OIDC validation: discovery URL → JWKS → signature + claim checks.

On the first request that arrives in OIDC mode, `OidcValidator`:

- Decodes the JWT header (no signature check) to extract `alg` + `kid`.
- Looks up the signing key in its in-memory JWKS cache. On cache miss (cold, or unknown `kid` after key rotation), fetches the provider's discovery document, follows `jwks_uri`, and rebuilds the cache. The cache TTL respects `Cache-Control: max-age=N` from the discovery response, falling back to 1 hour if absent.
- Validates the signature + `aud` + `exp` via the `jsonwebtoken` crate.
- Extracts the configured tenant claim (default `solo_tenant`), validates it through `TenantId::new`, and packages everything into an `AuthenticatedPrincipal`.
Failure modes (mapped to HTTP status in `middleware.rs`):

- Missing/malformed Authorization header → 401 (`AuthError::MissingAuthHeader` / `AuthError::MalformedAuthHeader`).
- Token rejected (bad signature, expired, wrong audience, unknown `kid` post-refetch) → 401 (`AuthError::InvalidOidcToken`).
- Token valid but tenant claim missing/invalid → 403 (`AuthError::MissingTenantClaim` / `AuthError::InvalidTenantClaim`).
- Upstream IdP unreachable → 500 (`AuthError::Discovery` / `AuthError::Jwks`).
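As an added example (not this module's own code): the JWKS cache policy described above, with the `max-age` TTL fallback and the single refetch on an unknown `kid` whose failure is the 401 listed under failure modes. Key material is a placeholder string and `fetch` is a hypothetical stand-in for the discovery document + `jwks_uri` round trip; everything is std-only.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

const DEFAULT_TTL: Duration = Duration::from_secs(3600); // used when no max-age is present

/// Parse `max-age=N` from a Cache-Control value (directive names are
/// case-insensitive); absent or malformed values fall back to one hour.
pub fn jwks_ttl(cache_control: Option<&str>) -> Duration {
    cache_control
        .into_iter()
        .flat_map(|v| v.split(','))
        .find_map(|d| {
            let (name, value) = d.trim().split_once('=')?;
            name.trim()
                .eq_ignore_ascii_case("max-age")
                .then(|| value.trim().parse::<u64>().ok().map(Duration::from_secs))
                .flatten()
        })
        .unwrap_or(DEFAULT_TTL)
}
/// Result of a key lookup; `UnknownKid` means the refetch did not help either.
#[derive(Debug, PartialEq)]
pub enum KeyLookup { Hit(String), UnknownKid }
/// JWKS cache keyed by kid. Keys are placeholder strings here (hypothetical);
/// a real validator would store decoding keys for the jsonwebtoken crate.
pub struct JwksCache { keys: HashMap<String, String>, expires_at: Instant, pub refetches: u32 }
impl JwksCache {
    pub fn new() -> Self { // starts expired, so the first lookup always hits the provider
        JwksCache { keys: HashMap::new(), expires_at: Instant::now(), refetches: 0 }
    }

    /// Serve `kid` from cache; on expiry or miss call `fetch` (stand-in for
    /// discovery document + jwks_uri) exactly once, rebuild the cache, and retry.
    pub fn get<F>(&mut self, kid: &str, mut fetch: F) -> KeyLookup
    where F: FnMut() -> (HashMap<String, String>, Option<String>) {
        let now = Instant::now();
        if now < self.expires_at {
            if let Some(k) = self.keys.get(kid) { return KeyLookup::Hit(k.clone()); }
        }
        let (keys, cache_control) = fetch(); // one refetch per request, never a loop
        self.refetches += 1;
        self.keys = keys;
        self.expires_at = now + jwks_ttl(cache_control.as_deref());
        match self.keys.get(kid) {
            Some(k) => KeyLookup::Hit(k.clone()),
            None => KeyLookup::UnknownKid, // caller maps this to AuthError::InvalidOidcToken (401)
        }
    }
}
```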
Structs

- `OidcConfig` - Per-instance configuration for an OIDC validator. Mirrors the `AuthConfig::Oidc { ... }` variant in `auth/mod.rs`.
- `OidcValidator` - OIDC validator. Cheap-to-clone (one `Arc<RwLock<…>>` for the JWKS cache; everything else is small).