kanidm/proto/src/oauth2.rs

use std::collections::{BTreeMap, BTreeSet};

use base64urlsafedata::Base64UrlSafeData;
use serde::{Deserialize, Serialize};
use url::Url;

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq, Clone, Copy)]
pub enum CodeChallengeMethod {
    // default to plain if not requested as S256. Reject the auth?
    // plain
    // BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    S256,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct PkceRequest {
    pub code_challenge: Base64UrlSafeData,
    pub code_challenge_method: CodeChallengeMethod,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct AuthorisationRequest {
    // Must be "code". (or token, see 4.2.1)
    pub response_type: String,
    pub client_id: String,
    pub state: String,
    #[serde(flatten, skip_serializing_if = "Option::is_none")]
    pub pkce_request: Option<PkceRequest>,
    pub redirect_uri: Url,
    pub scope: String,
    // OIDC adds a nonce parameter that is optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub nonce: Option<String>,
    // OIDC also allows other optional params
    #[serde(flatten)]
    pub oidc_ext: AuthorisationRequestOidc,
    #[serde(flatten)]
    pub unknown_keys: BTreeMap<String, serde_json::value::Value>,
}

#[derive(Serialize, Deserialize, Debug, Clone, Default)]
pub struct AuthorisationRequestOidc {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub display: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prompt: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub max_age: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ui_locales: Option<()>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub claims_locales: Option<()>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub id_token_hint: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub login_hint: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub acr: Option<String>,
}

/// When we request to authorise, it can either prompt us for consent,
/// or it can immediately be granted due the past grant.
#[derive(Serialize, Deserialize, Debug, Clone)]
pub enum AuthorisationResponse {
    ConsentRequested {
        // A pretty-name of the client
        client_name: String,
        // A list of scopes requested / to be issued.
        scopes: BTreeSet<String>,
        // Extra PII that may be requested
        pii_scopes: BTreeSet<String>,
        // The users displayname (?)
        // pub display_name: String,
        // The token we need to be given back to allow this to proceed
        consent_token: String,
    },
    Permitted,
}

#[derive(Serialize, Deserialize, Debug)]
#[serde(tag = "grant_type", rename_all = "snake_case")]
pub enum GrantTypeReq {
    AuthorizationCode {
        // As sent by the authorisationCode
        code: String,
        // Must be the same as the original redirect uri.
        redirect_uri: Url,
        #[serde(skip_serializing_if = "Option::is_none")]
        code_verifier: Option<String>,
    },
    RefreshToken {
        refresh_token: String,
        #[serde(skip_serializing_if = "Option::is_none")]
        scope: Option<BTreeSet<String>>,
    },
}

#[derive(Serialize, Deserialize, Debug)]
pub struct AccessTokenRequest {
    #[serde(flatten)]
    pub grant_type: GrantTypeReq,
    // REQUIRED, if the client is not authenticating with the
    //  authorization server as described in Section 3.2.1.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_id: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_secret: Option<String>,
}

impl From<GrantTypeReq> for AccessTokenRequest {
    fn from(req: GrantTypeReq) -> AccessTokenRequest {
        AccessTokenRequest {
            grant_type: req,
            client_id: None,
            client_secret: None,
        }
    }
}

#[derive(Serialize, Deserialize, Debug)]
pub struct TokenRevokeRequest {
    pub token: String,
    /// Generally not needed. See:
    /// <https://datatracker.ietf.org/doc/html/rfc7009#section-4.1.2>
    #[serde(skip_serializing_if = "Option::is_none")]
    pub token_type_hint: Option<String>,
}

// The corresponding Response to a revoke request is empty body with 200.

#[derive(Serialize, Deserialize, Debug)]
pub struct AccessTokenResponse {
    // Could be  Base64UrlSafeData
    pub access_token: String,
    // Enum?
    pub token_type: String,
    // seconds.
    pub expires_in: u32,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub refresh_token: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Space separated list of scopes that were approved, if this differs from the
    /// original request.
    pub scope: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    /// Oidc puts the token here.
    pub id_token: Option<String>,
}

#[derive(Serialize, Deserialize, Debug)]
pub struct AccessTokenIntrospectRequest {
    pub token: String,
    /// Generally not needed. See:
    /// <https://datatracker.ietf.org/doc/html/rfc7009#section-4.1.2>
    #[serde(skip_serializing_if = "Option::is_none")]
    pub token_type_hint: Option<String>,
}

#[derive(Serialize, Deserialize, Debug)]
pub struct AccessTokenIntrospectResponse {
    pub active: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scope: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_id: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub username: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub token_type: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exp: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub iat: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub nbf: Option<i64>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sub: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aud: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub iss: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub jti: Option<String>,
}

impl AccessTokenIntrospectResponse {
    pub fn inactive() -> Self {
        AccessTokenIntrospectResponse {
            active: false,
            scope: None,
            client_id: None,
            username: None,
            token_type: None,
            exp: None,
            iat: None,
            nbf: None,
            sub: None,
            aud: None,
            iss: None,
            jti: None,
        }
    }
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum ResponseType {
    Code,
    Token,
    IdToken,
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum ResponseMode {
    Query,
    Fragment,
}

fn response_modes_supported_default() -> Vec<ResponseMode> {
    vec![ResponseMode::Query, ResponseMode::Fragment]
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum GrantType {
    #[serde(rename = "authorization_code")]
    AuthorisationCode,
    Implicit,
}

fn grant_types_supported_default() -> Vec<GrantType> {
    vec![GrantType::AuthorisationCode, GrantType::Implicit]
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum SubjectType {
    Pairwise,
    Public,
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "UPPERCASE")]
// WE REFUSE TO SUPPORT NONE. DONT EVEN ASK. IT WON'T HAPPEN.
pub enum IdTokenSignAlg {
    ES256,
    RS256,
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum TokenEndpointAuthMethod {
    ClientSecretPost,
    ClientSecretBasic,
    ClientSecretJwt,
    PrivateKeyJwt,
}

fn token_endpoint_auth_methods_supported_default() -> Vec<TokenEndpointAuthMethod> {
    vec![TokenEndpointAuthMethod::ClientSecretBasic]
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum DisplayValue {
    Page,
    Popup,
    Touch,
    Wap,
}

#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
// https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
pub enum ClaimType {
    Normal,
    Aggregated,
    Distributed,
}

fn claim_types_supported_default() -> Vec<ClaimType> {
    vec![ClaimType::Normal]
}

fn claims_parameter_supported_default() -> bool {
    false
}

fn request_parameter_supported_default() -> bool {
    false
}

fn request_uri_parameter_supported_default() -> bool {
    true
}

fn require_request_uri_parameter_supported_default() -> bool {
    false
}

#[derive(Serialize, Deserialize, Debug)]
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
pub struct OidcDiscoveryResponse {
    pub issuer: Url,
    pub authorization_endpoint: Url,
    pub token_endpoint: Url,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userinfo_endpoint: Option<Url>,
    pub jwks_uri: Url,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub registration_endpoint: Option<Url>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scopes_supported: Option<Vec<String>>,
    // https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.1
    pub response_types_supported: Vec<ResponseType>,
    // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
    #[serde(default = "response_modes_supported_default")]
    pub response_modes_supported: Vec<ResponseMode>,
    // Need to fill in as authorization_code only else a default is assumed.
    #[serde(default = "grant_types_supported_default")]
    pub grant_types_supported: Vec<GrantType>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub acr_values_supported: Option<Vec<String>>,
    // https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
    pub subject_types_supported: Vec<SubjectType>,
    pub id_token_signing_alg_values_supported: Vec<IdTokenSignAlg>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub id_token_encryption_alg_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub id_token_encryption_enc_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userinfo_signing_alg_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userinfo_encryption_alg_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userinfo_encryption_enc_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request_object_signing_alg_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request_object_encryption_alg_values_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request_object_encryption_enc_values_supported: Option<Vec<String>>,
    // Defaults to client_secret_basic
    #[serde(default = "token_endpoint_auth_methods_supported_default")]
    pub token_endpoint_auth_methods_supported: Vec<TokenEndpointAuthMethod>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub token_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
    // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
    #[serde(skip_serializing_if = "Option::is_none")]
    pub display_values_supported: Option<Vec<DisplayValue>>,
    // Default to normal.
    #[serde(default = "claim_types_supported_default")]
    pub claim_types_supported: Vec<ClaimType>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub claims_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_documentation: Option<Url>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub claims_locales_supported: Option<Vec<String>>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ui_locales_supported: Option<Vec<String>>,
    // Default false.
    #[serde(default = "claims_parameter_supported_default")]
    pub claims_parameter_supported: bool,
    #[serde(default = "request_parameter_supported_default")]
    pub request_parameter_supported: bool,
    #[serde(default = "request_uri_parameter_supported_default")]
    pub request_uri_parameter_supported: bool,
    #[serde(default = "require_request_uri_parameter_supported_default")]
    pub require_request_uri_registration: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub op_policy_uri: Option<Url>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub op_tos_uri: Option<Url>,
}

#[derive(Serialize, Deserialize, Debug)]
pub struct ErrorResponse {
    pub error: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_description: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_uri: Option<Url>,
}

#[cfg(test)]
mod tests {
    use super::{AccessTokenRequest, GrantTypeReq};
    use url::Url;

    #[test]
    fn test_oauth2_access_token_req() {
        let atr: AccessTokenRequest = GrantTypeReq::AuthorizationCode {
            code: "demo code".to_string(),
            redirect_uri: Url::parse("http://[::1]").unwrap(),
            code_verifier: None,
        }
        .into();

        println!("{:?}", serde_json::to_string(&atr).expect("JSON failure"));
    }
}
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`use std::collections::{BTreeMap, BTreeSet};`
Rework deps (#1079) 2022-10-01 08:08:51 +02:00
383 164 authentication updates 9 (#956) * implementation of passkeys as an auth mech * listing the current passkeys when asking to remove one * tweaking insecure dev server config so passkeys will work * Fix domain rename Co-authored-by: James Hodgkinson <james@terminaloutcomes.com> 2022-07-30 14:10:24 +02:00			`use base64urlsafedata::Base64UrlSafeData;`
Pre-release update and cleanup (#631) 2021-12-31 00:11:20 +01:00			`use serde::{Deserialize, Serialize};`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`use url::Url;`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq, Clone, Copy)]`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`pub enum CodeChallengeMethod {`
			`// default to plain if not requested as S256. Reject the auth?`
			`// plain`
			`// BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))`
			`S256,`
			`}`

278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[derive(Serialize, Deserialize, Debug, Clone)]`
			`pub struct PkceRequest {`
			`pub code_challenge: Base64UrlSafeData,`
			`pub code_challenge_method: CodeChallengeMethod,`
			`}`

Pre-release update and cleanup (#631) 2021-12-31 00:11:20 +01:00			`#[derive(Serialize, Deserialize, Debug, Clone)]`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`pub struct AuthorisationRequest {`
			`// Must be "code". (or token, see 4.2.1)`
			`pub response_type: String,`
			`pub client_id: String,`
Fix state parameter to be string (#602) 2021-10-20 06:00:14 +02:00			`pub state: String,`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(flatten, skip_serializing_if = "Option::is_none")]`
			`pub pkce_request: Option<PkceRequest>,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`pub redirect_uri: Url,`
			`pub scope: String,`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`// OIDC adds a nonce parameter that is optional.`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub nonce: Option<String>,`
			`// OIDC also allows other optional params`
			`#[serde(flatten)]`
			`pub oidc_ext: AuthorisationRequestOidc,`
			`#[serde(flatten)]`
			`pub unknown_keys: BTreeMap<String, serde_json::value::Value>,`
			`}`

Pre-release update and cleanup (#631) 2021-12-31 00:11:20 +01:00			`#[derive(Serialize, Deserialize, Debug, Clone, Default)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`pub struct AuthorisationRequestOidc {`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub display: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub prompt: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub max_age: Option<i64>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub ui_locales: Option<()>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub claims_locales: Option<()>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub id_token_hint: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub login_hint: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub acr: Option<String>,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`}`

636 consent remembering in oauth2 (#824) 2022-06-20 03:37:39 +02:00			`/// When we request to authorise, it can either prompt us for consent,`
			`/// or it can immediately be granted due the past grant.`
Pre-release update and cleanup (#631) 2021-12-31 00:11:20 +01:00			`#[derive(Serialize, Deserialize, Debug, Clone)]`
636 consent remembering in oauth2 (#824) 2022-06-20 03:37:39 +02:00			`pub enum AuthorisationResponse {`
			`ConsentRequested {`
			`// A pretty-name of the client`
			`client_name: String,`
			`// A list of scopes requested / to be issued.`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`scopes: BTreeSet<String>,`
636 consent remembering in oauth2 (#824) 2022-06-20 03:37:39 +02:00			`// Extra PII that may be requested`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`pii_scopes: BTreeSet<String>,`
636 consent remembering in oauth2 (#824) 2022-06-20 03:37:39 +02:00			`// The users displayname (?)`
			`// pub display_name: String,`
			`// The token we need to be given back to allow this to proceed`
			`consent_token: String,`
			`},`
			`Permitted,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`}`

20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`#[serde(tag = "grant_type", rename_all = "snake_case")]`
			`pub enum GrantTypeReq {`
			`AuthorizationCode {`
			`// As sent by the authorisationCode`
			`code: String,`
			`// Must be the same as the original redirect uri.`
			`redirect_uri: Url,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`code_verifier: Option<String>,`
			`},`
			`RefreshToken {`
			`refresh_token: String,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`scope: Option<BTreeSet<String>>,`
			`},`
			`}`

Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct AccessTokenRequest {`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`#[serde(flatten)]`
			`pub grant_type: GrantTypeReq,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`// REQUIRED, if the client is not authenticating with the`
			`// authorization server as described in Section 3.2.1.`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`#[serde(skip_serializing_if = "Option::is_none")]`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`pub client_id: Option<String>,`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`#[serde(skip_serializing_if = "Option::is_none")]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`pub client_secret: Option<String>,`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`}`

			`impl From<GrantTypeReq> for AccessTokenRequest {`
			`fn from(req: GrantTypeReq) -> AccessTokenRequest {`
			`AccessTokenRequest {`
			`grant_type: req,`
			`client_id: None,`
			`client_secret: None,`
			`}`
			`}`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`}`

613 oauth2 logout (#1184) * Oauth2 sessions * Start to add session consistency * Add tests for session consistency. * Session refint works! * Add support for oauth2 session removal 2022-11-13 05:10:45 +01:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct TokenRevokeRequest {`
			`pub token: String,`
			`/// Generally not needed. See:`
			`/// <https://datatracker.ietf.org/doc/html/rfc7009#section-4.1.2>`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub token_type_hint: Option<String>,`
			`}`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00
613 oauth2 logout (#1184) * Oauth2 sessions * Start to add session consistency * Add tests for session consistency. * Session refint works! * Add support for oauth2 session removal 2022-11-13 05:10:45 +01:00			`// The corresponding Response to a revoke request is empty body with 200.`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00
			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct AccessTokenResponse {`
			`// Could be Base64UrlSafeData`
			`pub access_token: String,`
			`// Enum?`
			`pub token_type: String,`
			`// seconds.`
Customized `tracing` for `tide::Middleware` logging (#544) 2021-08-19 03:04:24 +02:00			`pub expires_in: u32,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub refresh_token: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
Spell checking and stuff (#1314) * codespell run and spelling fixes * some clippying * minor fmt fix * making yamllint happy * adding codespell github action 2023-01-10 04:50:53 +01:00			`/// Space separated list of scopes that were approved, if this differs from the`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`/// original request.`
			`pub scope: Option<String>,`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(skip_serializing_if = "Option::is_none")]`
			`/// Oidc puts the token here.`
			`pub id_token: Option<String>,`
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`}`

20211010 rfc7662 token introspect (#607) 2021-10-26 05:00:02 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct AccessTokenIntrospectRequest {`
			`pub token: String,`
Resolve docs error 2021-10-26 05:12:46 +02:00			`/// Generally not needed. See:`
			`/// <https://datatracker.ietf.org/doc/html/rfc7009#section-4.1.2>`
20211010 rfc7662 token introspect (#607) 2021-10-26 05:00:02 +02:00			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub token_type_hint: Option<String>,`
			`}`

			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct AccessTokenIntrospectResponse {`
			`pub active: bool,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub scope: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub client_id: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub username: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub token_type: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub exp: Option<i64>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub iat: Option<i64>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub nbf: Option<i64>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub sub: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub aud: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub iss: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub jti: Option<String>,`
			`}`

			`impl AccessTokenIntrospectResponse {`
			`pub fn inactive() -> Self {`
			`AccessTokenIntrospectResponse {`
			`active: false,`
			`scope: None,`
			`client_id: None,`
			`username: None,`
			`token_type: None,`
			`exp: None,`
			`iat: None,`
			`nbf: None,`
			`sub: None,`
			`aud: None,`
			`iss: None,`
			`jti: None,`
			`}`
			`}`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum ResponseType {`
			`Code,`
			`Token,`
			`IdToken,`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum ResponseMode {`
			`Query,`
			`Fragment,`
			`}`

			`fn response_modes_supported_default() -> Vec<ResponseMode> {`
			`vec![ResponseMode::Query, ResponseMode::Fragment]`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum GrantType {`
			`#[serde(rename = "authorization_code")]`
			`AuthorisationCode,`
			`Implicit,`
			`}`

			`fn grant_types_supported_default() -> Vec<GrantType> {`
			`vec![GrantType::AuthorisationCode, GrantType::Implicit]`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum SubjectType {`
			`Pairwise,`
			`Public,`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "UPPERCASE")]`
Spell checking and stuff (#1314) * codespell run and spelling fixes * some clippying * minor fmt fix * making yamllint happy * adding codespell github action 2023-01-10 04:50:53 +01:00			`// WE REFUSE TO SUPPORT NONE. DONT EVEN ASK. IT WON'T HAPPEN.`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`pub enum IdTokenSignAlg {`
			`ES256,`
			`RS256,`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum TokenEndpointAuthMethod {`
			`ClientSecretPost,`
			`ClientSecretBasic,`
			`ClientSecretJwt,`
			`PrivateKeyJwt,`
			`}`

			`fn token_endpoint_auth_methods_supported_default() -> Vec<TokenEndpointAuthMethod> {`
			`vec![TokenEndpointAuthMethod::ClientSecretBasic]`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`pub enum DisplayValue {`
			`Page,`
			`Popup,`
			`Touch,`
			`Wap,`
			`}`

20220817 ldap service tokens (#1002) 2022-09-02 06:21:20 +02:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]`
278 603 OIDC implementation (#608) 2021-11-21 07:41:49 +01:00			`#[serde(rename_all = "snake_case")]`
			`// https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes`
			`pub enum ClaimType {`
			`Normal,`
			`Aggregated,`
			`Distributed,`
			`}`

			`fn claim_types_supported_default() -> Vec<ClaimType> {`
			`vec![ClaimType::Normal]`
			`}`

			`fn claims_parameter_supported_default() -> bool {`
			`false`
			`}`

			`fn request_parameter_supported_default() -> bool {`
			`false`
			`}`

			`fn request_uri_parameter_supported_default() -> bool {`
			`true`
			`}`

			`fn require_request_uri_parameter_supported_default() -> bool {`
			`false`
			`}`

			`#[derive(Serialize, Deserialize, Debug)]`
			`// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`
			`pub struct OidcDiscoveryResponse {`
			`pub issuer: Url,`
			`pub authorization_endpoint: Url,`
			`pub token_endpoint: Url,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub userinfo_endpoint: Option<Url>,`
			`pub jwks_uri: Url,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub registration_endpoint: Option<Url>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub scopes_supported: Option<Vec<String>>,`
			`// https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.1`
			`pub response_types_supported: Vec<ResponseType>,`
			`// https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes`
			`#[serde(default = "response_modes_supported_default")]`
			`pub response_modes_supported: Vec<ResponseMode>,`
			`// Need to fill in as authorization_code only else a default is assumed.`
			`#[serde(default = "grant_types_supported_default")]`
			`pub grant_types_supported: Vec<GrantType>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub acr_values_supported: Option<Vec<String>>,`
			`// https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg`
			`pub subject_types_supported: Vec<SubjectType>,`
			`pub id_token_signing_alg_values_supported: Vec<IdTokenSignAlg>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub id_token_encryption_alg_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub id_token_encryption_enc_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub userinfo_signing_alg_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub userinfo_encryption_alg_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub userinfo_encryption_enc_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub request_object_signing_alg_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub request_object_encryption_alg_values_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub request_object_encryption_enc_values_supported: Option<Vec<String>>,`
			`// Defaults to client_secret_basic`
			`#[serde(default = "token_endpoint_auth_methods_supported_default")]`
			`pub token_endpoint_auth_methods_supported: Vec<TokenEndpointAuthMethod>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub token_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,`
			`// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub display_values_supported: Option<Vec<DisplayValue>>,`
			`// Default to normal.`
			`#[serde(default = "claim_types_supported_default")]`
			`pub claim_types_supported: Vec<ClaimType>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub claims_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub service_documentation: Option<Url>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub claims_locales_supported: Option<Vec<String>>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub ui_locales_supported: Option<Vec<String>>,`
			`// Default false.`
			`#[serde(default = "claims_parameter_supported_default")]`
			`pub claims_parameter_supported: bool,`
			`#[serde(default = "request_parameter_supported_default")]`
			`pub request_parameter_supported: bool,`
			`#[serde(default = "request_uri_parameter_supported_default")]`
			`pub request_uri_parameter_supported: bool,`
			`#[serde(default = "require_request_uri_parameter_supported_default")]`
			`pub require_request_uri_registration: bool,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub op_policy_uri: Option<Url>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub op_tos_uri: Option<Url>,`
			`}`

Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 06:23:39 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct ErrorResponse {`
			`pub error: String,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub error_description: Option<String>,`
			`#[serde(skip_serializing_if = "Option::is_none")]`
			`pub error_uri: Option<Url>,`
			`}`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00
			`#[cfg(test)]`
			`mod tests {`
			`use super::{AccessTokenRequest, GrantTypeReq};`
			`use url::Url;`

			`#[test]`
			`fn test_oauth2_access_token_req() {`
			`let atr: AccessTokenRequest = GrantTypeReq::AuthorizationCode {`
			`code: "demo code".to_string(),`
			`redirect_uri: Url::parse("http://[::1]").unwrap(),`
			`code_verifier: None,`
			`}`
			`.into();`

			`println!("{:?}", serde_json::to_string(&atr).expect("JSON failure"));`
			`}`
			`}`