From 542fe66313d4ce9bbb284d9341478755253400ae Mon Sep 17 00:00:00 2001
From: JuliDi <20155974+JuliDi@users.noreply.github.com>
Date: Tue, 25 Nov 2025 13:28:08 +0100
Subject: [PATCH 1/3] re-export openidconnect

---
 examples/basic/Cargo.toml  | 1 -
 examples/basic/src/main.rs | 2 +-
 src/lib.rs                 | 8 ++++----
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/examples/basic/Cargo.toml b/examples/basic/Cargo.toml
index 86467c3..833473d 100644
--- a/examples/basic/Cargo.toml
+++ b/examples/basic/Cargo.toml
@@ -7,7 +7,6 @@ version = "0.1.0"
 axum = { version = "0.8", features = ["macros"] }
 axum-oidc = { path = "./../.." }
 dotenvy = "0.15"
-openidconnect = "4.0.1"
 tokio = { version = "1.48.0", features = ["macros", "net", "rt-multi-thread"] }
 tower = "0.5"
 tower-sessions = "0.14"
diff --git a/examples/basic/src/main.rs b/examples/basic/src/main.rs
index 8c76841..31d8eb0 100644
--- a/examples/basic/src/main.rs
+++ b/examples/basic/src/main.rs
@@ -6,7 +6,7 @@ use axum::{
 Router,
 };
 use axum_oidc::{
-error::MiddlewareError, handle_oidc_redirect, Audience, ClientId, ClientSecret,
+error::MiddlewareError, handle_oidc_redirect, openidconnect::{Audience, ClientId, ClientSecret},
 EmptyAdditionalClaims, OidcAuthLayer, OidcClaims, OidcClient, OidcLoginLayer,
 OidcRpInitiatedLogout,
 };
diff --git a/src/lib.rs b/src/lib.rs
index fe6aac0..4fc8881 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -12,9 +12,9 @@ use openidconnect::{
 CoreResponseMode, CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse,
 CoreSubjectIdentifierType, CoreTokenIntrospectionResponse, CoreTokenType,
 },
-AccessToken, CsrfToken, EmptyExtraTokenFields, EndpointMaybeSet, EndpointNotSet, EndpointSet,
-IdTokenFields, Nonce, PkceCodeVerifier, RefreshToken, StandardErrorResponse,
-StandardTokenResponse,
+AccessToken, Audience, ClientId, CsrfToken, EmptyExtraTokenFields, EndpointMaybeSet,
+EndpointNotSet, EndpointSet, IdTokenFields, Nonce, PkceCodeVerifier, RefreshToken,
+StandardErrorResponse, StandardTokenResponse,
 };
 
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -27,7 +27,7 @@ mod middleware;
 pub use extractor::{OidcAccessToken, OidcClaims, OidcRpInitiatedLogout, OidcUserInfo};
 pub use handler::handle_oidc_redirect;
 pub use middleware::{OidcAuthLayer, OidcAuthMiddleware, OidcLoginLayer, OidcLoginMiddleware};
-pub use openidconnect::{Audience, ClientId, ClientSecret};
+pub use openidconnect;
 
 const SESSION_KEY: &str = "axum-oidc";
 
From 3acdd41a9ab4918d848908515aaaabfe5ac59070 Mon Sep 17 00:00:00 2001
From: JuliDi <20155974+JuliDi@users.noreply.github.com>
Date: Tue, 25 Nov 2025 13:44:39 +0100
Subject: [PATCH 2/3] Use AuthenticationContextClass, IssuerUrl and Scope instead of strings

---
 src/builder.rs    | 27 ++++++++++++++-------------
 src/lib.rs        | 10 +++++-----
 src/middleware.rs |  7 +++----
 3 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/builder.rs b/src/builder.rs
index be6c733..ef6c54f 100644
--- a/src/builder.rs
+++ b/src/builder.rs
@@ -1,7 +1,9 @@
 use std::marker::PhantomData;
 
 use http::Uri;
-use openidconnect::{Audience, ClientId, ClientSecret, IssuerUrl};
+use openidconnect::{
+Audience, AuthenticationContextClass, ClientId, ClientSecret, IssuerUrl, Scope,
+};
 
 use crate::{error::Error, AdditionalClaims, Client, OidcClient, ProviderMetadata};
 
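Review bot: Replacing `pub use openidconnect::{Audience, ClientId, ClientSecret};` with `pub use openidconnect;` in the src/lib.rs `@@ -27,7 +27,7 @@` hunk removes `axum_oidc::Audience`, `axum_oidc::ClientId` and `axum_oidc::ClientSecret` from the crate root, so every downstream `use axum_oidc::ClientId` stops compiling; the bundled example is updated in the same commit, external users are not. If the flat paths are not meant to go, keep both lines, `pub use openidconnect;` followed by `pub use openidconnect::{Audience, ClientId, ClientSecret};`; otherwise this needs a changelog entry and a semver-major bump. Re-exporting the whole crate also makes its version part of this crate's public API (a major bump of openidconnect becomes a breaking change here), which is worth stating on the re-export, e.g. `/// Re-export of the [`openidconnect`] crate, so downstream code can name its types without adding a matching dependency of its own.`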
@@ -21,8 +23,8 @@ pub struct Builder, - scopes: Vec>, - auth_context_class: Option>, + scopes: Vec, + auth_context_class: Option, untrusted_audiences: Vec, _ac: PhantomData, } @@ -41,7 +43,7 @@ impl Builder { http_client: (), redirect_url: (), end_session_endpoint: None, - scopes: vec![Box::from("openid")], + scopes: vec![Scope::new("openid".to_string())], auth_context_class: None, untrusted_audiences: Vec::new(), _ac: PhantomData, @@ -58,20 +60,20 @@ impl OidcClient { impl Builder { /// add a scope to existing (default) scopes - pub fn add_scope(mut self, scope: impl Into>) -> Self { - self.scopes.push(scope.into()); + pub fn add_scope(mut self, scope: Scope) -> Self { + self.scopes.push(scope); self } /// replace scopes (including default) - pub fn with_scopes(mut self, scopes: impl Iterator>>) -> Self { - self.scopes = scopes.map(|x| x.into()).collect::>(); + pub fn with_scopes(mut self, scopes: Vec) -> Self { + self.scopes = scopes; self } /// authenticate with Authentication Context Class Reference - pub fn with_auth_context_class(mut self, acr: impl Into>) -> Self { - self.auth_context_class = Some(acr.into()); + pub fn with_auth_context_class(mut self, acr: AuthenticationContextClass) -> Self { + self.auth_context_class = Some(acr); self } @@ -212,14 +214,13 @@ impl Builder Result< Builder, HttpClient, RedirectUrl>, Error, > { - let issuer_url = IssuerUrl::new(issuer)?; let http_client = self.http_client.0.clone(); - let provider_metadata = ProviderMetadata::discover_async(issuer_url, &http_client); + let provider_metadata = ProviderMetadata::discover_async(issuer, &http_client); Self::manual(self, provider_metadata.await?) } diff --git a/src/lib.rs b/src/lib.rs index 4fc8881..bcf783f 100644 --- a/src/lib.rs +++ b/src/lib.rs 
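Review bot: In the src/builder.rs `@@ -58,20 +60,20 @@` hunk `with_scopes` now appears to take `Vec<Scope>` (generics are stripped in this rendering), which is narrower than the `impl Iterator<Item = impl Into<Box<str>>>` it replaces: callers that hold scopes in a slice or build them lazily must now allocate a `Vec` first. `pub fn with_scopes(mut self, scopes: impl IntoIterator<Item = Scope>) -> Self { self.scopes = scopes.into_iter().collect(); self }` keeps the new strong typing without that constraint. The existing `/// replace scopes (including default)` is also where the consequence that matters should be spelled out: the default list is `vec![Scope::new("openid".to_string())]` (the `@@ -41,7 +43,7 @@` hunk above), and a caller who replaces it without `openid` is no longer making an OpenID Connect request, so a provider will not issue an ID token; suggest `/// replace scopes (including the default `openid`); keep `openid` in the list, or no ID token is issued`.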
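Review bot: In the src/builder.rs `@@ -212,14 +214,13 @@` hunk the `discover` signature that now receives an `IssuerUrl` sits above the hunk, so the doc comment it carries cannot be checked here; with `let issuer_url = IssuerUrl::new(issuer)?;` gone, the `Error` conversion that covered that parse failure may no longer be reachable from this path, which is worth confirming before it stays in the public error enum. The contract is now that the caller has already validated the URL, so the method's doc should say so, e.g. `/// Fetch the provider metadata from the discovery document of `issuer`, which the caller has already validated via [`IssuerUrl::new`].` The body of `discover` continues outside the hunk.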
@@ -12,9 +12,9 @@ use openidconnect::{
 CoreResponseMode, CoreResponseType, CoreRevocableToken, CoreRevocationErrorResponse,
 CoreSubjectIdentifierType, CoreTokenIntrospectionResponse, CoreTokenType,
 },
-AccessToken, Audience, ClientId, CsrfToken, EmptyExtraTokenFields, EndpointMaybeSet,
-EndpointNotSet, EndpointSet, IdTokenFields, Nonce, PkceCodeVerifier, RefreshToken,
-StandardErrorResponse, StandardTokenResponse,
+AccessToken, Audience, AuthenticationContextClass, ClientId, CsrfToken, EmptyExtraTokenFields,
+EndpointMaybeSet, EndpointNotSet, EndpointSet, IdTokenFields, Nonce, PkceCodeVerifier,
+RefreshToken, Scope, StandardErrorResponse, StandardTokenResponse,
 };
 
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -102,12 +102,12 @@ pub type BoxError = Box;
 /// OpenID Connect Client
 #[derive(Clone)]
 pub struct OidcClient {
-scopes: Vec>,
+scopes: Vec,
 client_id: ClientId,
 client: Client,
 http_client: reqwest::Client,
 end_session_endpoint: Option,
-auth_context_class: Option>,
+auth_context_class: Option,
 untrusted_audiences: Vec,
 }
 
diff --git a/src/middleware.rs b/src/middleware.rs
index c7e0e7f..4b881b1 100644
--- a/src/middleware.rs
+++ b/src/middleware.rs
@@ -16,8 +16,8 @@ use tower_sessions::Session;
 
 use openidconnect::{
 core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey},
-AccessToken, AccessTokenHash, AuthenticationContextClass, CsrfToken, IdTokenClaims,
-IdTokenVerifier, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
+AccessToken, AccessTokenHash, CsrfToken, IdTokenClaims, IdTokenVerifier, Nonce,
+OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
 RequestTokenError::ServerResponse, Scope, TokenResponse, UserInfoClaims,
 };
 
@@ -143,8 +143,7 @@ where
 }
 
 if let Some(acr) = oidcclient.auth_context_class {
-auth = auth
-.add_auth_context_value(AuthenticationContextClass::new(acr.into()));
+auth = auth.add_auth_context_value(acr);
 }
 
 auth.set_pkce_challenge(pkce_challenge).url()
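Review bot: `auth = auth.add_auth_context_value(acr);` in the src/middleware.rs `@@ -143,8 +143,7 @@` hunk only asks the provider for that authentication context; whether it was honoured is stated by the `acr` claim of the ID token that comes back, and nothing in this hunk compares that claim against `oidcclient.auth_context_class`. If that comparison lives on the callback path elsewhere in the crate, a one-line pointer here would save the next reader the search, e.g. `// requested ACR only; the returned ID token's `acr` claim is compared in <callback location>`; if it does not exist, the configured ACR is a preference rather than a requirement and the field's doc comment should say so. The enclosing function starts outside the hunk.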
From a5e0bc705ef5280bb9e7daf3fe57af08a26e4e6a Mon Sep 17 00:00:00 2001
From: JuliDi <20155974+JuliDi@users.noreply.github.com>
Date: Tue, 25 Nov 2025 13:55:27 +0100
Subject: [PATCH 3/3] update example to use exported types for Scope and IssuerUrl

---
 examples/basic/src/main.rs | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/examples/basic/src/main.rs b/examples/basic/src/main.rs
index 31d8eb0..45d99c3 100644
--- a/examples/basic/src/main.rs
+++ b/examples/basic/src/main.rs
@@ -1,20 +1,22 @@
 use axum::{
+Router,
 error_handling::HandleErrorLayer,
 http::Uri,
 response::IntoResponse,
 routing::{any, get},
-Router,
 };
 use axum_oidc::{
-error::MiddlewareError, handle_oidc_redirect, openidconnect::{Audience, ClientId, ClientSecret}, EmptyAdditionalClaims, OidcAuthLayer, OidcClaims, OidcClient, OidcLoginLayer, OidcRpInitiatedLogout,
 EmptyAdditionalClaims, OidcAuthLayer, OidcClaims, OidcClient, OidcLoginLayer,
 OidcRpInitiatedLogout,
+error::MiddlewareError,
+handle_oidc_redirect,
+openidconnect::{Audience, ClientId, ClientSecret, IssuerUrl, Scope},
 };
 use tokio::net::TcpListener;
 use tower::ServiceBuilder;
 use tower_sessions::{
-cookie::{time::Duration, SameSite},
 Expiry, MemoryStore, SessionManagerLayer,
+cookie::{SameSite, time::Duration},
 };
 use tracing::Level;
 
@@ -47,15 +49,19 @@ async fn main() {
 .with_default_http_client()
 .with_redirect_url(Uri::from_static("http://localhost:8080/oidc"))
 .with_client_id(ClientId::new(client_id))
-.add_scope("profile")
-.add_scope("email")
+.add_scope(Scope::new("profile".into()))
+.add_scope(Scope::new("email".into()))
 // Optional: add untrusted audiences. If the `aud` claim contains any of these audiences, the token is rejected.
 .add_untrusted_audience(Audience::new("123456789".to_string()));
 
 if let Some(client_secret) = client_secret {
 oidc_client = oidc_client.with_client_secret(ClientSecret::new(client_secret));
 }
-let oidc_client = oidc_client.discover(issuer).await.unwrap().build();
+let oidc_client = oidc_client
+.discover(IssuerUrl::new(issuer.into()).expect("Invalid IssuerUrl"))
+.await
+.unwrap()
+.build();
 
 let oidc_auth_service = ServiceBuilder::new()
 .layer(HandleErrorLayer::new(|e: MiddlewareError| async {
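Review bot: `Scope::new("profile".into())` and `Scope::new("email".into())` sit two lines above `Audience::new("123456789".to_string())`, and the crate's own default in src/builder.rs is `Scope::new("openid".to_string())`; since this is the example users copy from, one spelling reads better, e.g. `.add_scope(Scope::new("profile".to_string()))`. The new `.expect("Invalid IssuerUrl")` also panics without saying where the rejected value came from; `issuer` is defined outside the hunk, so name its source in the message, e.g. `.expect("<issuer env var or config key> is not a valid issuer URL")`. `main` starts and ends outside this hunk.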