#openid #openid-connect #client #web #http-client

oidc

OpenID Connect client library using Reqwest, Biscuit, and inth-oauth2

3 releases (breaking)

0.3.0 Sep 22, 2019
0.2.0 Dec 6, 2018
0.1.0 Oct 30, 2018

#7 in #openid-connect

23 downloads per month

Apache-2.0

42KB
806 lines

OpenID Connect Client & Discovery

Built on inth-oauth2. Using reqwest for the HTTP client and biscuit for Javascript Object Signing and Encryption (JOSE).

Implements OpenID Connect Core 1.0 and OpenID Connect Discovery 1.0.

Documentation

License

Apache License, Version 2.0


lib.rs:

OpenID Connect Client

There are two ways to interact with this library - the batteries included magic methods, and the slightly more boilerplate fine grained ones. For most users the former is what you want:

use oidc;
use reqwest;
use std::default::Default;

let id = "my client".to_string();
let secret = "a secret to everybody".to_string();
let redirect = reqwest::Url::parse("https://my-redirect.foo/dest")?;
let issuer = oidc::issuer::google();
let client = oidc::Client::discover(id, secret, redirect, issuer)?;
let auth_url = client.auth_url(&Default::default());

// ... send your user to auth_url, get an auth_code back at your redirect url handler

let token = client.authenticate(auth_code, None, None)?;

That example leaves you with a decoded Token that has been validated. Your user is authenticated!

You can also take a more nuanced approach that gives you more fine grained control:

use oidc;
use reqwest;
use std::default::Default;

let id = "my client".to_string();
let secret = "a secret to everybody".to_string();
let redirect = reqwest::Url::parse("https://my-redirect.foo/dest")?;
let issuer = oidc::issuer::google();
let http = reqwest::Client::new();

let config = oidc::discovery::discover(&http, issuer)?;
let jwks = oidc::discovery::jwks(&http, config.jwks_uri.clone())?;
let provider = oidc::discovery::Discovered(config);

let client = oidc::new(id, secret, redirect, provider, jwks);
let auth_url = client.auth_url(Default::default());

// ... send your user to auth_url, get an auth_code back at your redirect url handler

let mut token = client.request_token(&http, auth_code)?;
client.decode_token(&mut token)?;
client.validate_token(&token, None, None)?;
let userinfo = client.request_userinfo(&http, &token)?;

This more complicated version uses the discovery module directly. Important distinctions to make between the two:

  • The complex pattern avoids constructing a new reqwest client every time an outbound method is called. Especially for token decoding having to rebuild reqwest every time can be a large performance penalty.
  • Tokens don't come decoded or validated. You need to do both manually.
  • This version demonstrates userinfo. It is not required by spec, so make sure its available! (you get an Error::Userinfo::Nourl if it is not)

Dependencies

~32MB
~751K SLoC