1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
use std::collections::HashMap;
use josekit::{jwk::Jwk, jwt::JwtPayload};
use serde::{Deserialize, Serialize};
use serde_json::Value;
use crate::helpers::get_serde_value_as_string;
/// # CallbackParams
/// These are the fields that is recieved from the Authorization server to the client.
/// Which of these fields are present will depend up on the type of authorization request
#[derive(Default, Serialize, Debug)]
pub struct CallbackParams {
/// Access token obtained
pub access_token: Option<String>,
/// Authorization code for exchanging at token endpoint
pub code: Option<String>,
/// Error recieved from the Auth server. [See RFC](https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.7)
pub error: Option<String>,
/// Error description recieved from the Auth server. [See RFC](https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.7)
pub error_description: Option<String>,
/// Error uri recieved from the Auth server. [See RFC](https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.7)
pub error_uri: Option<String>,
/// Token expiry
pub expires_in: Option<String>,
/// Id token
pub id_token: Option<String>,
/// State that was recieved from the Auth server
pub state: Option<String>,
/// Specified the access token type
pub token_type: Option<String>,
/// Session state
pub session_state: Option<String>,
/// The JARM response
pub response: Option<String>,
/// Issuer url
pub iss: Option<String>,
/// Scopes requested
pub scope: Option<String>,
/// Other fields received from Auth server
#[serde(flatten, skip_serializing_if = "Option::is_none")]
pub other: Option<HashMap<String, String>>,
}
impl CallbackParams {
/// Sets the access_token field.
pub fn access_token(mut self, access_token: Option<String>) -> Self {
self.access_token = access_token;
self
}
/// Sets the code field.
pub fn code(mut self, code: Option<String>) -> Self {
self.code = code;
self
}
/// Sets the error field.
pub fn error(mut self, error: Option<String>) -> Self {
self.error = error;
self
}
/// Sets the error_description field.
pub fn error_description(mut self, error_description: Option<String>) -> Self {
self.error_description = error_description;
self
}
/// Sets the error_uri field.
pub fn error_uri(mut self, error_uri: Option<String>) -> Self {
self.error_uri = error_uri;
self
}
/// Sets the expires_in field.
pub fn expires_in(mut self, expires_in: Option<String>) -> Self {
self.expires_in = expires_in;
self
}
/// Sets the id_token field.
pub fn id_token(mut self, id_token: Option<String>) -> Self {
self.id_token = id_token;
self
}
/// Sets the state field.
pub fn state(mut self, state: Option<String>) -> Self {
self.state = state;
self
}
/// Sets the token_type field.
pub fn token_type(mut self, token_type: Option<String>) -> Self {
self.token_type = token_type;
self
}
/// Sets the session_state field.
pub fn session_state(mut self, session_state: Option<String>) -> Self {
self.session_state = session_state;
self
}
/// Sets the response field.
pub fn response(mut self, response: Option<String>) -> Self {
self.response = response;
self
}
/// Sets the iss field.
pub fn iss(mut self, iss: Option<String>) -> Self {
self.iss = iss;
self
}
/// Sets the scope field.
pub fn scope(mut self, scope: Option<String>) -> Self {
self.scope = scope;
self
}
/// Sets the other field.
pub fn other(mut self, other: Option<HashMap<String, String>>) -> Self {
self.other = other;
self
}
}
impl CallbackParams {
pub(crate) fn from_jwt_payload(payload: &JwtPayload) -> Self {
let mut params = Self {
access_token: Self::json_value_to_string_option(payload.claim("access_token")),
code: Self::json_value_to_string_option(payload.claim("code")),
error: Self::json_value_to_string_option(payload.claim("error")),
error_description: Self::json_value_to_string_option(
payload.claim("error_description"),
),
error_uri: Self::json_value_to_string_option(payload.claim("error_uri")),
expires_in: Self::json_value_to_string_option(payload.claim("exp")),
id_token: Self::json_value_to_string_option(payload.claim("id_token")),
state: Self::json_value_to_string_option(payload.claim("state")),
token_type: Self::json_value_to_string_option(payload.claim("token_type")),
session_state: Self::json_value_to_string_option(payload.claim("session_state")),
response: Self::json_value_to_string_option(payload.claim("response")),
iss: Self::json_value_to_string_option(payload.claim("iss")),
scope: Self::json_value_to_string_option(payload.claim("scope")),
other: None,
};
let mut other = HashMap::<String, String>::new();
for (k, v) in payload.claims_set().iter() {
if let Ok(v_string) = get_serde_value_as_string(v) {
other.insert(k.to_string(), v_string);
}
}
params.other = Some(other);
params
}
fn json_value_to_string_option(value: Option<&Value>) -> Option<String> {
if let Some(v) = value {
return get_serde_value_as_string(v).ok();
}
None
}
}
/// # CallbackExtras
/// Extra details to be used for the callback
pub struct CallbackExtras {
/// Extra request body properties to be sent to the AS during code exchange.
pub exchange_body: Option<HashMap<String, String>>,
/// Extra client assertion payload parameters to be sent as part of a client JWT assertion.
/// This is only used when the client's token_endpoint_auth_method is either client_secret_jwt or private_key_jwt
pub client_assertion_payload: Option<HashMap<String, Value>>,
/// When provided the client will send a DPoP Proof JWT.
pub dpop: Option<Jwk>,
}
/// # OAuthCallbackChecks
/// Checks that needs to be performed against the OAuth [CallbackParams] recieved from the Auth server.
#[derive(Default, Serialize, Deserialize)]
pub struct OAuthCallbackChecks<'a> {
/// When provided the authorization response will be checked for presence of required parameters for a given response_type. Use of this check is recommended.
pub response_type: Option<&'a str>,
/// Expected state from the response
pub state: Option<&'a str>,
/// PKCE code verified to be sent to the token endpoint
pub code_verifier: Option<&'a str>,
/// Specifies that the response will be a JARM response
pub jarm: Option<bool>,
}
/// # OpenIDCallbackChecks
/// Checks that needs to be performed against the Oidc [CallbackParams] recieved from the Auth server.
#[derive(Default, Serialize, Deserialize)]
pub struct OpenIDCallbackChecks<'a> {
/// When provided the authorization response's ID Token auth_time parameter will be checked to be conform to the max_age value. Use of this check is required if you sent a max_age parameter into an authorization request. Default: uses client's default_max_age.
pub max_age: Option<u64>,
/// When provided the authorization response's ID Token nonce parameter will be checked to be the this expected one.
pub nonce: Option<&'a str>,
/// See [OAuthCallbackChecks]
pub oauth_checks: Option<OAuthCallbackChecks<'a>>,
}