3 releases (breaking)

| Version | Date |
|---|---|
| 0.3.0 | Sep 22, 2019 |
| 0.2.0 | Dec 6, 2018 |
| 0.1.0 | Oct 30, 2018 |
OpenID Connect Client & Discovery
Built on inth-oauth2, using reqwest for the HTTP client and biscuit for JavaScript Object Signing and Encryption (JOSE).
Implements OpenID Connect Core 1.0 and OpenID Connect Discovery 1.0.
OpenID Connect Client
There are two ways to interact with this library: the batteries-included magic methods, and the slightly more boilerplate-heavy fine-grained ones. For most users the former is what you want:
```rust
use oidc;
use reqwest;
use std::default::Default;

let id = "my client".to_string();
let secret = "a secret to everybody".to_string();
let redirect = reqwest::Url::parse("https://my-redirect.foo/dest")?;
let issuer = oidc::issuer::google();
let client = oidc::Client::discover(id, secret, redirect, issuer)?;
let auth_url = client.auth_url(&Default::default());

// ... send your user to auth_url, get an auth_code back at your redirect url handler

let token = client.authenticate(auth_code, None, None)?;
```
That example leaves you with a decoded Token that has been validated. Your user is authenticated!
You can also take a more nuanced approach that gives you more fine-grained control:
```rust
use oidc;
use reqwest;
use std::default::Default;

let id = "my client".to_string();
let secret = "a secret to everybody".to_string();
let redirect = reqwest::Url::parse("https://my-redirect.foo/dest")?;
let issuer = oidc::issuer::google();

// One shared HTTP client for discovery, the token request and userinfo.
let http = reqwest::Client::new();
let config = oidc::discovery::discover(&http, issuer)?;
let jwks = oidc::discovery::jwks(&http, config.jwks_uri.clone())?;
let provider = oidc::discovery::Discovered(config);
let client = oidc::Client::new(id, secret, redirect, provider, jwks);
let auth_url = client.auth_url(&Default::default());

// ... send your user to auth_url, get an auth_code back at your redirect url handler

// Tokens come back neither decoded nor validated; do both before trusting them.
let mut token = client.request_token(&http, auth_code)?;
client.decode_token(&mut token)?;
client.validate_token(&token, None, None)?;
let userinfo = client.request_userinfo(&http, &token)?;
```
This more complicated version uses the discovery module directly. Important distinctions to make between the two:
- The complex pattern avoids constructing a new reqwest client every time an outbound method is called. Especially for token decoding, having to rebuild the reqwest client every time can be a large performance penalty.
- Tokens don't come decoded or validated. You need to do both manually.
- This version demonstrates userinfo. It is not required by the spec, so make sure it's available! (You get an Error::Userinfo::Nourl if it is not.)
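Both snippets above elide the redirect handler behind the `// ...` comment. The following is an added example, not the oidc crate's own code, of that step: it assumes the application put a per-session `state` string into `Options.state` before calling `auth_url` and kept it in the user's session, and it hands back the authorization code only when the provider echoes that same state, so an unbound callback never reaches `authenticate` or `request_token`. It uses only the standard library; a constructed callback such as `?code=4%2FabcD&state=xyz123` checked against a stored state of `xyz123` yields the code `4/abcD`.

```rust
// Added example, not the oidc crate's own code: the redirect-handler step between
// auth_url and authenticate. It assumes the same `state` was put in Options.state
// before calling auth_url and kept in the user's session for this comparison.
use std::collections::HashMap;

/// Reasons to reject a callback before any token request is made.
#[derive(Debug, PartialEq)]
pub enum CallbackError { MissingState, StateMismatch, ProviderError(String), MissingCode }

/// Minimal decoding of an application/x-www-form-urlencoded query component.
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        let hex = if bytes[i] == b'%' && i + 2 < bytes.len() {
            std::str::from_utf8(&bytes[i + 1..i + 3]).ok().and_then(|h| u8::from_str_radix(h, 16).ok())
        } else { None };
        match (bytes[i], hex) {
            (_, Some(b)) => { out.push(b); i += 3; }   // valid %XX escape
            (b'+', None) => { out.push(b' '); i += 1; }
            (b, None) => { out.push(b); i += 1; }       // includes a malformed '%'
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Parse the callback query and return the authorization code only when the state
/// echoed by the provider equals the session's; that code is what authenticate() takes.
pub fn code_from_callback(query: &str, expected_state: &str) -> Result<String, CallbackError> {
    let params: HashMap<String, String> = query
        .trim_start_matches('?')
        .split('&')
        .map(|kv| {
            let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
            (percent_decode(k), percent_decode(v))
        })
        .collect();
    let state = params.get("state").ok_or(CallbackError::MissingState)?;
    // State is checked first: an unbound callback is rejected whether it carries a code or an error.
    if state.as_str() != expected_state {
        return Err(CallbackError::StateMismatch);
    }
    if let Some(err) = params.get("error") {
        return Err(CallbackError::ProviderError(err.clone()));
    }
    params.get("code").cloned().ok_or(CallbackError::MissingCode)
}
```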