From 3acdd41a9ab4918d848908515aaaabfe5ac59070 Mon Sep 17 00:00:00 2001
From: JuliDi <20155974+JuliDi@users.noreply.github.com>
Date: Tue, 25 Nov 2025 13:44:39 +0100
Subject: [PATCH] Use AuthenticationContextClass, IssuerUrl and Scope instead of strings
---
 src/builder.rs | 27 ++++++++++++++-------------
 src/lib.rs | 10 +++++-----
 src/middleware.rs | 7 +++----
 3 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/src/builder.rs b/src/builder.rs
index be6c733..ef6c54f 100644
--- a/src/builder.rs
+++ b/src/builder.rs
@@ -1,7 +1,9 @@
 use std::marker::PhantomData;
 use http::Uri;
-use openidconnect::{Audience, ClientId, ClientSecret, IssuerUrl};
+use openidconnect::{
+ Audience, AuthenticationContextClass, ClientId, ClientSecret, IssuerUrl, Scope,
+};
 use crate::{error::Error, AdditionalClaims, Client, OidcClient, ProviderMetadata};
@@ -21,8 +23,8 @@ pub struct Builder,
- scopes: Vec>,
- auth_context_class: Option>,
+ scopes: Vec,
+ auth_context_class: Option,
 untrusted_audiences: Vec,
 _ac: PhantomData,
 }
@@ -41,7 +43,7 @@ impl Builder {
 http_client: (),
 redirect_url: (),
 end_session_endpoint: None,
- scopes: vec![Box::from("openid")],
+ scopes: vec![Scope::new("openid".to_string())],
 auth_context_class: None,
 untrusted_audiences: Vec::new(),
 _ac: PhantomData,
@@ -58,20 +60,20 @@ impl OidcClient {
 impl Builder {
 /// add a scope to existing (default) scopes
- pub fn add_scope(mut self, scope: impl Into>) -> Self {
- self.scopes.push(scope.into());
+ pub fn add_scope(mut self, scope: Scope) -> Self {
+ self.scopes.push(scope);
 self
 }
 /// replace scopes (including default)
- pub fn with_scopes(mut self, scopes: impl Iterator>>) -> Self {
- self.scopes = scopes.map(|x| x.into()).collect::>();
+ pub fn with_scopes(mut self, scopes: Vec) -> Self {
+ self.scopes = scopes;
 self
 }
 /// authenticate with Authentication Context Class Reference
- pub fn with_auth_context_class(mut self, acr: impl Into>) -> Self {
- self.auth_context_class = Some(acr.into());
+ pub fn with_auth_context_class(mut self, acr: AuthenticationContextClass) -> Self {
+ self.auth_context_class = Some(acr);
 self
 }
@@ -212,14 +214,13 @@ impl Builder Result< Builder, HttpClient, RedirectUrl>, Error, > {
- let issuer_url = IssuerUrl::new(issuer)?;
 let http_client = self.http_client.0.clone();
- let provider_metadata = ProviderMetadata::discover_async(issuer_url, &http_client);
+ let provider_metadata = ProviderMetadata::discover_async(issuer, &http_client);
 Self::manual(self, provider_metadata.await?)
 }
diff --git a/src/lib.rs b/src/lib.rs
index 4fc8881..bcf783f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
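Review bot: `with_scopes` now takes `Vec<Scope>` where the removed signature accepted any iterator, so every caller must collect before calling; `impl IntoIterator<Item = Scope>` keeps the typed API without that cost: `pub fn with_scopes(mut self, scopes: impl IntoIterator<Item = Scope>) -> Self { self.scopes = scopes.into_iter().collect(); self }`. The unchanged doc line `/// replace scopes (including default)` should also say what the default is, since the only default (set in the `@@ -41` hunk) is the "openid" scope that an OIDC authentication request requires; suggested: `/// replace all scopes, including the default "openid" scope, which an OIDC authentication request must still contain`. `add_scope` is unaffected, as it takes a single `Scope`.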
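Review bot: With `let issuer_url = IssuerUrl::new(issuer)?;` gone, `discover` no longer validates the issuer itself and hands whatever `issuer` it receives straight to `ProviderMetadata::discover_async`, so the contract that callers pass an already-constructed `IssuerUrl` belongs in the function's doc comment, which is outside this hunk along with its signature. Suggested line: `/// Discover provider metadata from the given issuer; the caller supplies an already-validated IssuerUrl, which must identify the provider the application trusts`. If an `Error` variant existed only to wrap the `IssuerUrl::new` failure, it may no longer be produced on this path; worth checking, since the rest of `discover` is not visible here. The enclosing function starts outside the hunk.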
@@ -12,9 +12,9 @@ use openidconnect::{
 CoreResponseMode, CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse,
 CoreSubjectIdentifierType, CoreTokenIntrospectionResponse, CoreTokenType,
 },
- AccessToken, Audience, ClientId, CsrfToken, EmptyExtraTokenFields, EndpointMaybeSet,
- EndpointNotSet, EndpointSet, IdTokenFields, Nonce, PkceCodeVerifier, RefreshToken,
- StandardErrorResponse, StandardTokenResponse,
+ AccessToken, Audience, AuthenticationContextClass, ClientId, CsrfToken, EmptyExtraTokenFields,
+ EndpointMaybeSet, EndpointNotSet, EndpointSet, IdTokenFields, Nonce, PkceCodeVerifier,
+ RefreshToken, Scope, StandardErrorResponse, StandardTokenResponse,
 };
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -102,12 +102,12 @@ pub type BoxError = Box;
 /// OpenID Connect Client
 #[derive(Clone)]
 pub struct OidcClient {
- scopes: Vec>,
+ scopes: Vec,
 client_id: ClientId,
 client: Client,
 http_client: reqwest::Client,
 end_session_endpoint: Option,
- auth_context_class: Option>,
+ auth_context_class: Option,
 untrusted_audiences: Vec,
 }
diff --git a/src/middleware.rs b/src/middleware.rs
index c7e0e7f..4b881b1 100644
--- a/src/middleware.rs
+++ b/src/middleware.rs
@@ -16,8 +16,8 @@ use tower_sessions::Session;
 use openidconnect::{
 core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey},
- AccessToken, AccessTokenHash, AuthenticationContextClass, CsrfToken, IdTokenClaims,
- IdTokenVerifier, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
+ AccessToken, AccessTokenHash, CsrfToken, IdTokenClaims, IdTokenVerifier, Nonce,
+ OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
 RequestTokenError::ServerResponse, Scope, TokenResponse, UserInfoClaims,
 };
@@ -143,8 +143,7 @@ where
 }
 if let Some(acr) = oidcclient.auth_context_class {
- auth = auth
- .add_auth_context_value(AuthenticationContextClass::new(acr.into()));
+ auth = auth.add_auth_context_value(acr);
 }
 auth.set_pkce_challenge(pkce_challenge).url()
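Review bot: The new line `auth = auth.add_auth_context_value(acr);` only puts the configured class into the authorization request's `acr_values`, and nothing in this hunk checks the `acr` claim of the ID token that comes back; in OIDC Core, `acr_values` requests `acr` as a voluntary claim, so a provider may authenticate at a weaker level and still return a valid token. If the crate relies on the requested class being satisfied, the claim should be compared with `oidcclient.auth_context_class` after the ID token is verified; the callback handling is outside this hunk, so I cannot tell whether that happens. A comment on the new line would keep the assumption visible: `// request hint only: a weaker acr may still be returned and must be checked on the ID token`. The enclosing function starts and ends outside the hunk.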