Struct Validator 

pub struct Validator { /* private fields */ }

A helper type for validating JSON Web Tokens (JWTs) against multiple issuers and algorithms.

Validator manages a collection of public keys and associated validation rules (wrapped in Endpoint structs) that can be used to decode and verify tokens. It supports loading keys dynamically from JWKS endpoints or inserting them manually.

Typically used when your application needs to accept tokens from multiple providers (e.g., multiple OpenID Connect issuers) or support multiple signing algorithms.

Implementations

impl Validator

pub fn from_pubkey( url: String, audiance: String, algorithm: String, public_key: DecodingKey, ) -> Result<Self, Box<dyn Error>>

Creates a new Validator from a single public key.

This is useful when you already have a known key (for example, configured statically) and want to build a validator around it.

• url - Issuer URL.
• audiance - Expected audience claim (usually your client ID).
• algorithm - Signing algorithm (e.g., “RS256”).
• public_key - Decoding key used to verify signatures.

pub fn from_rsa_pem( url: String, audiance: String, algorithm: String, pem: &str, ) -> Result<Self, Box<dyn Error>>

Creates a new Validator from an RSA PEM encoded public key.

This is a convenience wrapper around from_pubkey that accepts a PEM string (PKCS#1 / PKCS#8 public key) and builds the DecodingKey for you.

• url - Issuer URL (used to construct the KeyID).
• audiance - Expected audience claim.
• algorithm - Signing algorithm (e.g., “RS256”).
• pem - RSA public key in PEM format.

pub fn get_supported_algorithms_for_issuer( &self, issuer: &str, ) -> Option<Vec<String>>

Returns a sorted list of unique algorithms supported for the given issuer, based on the pubkeys map.

pub fn empty() -> Self

pub async fn new( validation: Validation, provider_metadata: &CoreProviderMetadata, issuer_url: String, ) -> Result<Self, Box<dyn Error>>

Loads public keys dynamically from a JWKS endpoint discovered from provider metadata.

Fetches the JWKS, parses it, and builds validation rules for each key.

• validation - Template validation rules to apply for each key.
• provider_metadata - OpenID Connect provider metadata (must include JWKS URI).
• issuer_url - The expected issuer URL.

pub async fn extend_from_oidc( &mut self, issuer_url: &str, audiance: &str, default_algorithm: &str, ) -> Result<(), Box<dyn Error>>

Extends the validator by dynamically discovering and importing public keys (JWKS) from the OpenID Connect (OIDC) discovery endpoint of the given issuer.

This method performs the following steps:

1. Initializes an HTTP client with redirect-following disabled for security reasons.
2. Fetches the OpenID Connect provider metadata from the issuer’s well-known discovery endpoint.
3. Retrieves the JWKS (JSON Web Key Set) URI from the provider metadata.
4. Downloads the JWKS document and parses the keys.
5. Inserts the discovered keys into the validator’s pubkeys map, associating them with the issuer.

Parameters

• issuer_url: The base URL of the OIDC issuer (e.g., https://accounts.example.com).
• validation: The validation params used for this endpoint (make sure iss, aud, alg are set correctly)

Returns

• Ok(()) if the keys were successfully fetched and added.
• Err(Box<dyn std::error::Error>) if any network, parsing, or validation step fails.

Errors

Returns an error if:

• The HTTP client could not be created.
• The issuer URL is invalid.
• The provider metadata discovery fails.
• The JWKS document cannot be fetched or parsed.

Security

• Redirects are explicitly disabled to prevent SSRF attacks when contacting the discovery endpoint.

Example

use rocket_oidc::client::Validator;
let mut validator = Validator::empty();
validator.extend_from_oidc("https://accounts.example.com").await?;

pub fn extend_from_jwks( &mut self, issuer_url: &str, jwks_json: &str, validation: Validation, ) -> Result<(), Box<dyn Error>>

Extends the validator by parsing and adding public keys from a JWKS JSON document associated with the given issuer.

Parameters

• issuer_url: The base URL of the OIDC issuer (e.g., https://accounts.example.com).
• jwks_json: The raw JWKS JSON string.

Returns

• Ok(()) if the keys were successfully parsed and added.
• Err(crate::Error) if parsing fails.

Example

let mut validator = Validator::empty();
let jwks_json = std::fs::read_to_string("keys.json")?;
validator.extend_from_jwks("https://accounts.example.com", &jwks_json)?;

pub fn insert_endpoint(&mut self, keyid: KeyID, endpoint: Endpoint)

Inserts a new validation endpoint directly by its KeyID.

Useful when you already constructed an Endpoint yourself.

pub fn insert_pubkey( &mut self, url: String, audiance: String, algorithm: String, public_key: DecodingKey, ) -> Result<(), Box<dyn Error>>

Inserts a new public key and automatically builds its validation rules.

• url - Issuer URL.
• audiance - Expected audience claim.
• algorithm - Signing algorithm.
• public_key - Decoding key.

pub fn decode_with_iss_alg<T: Serialize + Debug + DeserializeOwned + Send + CoreClaims + Clone>( &self, issuer: &str, algorithm: &str, access_token: &str, ) -> Result<TokenData<T>, Error>

Decodes and validates an access token for a specific issuer and algorithm.

• issuer - Issuer URL.
• algorithm - Signing algorithm (e.g., “RS256”).
• access_token - The JWT string to decode.

Returns the token’s claims if valid, or an error otherwise.

pub fn decode<T: Serialize + Debug + DeserializeOwned + Send + CoreClaims + Clone>( &self, access_token: &str, ) -> Result<TokenData<T>, Error>

👎Deprecated

Decodes and validates an access token using the default issuer and a default algorithm (“RS256”).

⚠️ Deprecated: May not be correct if you handle multiple issuers or algorithms.

Trait Implementations

impl Clone for Validator

fn clone(&self) -> Validator

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Validator

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.