1 use std::fmt::Debug; 2 use std::future::Future; 3 use std::marker::PhantomData; 4 5 use http::header::{HeaderValue, ACCEPT}; 6 use http::method::Method; 7 use http::status::StatusCode; 8 use oauth2::{AuthUrl, Scope, TokenUrl}; 9 use serde::de::DeserializeOwned; 10 use serde::Serialize; 11 use thiserror::Error; 12 13 use super::http_utils::{check_content_type, MIME_TYPE_JSON}; 14 use super::types::{ 15 AuthDisplay, AuthenticationContextClass, ClaimName, ClaimType, ClientAuthMethod, GrantType, 16 IssuerUrl, JsonWebKey, JsonWebKeySet, JsonWebKeySetUrl, JsonWebKeyType, JsonWebKeyUse, 17 JweContentEncryptionAlgorithm, JweKeyManagementAlgorithm, JwsSigningAlgorithm, LanguageTag, 18 OpPolicyUrl, OpTosUrl, RegistrationUrl, ResponseMode, ResponseType, ResponseTypes, 19 ServiceDocUrl, SubjectIdentifierType, 20 }; 21 use super::{HttpRequest, HttpResponse, UserInfoUrl, CONFIG_URL_SUFFIX}; 22 23 /// 24 /// Trait for adding extra fields to [`ProviderMetadata`]. 25 /// 26 pub trait AdditionalProviderMetadata: Clone + Debug + DeserializeOwned + Serialize {} 27 28 // In order to support serde flatten, this must be an empty struct rather than an empty 29 // tuple struct. 30 /// 31 /// Empty (default) extra [`ProviderMetadata`] fields. 32 /// 33 #[derive(Clone, Debug, Default, Deserialize, PartialEq, Serialize)] 34 pub struct EmptyAdditionalProviderMetadata {} 35 impl AdditionalProviderMetadata for EmptyAdditionalProviderMetadata {} 36 37 /// 38 /// Provider metadata returned by [OpenID Connect Discovery]( 39 /// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). 40 /// 41 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)] 42 #[allow(clippy::type_complexity)] 43 pub struct ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RT, S> 44 where 45 A: AdditionalProviderMetadata, 46 AD: AuthDisplay, 47 CA: ClientAuthMethod, 48 CN: ClaimName, 49 CT: ClaimType, 50 G: GrantType, 51 JE: JweContentEncryptionAlgorithm<JT>, 52 JK: JweKeyManagementAlgorithm, 53 JS: JwsSigningAlgorithm<JT>, 54 JT: JsonWebKeyType, 55 JU: JsonWebKeyUse, 56 K: JsonWebKey<JS, JT, JU>, 57 RM: ResponseMode, 58 RT: ResponseType, 59 S: SubjectIdentifierType, 60 { 61 issuer: IssuerUrl, 62 authorization_endpoint: AuthUrl, 63 #[serde(skip_serializing_if = "Option::is_none")] 64 token_endpoint: Option<TokenUrl>, 65 #[serde(skip_serializing_if = "Option::is_none")] 66 userinfo_endpoint: Option<UserInfoUrl>, 67 jwks_uri: JsonWebKeySetUrl, 68 #[serde(default = "JsonWebKeySet::default", skip)] 69 jwks: JsonWebKeySet<JS, JT, JU, K>, 70 #[serde(skip_serializing_if = "Option::is_none")] 71 registration_endpoint: Option<RegistrationUrl>, 72 #[serde(skip_serializing_if = "Option::is_none")] 73 scopes_supported: Option<Vec<Scope>>, 74 #[serde(bound(deserialize = "RT: ResponseType"))] 75 response_types_supported: Vec<ResponseTypes<RT>>, 76 #[serde( 77 bound(deserialize = "RM: ResponseMode"), 78 skip_serializing_if = "Option::is_none" 79 )] 80 response_modes_supported: Option<Vec<RM>>, 81 #[serde( 82 bound(deserialize = "G: GrantType"), 83 skip_serializing_if = "Option::is_none" 84 )] 85 grant_types_supported: Option<Vec<G>>, 86 #[serde(skip_serializing_if = "Option::is_none")] 87 acr_values_supported: Option<Vec<AuthenticationContextClass>>, 88 #[serde(bound(deserialize = "S: SubjectIdentifierType"))] 89 subject_types_supported: Vec<S>, 90 #[serde(bound(deserialize = "JS: JwsSigningAlgorithm<JT>"))] 91 id_token_signing_alg_values_supported: Vec<JS>, 92 #[serde( 93 bound(deserialize = "JK: JweKeyManagementAlgorithm"), 94 skip_serializing_if = "Option::is_none" 95 )] 96 id_token_encryption_alg_values_supported: Option<Vec<JK>>, 97 #[serde( 98 bound(deserialize = "JE: JweContentEncryptionAlgorithm<JT>"), 99 skip_serializing_if = "Option::is_none" 100 )] 101 id_token_encryption_enc_values_supported: Option<Vec<JE>>, 102 #[serde( 103 bound(deserialize = "JS: JwsSigningAlgorithm<JT>"), 104 skip_serializing_if = "Option::is_none" 105 )] 106 userinfo_signing_alg_values_supported: Option<Vec<JS>>, 107 #[serde( 108 bound(deserialize = "JK: JweKeyManagementAlgorithm"), 109 skip_serializing_if = "Option::is_none" 110 )] 111 userinfo_encryption_alg_values_supported: Option<Vec<JK>>, 112 #[serde( 113 bound(deserialize = "JE: JweContentEncryptionAlgorithm<JT>"), 114 skip_serializing_if = "Option::is_none" 115 )] 116 userinfo_encryption_enc_values_supported: Option<Vec<JE>>, 117 #[serde( 118 bound(deserialize = "JS: JwsSigningAlgorithm<JT>"), 119 skip_serializing_if = "Option::is_none" 120 )] 121 request_object_signing_alg_values_supported: Option<Vec<JS>>, 122 #[serde( 123 bound(deserialize = "JK: JweKeyManagementAlgorithm"), 124 skip_serializing_if = "Option::is_none" 125 )] 126 request_object_encryption_alg_values_supported: Option<Vec<JK>>, 127 #[serde( 128 bound(deserialize = "JE: JweContentEncryptionAlgorithm<JT>"), 129 skip_serializing_if = "Option::is_none" 130 )] 131 request_object_encryption_enc_values_supported: Option<Vec<JE>>, 132 #[serde( 133 bound(deserialize = "CA: ClientAuthMethod"), 134 skip_serializing_if = "Option::is_none" 135 )] 136 token_endpoint_auth_methods_supported: Option<Vec<CA>>, 137 #[serde( 138 bound(deserialize = "JS: JwsSigningAlgorithm<JT>"), 139 skip_serializing_if = "Option::is_none" 140 )] 141 token_endpoint_auth_signing_alg_values_supported: Option<Vec<JS>>, 142 #[serde( 143 bound(deserialize = "AD: AuthDisplay"), 144 skip_serializing_if = "Option::is_none" 145 )] 146 display_values_supported: Option<Vec<AD>>, 147 #[serde( 148 bound(deserialize = "CT: ClaimType"), 149 skip_serializing_if = "Option::is_none" 150 )] 151 claim_types_supported: Option<Vec<CT>>, 152 #[serde( 153 bound(deserialize = "CN: ClaimName"), 154 skip_serializing_if = "Option::is_none" 155 )] 156 claims_supported: Option<Vec<CN>>, 157 #[serde(skip_serializing_if = "Option::is_none")] 158 service_documentation: Option<ServiceDocUrl>, 159 #[serde(skip_serializing_if = "Option::is_none")] 160 claims_locales_supported: Option<Vec<LanguageTag>>, 161 #[serde(skip_serializing_if = "Option::is_none")] 162 ui_locales_supported: Option<Vec<LanguageTag>>, 163 #[serde(skip_serializing_if = "Option::is_none")] 164 claims_parameter_supported: Option<bool>, 165 #[serde(skip_serializing_if = "Option::is_none")] 166 request_parameter_supported: Option<bool>, 167 #[serde(skip_serializing_if = "Option::is_none")] 168 request_uri_parameter_supported: Option<bool>, 169 #[serde(skip_serializing_if = "Option::is_none")] 170 require_request_uri_registration: Option<bool>, 171 #[serde(skip_serializing_if = "Option::is_none")] 172 op_policy_uri: Option<OpPolicyUrl>, 173 #[serde(skip_serializing_if = "Option::is_none")] 174 op_tos_uri: Option<OpTosUrl>, 175 176 #[serde(bound(deserialize = "A: AdditionalProviderMetadata"), flatten)] 177 additional_metadata: A, 178 179 #[serde(skip)] 180 _phantom_jt: PhantomData<JT>, 181 } 182 impl<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RT, S> 183 ProviderMetadata<A, AD, CA, CN, CT, G, JE, JK, JS, JT, JU, K, RM, RT, S> 184 where 185 A: AdditionalProviderMetadata, 186 AD: AuthDisplay, 187 CA: ClientAuthMethod, 188 CN: ClaimName, 189 CT: ClaimType, 190 G: GrantType, 191 JE: JweContentEncryptionAlgorithm<JT>, 192 JK: JweKeyManagementAlgorithm, 193 JS: JwsSigningAlgorithm<JT>, 194 JT: JsonWebKeyType, 195 JU: JsonWebKeyUse, 196 K: JsonWebKey<JS, JT, JU>, 197 RM: ResponseMode, 198 RT: ResponseType, 199 S: SubjectIdentifierType, 200 { 201 /// 202 /// Instantiates new provider metadata. 203 /// new( issuer: IssuerUrl, authorization_endpoint: AuthUrl, jwks_uri: JsonWebKeySetUrl, response_types_supported: Vec<ResponseTypes<RT>>, subject_types_supported: Vec<S>, id_token_signing_alg_values_supported: Vec<JS>, additional_metadata: A, ) -> Self204 pub fn new( 205 issuer: IssuerUrl, 206 authorization_endpoint: AuthUrl, 207 jwks_uri: JsonWebKeySetUrl, 208 response_types_supported: Vec<ResponseTypes<RT>>, 209 subject_types_supported: Vec<S>, 210 id_token_signing_alg_values_supported: Vec<JS>, 211 additional_metadata: A, 212 ) -> Self { 213 Self { 214 issuer, 215 authorization_endpoint, 216 token_endpoint: None, 217 userinfo_endpoint: None, 218 jwks_uri, 219 jwks: JsonWebKeySet::new(Vec::new()), 220 registration_endpoint: None, 221 scopes_supported: None, 222 response_types_supported, 223 response_modes_supported: None, 224 grant_types_supported: None, 225 acr_values_supported: None, 226 subject_types_supported, 227 id_token_signing_alg_values_supported, 228 id_token_encryption_alg_values_supported: None, 229 id_token_encryption_enc_values_supported: None, 230 userinfo_signing_alg_values_supported: None, 231 userinfo_encryption_alg_values_supported: None, 232 userinfo_encryption_enc_values_supported: None, 233 request_object_signing_alg_values_supported: None, 234 request_object_encryption_alg_values_supported: None, 235 request_object_encryption_enc_values_supported: None, 236 token_endpoint_auth_methods_supported: None, 237 token_endpoint_auth_signing_alg_values_supported: None, 238 display_values_supported: None, 239 claim_types_supported: None, 240 claims_supported: None, 241 service_documentation: None, 242 claims_locales_supported: None, 243 ui_locales_supported: None, 244 claims_parameter_supported: None, 245 request_parameter_supported: None, 246 request_uri_parameter_supported: None, 247 require_request_uri_registration: None, 248 op_policy_uri: None, 249 op_tos_uri: None, 250 additional_metadata, 251 _phantom_jt: PhantomData, 252 } 253 } 254 255 field_getters_setters![ 256 pub self [self] ["provider metadata value"] { 257 set_issuer -> issuer[IssuerUrl], 258 set_authorization_endpoint -> authorization_endpoint[AuthUrl], 259 set_token_endpoint -> token_endpoint[Option<TokenUrl>], 260 set_userinfo_endpoint -> userinfo_endpoint[Option<UserInfoUrl>], 261 set_jwks_uri -> jwks_uri[JsonWebKeySetUrl], 262 set_jwks -> jwks[JsonWebKeySet<JS, JT, JU, K>], 263 set_registration_endpoint -> registration_endpoint[Option<RegistrationUrl>], 264 set_scopes_supported -> scopes_supported[Option<Vec<Scope>>], 265 set_response_types_supported -> response_types_supported[Vec<ResponseTypes<RT>>], 266 set_response_modes_supported -> response_modes_supported[Option<Vec<RM>>], 267 set_grant_types_supported -> grant_types_supported[Option<Vec<G>>], 268 set_acr_values_supported 269 -> acr_values_supported[Option<Vec<AuthenticationContextClass>>], 270 set_subject_types_supported -> subject_types_supported[Vec<S>], 271 set_id_token_signing_alg_values_supported 272 -> id_token_signing_alg_values_supported[Vec<JS>], 273 set_id_token_encryption_alg_values_supported 274 -> id_token_encryption_alg_values_supported[Option<Vec<JK>>], 275 set_id_token_encryption_enc_values_supported 276 -> id_token_encryption_enc_values_supported[Option<Vec<JE>>], 277 set_userinfo_signing_alg_values_supported 278 -> userinfo_signing_alg_values_supported[Option<Vec<JS>>], 279 set_userinfo_encryption_alg_values_supported 280 -> userinfo_encryption_alg_values_supported[Option<Vec<JK>>], 281 set_userinfo_encryption_enc_values_supported 282 -> userinfo_encryption_enc_values_supported[Option<Vec<JE>>], 283 set_request_object_signing_alg_values_supported 284 -> request_object_signing_alg_values_supported[Option<Vec<JS>>], 285 set_request_object_encryption_alg_values_supported 286 -> request_object_encryption_alg_values_supported[Option<Vec<JK>>], 287 set_request_object_encryption_enc_values_supported 288 -> request_object_encryption_enc_values_supported[Option<Vec<JE>>], 289 set_token_endpoint_auth_methods_supported 290 -> token_endpoint_auth_methods_supported[Option<Vec<CA>>], 291 set_token_endpoint_auth_signing_alg_values_supported 292 -> token_endpoint_auth_signing_alg_values_supported[Option<Vec<JS>>], 293 set_display_values_supported -> display_values_supported[Option<Vec<AD>>], 294 set_claim_types_supported -> claim_types_supported[Option<Vec<CT>>], 295 set_claims_supported -> claims_supported[Option<Vec<CN>>], 296 set_service_documentation -> service_documentation[Option<ServiceDocUrl>], 297 set_claims_locales_supported -> claims_locales_supported[Option<Vec<LanguageTag>>], 298 set_ui_locales_supported -> ui_locales_supported[Option<Vec<LanguageTag>>], 299 set_claims_parameter_supported -> claims_parameter_supported[Option<bool>], 300 set_request_parameter_supported -> request_parameter_supported[Option<bool>], 301 set_request_uri_parameter_supported -> request_uri_parameter_supported[Option<bool>], 302 set_require_request_uri_registration -> require_request_uri_registration[Option<bool>], 303 set_op_policy_uri -> op_policy_uri[Option<OpPolicyUrl>], 304 set_op_tos_uri -> op_tos_uri[Option<OpTosUrl>], 305 } 306 ]; 307 308 /// 309 /// Fetches the OpenID Connect Discovery document and associated JSON Web Key Set from the 310 /// OpenID Connect Provider. 311 /// discover<HC, RE>( issuer_url: &IssuerUrl, http_client: HC, ) -> Result<Self, DiscoveryError<RE>> where HC: Fn(HttpRequest) -> Result<HttpResponse, RE>, RE: std::error::Error + 'static,312 pub fn discover<HC, RE>( 313 issuer_url: &IssuerUrl, 314 http_client: HC, 315 ) -> Result<Self, DiscoveryError<RE>> 316 where 317 HC: Fn(HttpRequest) -> Result<HttpResponse, RE>, 318 RE: std::error::Error + 'static, 319 { 320 let discovery_url = issuer_url 321 .join(CONFIG_URL_SUFFIX) 322 .map_err(DiscoveryError::UrlParse)?; 323 324 http_client(Self::discovery_request(discovery_url)) 325 .map_err(DiscoveryError::Request) 326 .and_then(|http_response| Self::discovery_response(issuer_url, http_response)) 327 .and_then(|provider_metadata| { 328 JsonWebKeySet::fetch(provider_metadata.jwks_uri(), http_client).map(|jwks| Self { 329 jwks, 330 ..provider_metadata 331 }) 332 }) 333 } 334 335 /// 336 /// Asynchronously fetches the OpenID Connect Discovery document and associated JSON Web Key Set 337 /// from the OpenID Connect Provider. 338 /// discover_async<F, HC, RE>( issuer_url: IssuerUrl, http_client: HC, ) -> Result<Self, DiscoveryError<RE>> where F: Future<Output = Result<HttpResponse, RE>>, HC: Fn(HttpRequest) -> F + 'static, RE: std::error::Error + 'static,339 pub async fn discover_async<F, HC, RE>( 340 issuer_url: IssuerUrl, 341 http_client: HC, 342 ) -> Result<Self, DiscoveryError<RE>> 343 where 344 F: Future<Output = Result<HttpResponse, RE>>, 345 HC: Fn(HttpRequest) -> F + 'static, 346 RE: std::error::Error + 'static, 347 { 348 let discovery_url = issuer_url 349 .join(CONFIG_URL_SUFFIX) 350 .map_err(DiscoveryError::UrlParse)?; 351 352 let provider_metadata = http_client(Self::discovery_request(discovery_url)) 353 .await 354 .map_err(DiscoveryError::Request) 355 .and_then(|http_response| Self::discovery_response(&issuer_url, http_response))?; 356 357 JsonWebKeySet::fetch_async(provider_metadata.jwks_uri(), http_client) 358 .await 359 .map(|jwks| Self { 360 jwks, 361 ..provider_metadata 362 }) 363 } 364 discovery_request(discovery_url: url::Url) -> HttpRequest365 fn discovery_request(discovery_url: url::Url) -> HttpRequest { 366 HttpRequest { 367 url: discovery_url, 368 method: Method::GET, 369 headers: vec![(ACCEPT, HeaderValue::from_static(MIME_TYPE_JSON))] 370 .into_iter() 371 .collect(), 372 body: Vec::new(), 373 } 374 } 375 discovery_response<RE>( issuer_url: &IssuerUrl, discovery_response: HttpResponse, ) -> Result<Self, DiscoveryError<RE>> where RE: std::error::Error + 'static,376 fn discovery_response<RE>( 377 issuer_url: &IssuerUrl, 378 discovery_response: HttpResponse, 379 ) -> Result<Self, DiscoveryError<RE>> 380 where 381 RE: std::error::Error + 'static, 382 { 383 if discovery_response.status_code != StatusCode::OK { 384 return Err(DiscoveryError::Response( 385 discovery_response.status_code, 386 discovery_response.body, 387 format!("HTTP status code {}", discovery_response.status_code), 388 )); 389 } 390 391 check_content_type(&discovery_response.headers, MIME_TYPE_JSON).map_err(|err_msg| { 392 DiscoveryError::Response( 393 discovery_response.status_code, 394 discovery_response.body.clone(), 395 err_msg, 396 ) 397 })?; 398 399 let provider_metadata = serde_path_to_error::deserialize::<_, Self>( 400 &mut serde_json::Deserializer::from_slice(&discovery_response.body), 401 ) 402 .map_err(DiscoveryError::Parse)?; 403 404 if provider_metadata.issuer() != issuer_url { 405 Err(DiscoveryError::Validation(format!( 406 "unexpected issuer URI `{}` (expected `{}`)", 407 provider_metadata.issuer().url(), 408 issuer_url.url() 409 ))) 410 } else { 411 Ok(provider_metadata) 412 } 413 } 414 415 /// 416 /// Returns additional provider metadata fields. 417 /// additional_metadata(&self) -> &A418 pub fn additional_metadata(&self) -> &A { 419 &self.additional_metadata 420 } 421 /// 422 /// Returns mutable additional provider metadata fields. 423 /// additional_metadata_mut(&mut self) -> &mut A424 pub fn additional_metadata_mut(&mut self) -> &mut A { 425 &mut self.additional_metadata 426 } 427 } 428 429 /// 430 /// Error retrieving provider metadata. 431 /// 432 #[derive(Debug, Error)] 433 #[non_exhaustive] 434 pub enum DiscoveryError<RE> 435 where 436 RE: std::error::Error + 'static, 437 { 438 /// 439 /// An unexpected error occurred. 440 /// 441 #[error("Other error: {0}")] 442 Other(String), 443 /// 444 /// Failed to parse server response. 445 /// 446 #[error("Failed to parse server response")] 447 Parse(#[source] serde_path_to_error::Error<serde_json::Error>), 448 /// 449 /// An error occurred while sending the request or receiving the response (e.g., network 450 /// connectivity failed). 451 /// 452 #[error("Request failed")] 453 Request(#[source] RE), 454 /// 455 /// Server returned an invalid response. 456 /// 457 #[error("Server returned invalid response: {2}")] 458 Response(StatusCode, Vec<u8>, String), 459 /// 460 /// Failed to parse discovery URL from issuer URL. 461 /// 462 #[error("Failed to parse URL")] 463 UrlParse(#[source] url::ParseError), 464 /// 465 /// Failed to validate provider metadata. 466 /// 467 #[error("Validation error: {0}")] 468 Validation(String), 469 } 470 471 #[cfg(test)] 472 mod tests { 473 use oauth2::{AuthUrl, Scope, TokenUrl}; 474 475 use crate::core::{ 476 CoreAuthDisplay, CoreClaimName, CoreClaimType, CoreClientAuthMethod, CoreGrantType, 477 CoreJweContentEncryptionAlgorithm, CoreJweKeyManagementAlgorithm, CoreJwsSigningAlgorithm, 478 CoreProviderMetadata, CoreResponseMode, CoreResponseType, CoreSubjectIdentifierType, 479 }; 480 481 use super::{ 482 AuthenticationContextClass, IssuerUrl, JsonWebKeySetUrl, LanguageTag, OpPolicyUrl, 483 OpTosUrl, RegistrationUrl, ResponseTypes, ServiceDocUrl, UserInfoUrl, 484 }; 485 486 #[test] test_discovery_deserialization()487 fn test_discovery_deserialization() { 488 // Fetched from: https://rp.certification.openid.net:8080/openidconnect-rs/ 489 // rp-response_type-code/.well-known/openid-configuration 490 let json_response_standard = "\ 491 \"issuer\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\",\ 492 \"authorization_endpoint\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/authorization\",\ 493 \"token_endpoint\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/token\",\ 494 \"userinfo_endpoint\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/userinfo\",\ 495 \"jwks_uri\":\"https://rp.certification.openid.net:8080/static/jwks_3INbZl52IrrPCp2j.json\",\ 496 \"registration_endpoint\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/registration\",\ 497 \"scopes_supported\":[\ 498 \"email\",\ 499 \"phone\",\ 500 \"profile\",\ 501 \"openid\",\ 502 \"address\",\ 503 \"offline_access\",\ 504 \"openid\"\ 505 ],\ 506 \"response_types_supported\":[\ 507 \"code\"\ 508 ],\ 509 \"response_modes_supported\":[\ 510 \"query\",\ 511 \"fragment\",\ 512 \"form_post\"\ 513 ],\ 514 \"grant_types_supported\":[\ 515 \"authorization_code\",\ 516 \"implicit\",\ 517 \"urn:ietf:params:oauth:grant-type:jwt-bearer\",\ 518 \"refresh_token\"\ 519 ],\ 520 \"acr_values_supported\":[\ 521 \"PASSWORD\"\ 522 ],\ 523 \"subject_types_supported\":[\ 524 \"public\",\ 525 \"pairwise\"\ 526 ],\ 527 \"id_token_signing_alg_values_supported\":[\ 528 \"RS256\",\ 529 \"RS384\",\ 530 \"RS512\",\ 531 \"ES256\",\ 532 \"ES384\",\ 533 \"ES512\",\ 534 \"HS256\",\ 535 \"HS384\",\ 536 \"HS512\",\ 537 \"PS256\",\ 538 \"PS384\",\ 539 \"PS512\",\ 540 \"none\"\ 541 ],\ 542 \"id_token_encryption_alg_values_supported\":[\ 543 \"RSA1_5\",\ 544 \"RSA-OAEP\",\ 545 \"RSA-OAEP-256\",\ 546 \"A128KW\",\ 547 \"A192KW\",\ 548 \"A256KW\",\ 549 \"ECDH-ES\",\ 550 \"ECDH-ES+A128KW\",\ 551 \"ECDH-ES+A192KW\",\ 552 \"ECDH-ES+A256KW\"\ 553 ],\ 554 \"id_token_encryption_enc_values_supported\":[\ 555 \"A128CBC-HS256\",\ 556 \"A192CBC-HS384\",\ 557 \"A256CBC-HS512\",\ 558 \"A128GCM\",\ 559 \"A192GCM\",\ 560 \"A256GCM\"\ 561 ],\ 562 \"userinfo_signing_alg_values_supported\":[\ 563 \"RS256\",\ 564 \"RS384\",\ 565 \"RS512\",\ 566 \"ES256\",\ 567 \"ES384\",\ 568 \"ES512\",\ 569 \"HS256\",\ 570 \"HS384\",\ 571 \"HS512\",\ 572 \"PS256\",\ 573 \"PS384\",\ 574 \"PS512\",\ 575 \"none\"\ 576 ],\ 577 \"userinfo_encryption_alg_values_supported\":[\ 578 \"RSA1_5\",\ 579 \"RSA-OAEP\",\ 580 \"RSA-OAEP-256\",\ 581 \"A128KW\",\ 582 \"A192KW\",\ 583 \"A256KW\",\ 584 \"ECDH-ES\",\ 585 \"ECDH-ES+A128KW\",\ 586 \"ECDH-ES+A192KW\",\ 587 \"ECDH-ES+A256KW\"\ 588 ],\ 589 \"userinfo_encryption_enc_values_supported\":[\ 590 \"A128CBC-HS256\",\ 591 \"A192CBC-HS384\",\ 592 \"A256CBC-HS512\",\ 593 \"A128GCM\",\ 594 \"A192GCM\",\ 595 \"A256GCM\"\ 596 ],\ 597 \"request_object_signing_alg_values_supported\":[\ 598 \"RS256\",\ 599 \"RS384\",\ 600 \"RS512\",\ 601 \"ES256\",\ 602 \"ES384\",\ 603 \"ES512\",\ 604 \"HS256\",\ 605 \"HS384\",\ 606 \"HS512\",\ 607 \"PS256\",\ 608 \"PS384\",\ 609 \"PS512\",\ 610 \"none\"\ 611 ],\ 612 \"request_object_encryption_alg_values_supported\":[\ 613 \"RSA1_5\",\ 614 \"RSA-OAEP\",\ 615 \"RSA-OAEP-256\",\ 616 \"A128KW\",\ 617 \"A192KW\",\ 618 \"A256KW\",\ 619 \"ECDH-ES\",\ 620 \"ECDH-ES+A128KW\",\ 621 \"ECDH-ES+A192KW\",\ 622 \"ECDH-ES+A256KW\"\ 623 ],\ 624 \"request_object_encryption_enc_values_supported\":[\ 625 \"A128CBC-HS256\",\ 626 \"A192CBC-HS384\",\ 627 \"A256CBC-HS512\",\ 628 \"A128GCM\",\ 629 \"A192GCM\",\ 630 \"A256GCM\"\ 631 ],\ 632 \"token_endpoint_auth_methods_supported\":[\ 633 \"client_secret_post\",\ 634 \"client_secret_basic\",\ 635 \"client_secret_jwt\",\ 636 \"private_key_jwt\"\ 637 ],\ 638 \"token_endpoint_auth_signing_alg_values_supported\":[\ 639 \"RS256\",\ 640 \"RS384\",\ 641 \"RS512\",\ 642 \"ES256\",\ 643 \"ES384\",\ 644 \"ES512\",\ 645 \"HS256\",\ 646 \"HS384\",\ 647 \"HS512\",\ 648 \"PS256\",\ 649 \"PS384\",\ 650 \"PS512\"\ 651 ],\ 652 \"claim_types_supported\":[\ 653 \"normal\",\ 654 \"aggregated\",\ 655 \"distributed\"\ 656 ],\ 657 \"claims_supported\":[\ 658 \"name\",\ 659 \"given_name\",\ 660 \"middle_name\",\ 661 \"picture\",\ 662 \"email_verified\",\ 663 \"birthdate\",\ 664 \"sub\",\ 665 \"address\",\ 666 \"zoneinfo\",\ 667 \"email\",\ 668 \"gender\",\ 669 \"preferred_username\",\ 670 \"family_name\",\ 671 \"website\",\ 672 \"profile\",\ 673 \"phone_number_verified\",\ 674 \"nickname\",\ 675 \"updated_at\",\ 676 \"phone_number\",\ 677 \"locale\"\ 678 ],\ 679 \"claims_parameter_supported\":true,\ 680 \"request_parameter_supported\":true,\ 681 \"request_uri_parameter_supported\":true,\ 682 \"require_request_uri_registration\":true"; 683 684 let json_response = format!( 685 "{{{},{}}}", 686 json_response_standard, 687 "\"end_session_endpoint\":\"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/end_session\",\ 688 \"version\":\"3.0\"" 689 ); 690 dbg!(&json_response); 691 692 let all_signing_algs = vec![ 693 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 694 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 695 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 696 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 697 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 698 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 699 CoreJwsSigningAlgorithm::HmacSha256, 700 CoreJwsSigningAlgorithm::HmacSha384, 701 CoreJwsSigningAlgorithm::HmacSha512, 702 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 703 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 704 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 705 CoreJwsSigningAlgorithm::None, 706 ]; 707 let all_encryption_algs = vec![ 708 CoreJweKeyManagementAlgorithm::RsaPkcs1V15, 709 CoreJweKeyManagementAlgorithm::RsaOaep, 710 CoreJweKeyManagementAlgorithm::RsaOaepSha256, 711 CoreJweKeyManagementAlgorithm::AesKeyWrap128, 712 CoreJweKeyManagementAlgorithm::AesKeyWrap192, 713 CoreJweKeyManagementAlgorithm::AesKeyWrap256, 714 CoreJweKeyManagementAlgorithm::EcdhEs, 715 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap128, 716 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap192, 717 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap256, 718 ]; 719 let new_provider_metadata = CoreProviderMetadata::new( 720 IssuerUrl::new( 721 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code" 722 .to_string(), 723 ) 724 .unwrap(), 725 AuthUrl::new( 726 "https://rp.certification.openid.net:8080/openidconnect-rs/\ 727 rp-response_type-code/authorization" 728 .to_string(), 729 ) 730 .unwrap(), 731 JsonWebKeySetUrl::new( 732 "https://rp.certification.openid.net:8080/static/jwks_3INbZl52IrrPCp2j.json" 733 .to_string(), 734 ) 735 .unwrap(), 736 vec![ResponseTypes::new(vec![CoreResponseType::Code])], 737 vec![ 738 CoreSubjectIdentifierType::Public, 739 CoreSubjectIdentifierType::Pairwise, 740 ], 741 all_signing_algs.clone(), 742 Default::default(), 743 ) 744 .set_request_object_signing_alg_values_supported(Some(all_signing_algs.clone())) 745 .set_token_endpoint_auth_signing_alg_values_supported(Some(vec![ 746 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 747 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 748 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 749 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 750 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 751 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 752 CoreJwsSigningAlgorithm::HmacSha256, 753 CoreJwsSigningAlgorithm::HmacSha384, 754 CoreJwsSigningAlgorithm::HmacSha512, 755 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 756 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 757 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 758 ])) 759 .set_scopes_supported(Some(vec![ 760 Scope::new("email".to_string()), 761 Scope::new("phone".to_string()), 762 Scope::new("profile".to_string()), 763 Scope::new("openid".to_string()), 764 Scope::new("address".to_string()), 765 Scope::new("offline_access".to_string()), 766 Scope::new("openid".to_string()), 767 ])) 768 .set_userinfo_signing_alg_values_supported(Some(all_signing_algs)) 769 .set_id_token_encryption_enc_values_supported(Some(vec![ 770 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 771 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 772 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 773 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 774 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 775 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 776 ])) 777 .set_grant_types_supported(Some(vec![ 778 CoreGrantType::AuthorizationCode, 779 CoreGrantType::Implicit, 780 CoreGrantType::JwtBearer, 781 CoreGrantType::RefreshToken, 782 ])) 783 .set_response_modes_supported(Some(vec![ 784 CoreResponseMode::Query, 785 CoreResponseMode::Fragment, 786 CoreResponseMode::FormPost, 787 ])) 788 .set_require_request_uri_registration(Some(true)) 789 .set_registration_endpoint(Some( 790 RegistrationUrl::new( 791 "https://rp.certification.openid.net:8080/openidconnect-rs/\ 792 rp-response_type-code/registration" 793 .to_string(), 794 ) 795 .unwrap(), 796 )) 797 .set_claims_parameter_supported(Some(true)) 798 .set_request_object_encryption_enc_values_supported(Some(vec![ 799 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 800 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 801 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 802 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 803 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 804 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 805 ])) 806 .set_userinfo_endpoint(Some( 807 UserInfoUrl::new( 808 "https://rp.certification.openid.net:8080/openidconnect-rs/\ 809 rp-response_type-code/userinfo" 810 .to_string(), 811 ) 812 .unwrap(), 813 )) 814 .set_token_endpoint_auth_methods_supported(Some(vec![ 815 CoreClientAuthMethod::ClientSecretPost, 816 CoreClientAuthMethod::ClientSecretBasic, 817 CoreClientAuthMethod::ClientSecretJwt, 818 CoreClientAuthMethod::PrivateKeyJwt, 819 ])) 820 .set_claims_supported(Some( 821 vec![ 822 "name", 823 "given_name", 824 "middle_name", 825 "picture", 826 "email_verified", 827 "birthdate", 828 "sub", 829 "address", 830 "zoneinfo", 831 "email", 832 "gender", 833 "preferred_username", 834 "family_name", 835 "website", 836 "profile", 837 "phone_number_verified", 838 "nickname", 839 "updated_at", 840 "phone_number", 841 "locale", 842 ] 843 .iter() 844 .map(|claim| CoreClaimName::new((*claim).to_string())) 845 .collect(), 846 )) 847 .set_request_object_encryption_alg_values_supported(Some(all_encryption_algs.clone())) 848 .set_claim_types_supported(Some(vec![ 849 CoreClaimType::Normal, 850 CoreClaimType::Aggregated, 851 CoreClaimType::Distributed, 852 ])) 853 .set_request_uri_parameter_supported(Some(true)) 854 .set_request_parameter_supported(Some(true)) 855 .set_token_endpoint(Some( 856 TokenUrl::new( 857 "https://rp.certification.openid.net:8080/openidconnect-rs/\ 858 rp-response_type-code/token" 859 .to_string(), 860 ) 861 .unwrap(), 862 )) 863 .set_id_token_encryption_alg_values_supported(Some(all_encryption_algs.clone())) 864 .set_userinfo_encryption_alg_values_supported(Some(all_encryption_algs)) 865 .set_userinfo_encryption_enc_values_supported(Some(vec![ 866 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 867 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 868 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 869 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 870 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 871 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 872 ])) 873 .set_acr_values_supported(Some(vec![AuthenticationContextClass::new( 874 "PASSWORD".to_string(), 875 )])); 876 877 let provider_metadata: CoreProviderMetadata = serde_json::from_str(&json_response).unwrap(); 878 assert_eq!(provider_metadata, new_provider_metadata); 879 880 let serialized = serde_json::to_string(&provider_metadata).unwrap(); 881 assert_eq!(serialized, format!("{{{}}}", json_response_standard)); 882 883 assert_eq!( 884 IssuerUrl::new( 885 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code" 886 .to_string() 887 ) 888 .unwrap(), 889 *provider_metadata.issuer() 890 ); 891 assert_eq!( 892 AuthUrl::new( 893 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\ 894 /authorization" 895 .to_string() 896 ) 897 .unwrap(), 898 *provider_metadata.authorization_endpoint() 899 ); 900 assert_eq!( 901 Some( 902 &TokenUrl::new( 903 "https://rp.certification.openid.net:8080/openidconnect-rs\ 904 /rp-response_type-code/token" 905 .to_string() 906 ) 907 .unwrap() 908 ), 909 provider_metadata.token_endpoint() 910 ); 911 assert_eq!( 912 Some( 913 &UserInfoUrl::new( 914 "https://rp.certification.openid.net:8080/openidconnect-rs\ 915 /rp-response_type-code/userinfo" 916 .to_string() 917 ) 918 .unwrap() 919 ), 920 provider_metadata.userinfo_endpoint() 921 ); 922 assert_eq!( 923 &JsonWebKeySetUrl::new( 924 "https://rp.certification.openid.net:8080/static/jwks_3INbZl52IrrPCp2j.json" 925 .to_string() 926 ) 927 .unwrap(), 928 provider_metadata.jwks_uri() 929 ); 930 assert_eq!( 931 Some( 932 &RegistrationUrl::new( 933 "https://rp.certification.openid.net:8080/openidconnect-rs\ 934 /rp-response_type-code/registration" 935 .to_string() 936 ) 937 .unwrap() 938 ), 939 provider_metadata.registration_endpoint() 940 ); 941 assert_eq!( 942 Some( 943 &vec![ 944 "email", 945 "phone", 946 "profile", 947 "openid", 948 "address", 949 "offline_access", 950 "openid", 951 ] 952 .iter() 953 .map(|s| (*s).to_string()) 954 .map(Scope::new) 955 .collect::<Vec<_>>() 956 ), 957 provider_metadata.scopes_supported() 958 ); 959 assert_eq!( 960 vec![ResponseTypes::new(vec![CoreResponseType::Code])], 961 *provider_metadata.response_types_supported() 962 ); 963 assert_eq!( 964 Some(&vec![ 965 CoreResponseMode::Query, 966 CoreResponseMode::Fragment, 967 CoreResponseMode::FormPost, 968 ]), 969 provider_metadata.response_modes_supported() 970 ); 971 assert_eq!( 972 Some( 973 &vec![ 974 CoreGrantType::AuthorizationCode, 975 CoreGrantType::Implicit, 976 CoreGrantType::JwtBearer, 977 CoreGrantType::RefreshToken, 978 ] 979 .into_iter() 980 .collect::<Vec<_>>() 981 ), 982 provider_metadata.grant_types_supported() 983 ); 984 assert_eq!( 985 Some(&vec![AuthenticationContextClass::new( 986 "PASSWORD".to_string(), 987 )]), 988 provider_metadata.acr_values_supported() 989 ); 990 assert_eq!( 991 vec![ 992 CoreSubjectIdentifierType::Public, 993 CoreSubjectIdentifierType::Pairwise, 994 ], 995 *provider_metadata.subject_types_supported() 996 ); 997 assert_eq!( 998 vec![ 999 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 1000 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 1001 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 1002 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 1003 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 1004 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 1005 CoreJwsSigningAlgorithm::HmacSha256, 1006 CoreJwsSigningAlgorithm::HmacSha384, 1007 CoreJwsSigningAlgorithm::HmacSha512, 1008 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 1009 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 1010 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 1011 CoreJwsSigningAlgorithm::None, 1012 ], 1013 *provider_metadata.id_token_signing_alg_values_supported() 1014 ); 1015 assert_eq!( 1016 Some(&vec![ 1017 CoreJweKeyManagementAlgorithm::RsaPkcs1V15, 1018 CoreJweKeyManagementAlgorithm::RsaOaep, 1019 CoreJweKeyManagementAlgorithm::RsaOaepSha256, 1020 CoreJweKeyManagementAlgorithm::AesKeyWrap128, 1021 CoreJweKeyManagementAlgorithm::AesKeyWrap192, 1022 CoreJweKeyManagementAlgorithm::AesKeyWrap256, 1023 CoreJweKeyManagementAlgorithm::EcdhEs, 1024 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap128, 1025 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap192, 1026 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap256, 1027 ]), 1028 provider_metadata.id_token_encryption_alg_values_supported() 1029 ); 1030 assert_eq!( 1031 Some(&vec![ 1032 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 1033 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 1034 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 1035 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 1036 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 1037 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 1038 ]), 1039 provider_metadata.id_token_encryption_enc_values_supported() 1040 ); 1041 assert_eq!( 1042 Some(&vec![ 1043 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 1044 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 1045 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 1046 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 1047 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 1048 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 1049 CoreJwsSigningAlgorithm::HmacSha256, 1050 CoreJwsSigningAlgorithm::HmacSha384, 1051 CoreJwsSigningAlgorithm::HmacSha512, 1052 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 1053 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 1054 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 1055 CoreJwsSigningAlgorithm::None, 1056 ]), 1057 provider_metadata.userinfo_signing_alg_values_supported() 1058 ); 1059 assert_eq!( 1060 Some(&vec![ 1061 CoreJweKeyManagementAlgorithm::RsaPkcs1V15, 1062 CoreJweKeyManagementAlgorithm::RsaOaep, 1063 CoreJweKeyManagementAlgorithm::RsaOaepSha256, 1064 CoreJweKeyManagementAlgorithm::AesKeyWrap128, 1065 CoreJweKeyManagementAlgorithm::AesKeyWrap192, 1066 CoreJweKeyManagementAlgorithm::AesKeyWrap256, 1067 CoreJweKeyManagementAlgorithm::EcdhEs, 1068 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap128, 1069 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap192, 1070 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap256, 1071 ]), 1072 provider_metadata.userinfo_encryption_alg_values_supported() 1073 ); 1074 assert_eq!( 1075 Some(&vec![ 1076 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 1077 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 1078 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 1079 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 1080 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 1081 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 1082 ]), 1083 provider_metadata.userinfo_encryption_enc_values_supported() 1084 ); 1085 assert_eq!( 1086 Some(&vec![ 1087 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 1088 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 1089 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 1090 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 1091 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 1092 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 1093 CoreJwsSigningAlgorithm::HmacSha256, 1094 CoreJwsSigningAlgorithm::HmacSha384, 1095 CoreJwsSigningAlgorithm::HmacSha512, 1096 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 1097 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 1098 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 1099 CoreJwsSigningAlgorithm::None, 1100 ]), 1101 provider_metadata.request_object_signing_alg_values_supported() 1102 ); 1103 assert_eq!( 1104 Some(&vec![ 1105 CoreJweKeyManagementAlgorithm::RsaPkcs1V15, 1106 CoreJweKeyManagementAlgorithm::RsaOaep, 1107 CoreJweKeyManagementAlgorithm::RsaOaepSha256, 1108 CoreJweKeyManagementAlgorithm::AesKeyWrap128, 1109 CoreJweKeyManagementAlgorithm::AesKeyWrap192, 1110 CoreJweKeyManagementAlgorithm::AesKeyWrap256, 1111 CoreJweKeyManagementAlgorithm::EcdhEs, 1112 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap128, 1113 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap192, 1114 CoreJweKeyManagementAlgorithm::EcdhEsAesKeyWrap256, 1115 ]), 1116 provider_metadata.request_object_encryption_alg_values_supported() 1117 ); 1118 assert_eq!( 1119 Some(&vec![ 1120 CoreJweContentEncryptionAlgorithm::Aes128CbcHmacSha256, 1121 CoreJweContentEncryptionAlgorithm::Aes192CbcHmacSha384, 1122 CoreJweContentEncryptionAlgorithm::Aes256CbcHmacSha512, 1123 CoreJweContentEncryptionAlgorithm::Aes128Gcm, 1124 CoreJweContentEncryptionAlgorithm::Aes192Gcm, 1125 CoreJweContentEncryptionAlgorithm::Aes256Gcm, 1126 ]), 1127 provider_metadata.request_object_encryption_enc_values_supported() 1128 ); 1129 assert_eq!( 1130 Some(&vec![ 1131 CoreClientAuthMethod::ClientSecretPost, 1132 CoreClientAuthMethod::ClientSecretBasic, 1133 CoreClientAuthMethod::ClientSecretJwt, 1134 CoreClientAuthMethod::PrivateKeyJwt, 1135 ]), 1136 provider_metadata.token_endpoint_auth_methods_supported() 1137 ); 1138 assert_eq!( 1139 Some(&vec![ 1140 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha256, 1141 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha384, 1142 CoreJwsSigningAlgorithm::RsaSsaPkcs1V15Sha512, 1143 CoreJwsSigningAlgorithm::EcdsaP256Sha256, 1144 CoreJwsSigningAlgorithm::EcdsaP384Sha384, 1145 CoreJwsSigningAlgorithm::EcdsaP521Sha512, 1146 CoreJwsSigningAlgorithm::HmacSha256, 1147 CoreJwsSigningAlgorithm::HmacSha384, 1148 CoreJwsSigningAlgorithm::HmacSha512, 1149 CoreJwsSigningAlgorithm::RsaSsaPssSha256, 1150 CoreJwsSigningAlgorithm::RsaSsaPssSha384, 1151 CoreJwsSigningAlgorithm::RsaSsaPssSha512, 1152 ]), 1153 provider_metadata.token_endpoint_auth_signing_alg_values_supported() 1154 ); 1155 assert_eq!(None, provider_metadata.display_values_supported()); 1156 assert_eq!( 1157 Some(&vec![ 1158 CoreClaimType::Normal, 1159 CoreClaimType::Aggregated, 1160 CoreClaimType::Distributed, 1161 ]), 1162 provider_metadata.claim_types_supported() 1163 ); 1164 assert_eq!( 1165 Some(&vec![ 1166 CoreClaimName::new("name".to_string()), 1167 CoreClaimName::new("given_name".to_string()), 1168 CoreClaimName::new("middle_name".to_string()), 1169 CoreClaimName::new("picture".to_string()), 1170 CoreClaimName::new("email_verified".to_string()), 1171 CoreClaimName::new("birthdate".to_string()), 1172 CoreClaimName::new("sub".to_string()), 1173 CoreClaimName::new("address".to_string()), 1174 CoreClaimName::new("zoneinfo".to_string()), 1175 CoreClaimName::new("email".to_string()), 1176 CoreClaimName::new("gender".to_string()), 1177 CoreClaimName::new("preferred_username".to_string()), 1178 CoreClaimName::new("family_name".to_string()), 1179 CoreClaimName::new("website".to_string()), 1180 CoreClaimName::new("profile".to_string()), 1181 CoreClaimName::new("phone_number_verified".to_string()), 1182 CoreClaimName::new("nickname".to_string()), 1183 CoreClaimName::new("updated_at".to_string()), 1184 CoreClaimName::new("phone_number".to_string()), 1185 CoreClaimName::new("locale".to_string()), 1186 ]), 1187 provider_metadata.claims_supported() 1188 ); 1189 assert_eq!(None, provider_metadata.service_documentation()); 1190 assert_eq!(None, provider_metadata.claims_locales_supported()); 1191 assert_eq!(None, provider_metadata.ui_locales_supported()); 1192 assert_eq!(Some(true), provider_metadata.claims_parameter_supported()); 1193 assert_eq!(Some(true), provider_metadata.request_parameter_supported()); 1194 assert_eq!( 1195 Some(true), 1196 provider_metadata.request_uri_parameter_supported() 1197 ); 1198 assert_eq!( 1199 Some(true), 1200 provider_metadata.require_request_uri_registration() 1201 ); 1202 assert_eq!(None, provider_metadata.op_policy_uri()); 1203 assert_eq!(None, provider_metadata.op_tos_uri()); 1204 1205 // Note: the following fields provided by the response above are not part of the OpenID 1206 // Connect Discovery 1.0 spec: 1207 // - end_session_endpoint 1208 // - version 1209 1210 let serialized_json = serde_json::to_string(&provider_metadata).unwrap(); 1211 1212 let redeserialized_metadata: CoreProviderMetadata = 1213 serde_json::from_str(&serialized_json).unwrap(); 1214 assert_eq!(provider_metadata, redeserialized_metadata); 1215 } 1216 1217 // Tests the fields missing from the example response in test_discovery_deserialization(). 1218 #[test] test_discovery_deserialization_other_fields()1219 fn test_discovery_deserialization_other_fields() { 1220 let json_response = "{ 1221 \"issuer\" : \"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\", 1222 \"authorization_endpoint\" : \"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/authorization\", 1223 \"jwks_uri\" : \"https://rp.certification.openid.net:8080/static/jwks_oMXD5waO08Q1GEnv.json\", 1224 \"response_types_supported\" : [ 1225 \"code\", 1226 \"code token\", 1227 \"code id_token\", 1228 \"id_token token\", 1229 \"code id_token token\", 1230 \"token id_token\", 1231 \"token id_token code\", 1232 \"id_token\", 1233 \"token\" 1234 ], 1235 \"subject_types_supported\" : [ 1236 \"public\", 1237 \"pairwise\" 1238 ], 1239 \"id_token_signing_alg_values_supported\" : [ 1240 \"HS256\", 1241 \"HS384\", 1242 \"HS512\" 1243 ], 1244 \"display_values_supported\" : [ 1245 \"page\", 1246 \"popup\", 1247 \"touch\", 1248 \"wap\" 1249 ], 1250 \"service_documentation\" : \"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/documentation\", 1251 \"claims_locales_supported\" : [ 1252 \"de\", 1253 \"fr\", 1254 \"de-CH-1901\" 1255 ], 1256 \"ui_locales_supported\" : [ 1257 \"ja\", 1258 \"sr-Latn\", 1259 \"yue-HK\" 1260 ], 1261 \"op_policy_uri\" : \"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/op_policy\", 1262 \"op_tos_uri\" : \"https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code/op_tos\" 1263 }"; 1264 1265 let provider_metadata: CoreProviderMetadata = serde_json::from_str(json_response).unwrap(); 1266 1267 assert_eq!( 1268 IssuerUrl::new( 1269 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code" 1270 .to_string() 1271 ) 1272 .unwrap(), 1273 *provider_metadata.issuer() 1274 ); 1275 assert_eq!( 1276 AuthUrl::new( 1277 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\ 1278 /authorization" 1279 .to_string() 1280 ) 1281 .unwrap(), 1282 *provider_metadata.authorization_endpoint() 1283 ); 1284 assert_eq!(None, provider_metadata.token_endpoint()); 1285 assert_eq!(None, provider_metadata.userinfo_endpoint()); 1286 assert_eq!( 1287 JsonWebKeySetUrl::new( 1288 "https://rp.certification.openid.net:8080/static/jwks_oMXD5waO08Q1GEnv.json" 1289 .to_string() 1290 ) 1291 .unwrap(), 1292 *provider_metadata.jwks_uri() 1293 ); 1294 assert_eq!(None, provider_metadata.registration_endpoint()); 1295 assert_eq!(None, provider_metadata.scopes_supported()); 1296 assert_eq!( 1297 vec![ 1298 ResponseTypes::new(vec![CoreResponseType::Code]), 1299 ResponseTypes::new(vec![CoreResponseType::Code, CoreResponseType::Token]), 1300 ResponseTypes::new(vec![CoreResponseType::Code, CoreResponseType::IdToken]), 1301 ResponseTypes::new(vec![CoreResponseType::IdToken, CoreResponseType::Token]), 1302 ResponseTypes::new(vec![ 1303 CoreResponseType::Code, 1304 CoreResponseType::IdToken, 1305 CoreResponseType::Token, 1306 ]), 1307 ResponseTypes::new(vec![CoreResponseType::Token, CoreResponseType::IdToken]), 1308 ResponseTypes::new(vec![ 1309 CoreResponseType::Token, 1310 CoreResponseType::IdToken, 1311 CoreResponseType::Code, 1312 ]), 1313 ResponseTypes::new(vec![CoreResponseType::IdToken]), 1314 ResponseTypes::new(vec![CoreResponseType::Token]), 1315 ], 1316 *provider_metadata.response_types_supported() 1317 ); 1318 assert_eq!(None, provider_metadata.response_modes_supported()); 1319 assert_eq!(None, provider_metadata.grant_types_supported()); 1320 assert_eq!(None, provider_metadata.acr_values_supported()); 1321 assert_eq!( 1322 vec![ 1323 CoreSubjectIdentifierType::Public, 1324 CoreSubjectIdentifierType::Pairwise, 1325 ], 1326 *provider_metadata.subject_types_supported() 1327 ); 1328 assert_eq!( 1329 vec![ 1330 CoreJwsSigningAlgorithm::HmacSha256, 1331 CoreJwsSigningAlgorithm::HmacSha384, 1332 CoreJwsSigningAlgorithm::HmacSha512, 1333 ], 1334 *provider_metadata.id_token_signing_alg_values_supported() 1335 ); 1336 assert_eq!( 1337 None, 1338 provider_metadata.id_token_encryption_alg_values_supported() 1339 ); 1340 assert_eq!( 1341 None, 1342 provider_metadata.id_token_encryption_enc_values_supported() 1343 ); 1344 assert_eq!( 1345 None, 1346 provider_metadata.userinfo_signing_alg_values_supported() 1347 ); 1348 assert_eq!( 1349 None, 1350 provider_metadata.userinfo_encryption_alg_values_supported() 1351 ); 1352 assert_eq!( 1353 None, 1354 provider_metadata.userinfo_encryption_enc_values_supported() 1355 ); 1356 assert_eq!( 1357 None, 1358 provider_metadata.request_object_signing_alg_values_supported() 1359 ); 1360 assert_eq!( 1361 None, 1362 provider_metadata.request_object_encryption_alg_values_supported() 1363 ); 1364 assert_eq!( 1365 None, 1366 provider_metadata.request_object_encryption_enc_values_supported() 1367 ); 1368 assert_eq!( 1369 None, 1370 provider_metadata.token_endpoint_auth_methods_supported() 1371 ); 1372 assert_eq!( 1373 None, 1374 provider_metadata.token_endpoint_auth_signing_alg_values_supported() 1375 ); 1376 assert_eq!( 1377 Some(&vec![ 1378 CoreAuthDisplay::Page, 1379 CoreAuthDisplay::Popup, 1380 CoreAuthDisplay::Touch, 1381 CoreAuthDisplay::Wap, 1382 ]), 1383 provider_metadata.display_values_supported() 1384 ); 1385 assert_eq!(None, provider_metadata.claim_types_supported()); 1386 assert_eq!(None, provider_metadata.claims_supported()); 1387 1388 assert_eq!( 1389 Some( 1390 &ServiceDocUrl::new( 1391 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\ 1392 /documentation" 1393 .to_string() 1394 ) 1395 .unwrap() 1396 ), 1397 provider_metadata.service_documentation() 1398 ); 1399 assert_eq!( 1400 Some(&vec![ 1401 LanguageTag::new("de".to_string()), 1402 LanguageTag::new("fr".to_string()), 1403 LanguageTag::new("de-CH-1901".to_string()), 1404 ]), 1405 provider_metadata.claims_locales_supported() 1406 ); 1407 assert_eq!( 1408 Some(&vec![ 1409 LanguageTag::new("ja".to_string()), 1410 LanguageTag::new("sr-Latn".to_string()), 1411 LanguageTag::new("yue-HK".to_string()), 1412 ]), 1413 provider_metadata.ui_locales_supported() 1414 ); 1415 assert_eq!(None, provider_metadata.claims_parameter_supported()); 1416 assert_eq!(None, provider_metadata.request_parameter_supported()); 1417 assert_eq!(None, provider_metadata.request_uri_parameter_supported()); 1418 assert_eq!(None, provider_metadata.require_request_uri_registration()); 1419 assert_eq!( 1420 Some( 1421 &OpPolicyUrl::new( 1422 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\ 1423 /op_policy" 1424 .to_string() 1425 ) 1426 .unwrap() 1427 ), 1428 provider_metadata.op_policy_uri() 1429 ); 1430 assert_eq!( 1431 Some( 1432 &OpTosUrl::new( 1433 "https://rp.certification.openid.net:8080/openidconnect-rs/rp-response_type-code\ 1434 /op_tos" 1435 .to_string() 1436 ) 1437 .unwrap() 1438 ), 1439 provider_metadata.op_tos_uri() 1440 ); 1441 1442 let serialized_json = serde_json::to_string(&provider_metadata).unwrap(); 1443 1444 let redeserialized_metadata: CoreProviderMetadata = 1445 serde_json::from_str(&serialized_json).unwrap(); 1446 assert_eq!(provider_metadata, redeserialized_metadata); 1447 } 1448 } 1449