
Module oidc


γ port-and-adapter SDK boundary for OpenID Connect Relying Party (RP) integration.

Phase 10.11 — sibling of crate::token. Where token::* exposes the BearerVerifier port for RFC 9068 access-token verification (the resource-server side of OAuth), this module exposes IdTokenVerifier for OIDC id_token verification (the user-authentication side). The two are intentionally disjoint: id_tokens authenticate the user to the RP, access_tokens authorize the RP to the resource server (OIDC Core §1.2 / RFC 9068 §1).

── Module layout — mirrors crate::token for parallel structure ─────

  • [port] — [IdTokenVerifier], [IdAssertion], [IdVerifyError] (always compiled when the token feature is on; depends on the engine’s ScopeSet / Nonce types).
  • [verifier] — [PasIdTokenVerifier<S>] production adapter (gated well-known-fetch; depends on the engine’s id_token verify entry and a TTL-cached JWKS).
  • [memory] — [MemoryIdTokenVerifier<S>] test-support adapter (gated cfg(any(test, feature = "test-support"))).

── Phase 9 inheritance — [AuditSink] reuse ───────────────────────────

Verify-failure emission travels through the same AuditSink port that PasJwtVerifier uses. One audit pipeline serves both verifiers; consumers pass the same Arc<dyn AuditSink> to both with_audit builders. The VerifyErrorKind enum gains an IdToken(_) nested variant in 10.11.B so dashboard pivots can filter “all id_token failures” with a single match arm.

── Scope re-exports ────────────────────────────────────────────────────

The engine’s scope markers are re-exported here so consumers reach them via the SDK boundary:

use pas_external::oidc::{IdTokenVerifier, Openid, Email, EmailProfile};

rather than depending on ppoppo-token directly. This preserves the γ invariant: the engine type never crosses the SDK boundary except through SDK-shaped re-exports.

Re-exports

pub use port::Address;
pub use port::IdAssertion;
pub use port::IdTokenVerifier;
pub use port::IdVerifyError;
pub use port::ScopePiiReader;

Modules

  • port: γ port — IdTokenVerifier, IdAssertion, IdVerifyError.

Structs

  • Email: scope=openid email.
  • EmailProfile: scope=openid email profile.
  • EmailProfilePhone: scope=openid email profile phone.
  • EmailProfilePhoneAddress: scope=openid email profile phone address — the maximal request.
  • Nonce: opaque nonce value. Construction validates non-emptiness; the inner string is private so callers cannot bypass the invariant by minting Nonce(String::new()) directly.
  • Openid: scope=openid — the mandatory baseline. No PII accessors.
  • Profile: scope=openid profile.

Traits

  • HasAddress: token grants address. Gates Claims::address().
  • HasEmail: token grants openid email (or any superset including email). Gates Claims::email() / Claims::email_verified().
  • HasPhone: token grants phone. Gates Claims::phone_number() / phone_number_verified().
  • HasProfile: token grants profile (name fields + locale + updated_at — OIDC §5.4). Gates Claims::name() / given_name() / family_name().
  • ScopeSet: sealed trait. Every scope marker (the six scope-marker structs listed under Structs) implements it; nothing outside this module can. It bounds verify<S> and Claims<S>, so callers cannot smuggle in Claims<()> and bypass the Has* gating.