Lib.rs

Authentication
#openid-connect-client #oidc-client #ones #http-request #private-key #access-token #initiated

bin+lib ones-oidc

ONES OpenID Connect client for Rust

Owned by Franz Geffke.

9 releases

0.3.2 Aug 9, 2025
0.2.6 Mar 12, 2025
0.2.5 Feb 12, 2025
0.1.11 Jan 31, 2025

#389 in Authentication


Used in bcms

MIT license

86KB
2K SLoC

ONES OIDC Rust Authentication Library

Package to authenticate with ONES using OpenID Connect (OIDC) and Client Initiated Backchannel Authentication (CIBA).

Usage

1.0 Device Authentication

use ones_oidc::{OpenIdconnectClient, load_device_config, read_private_key, OnesOidcConfig};
use openidconnect::{ClientId, IssuerUrl, core::CoreProviderMetadata, reqwest::async_http_client};

let device_config = load_device_config("./device.yml").expect("Failed to load device config");
let private_key = read_private_key("./device.key").expect("Failed to load private key");

let client_id = device_config.client_id.clone();
let issuer_url = device_config.get_issuer_url().expect("Failed to get issuer URL");

let provider_metadata = CoreProviderMetadata::discover_async(
    issuer_url.clone(),
    async_http_client,
)
.await
.expect("Failed to discover OIDC metadata");

// Create client with default configuration
let openid_client = OpenIdconnectClient::new(
    client_id,
    issuer_url,
    provider_metadata,
    private_key,
);

// Or create client with custom configuration
let config = OnesOidcConfig::default();
let openid_client = OpenIdconnectClient::with_config(
    client_id,
    issuer_url,
    provider_metadata,
    private_key,
    config,
);

1.1 Get Device Access Token

// Reuse the `openid_client` from the previous example
let device_access_token = openid_client.device_access_token().await
    .expect("Failed to get device access token");

// Or use the non-cached version
let device_access_token = openid_client.request_device_access_token().await
    .expect("Failed to request device access token");

2.0 CIBA

Authenticate with user username (OnesID).

2.1 Make CIBA Request

use ones_oidc::{LoginHint, LoginHintKind};

// Reuse the `openid_client` from the previous example
let login_hint = LoginHint {
    kind: LoginHintKind::LoginHint,
    value: "user@example.com".to_string(),
};

let result = openid_client.make_ciba_request(
    &login_hint,
    "openid offline_access profile",
    "Authorize login to Example.com?",
    Some("https://example.com".to_string()),
    None, // qr_session_id
).await;

match result {
    Ok(ciba_response) => {
        println!("CIBA request successful: {:?}", ciba_response);
        // Use ciba_response.auth_req_id for status polling
    }
    Err(e) => {
        eprintln!("CIBA request failed: {}", e);
    }
}

2.2 Check CIBA Status

use ones_oidc::OidcError;

// Reuse the `openid_client` from the previous example
// Use the auth_req_id from the previous CIBA request
let auth_request_id = "your-auth-request-id";

match openid_client.check_ciba_status(auth_request_id).await {
    Ok(ciba_status) => {
        println!("CIBA Status: {:?}", ciba_status);
        // Process the successful response
        if let Some(access_token) = &ciba_status.access_token {
            println!("Access token received: {}", access_token.secret());
        }
    }
    Err(OidcError::CibaAuthenticationPending) => {
        println!("Authorization pending - user hasn't approved yet");
        // Continue polling
    }
    Err(e) => {
        eprintln!("CIBA status check failed: {}", e);
    }
}

3.0 Token Validation

// Reuse the `openid_client` from the previous example
let token = "your-jwt-or-opaque-token";

match openid_client.validate_token(&token, None).await {
    Ok(auth_result) => {
        println!("Token is valid!");
        println!("Subject: {}", auth_result.sub);
        println!("Issuer: {}", auth_result.iss);
        if let Some(username) = &auth_result.username {
            println!("Username: {}", username);
        }
    }
    Err(e) => {
        eprintln!("Token validation failed: {}", e);
    }
}

CLI Tool

The library includes a CLI tool for common operations:

Installation

Build the CLI tool:

cargo build --release --bin cli

Usage

Get Device Access Token

./target/release/cli device access-token

Show Device Configuration

./target/release/cli device config

Query Well-Known Application

./target/release/cli well-known <client-identifier>

Custom Configuration Paths

./target/release/cli --device-config /path/to/device.yml --device-private-key /path/to/key.pem device access-token

Help

./target/release/cli help
./target/release/cli device help

Dependencies

~28–46MB
~854K SLoC