Crate openid_client

OpenID Client

A feature complete OpenID Client library for Rust. Not stable, kindly report any bugs.

Implemented specs & features

The following client/RP features from OpenID Connect/OAuth2.0 specifications are implemented by openid-client.

• OpenID Connect Core 1.0
  • Authorization Callback
    • Authorization Code Flow
    • Implicit Flow
    • Hybrid Flow
  • UserInfo Request
  • Offline Access / Refresh Token Grant
  • Client Credentials Grant
  • Client Authentication
    • none
    • client_secret_basic
    • client_secret_post
    • client_secret_jwt
    • private_key_jwt
  • Consuming Self-Issued OpenID Provider ID Token response
• OpenID Connect Discovery 1.0
  • Discovery of OpenID Provider (Issuer) Metadata
  • Discovery of OpenID Provider (Issuer) Metadata via user provided inputs (via [webfinger][documentation-webfinger])
• OpenID Connect Dynamic Client Registration 1.0
  • Dynamic Client Registration request
  • Client initialization via registration client uri
• RFC7009 - OAuth 2.0 Token revocation
  • Client Authenticated request to token revocation
• RFC7662 - OAuth 2.0 Token introspection
  • Client Authenticated request to token introspection
• RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow)
• RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens
  • Mutual TLS Client Certificate-Bound Access Tokens
  • Metadata for Mutual TLS Endpoint Aliases
  • Client Authentication
    • tls_client_auth
    • self_signed_tls_client_auth
• RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)
• RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)
• RFC9449 - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
• OpenID Connect RP-Initiated Logout 1.0
• Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)
• JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• OAuth 2.0 Authorization Server Issuer Identification

Generating JWKs

This crate uses Josekit for JWKs. To create JWKs, refer JWK in the Josekit documentation.

Using MTLS

To use MTLS, ie; certificate authentication, you’ll need to create your own http client out of the types::OidcHttpClient trait. Override the types::OidcHttpClient::get_client_certificate function (which returns None by default) to return Some(types::http_client::ClientCertificate).

When the request requires MTLS, and the types::OidcHttpClient::get_client_certificate method returns None, a client error will be returned.

Issuer API

New Instance

• issuer::Issuer::new

OIDC Discovery

• issuer::Issuer::discover_async

Webfinger Discovery

• issuer::Issuer::webfinger_async

Client from Issuer

• issuer::Issuer::client

Client

Instance methods

• client::Client::callback_async
• client::Client::oauth_callback_async
• client::Client::grant_async
• client::Client::authorization_url
• client::Client::end_session_url
• client::Client::authorization_post
• client::Client::introspect_async
• client::Client::callback_params
• client::Client::request_resource_async
• client::Client::refresh_async
• client::Client::revoke_async
• client::Client::userinfo_async
• client::Client::request_object_async
• client::Client::pushed_authorization_request_async
• client::Client::device_authorization_async

Client Read

• client::Client::from_uri_async

Dynamic Client Registration

• client::Client::register_async

Modules

client

OIDC Client module

helpers

Helpers

http_client

Default Http Client

issuer

Issuer

jwks

Jwks implementation used by this crate.

re_exports

Re exports from the crate

tokenset

TokenSet Module

types

Types Module