Struct openid::Client

pub struct Client<P = Discovered, C: CompactJson + Claims = StandardClaims> {
    pub provider: P,
    pub client_id: String,
    pub client_secret: String,
    pub redirect_uri: Option<String>,
    pub http_client: Client,
    pub jwks: Option<JWKSet<Empty>>,
    // some fields omitted
}

OAuth 2.0 client.

Fields

provider: P

OAuth provider.

client_id: String

Client ID.

client_secret: String

Client secret.

redirect_uri: Option<String>

Redirect URI.

http_client: Client

jwks: Option<JWKSet<Empty>>

Implementations

impl<C: CompactJson + Claims> Client<Discovered, C>

pub async fn discover(
    id: String,
    secret: String,
    redirect: Option<String>,
    issuer: Url
) -> Result<Self, Error>

Constructs a client from an issuer url and client parameters via discovery

impl<C: CompactJson + Claims, P: Provider + Configurable> Client<P, C>

pub fn redirect_url(&self) -> &str

Passthrough to the redirect_url stored in inth_oauth2 as a str.

pub fn config(&self) -> &Config

A reference to the config document of the provider obtained via discovery

pub fn auth_url(&self, options: &Options) -> Url

Constructs the auth_url to redirect a client to the provider. Options are... optional. Use them as needed. Keep the Options struct around for authentication, or at least the nonce and max_age parameter - we need to verify they stay the same and validate if you used them.

pub async fn authenticate<'_, '_, '_, '_>(
    &'_ self,
    auth_code: &'_ str,
    nonce: Option<&'_ str>,
    max_age: Option<&'_ Duration>
) -> Result<Token<C>, Error>

Given an auth_code and auth options, request the token, decode, and validate it.

pub fn decode_token(&self, token: &mut Jws<C, Empty>) -> Result<(), Error>

Mutates a Compact::encoded Token to Compact::decoded. Errors are:

• Decode::MissingKid if the keyset has multiple keys but the key id on the token is missing
• Decode::MissingKey if the given key id is not in the key set
• Decode::EmptySet if the keyset is empty
• Jose::WrongKeyType if the alg of the key and the alg in the token header mismatch
• Jose::WrongKeyType if the specified key alg isn't a signature algorithm
• Jose error if decoding fails

pub fn validate_token(
    &self,
    token: &Jws<C, Empty>,
    nonce: Option<&str>,
    max_age: Option<&Duration>
) -> Result<(), Error>

Validate a decoded token. If you don't get an error, its valid! Nonce and max_age come from your auth_uri options. Errors are:

• Jose Error if the Token isn't decoded
• Validation::Mismatch::Issuer if the provider issuer and token issuer mismatch
• Validation::Mismatch::Nonce if a given nonce and the token nonce mismatch
• Validation::Missing::Nonce if either the token or args has a nonce and the other does not
• Validation::Missing::Audience if the token aud doesn't contain the client id
• Validation::Missing::AuthorizedParty if there are multiple audiences and azp is missing
• Validation::Mismatch::AuthorizedParty if the azp is not the client_id
• Validation::Expired::Expires if the current time is past the expiration time
• Validation::Expired::MaxAge is the token is older than the provided max_age
• Validation::Missing::Authtime if a max_age was given and the token has no auth time

pub async fn request_userinfo<'_, '_>(
    &'_ self,
    token: &'_ Token<C>
) -> Result<Userinfo, Error>

Get a userinfo json document for a given token at the provider's userinfo endpoint. Errors are:

• Userinfo::NoUrl if this provider doesn't have a userinfo endpoint
• Error::Insecure if the userinfo url is not https
• Error::Jose if the token is not decoded
• Error::Http if something goes wrong getting the document
• Error::Json if the response is not a valid Userinfo document
• Userinfo::MismatchSubject if the returned userinfo document and tokens subject mismatch

impl<P, C> Client<P, C> where
    P: Provider,
    C: CompactJson + Claims, 

pub fn new(
    provider: P,
    client_id: String,
    client_secret: String,
    redirect_uri: Option<String>,
    http_client: Client,
    jwks: Option<JWKSet<Empty>>
) -> Self

Creates a client.

Examples

use openid::{Client, StandardClaims};
use openid::provider::google::Installed;

let client: Client<_, StandardClaims> = Client::new(
    Installed,
    String::from("CLIENT_ID"),
    String::from("CLIENT_SECRET"),
    Some(String::from("urn:ietf:wg:oauth:2.0:oob")),
    reqwest::Client::new(), None,
);

pub fn auth_uri(&self, scope: Option<&str>, state: Option<&str>) -> Url

Returns an authorization endpoint URI to direct the user to.

See RFC 6749, section 3.1.

Examples

use openid::Client;
use openid::provider::google::Installed;

let client: Client<_> = Client::new(
    Installed,
    String::from("CLIENT_ID"),
    String::from("CLIENT_SECRET"),
    Some(String::from("urn:ietf:wg:oauth:2.0:oob")),
    reqwest::Client::new(), None,
);

let auth_uri = client.auth_uri(
    Some("https://www.googleapis.com/auth/userinfo.email"),
    None,
);

pub async fn request_token<'_, '_>(
    &'_ self,
    code: &'_ str
) -> Result<Bearer, ClientError>

Requests an access token using an authorization code.

See RFC 6749, section 4.1.3.

pub async fn request_token_using_client_credentials<'_>(
    &'_ self
) -> Result<Bearer, ClientError>

Requests an access token using the Client Credentials Grant flow

See RFC 6749, section 4.4

pub async fn refresh_token<'_, '_>(
    &'_ self,
    token: Bearer,
    scope: Option<&'_ str>
) -> Result<Bearer, ClientError>

Refreshes an access token.

See RFC 6749, section 6.

pub async fn ensure_token<'_>(
    &'_ self,
    token: Bearer
) -> Result<Bearer, ClientError>

Ensures an access token is valid by refreshing it if necessary.

Trait Implementations

impl<P: Debug, C: Debug + CompactJson + Claims> Debug for Client<P, C>

fn fmt(&self, f: &mut Formatter) -> Result

Formats the value using the given formatter.