pub struct IdTokenVerifier<'a, JS, JT, JU, K>
where JS: JwsSigningAlgorithm<JT>, JT: JsonWebKeyType, JU: JsonWebKeyUse, K: JsonWebKey<JS, JT, JU>,
{ /* private fields */ }

ID token verifier.

Implementations§

impl<'a, JS, JT, JU, K> IdTokenVerifier<'a, JS, JT, JU, K>
where JS: JwsSigningAlgorithm<JT>, JT: JsonWebKeyType, JU: JsonWebKeyUse, K: JsonWebKey<JS, JT, JU>,

pub fn new_public_client( client_id: ClientId, issuer: IssuerUrl, signature_keys: JsonWebKeySet<JS, JT, JU, K> ) -> Self

Initializes a new verifier for a public client (i.e., one without a client secret).

pub fn new_insecure_without_verification() -> Self

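Initializes a no-op verifier that performs no signature, audience, or issuer verification. The token’s expiration time is still checked, and the token is otherwise required to conform to the expected format. Because the signature is not verified, every claim read from the token, including the expiration time that is checked, is unauthenticated, so the token’s contents are only as trustworthy as the channel it arrived on.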

pub fn new_confidential_client( client_id: ClientId, client_secret: ClientSecret, issuer: IssuerUrl, signature_keys: JsonWebKeySet<JS, JT, JU, K> ) -> Self

Initializes a new verifier for a confidential client (i.e., one with a client secret).

A confidential client verifier is required in order to verify ID tokens signed using a shared secret algorithm such as HS256, HS384, or HS512. For these algorithms, the client secret is the shared secret.

pub fn set_allowed_algs<I>(self, algs: I) -> Self
where I: IntoIterator<Item = JS>,

Specifies which JSON Web Signature algorithms are supported.

pub fn allow_any_alg(self) -> Self

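Specifies that any signature algorithm is supported. Where the provider’s signing algorithms are known, restricting them with set_allowed_algs is the safer configuration, because a token signed with an unexpected algorithm is then rejected.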

pub fn set_auth_context_verifier_fn<T>(self, acr_verifier_fn: T) -> Self

Specifies a function for verifying the acr claim.

The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.

pub fn set_auth_time_verifier_fn<T>(self, auth_time_verifier_fn: T) -> Self
where T: Fn(Option<DateTime<Utc>>) -> Result<(), String> + 'a + Send + Sync,

Specifies a function for verifying the auth_time claim.

The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.

pub fn enable_signature_check(self) -> Self

Enables signature verification.

Signature verification is enabled by default, so this function is only useful if IdTokenVerifier::insecure_disable_signature_check was previously invoked.

pub fn insecure_disable_signature_check(self) -> Self

Disables signature verification.

§Security Warning

Unverified ID tokens may be subject to forgery. See Section 16.3 of the OpenID Connect Core 1.0 specification for more information.

pub fn require_issuer_match(self, iss_required: bool) -> Self

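Specifies whether the issuer claim must match the expected issuer URL for the provider. Passing false skips this check, which Section 3.1.3.7 of the OpenID Connect Core 1.0 specification requires of a client, so a token naming a different issuer is no longer rejected on that ground.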

pub fn require_audience_match(self, aud_required: bool) -> Self

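Specifies whether the audience claim must match this client’s client ID. Passing false skips this check, so an ID token issued to a different client is no longer rejected on that ground.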

pub fn set_time_fn<T>(self, time_fn: T) -> Self
where T: Fn() -> DateTime<Utc> + 'a + Send + Sync,

Specifies a function for returning the current time.

This function is used for verifying the ID token expiration time.

pub fn set_issue_time_verifier_fn<T>(self, iat_verifier_fn: T) -> Self
where T: Fn(DateTime<Utc>) -> Result<(), String> + 'a + Send + Sync,

Specifies a function for verifying the ID token issue time.

The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.

pub fn set_other_audience_verifier_fn<T>(self, other_aud_verifier_fn: T) -> Self
where T: Fn(&Audience) -> bool + 'a + Send + Sync,

Specifies a function for verifying audiences included in the aud claim that differ from this client’s client ID.

The function should return true if the audience is trusted, or false otherwise.

Section 3.1.3.7 of the OpenID Connect Core 1.0 specification states that “The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.”

Trait Implementations§

impl<'a, JS, JT, JU, K> Clone for IdTokenVerifier<'a, JS, JT, JU, K>
where JS: JwsSigningAlgorithm<JT> + Clone, JT: JsonWebKeyType + Clone, JU: JsonWebKeyUse + Clone, K: JsonWebKey<JS, JT, JU> + Clone,

fn clone(&self) -> IdTokenVerifier<'a, JS, JT, JU, K>

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

Auto Trait Implementations§

§

impl<'a, JS, JT, JU, K> !RefUnwindSafe for IdTokenVerifier<'a, JS, JT, JU, K>

§

impl<'a, JS, JT, JU, K> Send for IdTokenVerifier<'a, JS, JT, JU, K>
where JS: Send, JT: Send, JU: Send, K: Send,

§

impl<'a, JS, JT, JU, K> Sync for IdTokenVerifier<'a, JS, JT, JU, K>
where JS: Sync, JT: Sync, JU: Sync, K: Sync,

§

impl<'a, JS, JT, JU, K> Unpin for IdTokenVerifier<'a, JS, JT, JU, K>
where JS: Unpin, JT: Unpin, JU: Unpin, K: Unpin,

§

impl<'a, JS, JT, JU, K> !UnwindSafe for IdTokenVerifier<'a, JS, JT, JU, K>

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> DynClone for T
where T: Clone,

source§

fn __clone_box(&self, _: Private) -> *mut ()

source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T> Instrument for T

§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper. Read more
§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> Same for T

§

type Output = T

Should always be Self
source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

§

fn vzip(self) -> V

§

impl<T> WithSubscriber for T

§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a [WithDispatch] wrapper. Read more
§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a [WithDispatch] wrapper. Read more