Expand description
OpenID Connect library.
This library provides extensible, strongly-typed interfaces for the OpenID Connect protocol.
For convenience, the core module provides type aliases for common usage that adheres to the
OpenID Connect Core spec. Users of
this crate may define their own extensions and custom type parameters in lieu of using the
core module.
§Contents
- Importing
openidconnect: selecting an HTTP client interface - OpenID Connect Relying Party (Client) Interface
- OpenID Connect Provider (Server) Interface
- Asynchronous API
§Importing openidconnect: selecting an HTTP client interface
This library offers a flexible HTTP client interface with two modes:
-
Synchronous (blocking)
NOTE: Be careful not to use a blocking HTTP client within
asyncRust code, which may panic or cause other issues. Thetokio::task::spawn_blockingfunction may be useful in this situation. -
Asynchronous
§Security Warning
To prevent
SSRF
vulnerabilities, be sure to configure the HTTP client not to follow redirects. For example,
use redirect::Policy::none when using
reqwest, or redirects(0) when using ureq.
§HTTP Clients
For the HTTP client modes described above, the following HTTP client implementations can be used:
-
The
reqwestHTTP client supports both the synchronous and asynchronous modes and is enabled by default.Synchronous client:
reqwest::blocking::Client(requires thereqwest-blockingfeature flag)Asynchronous client:
reqwest::Client(requires either thereqwestorreqwest-blockingfeature flags) -
The
curlHTTP client only supports the synchronous HTTP client mode and can be enabled inCargo.tomlvia thecurlfeature flag.Synchronous client:
CurlHttpClient -
The
ureqHTTP client is a simple HTTP client with minimal dependencies. It only supports the synchronous HTTP client mode and can be enabled inCargo.tomlvia theureqfeature flag.Synchronous client:
ureq::Agent -
Custom
In addition to the clients above, users may define their own HTTP clients, which must accept an
HttpRequestand return anHttpResponseor error. Users writing their own clients may wish to disable the defaultreqwestdependency by specifyingdefault-features = falseinCargo.toml(replacing...with the desired version of this crate):openidconnect = { version = "...", default-features = false }Synchronous HTTP clients should implement the
SyncHttpClienttrait, which is automatically implemented for any function/closure that implements:ⓘFn(HttpRequest) -> Result<HttpResponse, E> where E: std::error::Error + 'staticAsynchronous HTTP clients should implement the
AsyncHttpClienttrait, which is automatically implemented for any function/closure that implements:ⓘFn(HttpRequest) -> F where E: std::error::Error + 'static, F: Future<Output = Result<HttpResponse, E>>,
§Comparing secrets securely
OpenID Connect flows require comparing secrets received from providers. To do so securely
while avoiding timing side-channels, the
comparison must be done in constant time, either using a constant-time crate such as
constant_time_eq (which could break if a future
compiler version decides to be overly smart
about its optimizations), or by first computing a cryptographically-secure hash (e.g., SHA-256)
of both values and then comparing the hashes using ==.
The timing-resistant-secret-traits feature flag adds a safe (but comparatively expensive)
PartialEq implementation to the secret types. Timing side-channels are why PartialEq is
not auto-derived for this crate’s secret types, and the lack of PartialEq is intended to
prompt users to think more carefully about these comparisons.
§OpenID Connect Relying Party (Client) Interface
The Client struct provides the OpenID Connect Relying Party interface. The most common
usage is provided by the core::CoreClient type alias.
§Examples
§Getting started: Authorization Code Grant w/ PKCE
This is the most common OIDC/OAuth2 flow. PKCE is recommended whenever the client has no client secret or has a client secret that cannot remain confidential (e.g., native, mobile, or client-side web applications).
§Example
use anyhow::anyhow;
use openidconnect::{
AccessTokenHash,
AuthenticationFlow,
AuthorizationCode,
ClientId,
ClientSecret,
CsrfToken,
IssuerUrl,
Nonce,
OAuth2TokenResponse,
PkceCodeChallenge,
RedirectUrl,
Scope,
TokenResponse,
};
use openidconnect::core::{
CoreAuthenticationFlow,
CoreClient,
CoreProviderMetadata,
CoreResponseType,
CoreUserInfoClaims,
};
use openidconnect::reqwest;
use url::Url;
let http_client = reqwest::blocking::ClientBuilder::new()
// Following redirects opens the client up to SSRF vulnerabilities.
.redirect(reqwest::redirect::Policy::none())
.build()
.expect("Client should build");
// Use OpenID Connect Discovery to fetch the provider metadata.
let provider_metadata = CoreProviderMetadata::discover(
&IssuerUrl::new("https://accounts.example.com".to_string())?,
&http_client,
)?;
// Create an OpenID Connect client by specifying the client ID, client secret, authorization URL
// and token URL.
let client =
CoreClient::from_provider_metadata(
provider_metadata,
ClientId::new("client_id".to_string()),
Some(ClientSecret::new("client_secret".to_string())),
)
// Set the URL the user will be redirected to after the authorization process.
.set_redirect_uri(RedirectUrl::new("http://redirect".to_string())?);
// Generate a PKCE challenge.
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
// Generate the full authorization URL.
let (auth_url, csrf_token, nonce) = client
.authorize_url(
CoreAuthenticationFlow::AuthorizationCode,
CsrfToken::new_random,
Nonce::new_random,
)
// Set the desired scopes.
.add_scope(Scope::new("read".to_string()))
.add_scope(Scope::new("write".to_string()))
// Set the PKCE code challenge.
.set_pkce_challenge(pkce_challenge)
.url();
// This is the URL you should redirect the user to, in order to trigger the authorization
// process.
println!("Browse to: {}", auth_url);
// Once the user has been redirected to the redirect URL, you'll have access to the
// authorization code. For security reasons, your code should verify that the `state`
// parameter returned by the server matches `csrf_state`.
// Now you can exchange it for an access token and ID token.
let token_response =
client
.exchange_code(AuthorizationCode::new("some authorization code".to_string()))?
// Set the PKCE code verifier.
.set_pkce_verifier(pkce_verifier)
.request(&http_client)?;
// Extract the ID token claims after verifying its authenticity and nonce.
let id_token = token_response
.id_token()
.ok_or_else(|| anyhow!("Server did not return an ID token"))?;
let id_token_verifier = client.id_token_verifier();
let claims = id_token.claims(&id_token_verifier, &nonce)?;
// Verify the access token hash to ensure that the access token hasn't been substituted for
// another user's.
if let Some(expected_access_token_hash) = claims.access_token_hash() {
let actual_access_token_hash = AccessTokenHash::from_token(
token_response.access_token(),
id_token.signing_alg()?,
id_token.signing_key(&id_token_verifier)?,
)?;
if actual_access_token_hash != *expected_access_token_hash {
return Err(anyhow!("Invalid access token"));
}
}
// The authenticated user's identity is now available. See the IdTokenClaims struct for a
// complete listing of the available claims.
println!(
"User {} with e-mail address {} has authenticated successfully",
claims.subject().as_str(),
claims.email().map(|email| email.as_str()).unwrap_or("<not provided>"),
);
// If available, we can use the user info endpoint to request additional information.
// The user_info request uses the AccessToken returned in the token response. To parse custom
// claims, use UserInfoClaims directly (with the desired type parameters) rather than using the
// CoreUserInfoClaims type alias.
let userinfo: CoreUserInfoClaims = client
.user_info(token_response.access_token().to_owned(), None)?
.request(&http_client)
.map_err(|err| anyhow!("Failed requesting user info: {}", err))?;
// See the OAuth2TokenResponse trait for a listing of other available fields such as
// access_token() and refresh_token().
§OpenID Connect Provider (Server) Interface
This library does not implement a complete OpenID Connect Provider, which requires functionality such as credential and session management. However, it does provide strongly-typed interfaces for parsing and building OpenID Connect protocol messages.
§OpenID Connect Discovery document
The ProviderMetadata struct implements the
OpenID Connect Discovery document.
This data structure should be serialized to JSON and served via the
GET .well-known/openid-configuration path relative to your provider’s issuer URL.
§Example
use openidconnect::{
AuthUrl,
EmptyAdditionalProviderMetadata,
IssuerUrl,
JsonWebKeySetUrl,
ResponseTypes,
Scope,
TokenUrl,
UserInfoUrl,
};
use openidconnect::core::{
CoreClaimName,
CoreJwsSigningAlgorithm,
CoreProviderMetadata,
CoreResponseType,
CoreSubjectIdentifierType
};
use url::Url;
let provider_metadata = CoreProviderMetadata::new(
// Parameters required by the OpenID Connect Discovery spec.
IssuerUrl::new("https://accounts.example.com".to_string())?,
AuthUrl::new("https://accounts.example.com/authorize".to_string())?,
// Use the JsonWebKeySet struct to serve the JWK Set at this URL.
JsonWebKeySetUrl::new("https://accounts.example.com/jwk".to_string())?,
// Supported response types (flows).
vec![
// Recommended: support the code flow.
ResponseTypes::new(vec![CoreResponseType::Code]),
// Optional: support the implicit flow.
ResponseTypes::new(vec![CoreResponseType::Token, CoreResponseType::IdToken])
// Other flows including hybrid flows may also be specified here.
],
// For user privacy, the Pairwise subject identifier type is preferred. This prevents
// distinct relying parties (clients) from knowing whether their users represent the same
// real identities. This identifier type is only useful for relying parties that don't
// receive the 'email', 'profile' or other personally-identifying scopes.
// The Public subject identifier type is also supported.
vec![CoreSubjectIdentifierType::Pairwise],
// Support the RS256 signature algorithm.
vec![CoreJwsSigningAlgorithm::RsaSsaPssSha256],
// OpenID Connect Providers may supply custom metadata by providing a struct that
// implements the AdditionalProviderMetadata trait. This requires manually using the
// generic ProviderMetadata struct rather than the CoreProviderMetadata type alias,
// however.
EmptyAdditionalProviderMetadata {},
)
// Specify the token endpoint (required for the code flow).
.set_token_endpoint(Some(TokenUrl::new("https://accounts.example.com/token".to_string())?))
// Recommended: support the user info endpoint.
.set_userinfo_endpoint(
Some(UserInfoUrl::new("https://accounts.example.com/userinfo".to_string())?)
)
// Recommended: specify the supported scopes.
.set_scopes_supported(Some(vec![
Scope::new("openid".to_string()),
Scope::new("email".to_string()),
Scope::new("profile".to_string()),
]))
// Recommended: specify the supported ID token claims.
.set_claims_supported(Some(vec![
// Providers may also define an enum instead of using CoreClaimName.
CoreClaimName::new("sub".to_string()),
CoreClaimName::new("aud".to_string()),
CoreClaimName::new("email".to_string()),
CoreClaimName::new("email_verified".to_string()),
CoreClaimName::new("exp".to_string()),
CoreClaimName::new("iat".to_string()),
CoreClaimName::new("iss".to_string()),
CoreClaimName::new("name".to_string()),
CoreClaimName::new("given_name".to_string()),
CoreClaimName::new("family_name".to_string()),
CoreClaimName::new("picture".to_string()),
CoreClaimName::new("locale".to_string()),
]));
serde_json::to_string(&provider_metadata).map_err(From::from)§OpenID Connect Discovery JSON Web Key Set
The JSON Web Key Set (JWKS) provides the public keys that relying parties (clients) use to
verify the authenticity of ID tokens returned by this OpenID Connect Provider. The
JsonWebKeySet data structure should be serialized as JSON and served at the URL specified
in the jwks_uri field of the ProviderMetadata returned in the OpenID Connect Discovery
document.
§Example
use openidconnect::{JsonWebKeyId, PrivateSigningKey};
use openidconnect::core::{CoreJsonWebKey, CoreJsonWebKeySet, CoreRsaPrivateSigningKey};
let jwks = CoreJsonWebKeySet::new(
vec![
// RSA keys may also be constructed directly using CoreJsonWebKey::new_rsa(). Providers
// aiming to support other key types may provide their own implementation of the
// JsonWebKey trait or submit a PR to add the desired support to this crate.
CoreRsaPrivateSigningKey::from_pem(
&rsa_pem,
Some(JsonWebKeyId::new("key1".to_string()))
)
.expect("Invalid RSA private key")
.as_verification_key()
]
);
serde_json::to_string(&jwks).map_err(From::from)§OpenID Connect ID Token
The IdToken::new method is used for signing ID token claims, which can then be returned
from the token endpoint as part of the StandardTokenResponse struct
(or core::CoreTokenResponse type alias). The ID token can also be serialized to a string
using the IdToken::to_string method and returned directly from the authorization endpoint
when the implicit flow or certain hybrid flows are used. Note that in these flows, ID tokens
must only be returned in the URL fragment, and never as a query parameter.
The ID token contains a combination of the
OpenID Connect Standard Claims
(see StandardClaims) and claims specific to the
OpenID Connect ID Token
(see IdTokenClaims).
§Example
use chrono::{Duration, Utc};
use openidconnect::{
AccessToken,
Audience,
EmptyAdditionalClaims,
EmptyExtraTokenFields,
EndUserEmail,
IssuerUrl,
JsonWebKeyId,
StandardClaims,
SubjectIdentifier,
};
use openidconnect::core::{
CoreIdToken,
CoreIdTokenClaims,
CoreIdTokenFields,
CoreJwsSigningAlgorithm,
CoreRsaPrivateSigningKey,
CoreTokenResponse,
CoreTokenType,
};
let id_token = CoreIdToken::new(
CoreIdTokenClaims::new(
// Specify the issuer URL for the OpenID Connect Provider.
IssuerUrl::new("https://accounts.example.com".to_string())?,
// The audience is usually a single entry with the client ID of the client for whom
// the ID token is intended. This is a required claim.
vec![Audience::new("client-id-123".to_string())],
// The ID token expiration is usually much shorter than that of the access or refresh
// tokens issued to clients.
Utc::now() + Duration::seconds(300),
// The issue time is usually the current time.
Utc::now(),
// Set the standard claims defined by the OpenID Connect Core spec.
StandardClaims::new(
// Stable subject identifiers are recommended in place of e-mail addresses or other
// potentially unstable identifiers. This is the only required claim.
SubjectIdentifier::new("5f83e0ca-2b8e-4e8c-ba0a-f80fe9bc3632".to_string())
)
// Optional: specify the user's e-mail address. This should only be provided if the
// client has been granted the 'profile' or 'email' scopes.
.set_email(Some(EndUserEmail::new("bob@example.com".to_string())))
// Optional: specify whether the provider has verified the user's e-mail address.
.set_email_verified(Some(true)),
// OpenID Connect Providers may supply custom claims by providing a struct that
// implements the AdditionalClaims trait. This requires manually using the
// generic IdTokenClaims struct rather than the CoreIdTokenClaims type alias,
// however.
EmptyAdditionalClaims {},
),
// The private key used for signing the ID token. For confidential clients (those able
// to maintain a client secret), a CoreHmacKey can also be used, in conjunction
// with one of the CoreJwsSigningAlgorithm::HmacSha* signing algorithms. When using an
// HMAC-based signing algorithm, the UTF-8 representation of the client secret should
// be used as the HMAC key.
&CoreRsaPrivateSigningKey::from_pem(
&rsa_pem,
Some(JsonWebKeyId::new("key1".to_string()))
)
.expect("Invalid RSA private key"),
// Uses the RS256 signature algorithm. This crate supports any RS*, PS*, or HS*
// signature algorithm.
CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256,
// When returning the ID token alongside an access token (e.g., in the Authorization Code
// flow), it is recommended to pass the access token here to set the `at_hash` claim
// automatically.
Some(&access_token),
// When returning the ID token alongside an authorization code (e.g., in the implicit
// flow), it is recommended to pass the authorization code here to set the `c_hash` claim
// automatically.
None,
)?;
Ok(CoreTokenResponse::new(
AccessToken::new("some_secret".to_string()),
CoreTokenType::Bearer,
CoreIdTokenFields::new(Some(id_token), EmptyExtraTokenFields {}),
))§Asynchronous API
An asynchronous API for async/await is also provided.
§Example
use anyhow::anyhow;
use openidconnect::{
AccessTokenHash,
AuthenticationFlow,
AuthorizationCode,
ClientId,
ClientSecret,
CsrfToken,
IssuerUrl,
Nonce,
OAuth2TokenResponse,
PkceCodeChallenge,
RedirectUrl,
Scope,
TokenResponse,
};
use openidconnect::core::{
CoreAuthenticationFlow,
CoreClient,
CoreProviderMetadata,
CoreResponseType,
};
use openidconnect::reqwest;
use url::Url;
let http_client = reqwest::ClientBuilder::new()
// Following redirects opens the client up to SSRF vulnerabilities.
.redirect(reqwest::redirect::Policy::none())
.build()
.expect("Client should build");
// Use OpenID Connect Discovery to fetch the provider metadata.
let provider_metadata = CoreProviderMetadata::discover_async(
IssuerUrl::new("https://accounts.example.com".to_string())?,
&http_client,
)
.await?;
// Create an OpenID Connect client by specifying the client ID, client secret, authorization URL
// and token URL.
let client =
CoreClient::from_provider_metadata(
provider_metadata,
ClientId::new("client_id".to_string()),
Some(ClientSecret::new("client_secret".to_string())),
)
// Set the URL the user will be redirected to after the authorization process.
.set_redirect_uri(RedirectUrl::new("http://redirect".to_string())?);
// Generate a PKCE challenge.
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
// Generate the full authorization URL.
let (auth_url, csrf_token, nonce) = client
.authorize_url(
CoreAuthenticationFlow::AuthorizationCode,
CsrfToken::new_random,
Nonce::new_random,
)
// Set the desired scopes.
.add_scope(Scope::new("read".to_string()))
.add_scope(Scope::new("write".to_string()))
// Set the PKCE code challenge.
.set_pkce_challenge(pkce_challenge)
.url();
// This is the URL you should redirect the user to, in order to trigger the authorization
// process.
println!("Browse to: {}", auth_url);
// Once the user has been redirected to the redirect URL, you'll have access to the
// authorization code. For security reasons, your code should verify that the `state`
// parameter returned by the server matches `csrf_state`.
// Now you can exchange it for an access token and ID token.
let token_response =
client
.exchange_code(AuthorizationCode::new("some authorization code".to_string()))?
// Set the PKCE code verifier.
.set_pkce_verifier(pkce_verifier)
.request_async(&http_client)
.await?;
// Extract the ID token claims after verifying its authenticity and nonce.
let id_token = token_response
.id_token()
.ok_or_else(|| anyhow!("Server did not return an ID token"))?;
let id_token_verifier = client.id_token_verifier();
let claims = id_token.claims(&id_token_verifier, &nonce)?;
// Verify the access token hash to ensure that the access token hasn't been substituted for
// another user's.
if let Some(expected_access_token_hash) = claims.access_token_hash() {
let actual_access_token_hash = AccessTokenHash::from_token(
token_response.access_token(),
id_token.signing_alg()?,
id_token.signing_key(&id_token_verifier)?,
)?;
if actual_access_token_hash != *expected_access_token_hash {
return Err(anyhow!("Invalid access token"));
}
}
// The authenticated user's identity is now available. See the IdTokenClaims struct for a
// complete listing of the available claims.
println!(
"User {} with e-mail address {} has authenticated successfully",
claims.subject().as_str(),
claims.email().map(|email| email.as_str()).unwrap_or("<not provided>"),
);
// See the OAuth2TokenResponse trait for a listing of other available fields such as
// access_token() and refresh_token().
Re-exports§
pub use oauth2::http;pub use oauth2::url;pub use oauth2::curl;pub use oauth2::reqwest;pub use oauth2::ureq;
Modules§
- core
- Baseline OpenID Connect implementation and types.
- registration
- OpenID Connect Dynamic Client Registration.
Structs§
- Access
Token - Access token returned by the token endpoint and used to access protected resources.
- Access
Token Hash - Access token hash.
- Address
Claim - Address claims.
- Address
Country - Country portion of address.
- Address
Locality - Locality portion of address.
- Address
Postal Code - Postal code portion of address.
- Address
Region - Region portion of address.
- Audience
- Audience claim value.
- AuthUrl
- URL of the authorization server’s authorization endpoint.
- Authentication
Context Class - Set of authentication methods or procedures that are considered to be equivalent to each other in a particular context.
- Authentication
Method Reference - Identifier for an authentication method (e.g.,
passwordortotp). - Authorization
Code - Authorization code returned from the authorization endpoint.
- Authorization
Code Hash - Authorization code hash.
- Authorization
Request - A request to the authorization endpoint.
- Client
- OpenID Connect client.
- Client
Config Url - Client configuration endpoint URL.
- Client
Contact Email - Client contact e-mail address.
- Client
Credentials Token Request - A request to exchange client credentials for an access token.
- Client
Id - Client identifier issued to the client during the registration process described by Section 2.2.
- Client
Name - OpenID Connect client name.
- Client
Secret - Client password issued to the client during the registration process described by Section 2.2.
- Client
Url - Client homepage URL.
- Code
Token Request - A request to exchange an authorization code for an access token.
- Csrf
Token - Value used for CSRF protection
via the
stateparameter. - Curl
Http Client - A synchronous HTTP client using
curl. - Device
Access Token Request - The request for a device access token from the authorization server.
- Device
Authorization Request - The request for a set of verification codes from the authorization server.
- Device
Authorization Response - Standard OAuth2 device authorization response.
- Device
Authorization Url - URL of the client’s device authorization endpoint.
- Device
Code - Device code returned by the device authorization endpoint and used to query the token endpoint.
- Empty
Additional Claims - No additional claims.
- Empty
Additional Provider Metadata - Empty (default) extra
ProviderMetadatafields. - Empty
Extra Device Authorization Fields - Empty (default) extra token fields.
- Empty
Extra Token Fields - Empty (default) extra token fields.
- EndSession
Url - URL for the OpenID Connect RP-Initiated Logout 1.0 end session endpoint.
- EndUser
Birthday - End user’s birthday, represented as an
ISO 8601:2004
YYYY-MM-DDformat. - EndUser
Email - End user’s e-mail address.
- EndUser
Family Name - End user’s family name.
- EndUser
Given Name - End user’s given name.
- EndUser
Middle Name - End user’s middle name.
- EndUser
Name - End user’s name.
- EndUser
Nickname - End user’s nickname.
- EndUser
Phone Number - End user’s phone number.
- EndUser
Picture Url - URL of end user’s profile picture.
- EndUser
Profile Url - URL of end user’s profile page.
- EndUser
Timezone - End user’s time zone as a string from the time zone database.
- EndUser
Username - End user’s username.
- EndUser
Verification Url - URL of the end-user verification URI on the authorization server.
- EndUser
Website Url - URL of end user’s website.
- Endpoint
Maybe Set - Typestate indicating that an endpoint may have been set and can be used via fallible methods.
- Endpoint
NotSet - Typestate indicating that an endpoint has not been set and cannot be used.
- Endpoint
Set - Typestate indicating that an endpoint has been set and is ready to be used.
- Formatted
Address - Full mailing address, formatted for display or use on a mailing label.
- IdToken
- OpenID Connect ID token.
- IdToken
Claims - OpenID Connect ID token claims.
- IdToken
Fields - Extends the base OAuth2 token response with an ID token.
- IdToken
Verifier - ID token verifier.
- Initiate
Login Url - URI using the
httpsscheme that a third party can use to initiate a login by the Relying Party. - Introspection
Request - A request to introspect an access token.
- Introspection
Url - URL of the client’s RFC 7662 OAuth 2.0 Token Introspection endpoint.
- Issuer
Url - URL using the
httpsscheme with no query or fragment component that the OP asserts as its Issuer Identifier. - Json
WebKey Id - ID of a JSON Web Key.
- Json
WebKey Set - JSON Web Key Set.
- Json
WebKey SetUrl - JSON Web Key Set URL.
- Json
WebToken Type - JSON Web Token type field (typ)
- Language
Tag - Language tag adhering to RFC 5646 (e.g.,
frorfr-CA). - Localized
Claim - A locale-aware claim.
- Login
Hint - Hint about the login identifier the End-User might use to log in.
- LogoUrl
- URL that references a logo for the Client application.
- Logout
Hint - Hint about the logout identifier the End-User might use to log out.
- Logout
Provider Metadata - Additional metadata for providers implementing OpenID Connect RP-Initiated Logout 1.0.
- Logout
Request - A request to the end session endpoint.
- Nonce
- String value used to associate a client session with an ID Token, and to mitigate replay attacks.
- Normalized
Json WebToken Type - Normalized JSON Web Token type field (typ)
- OpPolicy
Url - URL providing the OpenID Connect Provider’s data usage policies for client applications.
- OpTos
Url - URL providing the OpenID Connect Provider’s Terms of Service.
- Password
Token Request - A request to exchange resource owner credentials for an access token.
- Pkce
Code Challenge - Code Challenge used for PKCE protection via the
code_challengeparameter. - Pkce
Code Challenge Method - Code Challenge Method used for PKCE protection
via the
code_challenge_methodparameter. - Pkce
Code Verifier - Code Verifier used for PKCE protection via the
code_verifierparameter. The value must have a minimum length of 43 characters and a maximum length of 128 characters. Each character must be ASCII alphanumeric or one of the characters “-” / “.” / “_” / “~”. - Policy
Url - URL providing a client application’s data usage policy.
- Post
Logout Redirect Url - The post logout redirect URL, which should be passed to the end session endpoint of providers implementing OpenID Connect RP-Initiated Logout 1.0.
- Provider
Metadata - Provider metadata returned by OpenID Connect Discovery.
- Redirect
Url - URL of the client’s redirection endpoint.
- Refresh
Token - Refresh token used to obtain a new access token (if supported by the authorization server).
- Refresh
Token Request - A request to exchange a refresh token for an access token.
- Registration
Access Token - Access token used by a client application to access the Client Registration endpoint.
- Registration
Url - URL of the Client Registration endpoint.
- Request
Url - URL used to pass request parameters as JWTs by reference.
- Resource
Owner Password - Resource owner’s password used directly as an authorization grant to obtain an access token.
- Resource
Owner Username - Resource owner’s username used directly as an authorization grant to obtain an access token.
- Response
Types - Informs the Authorization Server of the desired authorization processing flow, including what parameters are returned from the endpoints used.
- Revocation
Request - A request to revoke a token via an
RFC 7009compatible endpoint. - Revocation
Url - URL of the authorization server’s RFC 7009 token revocation endpoint.
- Scope
- Access token scope, as defined by the authorization server.
- Sector
Identifier Url - URL for retrieving redirect URIs that should receive identical pairwise subject identifiers.
- Service
DocUrl - URL for developer documentation for an OpenID Connect Provider.
- Standard
Claims - Standard Claims defined by OpenID Connect Core.
- Standard
Error Response - Error response returned by server after requesting an access token.
- Standard
Token Introspection Response - Standard OAuth2 token introspection response.
- Standard
Token Response - Standard OAuth2 token response.
- Street
Address - A user’s street address.
- Subject
Identifier - Locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the client application.
- ToSUrl
- URL for the relying party’s Terms of Service.
- Token
Url - URL of the authorization server’s token endpoint.
- User
Code - User code returned by the device authorization endpoint and used by the user to authorize at the verification URI.
- User
Info Claims - User info claims.
- User
Info Json WebToken - JSON Web Token (JWT) containing user info claims.
- User
Info Request - User info request.
- User
Info Url - URL for a provider’s user info endpoint.
- User
Info Verifier - User info verifier.
- Verification
UriComplete - Verification URI returned by the device authorization endpoint and visited by the user to authorize. Contains the user code.
Enums§
- Auth
Type - Indicates whether requests to the authorization server should use basic authentication or include the parameters in the request body for requests in which either is valid.
- Authentication
Flow - Authentication flow, which determines how the Authorization Server returns the OpenID Connect ID token and OAuth2 access token to the Relying Party.
- Claims
Verification Error - Error verifying claims.
- Configuration
Error - There was a problem configuring the request.
- Device
Code Error Response Type - Basic access token error types.
- Discovery
Error - Error retrieving provider metadata.
- Http
Client Error - Error type returned by built-in HTTP clients when requests fail.
- Json
WebKey Algorithm - Encodes a JWK key’s alg field compatibility with either signing or encryption operations.
- Json
WebToken Error - Error creating a JSON Web Token.
- Request
Token Error - Error encountered while requesting access token.
- Revocation
Error Response Type - OAuth 2.0 Token Revocation error response types.
- Signature
Verification Error - Error verifying claims signature.
- Signing
Error - Error signing a message.
- User
Info Error - Error retrieving user info.
- User
Info Response Type - Indicates via the
Acceptheader the body response type the server should use to return the user info. Note that the server can ignore this header.
Traits§
- Additional
Claims - Additional claims beyond the set of Standard Claims defined by OpenID Connect Core.
- Additional
Provider Metadata - Trait for adding extra fields to
ProviderMetadata. - Application
Type - Client application type.
- Async
Http Client - An asynchronous (future-based) HTTP client.
- Auth
Display - How the Authorization Server displays the authentication and consent user interface pages to the End-User.
- Auth
Prompt - Whether the Authorization Server should prompt the End-User for reauthentication and consent.
- Claim
Name - Claim name.
- Claim
Type - Claim type (e.g., normal, aggregated, or distributed).
- Client
Auth Method - Client authentication method.
- Endpoint
State - Typestate base trait indicating whether an endpoint has been configured via its corresponding setter.
- Error
Response - Server Error Response
- Error
Response Type - Error types enum.
- Extra
Device Authorization Fields - Trait for adding extra fields to the
DeviceAuthorizationResponse. - Extra
Token Fields - Trait for adding extra fields to the
TokenResponse. - Gender
Claim - Gender claim.
- Grant
Type - Grant type.
- Json
WebKey - JSON Web Key.
- Json
WebKey Type - Key type (e.g., RSA).
- Json
WebKey Use - Allowed key usage.
- JweContent
Encryption Algorithm - JSON Web Encryption (JWE) content encryption algorithm.
- JweKey
Management Algorithm - JSON Web Encryption (JWE) key management algorithm.
- JwsSigning
Algorithm - JSON Web Signature (JWS) algorithm.
- Nonce
Verifier - Trait for verifying ID token nonces.
- OAuth2
Token Response - Common methods shared by all OAuth2 token implementations.
- Private
Signing Key - Private or symmetric key for signing.
- Response
Mode - Response mode indicating how the OpenID Connect Provider should return the Authorization Response to the Relying Party (client).
- Response
Type - Response type indicating the desired authorization processing flow, including what parameters are returned from the endpoints used.
- Revocable
Token - A revocable token.
- Subject
Identifier Type - Subject identifier type returned by an OpenID Connect Provider to uniquely identify its users.
- Sync
Http Client - A synchronous (blocking) HTTP client.
- Token
Introspection Response - Common methods shared by all OAuth2 token introspection implementations.
- Token
Response - Extends the base OAuth2 token response with an ID token.
- Token
Type - Type of OAuth2 access token.
Type Aliases§
- Device
Code Error Response - Error response specialization for device code OAuth2 implementation.
- Http
Request - An HTTP request.
- Http
Response - An HTTP response.
- Provider
Metadata With Logout - Provider metadata returned by OpenID Connect Discovery
that returns
ProviderMetadata::additional_metadatafor providers implementing OpenID Connect RP-Initiated Logout 1.0.