ppoppo_token/access_token/mod.rs
1//! RFC 9068 access-token profile.
2//!
3//! Public surface: a single `verify` / `issue` entry-point pair plus
4//! the supporting types (`Claims`, `VerifyConfig`, `IssueConfig`,
5//! `IssueRequest`, `AuthError`, `IssueError`, and the operational ports
6//! for replay defense and session/epoch revocation, plus their error types).
7//!
8//! ── Profile boundary ────────────────────────────────────────────────────
9//!
10//! Every type that is RFC 9068-coupled (sv epoch, jti replay, sid
11//! liveness, `cat`/`account_type`/`caps`/`scopes`/`admin`/`active_ppnum`/
12//! `delegator`/`dlg_depth` domain claims, `at+jwt` typ pin) lives here.
13//! The OIDC Core 1.0 id-token profile (Phase 10.1+) carries its own
14//! `Claims<S>` / `VerifyConfig` / `IssueConfig` shapes inside
15//! `crate::id_token::*` and never imports from this module.
16//!
17//! Shared JOSE primitives (`Algorithm`, `KeySet`, `SigningKey`, `Jwk`,
18//! `Jwks`) live at the crate root — neither profile owns them.
19//!
20//! Engine submodules (`crate::engine::*`) are `pub(crate)`; the
21//! `verify` / `issue` re-exports below are the only paths through which
22//! consumers reach the JWS check pipeline (M51/M52/M54 structural).
23
24pub(crate) mod claims;
25pub(crate) mod epoch_revocation;
26pub(crate) mod error;
27pub(crate) mod issue_config;
28pub(crate) mod issue_error;
29pub(crate) mod issue_request;
30pub(crate) mod replay_defense;
31pub(crate) mod session_revocation;
32pub(crate) mod verify_config;
33
34pub use self::claims::Claims;
35pub use self::epoch_revocation::{EpochRevocation, EpochRevocationError};
36pub use self::error::AuthError;
37pub use self::issue_config::IssueConfig;
38pub use self::issue_error::IssueError;
39pub use self::issue_request::IssueRequest;
40pub use self::replay_defense::{ReplayDefense, ReplayDefenseError};
41pub use self::session_revocation::{SessionRevocation, SessionRevocationError};
42pub use self::verify_config::VerifyConfig;
43
44pub use crate::engine::{issue, verify};