Struct openidconnect::Client
pub struct Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse, { /* fields omitted */ }
OpenID Connect client.
Error Types
To enable compile time verification that only the correct and complete set of errors for the Client function being invoked are exposed to the caller, the Client type is specialized on multiple implementations of the ErrorResponse trait. The exact ErrorResponse implementation returned varies by the RFC that the invoked Client function implements:
- Generic type TE (aka Token Error) for errors defined by RFC 6749 OAuth 2.0 Authorization Framework.
- Generic type TRE (aka Token Revocation Error) for errors defined by RFC 7009 OAuth 2.0 Token Revocation.
For example, when revoking a token, error code unsupported_token_type (from RFC 7009) may be returned:
let res = client
    .revoke_token(AccessToken::new("some token".to_string()).into())
    .unwrap()
    .request(http_client);

assert!(matches!(res, Err(
    RequestTokenError::ServerResponse(err)) if matches!(err.error(),
        RevocationErrorResponseType::UnsupportedTokenType)));
Implementations
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse + 'static,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse + 'static,
pub fn new(
client_id: ClientId,
client_secret: Option<ClientSecret>,
issuer: IssuerUrl,
auth_url: AuthUrl,
token_url: Option<TokenUrl>,
userinfo_endpoint: Option<UserInfoUrl>,
jwks: JsonWebKeySet<JS, JT, JU, K>
) -> Self
Initializes an OpenID Connect client.
pub fn from_provider_metadata<A, CA, CN, CT, G, JK, RM, RS, S>(
provider_metadata: ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RS, S>,
client_id: ClientId,
client_secret: Option<ClientSecret>
) -> Self where
A: AdditionalProviderMetadata,
CA: ClientAuthMethod,
CN: ClaimName,
CT: ClaimType,
G: GrantType,
JK: JweKeyManagementAlgorithm,
RM: ResponseMode,
RS: ResponseType,
S: SubjectIdentifierType,
Initializes an OpenID Connect client from OpenID Connect Discovery provider metadata.
Use ProviderMetadata::discover or ProviderMetadata::discover_async to fetch the provider metadata.
Configures the type of client authentication used for communicating with the authorization server.
The default is to use HTTP Basic authentication, as recommended in Section 2.3.1 of RFC 6749.
Sets the redirect URL used by the authorization endpoint.
Sets the introspection URL for contacting the (RFC 7662) introspection endpoint.
Sets the revocation URL for contacting the revocation endpoint (RFC 7009).
See: revoke_token()
Enables the openid scope to be requested automatically.
This scope is requested by default, so this function is only useful after previous calls to disable_openid_scope.
Disables the openid scope from being requested automatically.
Returns an ID token verifier for use with the IdToken::claims method.
Generates an authorization URL for a new authorization request.
NOTE: Passing authorization request parameters as a JSON Web Token instead of URL query parameters is not currently supported. The claims parameter is also not directly supported, although the AuthorizationRequest::add_extra_param method can be used to add custom parameters, including claims.
Arguments
- authentication_flow - The authentication flow to use (code, implicit, or hybrid).
- state_fn - A function that returns an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
- nonce_fn - Similar to state_fn, but used to generate an opaque nonce to be used when verifying the ID token returned by the OpenID Connect Provider.
Security Warning
Callers should use a fresh, unpredictable state for each authorization request and verify that this value matches the state parameter passed by the authorization server to the redirect URI. Doing so mitigates Cross-Site Request Forgery attacks.
Similarly, callers should use a fresh, unpredictable nonce to help protect against ID token reuse and forgery.
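Added example (not part of the openidconnect crate or its documentation): a std-only sketch of the server-side bookkeeping the warning above asks for, with a fresh state and nonce per request, a single-use lookup, and a constant-time comparison on the callback. PendingAuth, begin, finish, random_token and ct_eq are hypothetical names, and reading /dev/urandom assumes a Unix-like host; with the crate itself, CsrfToken::new_random and Nonce::new_random generate the values.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;
use std::time::{Duration, Instant};

/// One in-flight authorization request (hypothetical type, not from the crate).
struct Pending { state: String, nonce: String, created: Instant }

/// Hypothetical server-side store: session id -> pending request.
#[derive(Default)]
pub struct PendingAuth { by_session: HashMap<String, Pending> }

/// 32 bytes from the OS CSPRNG, hex-encoded (assumes a Unix-like /dev/urandom).
fn random_token() -> String {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("OS randomness");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Compare without stopping at the first differing byte.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl PendingAuth {
    /// Called when building the authorization URL: fresh state and nonce per request.
    pub fn begin(&mut self, session: &str) -> (String, String) {
        let p = Pending { state: random_token(), nonce: random_token(), created: Instant::now() };
        let out = (p.state.clone(), p.nonce.clone());
        self.by_session.insert(session.to_string(), p);
        out
    }

    /// Called on the redirect URI. Returns the nonce to verify the ID token against,
    /// or None if the state is unknown, mismatched, expired or already used.
    pub fn finish(&mut self, session: &str, returned_state: &str, max_age: Duration) -> Option<String> {
        let p = self.by_session.remove(session)?; // single use, even when the check fails
        let ok = p.created.elapsed() <= max_age && ct_eq(&p.state, returned_state);
        if ok { Some(p.nonce) } else { None }
    }
}

fn main() {
    let (mut store, ttl) = (PendingAuth::default(), Duration::from_secs(600));
    let (state, _nonce) = store.begin("session-abc"); // constructed session id
    println!("forged state accepted: {}", store.finish("session-abc", "forged", ttl).is_some());
    println!("replay accepted: {}", store.finish("session-abc", &state, ttl).is_some());
}
```

The nonce returned by finish is the value to supply when verifying the ID token with IdToken::claims.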
Creates a request builder for exchanging an authorization code for an access token.
Acquires ownership of the code because authorization codes may only be used once to retrieve an access token from the authorization server.
See https://tools.ietf.org/html/rfc6749#section-4.1.3
pub fn exchange_refresh_token<'a, 'b>(
&'a self,
refresh_token: &'b RefreshToken
) -> RefreshTokenRequest<'b, TE, TR, TT> where
'a: 'b,
Creates a request builder for exchanging a refresh token for an access token.
See https://tools.ietf.org/html/rfc6749#section-6
pub fn exchange_password<'a, 'b>(
&'a self,
username: &'b ResourceOwnerUsername,
password: &'b ResourceOwnerPassword
) -> PasswordTokenRequest<'b, TE, TR, TT> where
'a: 'b,
Creates a request builder for exchanging credentials for an access token.
See https://tools.ietf.org/html/rfc6749#section-6
pub fn exchange_client_credentials<'a, 'b>(
&'a self
) -> ClientCredentialsTokenRequest<'b, TE, TR, TT> where
'a: 'b,
Creates a request builder for exchanging client credentials for an access token.
See https://tools.ietf.org/html/rfc6749#section-4.4
pub fn user_info(
&self,
access_token: AccessToken,
expected_subject: Option<SubjectIdentifier>
) -> Result<UserInfoRequest<'_, JE, JS, JT, JU, K>, ConfigurationError>
Creates a request builder for info about the user associated with the given access token.
This function requires that this Client be configured with a user info endpoint, which is an optional feature for OpenID Connect Providers to implement. If this Client does not know the provider’s user info endpoint, it returns the ConfigurationError error.
To help protect against token substitution attacks, this function optionally allows clients to provide the subject identifier whose user info they expect to receive. If provided and the subject returned by the OpenID Connect Provider does not match, the UserInfoRequest::request or UserInfoRequest::request_async functions will return UserInfoError::ClaimsVerification. If set to None, any subject is accepted.
pub fn introspect<'a>(
&'a self,
token: &'a AccessToken
) -> Result<IntrospectionRequest<'a, TE, TIR, TT>, ConfigurationError>
Creates a request builder for obtaining metadata about a previously received token.
See https://tools.ietf.org/html/rfc7662
pub fn revoke_token(
&self,
token: RT
) -> Result<RevocationRequest<'_, RT, TRE>, ConfigurationError>
Creates a request builder for revoking a previously received token.
Requires that set_revocation_uri() have already been called to set the revocation endpoint URL.
Attempting to submit the generated request without calling set_revocation_uri() first will result in an error.
See https://tools.ietf.org/html/rfc7009
Trait Implementations
impl<AC: Clone, AD: Clone, GC: Clone, JE: Clone, JS: Clone, JT: Clone, JU: Clone, K: Clone, P: Clone, TE: Clone, TR: Clone, TT: Clone, TIR: Clone, RT: Clone, TRE: Clone> Clone for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse,
impl<AC: Debug, AD: Debug, GC: Debug, JE: Debug, JS: Debug, JT: Debug, JU: Debug, K: Debug, P: Debug, TE: Debug, TR: Debug, TT: Debug, TIR: Debug, RT: Debug, TRE: Debug> Debug for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse,
Auto Trait Implementations
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> RefUnwindSafe for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: RefUnwindSafe,
AD: RefUnwindSafe,
GC: RefUnwindSafe,
JE: RefUnwindSafe,
JS: RefUnwindSafe,
JT: RefUnwindSafe,
JU: RefUnwindSafe,
K: RefUnwindSafe,
P: RefUnwindSafe,
RT: RefUnwindSafe,
TE: RefUnwindSafe,
TIR: RefUnwindSafe,
TR: RefUnwindSafe,
TRE: RefUnwindSafe,
TT: RefUnwindSafe,
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Send for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: Send,
AD: Send,
GC: Send,
JE: Send,
JS: Send,
JT: Send,
JU: Send,
K: Send,
P: Send,
RT: Send,
TE: Send,
TIR: Send,
TR: Send,
TRE: Send,
TT: Send,
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Sync for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: Sync,
AD: Sync,
GC: Sync,
JE: Sync,
JS: Sync,
JT: Sync,
JU: Sync,
K: Sync,
P: Sync,
RT: Sync,
TE: Sync,
TIR: Sync,
TR: Sync,
TRE: Sync,
TT: Sync,
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Unpin for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: Unpin,
AD: Unpin,
GC: Unpin,
JE: Unpin,
JS: Unpin,
JT: Unpin,
JU: Unpin,
K: Unpin,
P: Unpin,
RT: Unpin,
TE: Unpin,
TIR: Unpin,
TR: Unpin,
TRE: Unpin,
TT: Unpin,
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> UnwindSafe for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> where
AC: UnwindSafe,
AD: UnwindSafe,
GC: UnwindSafe,
JE: UnwindSafe,
JS: UnwindSafe,
JT: UnwindSafe,
JU: UnwindSafe,
K: UnwindSafe,
P: UnwindSafe,
RT: UnwindSafe,
TE: UnwindSafe,
TIR: UnwindSafe,
TR: UnwindSafe,
TRE: UnwindSafe,
TT: UnwindSafe,
Blanket Implementations
Mutably borrows from an owned value.
Instruments this type with the provided Span, returning an Instrumented wrapper.
type Output = T
Should always be Self