Struct openidconnect::Client
source · pub struct Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse,{ /* private fields */ }
Expand description
OpenID Connect client.
§Error Types
To enable compile time verification that only the correct and complete set of errors for the Client
function being
invoked are exposed to the caller, the Client
type is specialized on multiple implementations of the
ErrorResponse
trait. The exact ErrorResponse
implementation returned varies by the RFC that the invoked
Client
function implements:
- Generic type
TE
(aka Token Error) for errors defined by RFC 6749 OAuth 2.0 Authorization Framework. - Generic type
TRE
(aka Token Revocation Error) for errors defined by RFC 7009 OAuth 2.0 Token Revocation.
For example when revoking a token, error code unsupported_token_type
(from RFC 7009) may be returned:
let res = client
.revoke_token(AccessToken::new("some token".to_string()).into())
.unwrap()
.request(http_client);
assert!(matches!(res, Err(
RequestTokenError::ServerResponse(err)) if matches!(err.error(),
RevocationErrorResponseType::UnsupportedTokenType)));
Implementations§
source§impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse + 'static,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse + 'static,
impl<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE> Client<AC, AD, GC, JE, JS, JT, JU, K, P, TE, TR, TT, TIR, RT, TRE>where
AC: AdditionalClaims,
AD: AuthDisplay,
GC: GenderClaim,
JE: JweContentEncryptionAlgorithm<JT>,
JS: JwsSigningAlgorithm<JT>,
JT: JsonWebKeyType,
JU: JsonWebKeyUse,
K: JsonWebKey<JS, JT, JU>,
P: AuthPrompt,
TE: ErrorResponse + 'static,
TR: TokenResponse<AC, GC, JE, JS, JT, TT>,
TT: TokenType + 'static,
TIR: TokenIntrospectionResponse<TT>,
RT: RevocableToken,
TRE: ErrorResponse + 'static,
sourcepub fn new(
client_id: ClientId,
client_secret: Option<ClientSecret>,
issuer: IssuerUrl,
auth_url: AuthUrl,
token_url: Option<TokenUrl>,
userinfo_endpoint: Option<UserInfoUrl>,
jwks: JsonWebKeySet<JS, JT, JU, K>
) -> Self
pub fn new( client_id: ClientId, client_secret: Option<ClientSecret>, issuer: IssuerUrl, auth_url: AuthUrl, token_url: Option<TokenUrl>, userinfo_endpoint: Option<UserInfoUrl>, jwks: JsonWebKeySet<JS, JT, JU, K> ) -> Self
Initializes an OpenID Connect client.
sourcepub fn from_provider_metadata<A, CA, CN, CT, G, JK, RM, RS, S>(
provider_metadata: ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RS, S>,
client_id: ClientId,
client_secret: Option<ClientSecret>
) -> Selfwhere
A: AdditionalProviderMetadata,
CA: ClientAuthMethod,
CN: ClaimName,
CT: ClaimType,
G: GrantType,
JK: JweKeyManagementAlgorithm,
RM: ResponseMode,
RS: ResponseType,
S: SubjectIdentifierType,
pub fn from_provider_metadata<A, CA, CN, CT, G, JK, RM, RS, S>(
provider_metadata: ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RS, S>,
client_id: ClientId,
client_secret: Option<ClientSecret>
) -> Selfwhere
A: AdditionalProviderMetadata,
CA: ClientAuthMethod,
CN: ClaimName,
CT: ClaimType,
G: GrantType,
JK: JweKeyManagementAlgorithm,
RM: ResponseMode,
RS: ResponseType,
S: SubjectIdentifierType,
Initializes an OpenID Connect client from OpenID Connect Discovery provider metadata.
Use ProviderMetadata::discover
or
ProviderMetadata::discover_async
to fetch the provider metadata.
sourcepub fn set_auth_type(self, auth_type: AuthType) -> Self
pub fn set_auth_type(self, auth_type: AuthType) -> Self
Configures the type of client authentication used for communicating with the authorization server.
The default is to use HTTP Basic authentication, as recommended in
Section 2.3.1 of RFC 6749. Note that
if a client secret is omitted (i.e., client_secret
is set to None
when calling
Client::new
), AuthType::RequestBody
is used regardless of the auth_type
passed to
this function.
sourcepub fn set_redirect_uri(self, redirect_url: RedirectUrl) -> Self
pub fn set_redirect_uri(self, redirect_url: RedirectUrl) -> Self
Sets the the redirect URL used by the authorization endpoint.
sourcepub fn set_introspection_uri(self, introspection_url: IntrospectionUrl) -> Self
pub fn set_introspection_uri(self, introspection_url: IntrospectionUrl) -> Self
Sets the introspection URL for contacting the (RFC 7662) introspection endpoint.
sourcepub fn set_revocation_uri(self, revocation_url: RevocationUrl) -> Self
pub fn set_revocation_uri(self, revocation_url: RevocationUrl) -> Self
Sets the revocation URL for contacting the revocation endpoint (RFC 7009).
See: revoke_token()
Sets the device authorization URL for contacting the device authorization endpoint (RFC 8628).
sourcepub fn enable_openid_scope(self) -> Self
pub fn enable_openid_scope(self) -> Self
Enables the openid
scope to be requested automatically.
This scope is requested by default, so this function is only useful after previous calls to
disable_openid_scope
.
sourcepub fn disable_openid_scope(self) -> Self
pub fn disable_openid_scope(self) -> Self
Disables the openid
scope from being requested automatically.
sourcepub fn id_token_verifier(&self) -> IdTokenVerifier<'_, JS, JT, JU, K>
pub fn id_token_verifier(&self) -> IdTokenVerifier<'_, JS, JT, JU, K>
Returns an ID token verifier for use with the IdToken::claims
method.
Generates an authorization URL for a new authorization request.
NOTE: Passing authorization request parameters as a JSON Web Token
instead of URL query parameters is not currently supported. The
claims
parameter
is also not directly supported, although the AuthorizationRequest::add_extra_param
method can be used to add custom parameters, including claims
.
§Arguments
authentication_flow
- The authentication flow to use (code, implicit, or hybrid).state_fn
- A function that returns an opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.nonce_fn
- Similar tostate_fn
, but used to generate an opaque nonce to be used when verifying the ID token returned by the OpenID Connect Provider.
§Security Warning
Callers should use a fresh, unpredictable state
for each authorization request and verify
that this value matches the state
parameter passed by the authorization server to the
redirect URI. Doing so mitigates
Cross-Site Request Forgery
attacks.
Similarly, callers should use a fresh, unpredictable nonce
to help protect against ID
token reuse and forgery.
sourcepub fn exchange_code(
&self,
code: AuthorizationCode
) -> CodeTokenRequest<'_, TE, TR, TT>
pub fn exchange_code( &self, code: AuthorizationCode ) -> CodeTokenRequest<'_, TE, TR, TT>
Creates a request builder for exchanging an authorization code for an access token.
Acquires ownership of the code
because authorization codes may only be used once to
retrieve an access token from the authorization server.
sourcepub fn exchange_device_code(
&self
) -> Result<DeviceAuthorizationRequest<'_, TE>, ConfigurationError>
pub fn exchange_device_code( &self ) -> Result<DeviceAuthorizationRequest<'_, TE>, ConfigurationError>
Creates a request builder for device authorization.
sourcepub fn exchange_device_access_token<'a, 'b, 'c, EF>(
&'a self,
auth_response: &'b DeviceAuthorizationResponse<EF>
) -> DeviceAccessTokenRequest<'b, 'c, TR, TT, EF>where
EF: ExtraDeviceAuthorizationFields,
'a: 'b,
pub fn exchange_device_access_token<'a, 'b, 'c, EF>(
&'a self,
auth_response: &'b DeviceAuthorizationResponse<EF>
) -> DeviceAccessTokenRequest<'b, 'c, TR, TT, EF>where
EF: ExtraDeviceAuthorizationFields,
'a: 'b,
Creates a request builder for exchanging a device code for an access token.
sourcepub fn exchange_refresh_token<'a, 'b>(
&'a self,
refresh_token: &'b RefreshToken
) -> RefreshTokenRequest<'b, TE, TR, TT>where
'a: 'b,
pub fn exchange_refresh_token<'a, 'b>(
&'a self,
refresh_token: &'b RefreshToken
) -> RefreshTokenRequest<'b, TE, TR, TT>where
'a: 'b,
Creates a request builder for exchanging a refresh token for an access token.
sourcepub fn exchange_password<'a, 'b>(
&'a self,
username: &'b ResourceOwnerUsername,
password: &'b ResourceOwnerPassword
) -> PasswordTokenRequest<'b, TE, TR, TT>where
'a: 'b,
pub fn exchange_password<'a, 'b>(
&'a self,
username: &'b ResourceOwnerUsername,
password: &'b ResourceOwnerPassword
) -> PasswordTokenRequest<'b, TE, TR, TT>where
'a: 'b,
Creates a request builder for exchanging credentials for an access token.
sourcepub fn exchange_client_credentials<'a, 'b>(
&'a self
) -> ClientCredentialsTokenRequest<'b, TE, TR, TT>where
'a: 'b,
pub fn exchange_client_credentials<'a, 'b>(
&'a self
) -> ClientCredentialsTokenRequest<'b, TE, TR, TT>where
'a: 'b,
Creates a request builder for exchanging client credentials for an access token.
sourcepub fn user_info(
&self,
access_token: AccessToken,
expected_subject: Option<SubjectIdentifier>
) -> Result<UserInfoRequest<'_, JE, JS, JT, JU, K>, ConfigurationError>
pub fn user_info( &self, access_token: AccessToken, expected_subject: Option<SubjectIdentifier> ) -> Result<UserInfoRequest<'_, JE, JS, JT, JU, K>, ConfigurationError>
Creates a request builder for info about the user associated with the given access token.
This function requires that this Client
be configured with a user info endpoint,
which is an optional feature for OpenID Connect Providers to implement. If this Client
does not know the provider’s user info endpoint, it returns the ConfigurationError
error.
To help protect against token substitution attacks, this function optionally allows clients
to provide the subject identifier whose user info they expect to receive. If provided and
the subject returned by the OpenID Connect Provider does not match, the
UserInfoRequest::request
or UserInfoRequest::request_async
functions will return
UserInfoError::ClaimsVerification
. If set to None
, any subject is accepted.
sourcepub fn introspect<'a>(
&'a self,
token: &'a AccessToken
) -> Result<IntrospectionRequest<'a, TE, TIR, TT>, ConfigurationError>
pub fn introspect<'a>( &'a self, token: &'a AccessToken ) -> Result<IntrospectionRequest<'a, TE, TIR, TT>, ConfigurationError>
Creates a request builder for obtaining metadata about a previously received token.
sourcepub fn revoke_token(
&self,
token: RT
) -> Result<RevocationRequest<'_, RT, TRE>, ConfigurationError>
pub fn revoke_token( &self, token: RT ) -> Result<RevocationRequest<'_, RT, TRE>, ConfigurationError>
Creates a request builder for revoking a previously received token.
Requires that set_revocation_uri()
have already been called to set the
revocation endpoint URL.
Attempting to submit the generated request without calling set_revocation_uri()
first will result in an error.