>,
    pub request_uri_parameter_supported: Option<bool>,
    pub require_request_uri_registration: Option<bool>,
    pub response_modes_supported: Option<Vec<String>>,
    pub claim_types_supported: Vec<String>,
    pub token_endpoint_auth_methods_supported: Option<Vec<String>>,
    pub introspection_endpoint_auth_methods_supported: Option<Vec<String>>,
    pub introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
    pub revocation_endpoint_auth_methods_supported: Option<Vec<String>>,
    pub revocation_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
    pub other_fields: HashMap<String, Value>,
    /* private fields */
}

Expand description

Holds all the discovered values from the OIDC Issuer

Fields§

§issuer: String

Discovered issuer uri.

§authorization_endpoint: Option<String>

OpenID Connect Authorization Endpoint.

§token_endpoint: Option<String>

OpenID Connect Token Endpoint.

§jwks_uri: Option<String>

URL of the authorization server’s JWK Set. See.

§userinfo_endpoint: Option<String>

OpenID Connect Userinfo Endpoint.

§revocation_endpoint: Option<String>

Endpoint for revoking refresh tokes and access tokens. Authorization Server Metadata.

§claims_parameter_supported: Option<bool>

Claims supported by the Authorization Server

§grant_types_supported: Option<Vec<String>>

OAuth 2.0 Grant Types supported by the Authorization Server. RFC 7591.

§request_parameter_supported: Option<bool>

Indicates whether request object is supported by Authorization Server. OIDC Request Object.

§request_uri_parameter_supported: Option<bool>

Indicates whether request object by reference is supported by Authorization Server. OIDC Request Object by Reference.

§require_request_uri_registration: Option<bool>

Whether a request uri has to be pre registered with Authorization Server.

§response_modes_supported: Option<Vec<String>>

OAuth 2.0 Response Mode values that Authorization Server supports. Authorization Server Metadata.

§claim_types_supported: Vec<String>

Claim Types supported. OIDC Claim types.

§token_endpoint_auth_methods_supported: Option<Vec<String>>

Client Authentication methods supported by Token Endpoint. Client Authentication

§introspection_endpoint_auth_methods_supported: Option<Vec<String>>

List of client authentication methods supported by the Authorization Server.

§introspection_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>

List of JWS signing algorithms supported by the introspection endpoint for the signature of the JWT that the client uses to authenticate.

§revocation_endpoint_auth_methods_supported: Option<Vec<String>>

List of client authentication methods supported by the Authorization Server.

§revocation_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>

List of JWS signing algorithms supported by the revocation endpoint for the signature of the JWT that the client uses to authenticate.

§other_fields: HashMap<String, Value>

Extra key values

Implementations§

source §

impl Issuer

source

pub fn new( metadata: IssuerMetadata, request_interceptor: Option<RequestInterceptor> ) -> Self

Instantiate new Issuer using IssuerMetadata


fn main() {
    let metadata = IssuerMetadata {
        issuer: "https://auth.example.com".to_string(),
        authorization_endpoint: Some("https://auth.example.com/authorize".to_string()),
        token_endpoint: Some("https://auth.example.com/token".to_string()),
        userinfo_endpoint: Some("https://auth.example.com/userinfo".to_string()),
        jwks_uri: Some("https://auth.example.com/certs".to_string()),
        ..IssuerMetadata::default()
    };

    let issuer = Issuer::new(metadata);
}

No OIDC Discovery defaults are set if Issuer is made through this method.

If no introspection/revocation endpoint auth methods or algorithms are specified, value of token endpoint auth methods and algorithms are used as the the value for the said properties.

source §

impl Issuer

OIDC Issuer Discovery

source

pub fn discover(issuer: &str) -> Result<Issuer, OidcClientError>

pub fn discover_with_interceptor( issuer: &str, interceptor: RequestInterceptor ) -> Result<Issuer, OidcClientError>

Discover OIDC Issuer with a request interceptor

This is a blocking method. Checkout Issuer::discover_with_interceptor_async for async version.

Allows you to pass in a closure that will be called for every request. First parameter is the actual request that is being processed. See Request. The expected return type is of type [RequestOptions] with custom headers and the timeout.


fn main(){
    let interceptor = |_request: &Request| {
                    let mut headers = HeaderMap::new();
                    headers.append("testHeader", HeaderValue::from_static("testHeaderValue"));

                    RequestOptions {
                        headers,
                        timeout: Duration::from_millis(3500),
                    }
                };

    let issuer = Issuer::discover_with_interceptor("https://auth.example.com", Box::new(request_options)).unwrap();
}

Headers that are returned with request options are appended to the headers of the request. If there are duplicate headers, all values are appended to the header like so: header: value1, value2, value3 ....

source

pub async fn discover_async(issuer: &str) -> Result<Issuer, OidcClientError>

Discover OIDC Issuer

This is an async method. Checkout Issuer::discover for blocking version.

Discover an OIDC Issuer using the issuer url method.


#[tokio::main]
async fn main(){
    let issuer = Issuer::discover_async("https://auth.example.com").await.unwrap();
}

Only an absolute urls are accepted, passing in auth.example.com will result in an error.

Urls with .well-known/openid-configuration can also be used to discover issuer.


#[tokio::main]
async fn main(){
    let issuer = Issuer::discover_async("https://auth.example.com/.well-known/openid-configurtaion").await.unwrap();
}

source

pub async fn discover_with_interceptor_async( issuer: &str, request_interceptor: RequestInterceptor ) -> Result<Issuer, OidcClientError>

Discover OIDC Issuer with a request interceptor

This is an async method. Checkout Issuer::discover_with_interceptor for blocking version.

Allows you to pass in a closure that will be called for every request. First parameter is the actual request that is being processed. See Request. The expected return type is of type [RequestOptions] with custom headers and the timeout.


#[tokio::main]
fn main(){
    let interceptor = |_request: &Request| {
                    let mut headers = HeaderMap::new();
                    headers.append("testHeader", HeaderValue::from_static("testHeaderValue"));

                    RequestOptions {
                        headers,
                        timeout: Duration::from_millis(3500),
                    }
                };

    let issuer = Issuer::discover_with_interceptor_async("https://auth.example.com", Box::new(request_options)).unwrap();
}

Headers that are returned with request options are appended to the headers of the request. If there are duplicate headers, all values are appended to the header like so: header: value1, value2, value3 ....

source §

impl Issuer

OIDC Issuer Webfinger Discovery

source

pub fn webfinger(input: &str) -> Result<Issuer, OidcClientError>

Webfinger OIDC Issuer Discovery

This is a blocking method. Checkout Issuer::webfinger_async for async version.

Discover an OIDC Issuer using the user email, url, url with port syntax or acct syntax.


fn main(){
    let issuer_email = Issuer::webfinger("joe@auth.example.com").unwrap();
    let issuer_url = Issuer::webfinger("https://auth.example.com/joe").unwrap();
    let issuer_url_port = Issuer::webfinger("auth.example.com:3000/joe").unwrap();
    let issuer_acct_email = Issuer::webfinger("acct:joe@auth.example.com").unwrap();
    let issuer_acct_host = Issuer::webfinger("acct:auth.example.com").unwrap();
}

source

pub fn webfinger_with_interceptor( input: &str, request_options: RequestInterceptor ) -> Result<Issuer, OidcClientError>

Webfinger OIDC Issuer Discovery with request interceptor

This is a blocking method. Checkout Issuer::webfinger_with_interceptor_async for async version.

Discover an OIDC Issuer using the user email, url, url with port syntax or acct syntax.

Allows you to pass in a closure as a second argument that will be called for every request. First parameter is the actual request that is being processed. See Request. The expected return type is of type [RequestOptions] with custom headers and the timeout.


fn main(){
    let interceptor = |_request: &Request| {
                    let mut headers = HeaderMap::new();
                    headers.append("testHeader", HeaderValue::from_static("testHeaderValue"));

                    RequestOptions {
                        headers,
                        timeout: Duration::from_millis(3500),
                    }
                };
    let issuer = Issuer::webfinger_with_interceptor("joe@auth.example.com", Box::new(interceptor)).unwrap();
}

source

pub async fn webfinger_async(input: &str) -> Result<Issuer, OidcClientError>

Webfinger OIDC Issuer Discovery

This is an async method. Checkout Issuer::webfinger for blocking version.

Discover an OIDC Issuer using the user email, url, url with port syntax or acct syntax.

use openid_client::Issuer;
#[tokio::main]
async fn main(){
    let issuer_email = Issuer::webfinger_async("joe@auth.example.com").await.unwrap();
    let issuer_url = Issuer::webfinger_async("https://auth.example.com/joe").await.unwrap();
    let issuer_url_port = Issuer::webfinger_async("auth.example.com:3000/joe").await.unwrap();
    let issuer_acct_email = Issuer::webfinger_async("acct:joe@auth.example.com").await.unwrap();
    let issuer_acct_host = Issuer::webfinger_async("acct:auth.example.com").await.unwrap();
}

source

pub async fn webfinger_with_interceptor_async( input: &str, request_options: RequestInterceptor ) -> Result<Issuer, OidcClientError>

Webfinger OIDC Issuer Discovery with request interceptor

This is an async method. Checkout Issuer::webfinger_with_interceptor for blocking version.

Discover an OIDC Issuer using the user email, url, url with port syntax or acct syntax.

Allows you to pass in a closure as a second argument that will be called for every request. First parameter is the actual request that is being processed. See Request. The expected return type is of type [RequestOptions] with custom headers and the timeout.

use openid_client::{Issuer, Request, HeaderMap, HeaderValue, RequestOptions};
use std::time::Duration;

#[tokio::main]
async fn main(){
    let interceptor = |_request: &Request| {
                    let mut headers = HeaderMap::new();
                    headers.append("testHeader", HeaderValue::from_static("testHeaderValue"));

                    RequestOptions {
                        headers,
                        timeout: Duration::from_millis(3500),
                    }
                };
    let issuer = Issuer::webfinger_with_interceptor_async("joe@auth.example.com", Box::new(interceptor)).await.unwrap();
}

source §

impl Issuer

New Client implementation for Issuer

source

pub fn client( &self, metadata: ClientMetadata, interceptor: Option<RequestInterceptor>, jwks: Option<Jwks>, client_options: Option<ClientOptions> ) -> Result<Client, OidcClientError>

Get client from the issuer

This method creates a new Client from the issuer. A client metadata with a required client_id field is also required

Note: The request interceptor from the issuer is not carried over to the client. If no interceptor is provided with the method, a client with default request interceptor is created. The reason for not taking the interceptor from the issuer is to avoid the confusion of which request interceptor a Client is being created with when you are trying to create a Client from the issuer that you get back from the Client::get_issuer().


fn main(){
  let issuer_metadata = IssuerMetadata {
      issuer: "https://auth.example.com".to_string(),
      token_endpoint_auth_methods_supported: Some(vec![
          "client_secret_post".to_string(),
          "private_key_jwt".to_string(),
       ]),
       ..IssuerMetadata::default()
   };
    
  let issuer = Issuer::new(issuer_metadata, None);

  let client_metadata = ClientMetadata {
      client_id: Some("client_id".to_string()),
      ..ClientMetadata::default()
  };

  let client = issuer.client(client_metadata, None, None, None).unwrap();
}

You can also create a client fromt the issuer with custom request interceptor, jwks and client options

TODO: Document the client options and jwks and how it will be used by the client, and refactor the code snippet



fn main() {
    let issuer_metadata = IssuerMetadata {
        issuer: "https://auth.example.com".to_string(),
        token_endpoint_auth_methods_supported: Some(vec![
            "client_secret_post".to_string(),
            "private_key_jwt".to_string(),
        ]),
        ..IssuerMetadata::default()
    };

    let issuer = Issuer::new(issuer_metadata, None);

    let client_metadata = ClientMetadata {
        client_id: Some("client_id".to_string()),
        ..ClientMetadata::default()
    };

    let interceptor = |_request: &crate::types::Request| {
        let mut headers = HeaderMap::new();
        headers.append("testHeader", HeaderValue::from_static("testHeaderValue"));

        RequestOptions {
            headers,
            timeout: Duration::from_millis(3500),
        }
    };

    let client = issuer
        .client(
            client_metadata,
            Some(Box::new(interceptor)),
            Some(Jwks::default()),
            Some(ClientOptions {
                additional_authorized_parties: Some(vec!["azp".to_string()]),
            }),
        )
        .unwrap();
}