Struct openidconnect::Client

source · 
pub struct Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where
    AC: AdditionalClaims,
    AD: AuthDisplay,
    GC: GenderClaim,
    JE: JweContentEncryptionAlgorithm<JT>,
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
    P: AuthPrompt,
    TE: ErrorResponse,
    TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
    TT: TokenType + 'static,
    TIR: TokenIntrospectionResponse<TT>,
    RT: RevocableToken,
    TRE: ErrorResponse,
{ /* private fields */ }
Expand description

OpenID Connect client.

§Error Types

To enable compile time verification that only the correct and complete set of errors for the Client function being invoked are exposed to the caller, the Client type is specialized on multiple implementations of the ErrorResponse trait. The exact ErrorResponse implementation returned varies by the RFC that the invoked Client function implements:

For example when revoking a token, error code unsupported_token_type (from RFC 7009) may be returned:

let res = client
    .revoke_token(AccessToken::new("some token".to_string()).into())
    .unwrap()
    .request(http_client);

assert!(matches!(res, Err(
    RequestTokenError::ServerResponse(err)) if matches!(err.error(),
        RevocationErrorResponseType::UnsupportedTokenType)));

Implementations§

source§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: AdditionalClaims, AD: AuthDisplay, GC: GenderClaim, JE: JweContentEncryptionAlgorithm<JT>, JS: JwsSigningAlgorithm<JT>, JT: JsonWebKeyType, JU: JsonWebKeyUse, K: JsonWebKey<JS, JT, JU>, P: AuthPrompt, TE: ErrorResponse + 'static, TR: TokenResponse<AC, GC, JE, JS, JT, TT>, TT: TokenType + 'static, TIR: TokenIntrospectionResponse<TT>, RT: RevocableToken, TRE: ErrorResponse + 'static,

source

pub fn new( client_id: ClientId, client_secret: Option<ClientSecret>, issuer: IssuerUrl, auth_url: AuthUrl, token_url: Option<TokenUrl>, userinfo_endpoint: Option<UserInfoUrl>, jwks: JsonWebKeySet<JS, JT, JU, K> ) -> Self

Initializes an OpenID Connect client.

source

pub fn from_provider_metadata<A, CA, CN, CT, G, JK, RM, RS, S>( provider_metadata: ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RS, S>, client_id: ClientId, client_secret: Option<ClientSecret> ) -> Self
where A: AdditionalProviderMetadata, CA: ClientAuthMethod, CN: ClaimName, CT: ClaimType, G: GrantType, JK: JweKeyManagementAlgorithm, RM: ResponseMode, RS: ResponseType, S: SubjectIdentifierType,

Initializes an OpenID Connect client from OpenID Connect Discovery provider metadata.

Use ProviderMetadata::discover or ProviderMetadata::discover_async to fetch the provider metadata.

source

pub fn set_auth_type(self, auth_type: AuthType) -> Self

Configures the type of client authentication used for communicating with the authorization server.

The default is to use HTTP Basic authentication, as recommended in Section 2.3.1 of RFC 6749. Note that if a client secret is omitted (i.e., client_secret is set to None when calling Client::new), AuthType::RequestBody is used regardless of the auth_type passed to this function.

source

pub fn set_redirect_uri(self, redirect_url: RedirectUrl) -> Self

Sets the the redirect URL used by the authorization endpoint.

source

pub fn set_introspection_uri(self, introspection_url: IntrospectionUrl) -> Self

Sets the introspection URL for contacting the (RFC 7662) introspection endpoint.

source

pub fn set_revocation_uri(self, revocation_url: RevocationUrl) -> Self

Sets the revocation URL for contacting the revocation endpoint (RFC 7009).

See: revoke_token()

source

pub fn set_device_authorization_uri( self, device_authorization_url: DeviceAuthorizationUrl ) -> Self

Sets the device authorization URL for contacting the device authorization endpoint (RFC 8628).

source

pub fn enable_openid_scope(self) -> Self

Enables the openid scope to be requested automatically.

This scope is requested by default, so this function is only useful after previous calls to disable_openid_scope.

source

pub fn disable_openid_scope(self) -> Self

Disables the openid scope from being requested automatically.

source

pub fn id_token_verifier(&self) -> IdTokenVerifier<'_, JS, JT, JU, K>

Returns an ID token verifier for use with the IdToken::claims method.

source

pub fn authorize_url<NF, RS, SF>( &self, authentication_flow: AuthenticationFlow<RS>, state_fn: SF, nonce_fn: NF ) -> AuthorizationRequest<'_, AD, P, RS>
where NF: FnOnce() -> Nonce + 'static, RS: ResponseType, SF: FnOnce() -> CsrfToken + 'static,

Generates an authorization URL for a new authorization request.

NOTE: Passing authorization request parameters as a JSON Web Token instead of URL query parameters is not currently supported. The claims parameter is also not directly supported, although the AuthorizationRequest::add_extra_param method can be used to add custom parameters, including claims.

§Arguments
  • authentication_flow - The authentication flow to use (code, implicit, or hybrid).
  • state_fn - A function that returns an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
  • nonce_fn - Similar to state_fn, but used to generate an opaque nonce to be used when verifying the ID token returned by the OpenID Connect Provider.
§Security Warning

Callers should use a fresh, unpredictable state for each authorization request and verify that this value matches the state parameter passed by the authorization server to the redirect URI. Doing so mitigates Cross-Site Request Forgery attacks.

Similarly, callers should use a fresh, unpredictable nonce to help protect against ID token reuse and forgery.

source

pub fn exchange_code( &self, code: AuthorizationCode ) -> CodeTokenRequest<'_, TE, TR, TT>

Creates a request builder for exchanging an authorization code for an access token.

Acquires ownership of the code because authorization codes may only be used once to retrieve an access token from the authorization server.

See https://tools.ietf.org/html/rfc6749#section-4.1.3

source

pub fn exchange_device_code( &self ) -> Result<DeviceAuthorizationRequest<'_, TE>, ConfigurationError>

Creates a request builder for device authorization.

See https://tools.ietf.org/html/rfc8628#section-3.4

source

pub fn exchange_device_access_token<'a, 'b, 'c, EF>( &'a self, auth_response: &'b DeviceAuthorizationResponse<EF> ) -> DeviceAccessTokenRequest<'b, 'c, TR, TT, EF>
where EF: ExtraDeviceAuthorizationFields, 'a: 'b,

Creates a request builder for exchanging a device code for an access token.

See https://tools.ietf.org/html/rfc8628#section-3.4

source

pub fn exchange_refresh_token<'a, 'b>( &'a self, refresh_token: &'b RefreshToken ) -> RefreshTokenRequest<'b, TE, TR, TT>
where 'a: 'b,

Creates a request builder for exchanging a refresh token for an access token.

See https://tools.ietf.org/html/rfc6749#section-6

source

pub fn exchange_password<'a, 'b>( &'a self, username: &'b ResourceOwnerUsername, password: &'b ResourceOwnerPassword ) -> PasswordTokenRequest<'b, TE, TR, TT>
where 'a: 'b,

Creates a request builder for exchanging credentials for an access token.

See https://tools.ietf.org/html/rfc6749#section-6

source

pub fn exchange_client_credentials<'a, 'b>( &'a self ) -> ClientCredentialsTokenRequest<'b, TE, TR, TT>
where 'a: 'b,

Creates a request builder for exchanging client credentials for an access token.

See https://tools.ietf.org/html/rfc6749#section-4.4

source

pub fn user_info( &self, access_token: AccessToken, expected_subject: Option<SubjectIdentifier> ) -> Result<UserInfoRequest<'_, JE, JS, JT, JU, K>, ConfigurationError>

Creates a request builder for info about the user associated with the given access token.

This function requires that this Client be configured with a user info endpoint, which is an optional feature for OpenID Connect Providers to implement. If this Client does not know the provider’s user info endpoint, it returns the ConfigurationError error.

To help protect against token substitution attacks, this function optionally allows clients to provide the subject identifier whose user info they expect to receive. If provided and the subject returned by the OpenID Connect Provider does not match, the UserInfoRequest::request or UserInfoRequest::request_async functions will return UserInfoError::ClaimsVerification. If set to None, any subject is accepted.

source

pub fn introspect<'a>( &'a self, token: &'a AccessToken ) -> Result<IntrospectionRequest<'a, TE, TIR, TT>, ConfigurationError>

Creates a request builder for obtaining metadata about a previously received token.

See https://tools.ietf.org/html/rfc7662

source

pub fn revoke_token( &self, token: RT ) -> Result<RevocationRequest<'_, RT, TRE>, ConfigurationError>

Creates a request builder for revoking a previously received token.

Requires that set_revocation_uri() have already been called to set the revocation endpoint URL.

Attempting to submit the generated request without calling set_revocation_uri() first will result in an error.

See https://tools.ietf.org/html/rfc7009

Trait Implementations§

source§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Clone for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: AdditionalClaims + Clone, AD: AuthDisplay + Clone, GC: GenderClaim + Clone, JE: JweContentEncryptionAlgorithm<JT> + Clone, JS: JwsSigningAlgorithm<JT> + Clone, JT: JsonWebKeyType + Clone, JU: JsonWebKeyUse + Clone, K: JsonWebKey<JS, JT, JU> + Clone, P: AuthPrompt + Clone, TE: ErrorResponse + Clone, TR: TokenResponse<AC, GC, JE, JS, JT, TT> + Clone, TT: TokenType + 'static + Clone, TIR: TokenIntrospectionResponse<TT> + Clone, RT: RevocableToken + Clone, TRE: ErrorResponse + Clone,

source§

fn clone( &self ) -> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Debug for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: AdditionalClaims + Debug, AD: AuthDisplay + Debug, GC: GenderClaim + Debug, JE: JweContentEncryptionAlgorithm<JT> + Debug, JS: JwsSigningAlgorithm<JT> + Debug, JT: JsonWebKeyType + Debug, JU: JsonWebKeyUse + Debug, K: JsonWebKey<JS, JT, JU> + Debug, P: AuthPrompt + Debug, TE: ErrorResponse + Debug, TR: TokenResponse<AC, GC, JE, JS, JT, TT> + Debug, TT: TokenType + 'static + Debug, TIR: TokenIntrospectionResponse<TT> + Debug, RT: RevocableToken + Debug, TRE: ErrorResponse + Debug,

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> RefUnwindSafe for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: RefUnwindSafe, AD: RefUnwindSafe, GC: RefUnwindSafe, JE: RefUnwindSafe, JS: RefUnwindSafe, JT: RefUnwindSafe, JU: RefUnwindSafe, K: RefUnwindSafe, P: RefUnwindSafe, RT: RefUnwindSafe, TE: RefUnwindSafe, TIR: RefUnwindSafe, TR: RefUnwindSafe, TRE: RefUnwindSafe, TT: RefUnwindSafe,

§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Send for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: Send, AD: Send, GC: Send, JE: Send, JS: Send, JT: Send, JU: Send, K: Send, P: Send, RT: Send, TE: Send, TIR: Send, TR: Send, TRE: Send, TT: Send,

§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Sync for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: Sync, AD: Sync, GC: Sync, JE: Sync, JS: Sync, JT: Sync, JU: Sync, K: Sync, P: Sync, RT: Sync, TE: Sync, TIR: Sync, TR: Sync, TRE: Sync, TT: Sync,

§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Unpin for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: Unpin, AD: Unpin, GC: Unpin, JE: Unpin, JS: Unpin, JT: Unpin, JU: Unpin, K: Unpin, P: Unpin, RT: Unpin, TE: Unpin, TIR: Unpin, TR: Unpin, TRE: Unpin, TT: Unpin,

§

impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> UnwindSafe for Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>
where AC: UnwindSafe, AD: UnwindSafe, GC: UnwindSafe, JE: UnwindSafe, JS: UnwindSafe, JT: UnwindSafe, JU: UnwindSafe, K: UnwindSafe, P: UnwindSafe, RT: UnwindSafe, TE: UnwindSafe, TIR: UnwindSafe, TR: UnwindSafe, TRE: UnwindSafe, TT: UnwindSafe,

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> DynClone for T
where T: Clone,

source§

fn __clone_box(&self, _: Private) -> *mut ()

source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T> Instrument for T

§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper. Read more
§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> Same for T

§

type Output = T

Should always be Self
source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

§

fn vzip(self) -> V

§

impl<T> WithSubscriber for T

§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a [WithDispatch] wrapper. Read more
§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a [WithDispatch] wrapper. Read more