Struct openidconnect::Client

pub struct Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
    AC: AdditionalClaims,
    AD: AuthDisplay,
    GC: GenderClaim,
    JE: JweContentEncryptionAlgorithm<JT>,
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
    P: AuthPrompt,
    TE: ErrorResponse,
    TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
    TT: TokenType + 'static,
    TIR: TokenIntrospectionResponse<TT>,
    RT: RevocableToken,
    TRE: ErrorResponse,  { /* fields omitted */ }

OpenID Connect client.

Error Types

To enable compile time verification that only the correct and complete set of errors for the Client function being invoked are exposed to the caller, the Client type is specialized on multiple implementations of the ErrorResponse trait. The exact ErrorResponse implementation returned varies by the RFC that the invoked Client function implements:

• Generic type TE (aka Token Error) for errors defined by RFC 6749 OAuth 2.0 Authorization Framework.
• Generic type TRE (aka Token Revocation Error) for errors defined by RFC 7009 OAuth 2.0 Token Revocation.

For example when revoking a token, error code unsupported_token_type (from RFC 7009) may be returned:

let res = client
    .revoke_token(AccessToken::new("some token".to_string()).into())
    .unwrap()
    .request(http_client);

assert!(matches!(res, Err(
    RequestTokenError::ServerResponse(err)) if matches!(err.error(),
        RevocationErrorResponseType::UnsupportedTokenType)));

Implementations

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
    AC: AdditionalClaims,
    AD: AuthDisplay,
    GC: GenderClaim,
    JE: JweContentEncryptionAlgorithm<JT>,
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
    P: AuthPrompt,
    TE: ErrorResponse + 'static,
    TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
    TT: TokenType + 'static,
    TIR: TokenIntrospectionResponse<TT>,
    RT: RevocableToken,
    TRE: ErrorResponse + 'static, 

pub fn new(
    client_id: ClientId,
    client_secret: Option<ClientSecret>,
    issuer: IssuerUrl,
    auth_url: AuthUrl,
    token_url: Option<TokenUrl>,
    userinfo_endpoint: Option<UserInfoUrl>,
    jwks: JsonWebKeySet<JS, JT, JU, K>
) -> Self

Initializes an OpenID Connect client.

pub fn from_provider_metadata<A, CA, CN, CT, G, JK, RM, RS, S>(
    provider_metadata: ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RS, S>,
    client_id: ClientId,
    client_secret: Option<ClientSecret>
) -> Self where
    A: AdditionalProviderMetadata,
    CA: ClientAuthMethod,
    CN: ClaimName,
    CT: ClaimType,
    G: GrantType,
    JK: JweKeyManagementAlgorithm,
    RM: ResponseMode,
    RS: ResponseType,
    S: SubjectIdentifierType, 

Initializes an OpenID Connect client from OpenID Connect Discovery provider metadata.

Use ProviderMetadata::discover or ProviderMetadata::discover_async to fetch the provider metadata.

pub fn set_auth_type(self, auth_type: AuthType) -> Self

Configures the type of client authentication used for communicating with the authorization server.

The default is to use HTTP Basic authentication, as recommended in Section 2.3.1 of RFC 6749.

pub fn set_redirect_uri(self, redirect_url: RedirectUrl) -> Self

Sets the the redirect URL used by the authorization endpoint.

pub fn set_introspection_uri(self, introspection_url: IntrospectionUrl) -> Self

Sets the introspection URL for contacting the (RFC 7662) introspection endpoint.

pub fn set_revocation_uri(self, revocation_url: RevocationUrl) -> Self

Sets the revocation URL for contacting the revocation endpoint (RFC 7009).

See: revoke_token()

pub fn enable_openid_scope(self) -> Self

Enables the openid scope to be requested automatically.

This scope is requested by default, so this function is only useful after previous calls to disable_openid_scope.

pub fn disable_openid_scope(self) -> Self

Disables the openid scope from being requested automatically.

pub fn id_token_verifier(&self) -> IdTokenVerifier<'_, JS, JT, JU, K>

Returns an ID token verifier for use with the IdToken::claims method.

pub fn authorize_url<NF, RS, SF>(
    &self,
    authentication_flow: AuthenticationFlow<RS>,
    state_fn: SF,
    nonce_fn: NF
) -> AuthorizationRequest<'_, AD, P, RS> where
    NF: FnOnce() -> Nonce + 'static,
    RS: ResponseType,
    SF: FnOnce() -> CsrfToken + 'static, 

Generates an authorization URL for a new authorization request.

NOTE: Passing authorization request parameters as a JSON Web Token instead of URL query parameters is not currently supported. The claims parameter is also not directly supported, although the AuthorizationRequest::add_extra_param method can be used to add custom parameters, including claims.

Arguments

• authentication_flow - The authentication flow to use (code, implicit, or hybrid).
• state_fn - A function that returns an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
• nonce_fn - Similar to state_fn, but used to generate an opaque nonce to be used when verifying the ID token returned by the OpenID Connect Provider.

Security Warning

Callers should use a fresh, unpredictable state for each authorization request and verify that this value matches the state parameter passed by the authorization server to the redirect URI. Doing so mitigates Cross-Site Request Forgery attacks.

Similarly, callers should use a fresh, unpredictable nonce to help protect against ID token reuse and forgery.

pub fn exchange_code(
    &self,
    code: AuthorizationCode
) -> CodeTokenRequest<'_, TE, TR, TT>

Creates a request builder for exchanging an authorization code for an access token.

Acquires ownership of the code because authorization codes may only be used once to retrieve an access token from the authorization server.

See https://tools.ietf.org/html/rfc6749#section-4.1.3

pub fn exchange_refresh_token<'a, 'b>(
    &'a self,
    refresh_token: &'b RefreshToken
) -> RefreshTokenRequest<'b, TE, TR, TT> where
    'a: 'b, 

Creates a request builder for exchanging a refresh token for an access token.

See https://tools.ietf.org/html/rfc6749#section-6

pub fn exchange_password<'a, 'b>(
    &'a self,
    username: &'b ResourceOwnerUsername,
    password: &'b ResourceOwnerPassword
) -> PasswordTokenRequest<'b, TE, TR, TT> where
    'a: 'b, 

Creates a request builder for exchanging credentials for an access token.

See https://tools.ietf.org/html/rfc6749#section-6

pub fn exchange_client_credentials<'a, 'b>(
    &'a self
) -> ClientCredentialsTokenRequest<'b, TE, TR, TT> where
    'a: 'b, 

Creates a request builder for exchanging client credentials for an access token.

See https://tools.ietf.org/html/rfc6749#section-4.4

pub fn user_info(
    &self,
    access_token: AccessToken,
    expected_subject: Option<SubjectIdentifier>
) -> Result<UserInfoRequest<'_, JE, JS, JT, JU, K>, ConfigurationError>

Creates a request builder for info about the user associated with the given access token.

This function requires that this Client be configured with a user info endpoint, which is an optional feature for OpenID Connect Providers to implement. If this Client does not know the provider’s user info endpoint, it returns the ConfigurationError error.

To help protect against token substitution attacks, this function optionally allows clients to provide the subject identifier whose user info they expect to receive. If provided and the subject returned by the OpenID Connect Provider does not match, the UserInfoRequest::request or UserInfoRequest::request_async functions will return UserInfoError::ClaimsVerification. If set to None, any subject is accepted.

pub fn introspect<'a>(
    &'a self,
    token: &'a AccessToken
) -> Result<IntrospectionRequest<'a, TE, TIR, TT>, ConfigurationError>

Creates a request builder for obtaining metadata about a previously received token.

See https://tools.ietf.org/html/rfc7662

pub fn revoke_token(
    &self,
    token: RT
) -> Result<RevocationRequest<'_, RT, TRE>, ConfigurationError>

Creates a request builder for revoking a previously received token.

Requires that set_revocation_url() have already been called to set the revocation endpoint URL.

Attempting to submit the generated request without calling set_revocation_url() first will result in an error.

See https://tools.ietf.org/html/rfc7009

Trait Implementations

impl<AC: Clone, AD: Clone, GC: Clone, JE: Clone, JS: Clone, JT: Clone, JU: Clone, K: Clone, P: Clone, TE: Clone, TR: Clone, TT: Clone, TIR: Clone, RT: Clone, TRE: Clone> Clone for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
    AC: AdditionalClaims,
    AD: AuthDisplay,
    GC: GenderClaim,
    JE: JweContentEncryptionAlgorithm<JT>,
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
    P: AuthPrompt,
    TE: ErrorResponse,
    TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
    TT: TokenType + 'static,
    TIR: TokenIntrospectionResponse<TT>,
    RT: RevocableToken,
    TRE: ErrorResponse, 

fn clone(
    &self
) -> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>

Returns a copy of the value.

pub fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<AC: Debug, AD: Debug, GC: Debug, JE: Debug, JS: Debug, JT: Debug, JU: Debug, K: Debug, P: Debug, TE: Debug, TR: Debug, TT: Debug, TIR: Debug, RT: Debug, TRE: Debug> Debug for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
    AC: AdditionalClaims,
    AD: AuthDisplay,
    GC: GenderClaim,
    JE: JweContentEncryptionAlgorithm<JT>,
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
    P: AuthPrompt,
    TE: ErrorResponse,
    TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
    TT: TokenType + 'static,
    TIR: TokenIntrospectionResponse<TT>,
    RT: RevocableToken,
    TRE: ErrorResponse, 

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.