pas_external/oidc/

mod.rs

//! γ port-and-adapter SDK boundary for OpenID Connect Relying Party
//! (RP) integration.
//!
//! Phase 10.11 — sibling of [`crate::token`]. Where `token::*` exposes
//! the [`BearerVerifier`](crate::BearerVerifier) port for RFC 9068
//! access-token verification (the resource-server side of OAuth), this
//! module exposes [`IdTokenVerifier`] for OIDC id_token verification
//! (the user-authentication side). The two are intentionally disjoint:
//! id_tokens authenticate the user *to the RP*, access_tokens authorize
//! the RP *to the resource server* (OIDC Core §1.2 / RFC 9068 §1).
//!
//! Phase 11.A — adds [`RelyingParty<S>`] composition root + the
//! [`StateStore`] port + `discovery` primitive. The verify-half
//! ([`IdTokenVerifier`] + [`PasIdTokenVerifier`]) stays as the
//! resource-side surface; [`RelyingParty<S>`] composes both halves
//! (start_authorization → callback completion) for the user-flow side.
//!
//! ── Module layout — mirrors [`crate::token`] for parallel structure ─────
//!
//! - [`port`] — [`IdTokenVerifier`], [`IdAssertion`], [`IdVerifyError`]
//!   (always compiled when `token` feature is on; depends on engine
//!   `ScopeSet` / `Nonce` types).
//! - [`verifier`] — [`PasIdTokenVerifier<S>`] production adapter (gated
//!   `well-known-fetch`; depends on the engine's id_token verify entry
//!   and a TTL-cached JWKS).
//! - [`memory`] — [`MemoryIdTokenVerifier<S>`] +
//!   [`InMemoryStateStore`] test-support adapters (gated
//!   `cfg(any(test, feature = "test-support"))`).
//! - [`state_store`] — [`StateStore`] port + value types ([`Config`],
//!   [`State`], [`RelativePath`], [`PendingAuthRequest`],
//!   [`AuthorizationRedirect`], [`CallbackParams`], [`Completion<S>`])
//!   (gated `feature = "oauth"` + `feature = "token"`; Phase 11.A).
//! - [`discovery`] — `fetch_discovery` primitive for OIDC
//!   well-known-openid-configuration documents (gated
//!   `feature = "well-known-fetch"`; Phase 11.A).
//! - [`relying_party`] — [`RelyingParty<S>`] composition root (gated
//!   `feature = "well-known-fetch"`; Phase 11.A skeleton, Phase 11.B
//!   impl).
//!
//! ── Phase 9 inheritance — [`AuditSink`] reuse ───────────────────────────
//!
//! Verify-failure emission travels through the same
//! [`AuditSink`](crate::AuditSink) port that [`PasJwtVerifier`](crate::JwtVerifier)
//! uses. One audit pipeline serves both verifiers; consumers pass the
//! same `Arc<dyn AuditSink>` to both `with_audit` builders. The
//! [`VerifyErrorKind`](crate::VerifyErrorKind) enum gains an
//! `IdToken(_)` nested variant in 10.11.B so dashboard pivots can
//! filter "all id_token failures" with a single match arm.
//!
//! ── Scope re-exports ────────────────────────────────────────────────────
//!
//! The engine's [`scopes`](ppoppo_token::id_token::scopes) markers are
//! re-exported here so consumers reach them via the SDK boundary:
//!
//! ```ignore
//! use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};
//! ```
//!
//! rather than depending on `ppoppo-token` directly. This preserves the
//! γ invariant: the engine type never crosses the SDK boundary except
//! through SDK-shaped re-exports.

#[cfg(feature = "token")]
pub mod port;

#[cfg(feature = "well-known-fetch")]
pub(crate) mod verifier;

#[cfg(all(feature = "token", feature = "oauth"))]
pub mod state_store;

/// Thin re-export of `ppoppo_sdk_core::discovery::*` — Phase A Slice 2
/// moved the primitive to sdk-core so any RP composition root (today
/// pas-external; tomorrow pas-plims / pcs-external) consumes the same
/// `fetch_discovery` + `Discovery` + `DiscoveryError` shapes.
#[cfg(feature = "well-known-fetch")]
pub mod discovery {
    pub use ::ppoppo_sdk_core::discovery::*;
}

#[cfg(feature = "well-known-fetch")]
pub mod relying_party;

#[cfg(feature = "well-known-fetch")]
pub mod refresh_outcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub mod memory;

// Phase A Slice 4 — perimeter `BearerAuthLayer` Layer kit moved to
// `ppoppo_sdk_core::bearer::*` so 1st-party services (chat-auth) can
// import direct (audit decision B). pas-external re-exports the kit at
// the crate root as `pas_external::bearer::*` for 3rd-party RCW/CTW
// consumers (audit decision D — 1-level role-named module, no nesting).
// No `oidc::axum::*` namespace remains — see crate root `bearer` module
// in this crate's `lib.rs`.

#[cfg(feature = "token")]
pub use port::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, ScopePiiReader};

#[cfg(all(feature = "token", feature = "oauth"))]
pub use state_store::{
    AuthorizationRedirect, CallbackParams, Completion, Config, PendingAuthRequest, RelativePath,
    RelativePathError, State, StateStore, StateStoreError,
};

#[cfg(feature = "well-known-fetch")]
pub use discovery::{fetch_discovery, Discovery, DiscoveryError};

#[cfg(feature = "well-known-fetch")]
pub use relying_party::{
    CallbackError, RefreshError, RelyingParty, RelyingPartyInitError, RequestedScope, StartError,
};

#[cfg(feature = "well-known-fetch")]
pub use refresh_outcome::RefreshOutcome;

#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use memory::MemoryIdTokenVerifier;

#[cfg(all(
    feature = "token",
    feature = "oauth",
    any(test, feature = "test-support")
))]
pub use memory::InMemoryStateStore;

// Engine re-exports — consumers reach scope markers + Nonce via the SDK
// boundary rather than depending on `ppoppo-token` directly.
#[cfg(feature = "token")]
pub use ppoppo_token::id_token::{
    Nonce,
    scopes::{
        Email, EmailProfile, EmailProfilePhone, EmailProfilePhoneAddress, HasAddress, HasEmail,
        HasPhone, HasProfile, Openid, Profile, ScopeSet,
    },
};