
1use rauthy_client::{
2    oidc_config::{ClaimMapping, JwtClaim, JwtClaimTyp, RauthyConfig},
3    provider::OidcProvider,
4};
5use std::collections::HashSet;
6use zino_core::{
7    application::{Agent, Application, Plugin},
8    bail,
9    error::Error,
10    extension::TomlTableExt,
11};
12
/// The Rauthy client.
///
/// A zero-sized marker type; its only entry point is [`RauthyClient::init`],
/// which builds the `rauthy-client` [`Plugin`] that configures the OIDC
/// provider from the `[rauthy]` table of the application config.
#[derive(Debug, Clone, Copy)]
pub struct RauthyClient;
16
impl RauthyClient {
    /// Initializes the Rauthy client and sets up the OIDC provider.
    ///
    /// Returns a [`Plugin`] named `rauthy-client` whose async loader reads the
    /// `[rauthy]` table of the application config:
    ///
    /// * `client-id`, `redirect-uri`, `issuer-uri` — required; the loader
    ///   returns an error naming the first missing key.
    /// * `audiences` — allowed token audiences; defaults to the client id only.
    ///   An explicitly empty array yields an empty set (how `rauthy_client`
    ///   treats that is not visible here — confirm before relying on it).
    /// * `groups` — when present, the user claim is `ClaimMapping::Or` over
    ///   one `Groups` claim per entry; otherwise `ClaimMapping::Any`.
    /// * `scopes` — defaults to `["openid"]`.
    /// * `email-verified` — defaults to `false` when unset; what `false` means
    ///   is decided by `rauthy_client`, so set it explicitly rather than
    ///   relying on the default.
    /// * `secret` — optional client secret.
    ///
    /// The admin claim is fixed to the `admin` role. Failures of
    /// `rauthy_client::init()` and `OidcProvider::setup_from_config()` are
    /// logged via `tracing::error!` but not propagated: the loader still
    /// returns `Ok(())`, so a plugin that "loaded" may have no working
    /// provider. Treat those log lines as startup errors.
    pub fn init() -> Plugin {
        let loader = Box::pin(async {
            let config = match Agent::config().get_table("rauthy") {
                Some(table) => table,
                None => bail!("`rauthy` config should be specified"),
            };
            // Mandatory keys, checked in this order so that the first one
            // missing is the one reported.
            let client_id = match config.get_str("client-id") {
                Some(value) => value,
                None => bail!("`rauthy.client-id` should be specified"),
            };
            let redirect_uri = match config.get_str("redirect-uri") {
                Some(value) => value,
                None => bail!("`rauthy.redirect-uri` should be specified"),
            };
            let issuer_uri = match config.get_str("issuer-uri") {
                Some(value) => value,
                None => bail!("`rauthy.issuer-uri` should be specified"),
            };

            // Token audiences the provider accepts: only the client id unless
            // `audiences` is configured.
            let allowed_audiences: HashSet<String> = match config.get_str_array("audiences") {
                Some(list) => list.into_iter().map(String::from).collect(),
                None => HashSet::from([client_id.to_owned()]),
            };

            // User claim: any one of the configured groups, or no restriction.
            let user_claim = config
                .get_str_array("groups")
                .map_or(ClaimMapping::Any, |groups| {
                    let claims = groups
                        .into_iter()
                        .map(|group| JwtClaim {
                            typ: JwtClaimTyp::Groups,
                            value: String::from(group),
                        })
                        .collect();
                    ClaimMapping::Or(claims)
                });

            // Admin claim is not configurable: the `admin` role.
            let admin_claim = ClaimMapping::Or(vec![JwtClaim {
                typ: JwtClaimTyp::Roles,
                value: String::from("admin"),
            }]);

            let scopes = config
                .get_str_array("scopes")
                .unwrap_or_else(|| vec!["openid"]);

            let rauthy_config = RauthyConfig {
                admin_claim,
                user_claim,
                allowed_audiences,
                client_id: String::from(client_id),
                // `unwrap_or_default()` on a bool is `false` when the key is
                // unset — prefer an explicit value in the config.
                email_verified: config.get_bool("email-verified").unwrap_or_default(),
                iss: String::from(issuer_uri),
                scope: scopes.into_iter().map(String::from).collect(),
                secret: config.get_str("secret").map(String::from),
            };

            // Both steps are best-effort: an error is logged and the loader
            // still reports success.
            if let Some(err) = rauthy_client::init().await.err() {
                tracing::error!("fail to initialize the Rauthy client: {err}");
            }
            let setup = OidcProvider::setup_from_config(rauthy_config, String::from(redirect_uri));
            if let Some(err) = setup.await.err() {
                tracing::error!("fail to setup the OIDC provider: {err}");
            }
            Ok(())
        });
        Plugin::with_loader("rauthy-client", loader)
    }
}