Enum IdVerifyError

pub enum IdVerifyError {
    InvalidFormat,
    SignatureInvalid,
    Expired,
    IssuerInvalid,
    AudienceInvalid,
    MissingClaim(&'static str),
    KeysetUnavailable,
    NonceMissing,
    NonceMismatch,
    AtHashMissing,
    AtHashMismatch,
    CHashMissing,
    CHashMismatch,
    AzpMissing,
    AzpMismatch,
    AuthTimeMissing,
    AuthTimeStale,
    AcrMissing,
    AcrNotAllowed,
    UnknownClaim(String),
    CatMismatch(String),
    Other(String),
}

id_token verification failure surface.

One variant per logical failure class; mirrors VerifyError for access tokens but adds OIDC-specific rows (M66-M73 + M29-mirror CatMismatch). The PAS-engine variants reflect the boundary contract: audit logs map them 1:1 to engine ppoppo_token::id_token::AuthError rows. Adapter-side variants (InvalidFormat) cover failures upstream of engine entry.

Variants

InvalidFormat

Token did not parse as a JWS Compact serialization.

SignatureInvalid

Cryptographic signature verification failed.

Expired

exp claim is in the past.

IssuerInvalid

iss did not match the verifier’s expected issuer.

AudienceInvalid

aud did not match the verifier’s expected audience.

MissingClaim(&'static str)

A required claim was absent or malformed.

KeysetUnavailable

JWKS fetch failed and there is no usable cached snapshot.

NonceMissing

M66 — nonce claim is absent from the id_token payload.

NonceMismatch

M66 — payload nonce is present but does not match the expected_nonce the RP stored at the auth-request boundary.

AtHashMissing

M67 — at_hash claim absent from payload while the verifier was configured with an expected access_token binding (hybrid + implicit flows).

AtHashMismatch

M67 — payload at_hash is present but does not match the expected access_token binding.

CHashMissing

M68 — c_hash claim absent while the verifier was configured with an expected authorization-code binding (hybrid flow).

CHashMismatch

M68 — payload c_hash is present but does not match the expected authorization-code binding.

AzpMissing

M69 — azp claim absent on multi-audience id_token.

AzpMismatch

M69 — payload azp does not equal the RP’s client_id.

AuthTimeMissing

M70 — auth_time claim absent while the verifier was configured with a max_age window.

AuthTimeStale

M70 — now - auth_time > max_age. The user authenticated too long ago for this RP’s freshness policy.

AcrMissing

M71 — acr claim absent while the verifier was configured with acr_values.

AcrNotAllowed

M71 — payload acr not in the RP’s acr_values allowlist.

UnknownClaim(String)

M72 — id_token payload contains a claim outside the per-scope allowlist. Carries the offending name for audit log disambiguation (forgery vs issuer drift).

CatMismatch(String)

M29-mirror — id_token payload carries a cat claim whose value is not "id". Refuses access_token shapes presented to the id_token verifier (the symmetric counterpart to M73 on the access-token side). Carries the offending value.

Other(String)

Catch-all for engine variants that don’t map to a structural SDK rejection. Carries the engine’s AuthError Display so the audit log retains the precise M-code.
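
The payload checks behind the M66, M69, M70, M71 and M29-mirror variants, as an added example that is not the crate's code: `Reject`, `Claims`, `Policy` and `check` are hypothetical names, and the order of the checks is an assumption. Signature, iss, aud and exp are assumed to have been verified before this point.

```rust
// Local mirror of a few IdVerifyError variants (illustration, not the crate's type).
#[derive(Debug, PartialEq)]
enum Reject {
    NonceMissing, NonceMismatch, AzpMissing, AzpMismatch, AuthTimeMissing,
    AuthTimeStale, AcrMissing, AcrNotAllowed, CatMismatch(String),
}
// Hypothetical decoded payload (assumption: earlier checks already passed).
#[derive(Default)]
struct Claims {
    aud: Vec<String>, nonce: Option<String>, azp: Option<String>,
    auth_time: Option<u64>, acr: Option<String>, cat: Option<String>,
}
// Hypothetical RP-side expectations recorded when the auth request was sent.
struct Policy<'a> { client_id: &'a str, expected_nonce: &'a str, max_age: Option<u64>, acr_values: &'a [&'a str] }

fn check(c: &Claims, p: &Policy, now: u64) -> Result<(), Reject> {
    // M29-mirror: a cat claim other than "id" is a different token shape.
    match &c.cat {
        Some(v) if v != "id" => return Err(Reject::CatMismatch(v.clone())),
        _ => {}
    }
    // M66: nonce must be present and equal to the value the RP stored.
    match &c.nonce {
        None => return Err(Reject::NonceMissing),
        Some(n) if n != p.expected_nonce => return Err(Reject::NonceMismatch),
        _ => {}
    }
    // M69: azp is required on multi-audience tokens and must equal client_id.
    match &c.azp {
        None if c.aud.len() > 1 => return Err(Reject::AzpMissing),
        Some(a) if a != p.client_id => return Err(Reject::AzpMismatch),
        _ => {}
    }
    // M70: enforced only when a max_age window is configured.
    if let Some(max_age) = p.max_age {
        let t = c.auth_time.ok_or(Reject::AuthTimeMissing)?;
        if now.saturating_sub(t) > max_age { return Err(Reject::AuthTimeStale); }
    }
    // M71: enforced only when the RP configured acr_values.
    if !p.acr_values.is_empty() {
        let acr = c.acr.as_deref().ok_or(Reject::AcrMissing)?;
        if !p.acr_values.contains(&acr) { return Err(Reject::AcrNotAllowed); }
    }
    Ok(())
}
fn main() { // constructed sample: two audiences and no azp
    let p = Policy { client_id: "rp-1", expected_nonce: "n-1", max_age: Some(300), acr_values: &[] };
    let c = Claims { aud: vec!["rp-1".into(), "api".into()], nonce: Some("n-1".into()), ..Default::default() };
    println!("{:?}", check(&c, &p, 1_000));
}
```

Checks that depend on optional verifier configuration (max_age, acr_values) are skipped when unset, which is why the corresponding Missing variants only appear for RPs that opted in.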

Trait Implementations

impl Clone for IdVerifyError

fn clone(&self) -> IdVerifyError

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for IdVerifyError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for IdVerifyError

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for IdVerifyError

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

Deprecated since 1.42.0: use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

Deprecated since 1.33.0: replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports.

impl PartialEq for IdVerifyError

fn eq(&self, other: &IdVerifyError) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for IdVerifyError

impl StructuralPartialEq for IdVerifyError

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T> ToString for T
where T: Display + ?Sized,

fn to_string(&self) -> String

Converts the given value to a String.

impl<T> ToStringFallible for T
where T: Display,

fn try_to_string(&self) -> Result<String, TryReserveError>

ToString::to_string, but without panic on OOM.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.