Expand description
RFC 9068 access-token profile.
Public surface: a single verify / issue entry-point pair plus
the supporting types (Claims, VerifyConfig, IssueConfig,
IssueRequest, AuthError, IssueError, and the operational ports
for replay/session/epoch revocation).
── Profile boundary ────────────────────────────────────────────────────
Every type that is RFC 9068-coupled (sv epoch, jti replay, sid
liveness, cat/account_type/caps/scopes/admin/active_ppnum/
delegator/dlg_depth domain claims, at+jwt typ pin) lives here.
The OIDC Core 1.0 id-token profile (Phase 10.1+) carries its own
Claims<S> / VerifyConfig / IssueConfig shapes inside
crate::id_token::* and never imports from this module.
Shared JOSE primitives (Algorithm, KeySet, SigningKey, Jwk,
Jwks) live at the crate root — neither profile owns them.
Engine submodules (crate::engine::*) are pub(crate); the
verify / issue re-exports below are the only paths through which
consumers reach the JWS check pipeline (M51/M52/M54 structural).
Structs§
Enums§
- Auth
Error - Epoch
Revocation Error - Issue
Error - Replay
Defense Error - Failure modes from a
ReplayDefensesubstrate call. - Session
Revocation Error
Traits§
- Epoch
Revocation - Current per-account
session_versionlookup. - Replay
Defense - Atomic check-and-record over a per-token uniqueness key.
- Session
Revocation - Per-session liveness check.