Module provider


Table-driven OAuth/OIDC provider registry.

Replaces the per-provider match self.provider.as_str() arms in lib.rs::OAuthConfig with a single ProviderSpec struct that fully describes a provider’s endpoints and how to parse its userinfo response. Adding a new provider becomes a struct literal in builtin::all — no new branches anywhere else.

Two flavors of provider are supported:

  • Static specs (Google, GitHub, Apple, Discord, Slack, etc.) — endpoints + userinfo shape are hard-coded in builtin::all. Adding a 51st provider that follows the standard OAuth2/OIDC shape is one struct literal.

  • OIDC discovery (from_issuer) — pulls <issuer>/.well-known/openid-configuration and synthesizes a spec at runtime. Covers Auth0, Okta, Cognito, Keycloak, Logto, Authentik, Zitadel, and any compliant OIDC IdP without code changes. The runtime caches the discovery response so we don’t round-trip the IdP on every login.

Provider-specific quirks — Apple’s RS256-signed client_secret, GitHub’s “primary email lives at /user/emails”, Microsoft’s tenant-aware endpoints — are carried as enum variants on [ClientSecret] and [UserinfoSource] so the call sites stay data-driven.

Modules

builtin
oidc_cache
Process-wide cache of OIDC discovery documents. The cache is populated lazily on first use of an oidc_issuer-configured provider and never invalidated — the discovery doc is meant to be stable for the lifetime of the process. If the IdP changes endpoints (rare), restart the server.

Structs

AppleConfig
Apple-specific config. See https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens.
DiscoveredSpec
Owned spec produced by OIDC discovery — same fields as ProviderSpec but with String instead of &'static str since the URLs come from the network, not the binary.
OidcDiscoveryDoc
Fields we extract from an OIDC provider’s /.well-known/openid-configuration document. Everything else is ignored — pylon’s auth flow only uses these.
ProviderConfig
Runtime config layered on top of a static ProviderSpec: the developer’s client_id/client_secret/redirect_uri, plus any per-provider extras (Microsoft tenant id, Apple key material, scopes override).
ProviderSpec
Static description of one OAuth/OIDC provider. Endpoint URLs are formatted with {tenant} etc. placeholders that the spec resolves when given a runtime config (e.g. Microsoft swaps {tenant} for the configured Azure tenant id).

Enums

ResolvedSpec
Either a compile-time builtin spec or a runtime-discovered OIDC spec. The two cases share read accessors via this enum so call sites don’t care where the URLs came from.
TokenExchangeShape
Provider-specific token exchange request shape.
UserinfoMethod
Userinfo fetch HTTP verb. Dropbox uses POST with an empty body; every other supported provider uses GET.
UserinfoParser
Where + how to read identity fields out of a userinfo response.

Functions

find_spec
Look up a static provider spec by id. Returns None for unknown ids OR for OIDC issuer-config providers (those need oidc_cache::resolve to materialize a runtime spec).
resolve_endpoint
Resolve {tenant} placeholders in an endpoint URL using the runtime config. Today only Microsoft uses this, but the substitution is generic so future tenant-aware providers don’t need new code.
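The table-driven registry described above, together with find_spec, resolve_endpoint and a discovery-synthesized spec, as an added example. This is not pylon's code: the item names follow this page, but every field, signature and URL below is an assumption made for illustration (the GitHub and Microsoft endpoints are example values, and the "okta" entry is a constructed placeholder for an issuer-configured provider). Two checks are also assumptions a practitioner would want rather than anything the page states: resolve_endpoint restricts a tenant id to a single path segment so a configured value cannot rewrite the rest of the URL, and from_discovery rejects a discovery document whose issuer does not match the configured one or whose endpoints are not https.

```rust
// Added example, not pylon's own code. Names mirror the module page
// (ProviderSpec, find_spec, resolve_endpoint, DiscoveredSpec, OidcDiscoveryDoc),
// but every field, signature and URL here is an assumption for illustration.

/// Userinfo fetch HTTP verb (Dropbox posts an empty body; everyone else GETs).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UserinfoMethod {
    Get,
    Post,
}

/// Static description of one provider. `{tenant}` in a URL is resolved at runtime.
#[derive(Debug, Clone, Copy)]
pub struct ProviderSpec {
    pub id: &'static str,
    pub auth_url: &'static str,
    pub token_url: &'static str,
    pub userinfo_url: &'static str,
    pub userinfo_method: UserinfoMethod,
    /// Marker for issuer-configured providers whose endpoints come from discovery.
    pub oidc_issuer_only: bool,
}

/// The registry: adding a provider is one more struct literal here.
/// URLs are example values chosen for this illustration.
pub const BUILTIN: &[ProviderSpec] = &[
    ProviderSpec {
        id: "github",
        auth_url: "https://github.com/login/oauth/authorize",
        token_url: "https://github.com/login/oauth/access_token",
        userinfo_url: "https://api.github.com/user",
        userinfo_method: UserinfoMethod::Get,
        oidc_issuer_only: false,
    },
    ProviderSpec {
        id: "microsoft",
        auth_url: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
        token_url: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        userinfo_url: "https://graph.microsoft.com/oidc/userinfo",
        userinfo_method: UserinfoMethod::Get,
        oidc_issuer_only: false,
    },
    // Constructed placeholder: endpoints come from OIDC discovery, not from here.
    ProviderSpec {
        id: "okta",
        auth_url: "",
        token_url: "",
        userinfo_url: "",
        userinfo_method: UserinfoMethod::Get,
        oidc_issuer_only: true,
    },
];

/// Look up a static spec. `None` for unknown ids and for issuer-configured providers.
pub fn find_spec(id: &str) -> Option<&'static ProviderSpec> {
    BUILTIN.iter().find(|s| s.id == id && !s.oidc_issuer_only)
}

/// Substitute `{tenant}` in an endpoint template. The tenant id is restricted to
/// one plain path segment (assumed check) so config cannot rewrite the URL path.
pub fn resolve_endpoint(template: &str, tenant: Option<&str>) -> Result<String, String> {
    if !template.contains("{tenant}") {
        return Ok(template.to_string());
    }
    let tenant = tenant.ok_or("endpoint needs a tenant id but none was configured")?;
    let plain_segment = !tenant.is_empty()
        && tenant.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if !plain_segment {
        return Err(format!("tenant id {tenant:?} is not a plain path segment"));
    }
    Ok(template.replace("{tenant}", tenant))
}

/// Fields read from `/.well-known/openid-configuration` (assumed shape, no JSON parsing here).
pub struct OidcDiscoveryDoc {
    pub issuer: String,
    pub authorization_endpoint: String,
    pub token_endpoint: String,
    pub userinfo_endpoint: String,
}

/// Spec built at runtime from a discovery document: owned Strings, since the URLs
/// arrive over the network rather than being baked into the binary.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DiscoveredSpec {
    pub issuer: String,
    pub auth_url: String,
    pub token_url: String,
    pub userinfo_url: String,
}

impl DiscoveredSpec {
    /// Synthesize a spec from a discovery doc. Rejects a document whose `issuer`
    /// differs from the configured one or whose endpoints are not https (assumed checks).
    pub fn from_discovery(configured_issuer: &str, doc: &OidcDiscoveryDoc) -> Result<Self, String> {
        if doc.issuer.trim_end_matches('/') != configured_issuer.trim_end_matches('/') {
            return Err(format!("issuer mismatch: configured {configured_issuer}, document says {}", doc.issuer));
        }
        for url in [&doc.authorization_endpoint, &doc.token_endpoint, &doc.userinfo_endpoint] {
            if !url.starts_with("https://") {
                return Err(format!("refusing non-https endpoint {url}"));
            }
        }
        Ok(Self {
            issuer: doc.issuer.clone(),
            auth_url: doc.authorization_endpoint.clone(),
            token_url: doc.token_endpoint.clone(),
            userinfo_url: doc.userinfo_endpoint.clone(),
        })
    }
}
```

With this shape, a login for "microsoft" becomes find_spec("microsoft") followed by resolve_endpoint(spec.token_url, Some(tenant)), while an issuer-configured provider skips find_spec entirely and goes through from_discovery on the cached discovery document; neither path contains a per-provider match arm.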