Add equality claim validator

crates/oidc-client/src/error.rs

@@ -335,10 +335,6 @@ where
 /// All possible errors when exchanging a code for an access token.
 #[derive(Debug, Error)]
 pub enum TokenAuthorizationCodeError {
-    /// The nonce doesn't match the one that was sent.
-    #[error("wrong nonce")]
-    WrongNonce,
-
     /// An error occurred requesting the access token.
     #[error(transparent)]
     Token(#[from] TokenRequestError),
@@ -606,10 +602,6 @@ pub enum JwtVerificationError {
     #[error(transparent)]
     Claim(#[from] ClaimError),
 
-    /// The issuer is not the one that sent the JWT.
-    #[error("wrong issuer claim")]
-    WrongIssuer,
-
     /// The audience of the JWT is not this client.
     #[error("wrong aud claim")]
     WrongAudience,

crates/oidc-client/src/requests/authorization_code.rs

@@ -444,12 +444,9 @@ pub async fn access_token_with_authorization_code(
             .map_err(IdTokenError::from)?;
 
         // Nonce must match.
-        let token_nonce = claims::NONCE
-            .extract_required(&mut claims)
+        claims::NONCE
+            .extract_required_with_options(&mut claims, validation_data.nonce.as_str())
             .map_err(IdTokenError::from)?;
-        if token_nonce != validation_data.nonce {
-            return Err(TokenAuthorizationCodeError::WrongNonce);
-        }
 
         Some(id_token.into_owned())
     } else {

crates/oidc-client/src/requests/jose.rs

@@ -127,10 +127,7 @@ pub fn verify_signed_jwt<'a>(
     let (header, mut claims) = jwt.clone().into_parts();
 
     // Must have the proper issuer.
-    let iss = claims::ISS.extract_required(&mut claims)?;
-    if iss != issuer.as_str() {
-        return Err(JwtVerificationError::WrongIssuer);
-    }
+    claims::ISS.extract_required_with_options(&mut claims, issuer.as_str())?;
 
     // Must have the proper audience.
     let aud = claims::AUD.extract_required(&mut claims)?;

crates/oidc-client/tests/it/requests/authorization_code.rs

@@ -22,7 +22,7 @@ use chrono::Duration;
 use mas_iana::oauth::{
     OAuthAccessTokenType, OAuthClientAuthenticationMethod, PkceCodeChallengeMethod,
 };
-use mas_jose::jwk::PublicJsonWebKeySet;
+use mas_jose::{claims::ClaimError, jwk::PublicJsonWebKeySet};
 use mas_oidc_client::{
     error::{
         AuthorizationError, IdTokenError, PushedAuthorizationError, TokenAuthorizationCodeError,
@@ -358,7 +358,13 @@ async fn fail_access_token_with_authorization_code_wrong_nonce() {
     .await
     .unwrap_err();
 
-    assert_matches!(error, TokenAuthorizationCodeError::WrongNonce);
+    assert_matches!(
+        error,
+        TokenAuthorizationCodeError::IdToken(IdTokenError::Claim(ClaimError::ValidationError {
+            claim: "nonce",
+            ..
+        }))
+    );
 }
 
 #[tokio::test]

crates/oidc-client/tests/it/requests/jose.rs

@@ -18,7 +18,7 @@ use assert_matches::assert_matches;
 use chrono::{DateTime, Duration, Utc};
 use mas_iana::jose::JsonWebSignatureAlg;
 use mas_jose::{
-    claims,
+    claims::{self, ClaimError},
     constraints::Constrainable,
     jwk::PublicJsonWebKeySet,
     jwt::{JsonWebSignatureHeader, Jwt},
@@ -128,7 +128,13 @@ async fn fail_verify_id_token_wrong_issuer() {
 
     let error = verify_id_token(id_token.as_str(), verification_data, None, now).unwrap_err();
 
-    assert_matches!(error, IdTokenError::Jwt(JwtVerificationError::WrongIssuer));
+    assert_matches!(
+        error,
+        IdTokenError::Jwt(JwtVerificationError::Claim(ClaimError::ValidationError {
+            claim: "iss",
+            ..
+        }))
+    );
 }
 
 #[tokio::test]

crates/oidc-client/tests/it/types/client_credentials.rs

@@ -467,10 +467,7 @@ fn verify_client_jwt(
     claims: &mut HashMap<String, Value>,
     token_endpoint: &String,
 ) -> Result<(), BoxError> {
-    let iss = claims::ISS.extract_required(claims)?;
-    if iss != CLIENT_ID {
-        return Err("Wrong iss".into());
-    }
+    claims::ISS.extract_required_with_options(claims, CLIENT_ID)?;
 
     let sub = claims::SUB.extract_required(claims)?;
     if sub != CLIENT_ID {