solid_pod_rs_idp/
lib.rs

//! # solid-pod-rs-idp
//!
//! Solid-OIDC identity provider for
//! [`solid-pod-rs`](https://crates.io/crates/solid-pod-rs) --
//! authorization-code flow, DPoP-bound tokens, JWKS publication,
//! dynamic client registration, and credentials login.
//!
//! ## Feature flags
//!
//! | Flag           | Purpose                                                |
//! |----------------|--------------------------------------------------------|
//! | `axum-binder`  | Ready-made axum `Router` that wires all IdP endpoints. |
//! | `passkey`      | WebAuthn/passkey authentication via `webauthn-rs`.     |
//! | `schnorr-sso`  | NIP-07 Schnorr SSO (Nostr key login).                  |
//!
//! ## Modules
//!
//! - [`provider`]     — [`Provider`] orchestrator: `/auth`, `/token`, `/me` endpoints.
//! - [`discovery`]    — OIDC discovery document builder (`/.well-known/openid-configuration`).
//! - [`jwks`]         — JWKS key management and `/.well-known/jwks.json` publication.
//! - [`credentials`]  — Email + password login flow with rate limiting.
//! - [`registration`] — Dynamic Client Registration and Client Identifier Documents.
//! - [`tokens`]       — DPoP-bound access-token issuance.
//! - [`session`]      — Opaque-token session store.
//! - [`user_store`]   — Pluggable [`UserStore`] trait with [`InMemoryUserStore`] for tests.
//! - [`invites`]      — Invite-token minting, storage, and validation.
//! - [`error`]        — [`ProviderError`] with RFC 6749 error codes.
//! - [`passkey`]      — *(feature `passkey`)* WebAuthn registration and authentication.
//! - [`schnorr`]      — *(feature `schnorr-sso`)* NIP-07 Schnorr challenge/response.
//! - [`axum_binder`]  — *(feature `axum-binder`)* Pre-built axum router.
//!
//! ## Quick start
//!
//! ```rust,ignore
//! use solid_pod_rs_idp::{Provider, ProviderConfig, Jwks, SessionStore,
//!     registration::ClientStore, user_store::InMemoryUserStore};
//! use std::sync::Arc;
//!
//! let user_store = Arc::new(InMemoryUserStore::new());
//! let jwks = Jwks::generate_es256().unwrap();
//! let provider = Provider::new(
//!     ProviderConfig::new("https://pod.example/"),
//!     ClientStore::new(), SessionStore::new(), user_store, jwks,
//! );
//! let _disco = provider.discovery_document();
//! ```
//!
//! ## Design boundaries
//!
//! - This crate owns **protocol logic** only. Transport framing is the
//!   consumer's job: plug [`Provider`] into your own router, or enable
//!   the `axum-binder` feature for a ready-made `Router`.
//! - Storage is pluggable via [`UserStore`]. The built-in
//!   [`InMemoryUserStore`] exists for tests and single-user
//!   development; production deployments should ship a persistent store.
//! - DPoP verification delegates to `solid_pod_rs::oidc::verify_dpop_proof`.
//! - SSRF protection on Client Identifier Document fetches delegates to
//!   `solid_pod_rs::security::is_safe_url`.
//! - Rate-limiting uses the core `RateLimiter` trait.

#![doc = include_str!("../README.md")]
#![warn(rust_2018_idioms)]
#![forbid(unsafe_code)]

pub mod credentials;
pub mod discovery;
pub mod error;
pub mod invites;
pub mod jwks;
pub mod provider;
pub mod registration;
pub mod session;
pub mod tokens;
pub mod user_store;

#[cfg(feature = "passkey")]
pub mod passkey;

#[cfg(feature = "schnorr-sso")]
pub mod schnorr;

#[cfg(feature = "axum-binder")]
pub mod axum_binder;

pub use credentials::{
    login, validate_password_length, CredentialsResponse, LoginError, MIN_PASSWORD_LENGTH,
};
pub use discovery::{build_discovery, DiscoveryDocument};
pub use error::ProviderError;
pub use invites::{
    mint_token as mint_invite_token, parse_duration as parse_invite_duration, InMemoryInviteStore,
    Invite, InviteStore, InviteStoreError,
};
pub use jwks::{Jwks, JwksError, SigningKey};
pub use provider::{
    AuthorizeRequest, AuthorizeResponse, Provider, ProviderConfig, TokenRequest, TokenResponse,
    UserInfo,
};
pub use registration::{
    register_client, ClientDocument, ClientStore, RegError, RegistrationRequest,
};
pub use session::{SessionError, SessionId, SessionStore};
pub use tokens::{issue_access_token, AccessToken, TokenError};
pub use user_store::{InMemoryUserStore, User, UserStore, UserStoreError};
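The "Design boundaries" note above delegates SSRF protection on Client Identifier Document fetches to `solid_pod_rs::security::is_safe_url`. The following standalone example is added here to show what such a pre-fetch guard has to reject in Solid-OIDC, where the `client_id` is itself a URL the IdP dereferences; it is not the crate's code, and `is_safe_client_id_url` and `is_public_ip` are hypothetical names using only `std`.

```rust
use std::net::IpAddr;
// Constructed example, not `solid_pod_rs::security::is_safe_url`: it shows the
// host rules a pre-fetch guard for Solid-OIDC `client_id` URLs has to enforce.
pub fn is_safe_client_id_url(url: &str) -> Result<(), &'static str> {
    // Client Identifier Documents are fetched over HTTPS only.
    let rest = url.strip_prefix("https://").ok_or("scheme must be https")?;
    // Authority ends at the first '/', '?' or '#'; reject `user:pw@host` userinfo tricks.
    let authority = rest.split(|c: char| "/?#".contains(c)).next().unwrap_or("");
    if authority.is_empty() || authority.contains('@') {
        return Err("missing host or userinfo present");
    }
    // Separate host from optional port; IPv6 literals are bracketed.
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""),
        None => authority.rsplit_once(':').map_or(authority, |(h, _)| h),
    }
    .to_ascii_lowercase();
    if let Ok(ip) = host.parse::<IpAddr>() {
        return if is_public_ip(ip) { Ok(()) } else { Err("non-public IP literal") };
    }
    // Hostname policy: DNS-safe chars, 2+ labels, non-numeric TLD (blocks `127.1`), no *.localhost.
    let dns_chars = host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    let numeric_tld = host.rsplit('.').next().map_or(true, |l| l.chars().all(|c| c.is_ascii_digit()));
    if !dns_chars || !host.contains('.') || numeric_tld || host.ends_with(".localhost") {
        return Err("host not allowed");
    }
    // Caveat: a complete guard also applies `is_public_ip` to every resolved address
    // and to each redirect target, otherwise DNS rebinding or a 3xx hop bypasses it.
    Ok(())
}

// False for loopback, private, link-local (covers 169.254.169.254 metadata), CGNAT, unspecified,
// broadcast and documentation ranges; IPv4-mapped IPv6 such as `[::ffff:10.0.0.5]` gets the IPv4 rules.
fn is_public_ip(ip: IpAddr) -> bool {
    let v4 = match ip {
        IpAddr::V4(v4) => v4,
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => v4,
            None => {
                let top = v6.segments()[0];
                return !(v6.is_loopback() || v6.is_unspecified()
                    || (top & 0xfe00) == 0xfc00 || (top & 0xffc0) == 0xfe80); // fc00::/7, fe80::/10
            }
        },
    };
    let o = v4.octets();
    !(v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified()
        || v4.is_broadcast() || v4.is_documentation() || o[0] == 0
        || (o[0] == 100 && (o[1] & 0xc0) == 64)) // 100.64.0.0/10 CGNAT
}
```

The literal-host check is only the first layer; the same `is_public_ip` test must run on the addresses the fetcher actually connects to and on every redirect target.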