
//! OIDC validation settings: the expected issuer and audience, the JWKS
//! endpoint that supplies signing keys, the accepted algorithms and the
//! key-cache TTL that a token validator requires.
2
3use std::time::Duration;
4
5use jsonwebtoken::Algorithm;
6
/// OIDC validation settings.
///
/// Everything a token validator needs in order to decide whether a bearer
/// token is acceptable: which issuer and audience to require, where to fetch
/// the issuer's signing keys, which algorithms to accept, and how long to
/// trust a cached key set. This struct only holds configuration; it does not
/// validate its own values (for example, `jwks_url` is not checked to be an
/// `https://` URL), so callers should source them from a trusted place such
/// as the issuer's discovery document or static config, never from request
/// input.
#[derive(Debug, Clone)]
pub struct OidcConfig {
    /// Expected issuer claim.
    ///
    /// Compared against the token's `iss` claim. Use the exact value the IdP
    /// publishes (scheme, host and any trailing slash included); a mismatch
    /// should reject the token rather than be normalised away.
    pub issuer: String,
    /// Expected audience claim.
    ///
    /// Compared against the token's `aud` claim. This should identify *this*
    /// service, so that tokens minted for a different relying party of the
    /// same issuer are not accepted here.
    pub audience: String,
    /// JWKS endpoint used to resolve signing keys.
    ///
    /// Should be the `https://` URL from the issuer's discovery document.
    /// Keys fetched from here are trusted to verify every token, so the
    /// transport must be authenticated; nothing in this struct enforces the
    /// scheme.
    pub jwks_url: String,
    /// Accepted signing algorithms.
    ///
    /// Keys are resolved from the JWKS above and are therefore public keys,
    /// so this list should contain only asymmetric algorithms (RSA, ECDSA,
    /// EdDSA). Do not add HMAC variants (`HS256`/`HS384`/`HS512`): accepting
    /// a symmetric algorithm alongside public keys is the classic
    /// key-confusion attack, where an attacker signs a forged token using the
    /// public key bytes as the HMAC secret. Keep the list as short as the IdP
    /// actually requires.
    pub algorithms: Vec<Algorithm>,
    /// How long fetched JWKS keys are cached before re-fetching.
    ///
    /// The cache is also refreshed eagerly when a token references an unknown
    /// `kid`, so key rotation at the IdP is picked up without a restart.
    ///
    /// NOTE(review): that eager refresh is driven by an attacker-controlled
    /// header value, so an unauthenticated client can trigger JWKS fetches
    /// by sending tokens with random `kid`s. The fetcher (not shown here)
    /// should rate-limit unknown-`kid` refreshes; confirm before relying on
    /// a short TTL. A longer TTL, conversely, keeps a key the IdP has removed
    /// trusted for up to this duration.
    pub jwks_ttl: Duration,
}
24
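impl OidcConfig {
    /// Default lifetime of a cached JWKS (five minutes).
    ///
    /// Long enough that a busy service does not hammer the IdP, short enough
    /// that a rotated or removed key stops being trusted reasonably promptly
    /// even when no token carries a new `kid`.
    pub const DEFAULT_JWKS_TTL: Duration = Duration::from_secs(300);

    /// Create a config using RS256, the common AuthKit/OIDC default.
    ///
    /// `issuer` and `audience` are the exact `iss` and `aud` values the
    /// validator will require; `jwks_url` is where the issuer's signing keys
    /// are fetched from. Keys are cached for [`Self::DEFAULT_JWKS_TTL`]; use
    /// [`Self::with_algorithms`] and [`Self::with_jwks_ttl`] to override the
    /// defaults.
    ///
    /// This constructor stores its arguments verbatim — it does not check
    /// that `jwks_url` is an `https://` URL or that it belongs to `issuer`.
    /// Take these values from the issuer's discovery document or static
    /// configuration, never from request input.
    pub fn new(
        issuer: impl Into<String>,
        audience: impl Into<String>,
        jwks_url: impl Into<String>,
    ) -> Self {
        Self {
            issuer: issuer.into(),
            audience: audience.into(),
            jwks_url: jwks_url.into(),
            // RS256 only: a single asymmetric algorithm is the safe default
            // for keys that arrive via a public JWKS.
            algorithms: vec![Algorithm::RS256],
            jwks_ttl: Self::DEFAULT_JWKS_TTL,
        }
    }

    /// Replace the accepted signing algorithms.
    ///
    /// Because signing keys are resolved from a public JWKS, only asymmetric
    /// algorithms (`RS*`, `PS*`, `ES*`, `EdDSA`) belong here. Adding an HMAC
    /// variant (`HS*`) would let a client forge tokens by using the public
    /// key as the HMAC secret (key confusion), so callers must not do so.
    /// The list is stored as given, including an empty one; how the
    /// validator treats an empty list is up to the validator.
    pub fn with_algorithms(mut self, algorithms: impl IntoIterator<Item = Algorithm>) -> Self {
        self.algorithms = algorithms.into_iter().collect();
        self
    }

    /// Override how long fetched JWKS keys are cached.
    ///
    /// A shorter TTL speeds up key rotation at the cost of more fetches; a
    /// longer one means a key the IdP has removed stays trusted for up to
    /// `ttl` after removal.
    pub fn with_jwks_ttl(mut self, ttl: Duration) -> Self {
        self.jwks_ttl = ttl;
        self
    }
}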
40}