Struct oauth2_types::registration::ClientMetadata
pub struct ClientMetadata {
pub redirect_uris: Option<Vec<Url>>,
pub response_types: Option<Vec<ResponseType>>,
pub grant_types: Option<Vec<GrantType>>,
pub application_type: Option<ApplicationType>,
pub contacts: Option<Vec<String>>,
pub client_name: Option<Localized<String>>,
pub logo_uri: Option<Localized<Url>>,
pub client_uri: Option<Localized<Url>>,
pub policy_uri: Option<Localized<Url>>,
pub tos_uri: Option<Localized<Url>>,
pub jwks_uri: Option<Url>,
pub jwks: Option<PublicJsonWebKeySet>,
pub software_id: Option<String>,
pub software_version: Option<String>,
pub sector_identifier_uri: Option<Url>,
pub subject_type: Option<SubjectType>,
pub token_endpoint_auth_method: Option<OAuthClientAuthenticationMethod>,
pub token_endpoint_auth_signing_alg: Option<JsonWebSignatureAlg>,
pub id_token_signed_response_alg: Option<JsonWebSignatureAlg>,
pub id_token_encrypted_response_alg: Option<JsonWebEncryptionAlg>,
pub id_token_encrypted_response_enc: Option<JsonWebEncryptionEnc>,
pub userinfo_signed_response_alg: Option<JsonWebSignatureAlg>,
pub userinfo_encrypted_response_alg: Option<JsonWebEncryptionAlg>,
pub userinfo_encrypted_response_enc: Option<JsonWebEncryptionEnc>,
pub request_object_signing_alg: Option<JsonWebSignatureAlg>,
pub request_object_encryption_alg: Option<JsonWebEncryptionAlg>,
pub request_object_encryption_enc: Option<JsonWebEncryptionEnc>,
pub default_max_age: Option<Duration>,
pub require_auth_time: Option<bool>,
pub default_acr_values: Option<Vec<String>>,
pub initiate_login_uri: Option<Url>,
pub request_uris: Option<Vec<Url>>,
pub require_signed_request_object: Option<bool>,
pub require_pushed_authorization_requests: Option<bool>,
pub introspection_signed_response_alg: Option<JsonWebSignatureAlg>,
pub introspection_encrypted_response_alg: Option<JsonWebEncryptionAlg>,
pub introspection_encrypted_response_enc: Option<JsonWebEncryptionEnc>,
pub post_logout_redirect_uris: Option<Vec<Url>>,
}
Client metadata, as described by the IANA registry.
All the fields with a default value are accessible via methods.
Fields§
§redirect_uris: Option<Vec<Url>>
Array of redirection URIs for use in redirect-based flows such as the authorization code flow.
All the URIs used by the client in an authorization request’s
redirect_uri
field must appear in this list.
This field is required and the URIs must not contain a fragment.
response_types: Option<Vec<ResponseType>>
Array of the OAuth 2.0 response_type
values that the client can use
at the authorization endpoint.
All the types used by the client in an authorization request’s
response_type
field must appear in this list.
Defaults to DEFAULT_RESPONSE_TYPES
.
grant_types: Option<Vec<GrantType>>
Array of OAuth 2.0 grant_type
values that the client can use at the
token endpoint.
The possible grant types depend on the response types. Declaring support for a grant type that is not compatible with the supported response types will trigger an error during validation.
All the types used by the client in a token request’s grant_type
field
must appear in this list.
Defaults to DEFAULT_GRANT_TYPES
.
application_type: Option<ApplicationType>
The kind of the application.
Defaults to DEFAULT_APPLICATION_TYPE
.
contacts: Option<Vec<String>>
Array of e-mail addresses of people responsible for this client.
client_name: Option<Localized<String>>
Name of the client to be presented to the end-user during authorization.
logo_uri: Option<Localized<Url>>
URL that references a logo for the client application.
client_uri: Option<Localized<Url>>
URL of the home page of the client.
policy_uri: Option<Localized<Url>>
URL that the client provides to the end-user to read about how the profile data will be used.
tos_uri: Option<Localized<Url>>
URL that the client provides to the end-user to read about the client’s terms of service.
jwks_uri: Option<Url>
URL for the client’s JWK Set document.
If the client signs requests to the server, it contains the signing key(s) the server uses to validate signatures from the client. The JWK Set may also contain the client’s encryption key(s), which are used by the server to encrypt responses to the client.
This field is mutually exclusive with jwks
.
jwks: Option<PublicJsonWebKeySet>
Client’s JWK Set document, passed by value.
The semantics of this field are the same as jwks_uri
, other than that
the JWK Set is passed by value, rather than by reference.
This field is mutually exclusive with jwks_uri
.
software_id: Option<String>
A unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.
It should remain the same for all instances and versions of the client software.
software_version: Option<String>
A version identifier string for the client software identified by
software_id
.
sector_identifier_uri: Option<Url>
URL to be used in calculating pseudonymous identifiers by the OpenID Connect provider when pairwise subject identifiers are used.
If present, this must use the https
scheme.
subject_type: Option<SubjectType>
Subject type requested for responses to this client.
This field must match one of the supported types by the provider.
token_endpoint_auth_method: Option<OAuthClientAuthenticationMethod>
Requested client authentication method for the token endpoint.
If this is set to `OAuthClientAuthenticationMethod::PrivateKeyJwt`, one of the `jwks_uri` or `jwks` fields is required.
Defaults to `DEFAULT_TOKEN_AUTH_METHOD`.
token_endpoint_auth_signing_alg: Option<JsonWebSignatureAlg>
JWS `alg` algorithm that must be used for signing the JWT used to authenticate the client at the token endpoint.
If this field is present, it must not be `JsonWebSignatureAlg::None`. This field is required if `token_endpoint_auth_method` is one of `OAuthClientAuthenticationMethod::PrivateKeyJwt` or `OAuthClientAuthenticationMethod::ClientSecretJwt`.
id_token_signed_response_alg: Option<JsonWebSignatureAlg>
JWS `alg` algorithm required for signing the ID Token issued to this client.
If this field is present, it must not be `JsonWebSignatureAlg::None`, unless the client uses only response types that return no ID Token from the authorization endpoint.
Defaults to `DEFAULT_SIGNING_ALGORITHM`.
id_token_encrypted_response_alg: Option<JsonWebEncryptionAlg>
JWE alg
algorithm required for encrypting the ID Token issued to
this client.
This field is required if id_token_encrypted_response_enc
is provided.
id_token_encrypted_response_enc: Option<JsonWebEncryptionEnc>
JWE enc
algorithm required for encrypting the ID Token issued to
this client.
Defaults to DEFAULT_ENCRYPTION_ENC_ALGORITHM
if
id_token_encrypted_response_alg
is provided.
userinfo_signed_response_alg: Option<JsonWebSignatureAlg>
JWS alg
algorithm required for signing user info responses.
userinfo_encrypted_response_alg: Option<JsonWebEncryptionAlg>
JWE alg
algorithm required for encrypting user info responses.
If userinfo_signed_response_alg
is not provided, this field has no
effect.
This field is required if userinfo_encrypted_response_enc
is provided.
userinfo_encrypted_response_enc: Option<JsonWebEncryptionEnc>
JWE enc
algorithm required for encrypting user info responses.
If userinfo_signed_response_alg
is not provided, this field has no
effect.
Defaults to DEFAULT_ENCRYPTION_ENC_ALGORITHM
if
userinfo_encrypted_response_alg
is provided.
request_object_signing_alg: Option<JsonWebSignatureAlg>
JWS alg
algorithm that must be used for signing Request Objects sent
to the provider.
Defaults to any algorithm supported by the client and the provider.
request_object_encryption_alg: Option<JsonWebEncryptionAlg>
JWE alg
algorithm the client is declaring that it may use for
encrypting Request Objects sent to the provider.
This field is required if request_object_encryption_enc
is provided.
request_object_encryption_enc: Option<JsonWebEncryptionEnc>
JWE enc
algorithm the client is declaring that it may use for
encrypting Request Objects sent to the provider.
Defaults to DEFAULT_ENCRYPTION_ENC_ALGORITHM
if
request_object_encryption_alg
is provided.
default_max_age: Option<Duration>
Default maximum authentication age.
Specifies that the End-User must be actively authenticated if the end-user was authenticated longer ago than the specified number of seconds.
The max_age
request parameter overrides this default value.
require_auth_time: Option<bool>
Whether the auth_time
Claim in the ID Token is required.
Defaults to false
.
default_acr_values: Option<Vec<String>>
Default requested Authentication Context Class Reference values.
initiate_login_uri: Option<Url>
URI that a third party can use to initiate a login by the client.
If present, this must use the https
scheme.
request_uris: Option<Vec<Url>>
request_uri
values that are pre-registered by the client for use at
the provider.
Providers can require that request_uri
values used be pre-registered
with the require_request_uri_registration
discovery parameter.
Servers MAY cache the contents of the files referenced by these URIs and not retrieve them at the time they are used in a request. If the contents of the request file could ever change, these URI values should include the base64url encoded SHA-256 hash value of the file contents referenced by the URI as the value of the URI fragment. If the fragment value used for a URI changes, that signals the server that its cached value for that URI with the old fragment value is no longer valid.
require_signed_request_object: Option<bool>
Whether the client will only send authorization requests as [Request Objects].
Defaults to false
.
require_pushed_authorization_requests: Option<bool>
Whether the client will only send authorization requests via the pushed authorization request endpoint.
Defaults to false.
introspection_signed_response_alg: Option<JsonWebSignatureAlg>
JWS alg
algorithm for signing responses of the introspection
endpoint.
introspection_encrypted_response_alg: Option<JsonWebEncryptionAlg>
JWE alg
algorithm for encrypting responses of the introspection
endpoint.
If introspection_signed_response_alg
is not provided, this field has
no effect.
This field is required if introspection_encrypted_response_enc
is
provided.
introspection_encrypted_response_enc: Option<JsonWebEncryptionEnc>
JWE enc
algorithm for encrypting responses of the introspection
endpoint.
If introspection_signed_response_alg
is not provided, this field has
no effect.
Defaults to DEFAULT_ENCRYPTION_ENC_ALGORITHM
if
introspection_encrypted_response_alg
is provided.
post_logout_redirect_uris: Option<Vec<Url>>
post_logout_redirect_uri
values that are pre-registered by the client
for use at the provider’s RP-Initiated Logout endpoint.
Implementations§
impl ClientMetadata
pub fn validate( self, ) -> Result<VerifiedClientMetadata, ClientMetadataVerificationError>
Validate this ClientMetadata
according to the OpenID Connect Dynamic
Client Registration Spec 1.0.
§Errors
Will return Err
if validation fails.
pub fn response_types(&self) -> Vec<ResponseType>
Array of the OAuth 2.0 response_type
values that the client can use
at the authorization endpoint.
All the types used by the client in an authorization request’s
response_type
field must appear in this list.
Defaults to DEFAULT_RESPONSE_TYPES
.
pub fn grant_types(&self) -> &[GrantType]
Array of OAuth 2.0 grant_type
values that the client can use at the
token endpoint.
Note that the possible grant types depend on the response types.
All the types used by the client in a token request’s grant_type
field
must appear in this list.
Defaults to DEFAULT_GRANT_TYPES
.
pub fn application_type(&self) -> ApplicationType
The kind of the application.
Defaults to DEFAULT_APPLICATION_TYPE
.
pub fn token_endpoint_auth_method(&self) -> &OAuthClientAuthenticationMethod
Requested client authentication method for the token endpoint.
Defaults to DEFAULT_TOKEN_AUTH_METHOD
.
pub fn id_token_signed_response_alg(&self) -> &JsonWebSignatureAlg
JWS `alg` algorithm required for signing the ID Token issued to this client.
If this field is present, it must not be `JsonWebSignatureAlg::None`, unless the client uses only response types that return no ID Token from the authorization endpoint.
Defaults to `DEFAULT_SIGNING_ALGORITHM`.
pub fn id_token_encrypted_response( &self, ) -> Option<(&JsonWebEncryptionAlg, &JsonWebEncryptionEnc)>
JWE alg
and enc
algorithms required for encrypting the ID Token
issued to this client.
Always returns Some
if id_token_encrypted_response_alg
is provided,
using the default of DEFAULT_ENCRYPTION_ENC_ALGORITHM
for the enc
value if needed.
pub fn userinfo_encrypted_response( &self, ) -> Option<(&JsonWebEncryptionAlg, &JsonWebEncryptionEnc)>
JWE alg
and enc
algorithms required for encrypting user info
responses.
Always returns Some
if userinfo_encrypted_response_alg
is provided,
using the default of DEFAULT_ENCRYPTION_ENC_ALGORITHM
for the enc
value if needed.
pub fn request_object_encryption( &self, ) -> Option<(&JsonWebEncryptionAlg, &JsonWebEncryptionEnc)>
JWE alg
and enc
algorithms the client is declaring that it may use
for encrypting Request Objects sent to the provider.
Always returns Some
if request_object_encryption_alg
is provided,
using the default of DEFAULT_ENCRYPTION_ENC_ALGORITHM
for the enc
value if needed.
pub fn require_auth_time(&self) -> bool
Whether the auth_time
Claim in the ID Token is required.
Defaults to false
.
pub fn require_signed_request_object(&self) -> bool
Whether the client will only send authorization requests as [Request Objects].
Defaults to false
.
pub fn require_pushed_authorization_requests(&self) -> bool
Whether the client will only send authorization requests via the pushed authorization request endpoint.
Defaults to false.
pub fn introspection_encrypted_response( &self, ) -> Option<(&JsonWebEncryptionAlg, &JsonWebEncryptionEnc)>
JWE alg
and enc
algorithms for encrypting responses of the
introspection endpoint.
Always returns Some
if introspection_encrypted_response_alg
is
provided, using the default of DEFAULT_ENCRYPTION_ENC_ALGORITHM
for
the enc
value if needed.
Trait Implementations§
impl Clone for ClientMetadata
fn clone(&self) -> ClientMetadata
fn clone_from(&mut self, source: &Self)
impl Debug for ClientMetadata
impl Default for ClientMetadata
fn default() -> ClientMetadata
impl<'de> Deserialize<'de> for ClientMetadata
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
impl PartialEq for ClientMetadata
impl Eq for ClientMetadata
impl StructuralPartialEq for ClientMetadata
Auto Trait Implementations§
impl Freeze for ClientMetadata
impl RefUnwindSafe for ClientMetadata
impl Send for ClientMetadata
impl Sync for ClientMetadata
impl Unpin for ClientMetadata
impl UnwindSafe for ClientMetadata