Module oidc

γ port-and-adapter SDK boundary for OpenID Connect Relying Party (RP) integration.

Phase 10.11 — sibling of [crate::token]. Where token::* exposes the BearerVerifier port for RFC 9068 access-token verification (the resource-server side of OAuth), this module exposes IdTokenVerifier for OIDC id_token verification (the user-authentication side). The two are intentionally disjoint: id_tokens authenticate the user to the RP, access_tokens authorize the RP to the resource server (OIDC Core §1.2 / RFC 9068 §1).

Phase 11.A — adds [RelyingParty<S>] composition root + the StateStore port + discovery primitive. The verify-half (IdTokenVerifier + [PasIdTokenVerifier]) stays as the resource-side surface; [RelyingParty<S>] composes both halves (start_authorization → callback completion) for the user-flow side.

── Module layout — mirrors [crate::token] for parallel structure ─────

  • [port] — IdTokenVerifier, IdAssertion, IdVerifyError (always compiled when the token feature is on; depends on the engine’s ScopeSet / Nonce types).
  • [verifier] — [PasIdTokenVerifier<S>] production adapter (gated well-known-fetch; depends on the engine’s id_token verify entry and a TTL-cached JWKS).
  • [memory] — [MemoryIdTokenVerifier<S>] + [InMemoryStateStore] test-support adapters (gated cfg(any(test, feature = "test-support"))).
  • [state_store] — StateStore port + value types (Config, State, RelativePath, PendingAuthRequest, AuthorizationRedirect, CallbackParams, Completion<S>) (gated feature = "oauth" + feature = "token"; Phase 11.A).
  • [discovery] — fetch_discovery primitive for OIDC well-known openid-configuration documents (gated feature = "well-known-fetch"; Phase 11.A).
  • [relying_party] — [RelyingParty<S>] composition root (gated feature = "well-known-fetch"; Phase 11.A skeleton, Phase 11.B impl).
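The start_authorization → callback-completion composition and the StateStore port described above, as an added example that is not the crate's own code. The trait's method set (put/take), the value types' fields, the deterministic counter standing in for a CSPRNG and the example URLs are all assumptions made here; what the sketch demonstrates is the property a state store exists for: a `state` value is consumed exactly once, so a replayed or forged callback is rejected before any code exchange or id_token verification happens.

```rust
// Added example, not pas_external's own code. Type names echo the module's
// re-exports; their fields and the StateStore method set are assumptions.
use std::collections::HashMap;

/// Opaque `state` parameter: the key binding a callback to one pending request.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct State(pub String);

/// What the RP remembers between redirect and callback (assumed fields).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PendingAuthRequest {
    pub nonce: String,
    pub redirect_uri: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum StateStoreError {
    UnknownState,
}

/// StateStore port (assumed method set). `take` removes the entry, so one
/// state value can complete at most one callback.
pub trait StateStore {
    fn put(&mut self, state: State, pending: PendingAuthRequest);
    fn take(&mut self, state: &State) -> Result<PendingAuthRequest, StateStoreError>;
}

/// Test-support adapter: a plain map, no expiry.
#[derive(Default)]
pub struct InMemoryStateStore {
    pending: HashMap<State, PendingAuthRequest>,
}

impl StateStore for InMemoryStateStore {
    fn put(&mut self, state: State, pending: PendingAuthRequest) {
        self.pending.insert(state, pending);
    }
    fn take(&mut self, state: &State) -> Result<PendingAuthRequest, StateStoreError> {
        self.pending.remove(state).ok_or(StateStoreError::UnknownState)
    }
}

pub struct AuthorizationRedirect { pub url: String }
pub struct CallbackParams { pub code: String, pub state: String }

/// Callback outcome: the code to exchange plus the nonce the id_token must echo.
#[derive(Debug, PartialEq, Eq)]
pub struct Completion {
    pub code: String,
    pub expected_nonce: String,
    pub redirect_uri: String,
}

pub struct RelyingParty<S: StateStore> {
    store: S,
    authorization_endpoint: String,
    client_id: String,
    redirect_uri: String,
    // Counter so the example is reproducible; a real RP draws state and nonce from a CSPRNG.
    counter: u64,
}

impl<S: StateStore> RelyingParty<S> {
    pub fn new(store: S, authorization_endpoint: &str, client_id: &str, redirect_uri: &str) -> Self {
        RelyingParty {
            store,
            authorization_endpoint: authorization_endpoint.to_string(),
            client_id: client_id.to_string(),
            redirect_uri: redirect_uri.to_string(),
            counter: 0,
        }
    }

    fn fresh(&mut self, tag: &str) -> String {
        self.counter += 1;
        format!("{}-{:04}", tag, self.counter)
    }

    /// First half: mint state + nonce, persist them, build the redirect URL.
    pub fn start_authorization(&mut self, scope: &str) -> AuthorizationRedirect {
        let state = State(self.fresh("st"));
        let nonce = self.fresh("nc");
        self.store.put(state.clone(), PendingAuthRequest {
            nonce: nonce.clone(),
            redirect_uri: self.redirect_uri.clone(),
        });
        // Only the space in `scope` is percent-encoded here; real code encodes every parameter.
        let url = format!(
            "{}?response_type=code&client_id={}&redirect_uri={}&scope={}&state={}&nonce={}",
            self.authorization_endpoint, self.client_id, self.redirect_uri,
            scope.replace(' ', "%20"), state.0, nonce
        );
        AuthorizationRedirect { url }
    }

    /// Second half: the callback's `state` must match a stored, unconsumed request.
    pub fn complete_callback(&mut self, params: CallbackParams) -> Result<Completion, StateStoreError> {
        let pending = self.store.take(&State(params.state))?;
        Ok(Completion {
            code: params.code,
            expected_nonce: pending.nonce,
            redirect_uri: pending.redirect_uri,
        })
    }
}
```

The `Completion` carries the nonce the RP stored at start time; the verify-half (IdTokenVerifier) is what later compares it against the id_token's nonce claim, which is why the two halves are composed in one `RelyingParty<S>` rather than left for the caller to wire.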

── Phase 9 inheritance — [AuditSink] reuse ───────────────────────────

Verify-failure emission travels through the same AuditSink port that PasJwtVerifier uses. One audit pipeline serves both verifiers; consumers pass the same Arc<dyn AuditSink> to both with_audit builders. The VerifyErrorKind enum gains an IdToken(_) nested variant in 10.11.B so dashboard pivots can filter “all id_token failures” with a single match arm.

── Scope re-exports ────────────────────────────────────────────────────

The engine’s scopes markers are re-exported here so consumers reach them via the SDK boundary:

use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};

rather than depending on ppoppo-token directly. This preserves the γ invariant: the engine type never crosses the SDK boundary except through SDK-shaped re-exports.

Re-exports

pub use port::Address;
pub use port::IdAssertion;
pub use port::IdTokenVerifier;
pub use port::IdVerifyError;
pub use port::ScopePiiReader;
pub use state_store::AuthorizationRedirect;
pub use state_store::CallbackParams;
pub use state_store::Completion;
pub use state_store::Config;
pub use state_store::PendingAuthRequest;
pub use state_store::RelativePath;
pub use state_store::RelativePathError;
pub use state_store::State;
pub use state_store::StateStore;
pub use state_store::StateStoreError;

Modules

port
γ port — IdTokenVerifier, IdAssertion, IdVerifyError.
state_store
OIDC RP state-machine port + value types.

Structs

Email
scope=openid email.
EmailProfile
scope=openid email profile.
EmailProfilePhone
scope=openid email profile phone.
EmailProfilePhoneAddress
scope=openid email profile phone address — the maximal request.
Nonce
Opaque nonce value. Construction validates non-emptiness; the inner string is private so callers cannot bypass the invariant by minting Nonce(String::new()) directly.
Openid
scope=openid — the mandatory baseline. No PII accessors.
Profile
scope=openid profile.

Traits

HasAddress
Token grants address. Gates Claims::address().
HasEmail
Token grants openid email (or any superset including email). Gates Claims::email() / Claims::email_verified().
HasPhone
Token grants phone. Gates Claims::phone_number() / phone_number_verified().
HasProfile
Token grants profile (name fields + locale + updated_at — OIDC §5.4). Gates Claims::name() / given_name() / family_name().
ScopeSet
Sealed trait. Every scope marker (the 6 structs listed under Structs above) implements it; nothing outside this module can. Bounds verify<S> and Claims<S> so callers cannot smuggle in Claims<()> and bypass the Has* gating.
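The sealed ScopeSet / Has* gating and the Nonce invariant documented above, as an added self-contained example that is not pas_external's code. The names (ScopeSet, HasEmail, HasProfile, Claims, Nonce, verify, IdVerifyError) mirror the page; the `SCOPE` constant, the already-decoded claim map taken as input, and the sample payload are assumptions made here. Signature, issuer and audience checks are deliberately outside this sketch; it shows only why a `Claims<Openid>` cannot reach `.email()` and why an empty nonce cannot be constructed.

```rust
// Added example, not pas_external's own code. Bodies, SCOPE and the claim-map
// input are assumptions; only the gating structure follows the module docs.
use std::collections::HashMap;
use std::marker::PhantomData;

mod sealed {
    pub trait Sealed {}
}

/// Sealed: only the markers in this file implement it, so no caller can
/// define a marker of its own and reach a gated accessor with it.
pub trait ScopeSet: sealed::Sealed {
    /// Space-separated `scope` value the marker stands for (assumed shape).
    const SCOPE: &'static str;
}

pub struct Openid;
pub struct Email;
pub struct EmailProfile;

impl sealed::Sealed for Openid {}
impl sealed::Sealed for Email {}
impl sealed::Sealed for EmailProfile {}

impl ScopeSet for Openid { const SCOPE: &'static str = "openid"; }
impl ScopeSet for Email { const SCOPE: &'static str = "openid email"; }
impl ScopeSet for EmailProfile { const SCOPE: &'static str = "openid email profile"; }

/// Gate traits: implemented only by markers whose scope covers the claim family.
pub trait HasEmail: ScopeSet {}
impl HasEmail for Email {}
impl HasEmail for EmailProfile {}
pub trait HasProfile: ScopeSet {}
impl HasProfile for EmailProfile {}

/// Opaque nonce; the inner String is private and non-empty by construction.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Nonce(String);

#[derive(Debug, PartialEq, Eq)]
pub enum NonceError { Empty }

impl Nonce {
    pub fn new(s: impl Into<String>) -> Result<Self, NonceError> {
        let s = s.into();
        if s.is_empty() { Err(NonceError::Empty) } else { Ok(Nonce(s)) }
    }
    pub fn as_str(&self) -> &str { &self.0 }
}

/// Claims typed by the scope set they were verified against.
pub struct Claims<S: ScopeSet> {
    map: HashMap<String, String>,
    _scope: PhantomData<S>,
}

impl<S: ScopeSet> Claims<S> {
    /// `sub` is mandatory for every scope set, so it is ungated.
    pub fn sub(&self) -> &str { &self.map["sub"] }
}

impl<S: HasEmail> Claims<S> {
    pub fn email(&self) -> Option<&str> { self.map.get("email").map(String::as_str) }
}

impl<S: HasProfile> Claims<S> {
    pub fn name(&self) -> Option<&str> { self.map.get("name").map(String::as_str) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum IdVerifyError {
    MissingScope { required: &'static str, granted: String },
    NonceMismatch,
    MissingSub,
}

/// Scope, nonce and sub checks over an already signature-verified claim map.
pub fn verify<S: ScopeSet>(map: HashMap<String, String>, expected: &Nonce)
    -> Result<Claims<S>, IdVerifyError>
{
    let granted = map.get("scope").cloned().unwrap_or_default();
    for required in S::SCOPE.split_whitespace() {
        if !granted.split_whitespace().any(|g| g == required) {
            return Err(IdVerifyError::MissingScope { required, granted });
        }
    }
    if map.get("nonce").map(String::as_str) != Some(expected.as_str()) {
        return Err(IdVerifyError::NonceMismatch);
    }
    if !map.contains_key("sub") {
        return Err(IdVerifyError::MissingSub);
    }
    Ok(Claims { map, _scope: PhantomData })
}

/// Constructed sample id_token payload (already decoded), granted `openid email`.
pub fn sample_claims() -> HashMap<String, String> {
    [("sub", "248289761001"), ("scope", "openid email"),
     ("email", "alice@example.com"), ("nonce", "n-0S6_WzA2Mj")]
        .iter().map(|&(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let nonce = Nonce::new("n-0S6_WzA2Mj").unwrap();
    let c = verify::<Email>(sample_claims(), &nonce).unwrap();
    println!("sub={} email={:?}", c.sub(), c.email());
    // `verify::<Openid>(..)?.email()` would not compile: Openid does not implement HasEmail.
}
```

Because the gate is a trait bound rather than a runtime check, a missing `profile` scope is caught in two places: at compile time for a caller that asks `Claims<Openid>` for `.name()`, and at verification time for a token that was issued with fewer scopes than the requested marker `S` claims.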