Make the OIDC issuer a string instead of a URL

2025-07-29 22:01:14 +03:00 · 2022-12-02 15:38:53 +01:00
parent 68b477cae1
commit 95a879585b
9 changed files with 80 additions and 65 deletions
--- a/crates/oidc-client/src/requests/discovery.rs
+++ b/crates/oidc-client/src/requests/discovery.rs
@ -31,11 +31,11 @@ use crate::{
 /// Fetch the provider metadata.
 async fn discover_inner(
    http_service: &HttpService,
-    issuer: &Url,
+    issuer: Url,
 ) -> Result<ProviderMetadata, DiscoveryError> {
    tracing::debug!("Fetching provider metadata...");

-    let mut config_url = issuer.clone();
+    let mut config_url = issuer;

    // If the path doesn't end with a slash, the last segment is removed when
    // using `join`.
@ -69,9 +69,9 @@ async fn discover_inner(
 #[tracing::instrument(skip_all, fields(issuer))]
 pub async fn discover(
    http_service: &HttpService,
-    issuer: &Url,
+    issuer: &str,
 ) -> Result<VerifiedProviderMetadata, DiscoveryError> {
-    let provider_metadata = discover_inner(http_service, issuer).await?;
+    let provider_metadata = discover_inner(http_service, issuer.parse()?).await?;

    Ok(provider_metadata.validate(issuer)?)
 }
@ -101,9 +101,9 @@ pub async fn discover(
 #[tracing::instrument(skip_all, fields(issuer))]
 pub async fn insecure_discover(
    http_service: &HttpService,
-    issuer: &Url,
+    issuer: &str,
 ) -> Result<VerifiedProviderMetadata, DiscoveryError> {
-    let provider_metadata = discover_inner(http_service, issuer).await?;
+    let provider_metadata = discover_inner(http_service, issuer.parse()?).await?;

    Ok(provider_metadata.insecure_verify_metadata()?)
 }
--- a/crates/oidc-client/src/requests/jose.rs
+++ b/crates/oidc-client/src/requests/jose.rs
@ -66,7 +66,7 @@ pub async fn fetch_jwks(
 #[derive(Clone, Copy)]
 pub struct JwtVerificationData<'a> {
    /// The URL of the issuer that generated the ID Token.
-    pub issuer: &'a Url,
+    pub issuer: &'a str,

    /// The issuer's JWKS.
    pub jwks: &'a PublicJsonWebKeySet,
@ -127,7 +127,7 @@ pub fn verify_signed_jwt<'a>(
    let (header, mut claims) = jwt.clone().into_parts();

    // Must have the proper issuer.
-    claims::ISS.extract_required_with_options(&mut claims, issuer.as_str())?;
+    claims::ISS.extract_required_with_options(&mut claims, issuer)?;

    // Must have the proper audience.
    claims::AUD.extract_required_with_options(&mut claims, client_id)?;