Struct openidconnect::IdTokenVerifier
pub struct IdTokenVerifier<'a, JS, JT, JU, K>
where
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
{ /* private fields */ }
ID token verifier.
Implementations
impl<'a, JS, JT, JU, K> IdTokenVerifier<'a, JS, JT, JU, K>
where
    JS: JwsSigningAlgorithm<JT>,
    JT: JsonWebKeyType,
    JU: JsonWebKeyUse,
    K: JsonWebKey<JS, JT, JU>,
pub fn new_public_client(
    client_id: ClientId,
    issuer: IssuerUrl,
    signature_keys: JsonWebKeySet<JS, JT, JU, K>
) -> Self
Initializes a new verifier for a public client (i.e., one without a client secret).
pub fn new_insecure_without_verification() -> Self
Initializes a no-op verifier that performs no signature, audience, or issuer verification. The token’s expiration time is still checked, and the token is otherwise required to conform to the expected format.
pub fn new_confidential_client(
    client_id: ClientId,
    client_secret: ClientSecret,
    issuer: IssuerUrl,
    signature_keys: JsonWebKeySet<JS, JT, JU, K>
) -> Self
Initializes a new verifier for a confidential client (i.e., one with a client secret).
A confidential client verifier is required in order to verify ID tokens signed using a
shared secret algorithm such as HS256, HS384, or HS512. For these algorithms, the
client secret is the shared secret.
pub fn set_allowed_algs<I>(self, algs: I) -> Self
where
    I: IntoIterator<Item = JS>,
Specifies which JSON Web Signature algorithms are supported.
pub fn allow_any_alg(self) -> Self
Specifies that any signature algorithm is supported.
pub fn set_auth_context_verifier_fn<T>(self, acr_verifier_fn: T) -> Self
Specifies a function for verifying the acr claim.
The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.
pub fn set_auth_time_verifier_fn<T>(self, auth_time_verifier_fn: T) -> Self
Specifies a function for verifying the auth_time claim.
The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.
pub fn enable_signature_check(self) -> Self
Enables signature verification.
Signature verification is enabled by default, so this function is only useful if
IdTokenVerifier::insecure_disable_signature_check was previously invoked.
pub fn insecure_disable_signature_check(self) -> Self
Disables signature verification.
Security Warning
Unverified ID tokens may be subject to forgery. See Section 16.3 of OpenID Connect Core 1.0 for more information.
pub fn require_issuer_match(self, iss_required: bool) -> Self
Specifies whether the issuer claim must match the expected issuer URL for the provider.
pub fn require_audience_match(self, aud_required: bool) -> Self
Specifies whether the audience claim must match this client’s client ID.
pub fn set_time_fn<T>(self, time_fn: T) -> Self
Specifies a function for returning the current time.
This function is used for verifying the ID token expiration time.
pub fn set_issue_time_verifier_fn<T>(self, iat_verifier_fn: T) -> Self
Specifies a function for verifying the ID token issue time.
The function should return Ok(()) if the claim is valid, or a string describing the error otherwise.
pub fn set_other_audience_verifier_fn<T>(self, other_aud_verifier_fn: T) -> Self
Specifies a function for verifying audiences included in the aud claim that differ from
this client’s client ID.
The function should return true if the audience is trusted, or false otherwise.
Section 3.1.3.7 of OpenID Connect Core 1.0 states that “The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.”
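The audience rule quoted from Section 3.1.3.7 and the Ok(())-or-error-string convention described for the acr verifier function, as an added std-only Rust example that is not the crate's own code. The function names, the simplified &str callback arguments, and the sample client ID, audience and acr values are assumptions made for illustration.

```rust
// Added illustration (std only): models the documented callback contracts.
// Not the openidconnect crate's implementation; names and values are made up.

#[derive(Debug, PartialEq)]
enum ClaimError {
    ClientNotInAudience,
    UntrustedAudience(String),
    Acr(String),
}

/// Section 3.1.3.7 audience rule: the client must be listed in `aud`, and
/// every other audience must be accepted by `other_aud_trusted`
/// (true = trusted, false = reject the token).
fn check_audiences<F>(aud: &[&str], client_id: &str, other_aud_trusted: F) -> Result<(), ClaimError>
where
    F: Fn(&str) -> bool,
{
    if !aud.contains(&client_id) {
        return Err(ClaimError::ClientNotInAudience);
    }
    match aud.iter().find(|a| **a != client_id && !other_aud_trusted(**a)) {
        Some(bad) => Err(ClaimError::UntrustedAudience(bad.to_string())),
        None => Ok(()),
    }
}

/// acr policy in the documented shape: Ok(()) if valid, else an error string.
/// Taking Option<&str> is a simplification (assumption) of the real argument.
fn acr_policy(acr: Option<&str>) -> Result<(), String> {
    match acr {
        Some("urn:example:mfa") => Ok(()), // constructed acr value
        Some(other) => Err(format!("unacceptable acr: {other}")),
        None => Err("acr claim missing".to_string()),
    }
}

/// Runs both checks with constructed sample values for client and resource.
fn verify_claims(aud: &[&str], acr: Option<&str>) -> Result<(), ClaimError> {
    check_audiences(aud, "client-123", |a| a == "https://api.example.test")?;
    acr_policy(acr).map_err(ClaimError::Acr)
}

fn main() {
    let mfa = Some("urn:example:mfa");
    println!("{:?}", verify_claims(&["client-123"], mfa));
    println!("{:?}", verify_claims(&["client-123", "https://evil.example.test"], mfa));
    println!("{:?}", verify_claims(&["client-123"], Some("pwd")));
}
```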
Trait Implementations
impl<'a, JS, JT, JU, K> Clone for IdTokenVerifier<'a, JS, JT, JU, K>
where
    JS: JwsSigningAlgorithm<JT> + Clone,
    JT: JsonWebKeyType + Clone,
    JU: JsonWebKeyUse + Clone,
    K: JsonWebKey<JS, JT, JU> + Clone,
fn clone(&self) -> IdTokenVerifier<'a, JS, JT, JU, K>
fn clone_from(&mut self, source: &Self)