Add equality claim validator

crates/oidc-client/src/error.rs

@@ -335,10 +335,6 @@ where
 /// All possible errors when exchanging a code for an access token.
 #[derive(Debug, Error)]
 pub enum TokenAuthorizationCodeError {
-    /// The nonce doesn't match the one that was sent.
-    #[error("wrong nonce")]
-    WrongNonce,
-
     /// An error occurred requesting the access token.
     #[error(transparent)]
     Token(#[from] TokenRequestError),
@@ -606,10 +602,6 @@ pub enum JwtVerificationError {
     #[error(transparent)]
     Claim(#[from] ClaimError),
 
-    /// The issuer is not the one that sent the JWT.
-    #[error("wrong issuer claim")]
-    WrongIssuer,
-
     /// The audience of the JWT is not this client.
     #[error("wrong aud claim")]
     WrongAudience,

crates/oidc-client/src/requests/authorization_code.rs

@@ -444,12 +444,9 @@ pub async fn access_token_with_authorization_code(
             .map_err(IdTokenError::from)?;
 
         // Nonce must match.
-        let token_nonce = claims::NONCE
-            .extract_required(&mut claims)
+        claims::NONCE
+            .extract_required_with_options(&mut claims, validation_data.nonce.as_str())
             .map_err(IdTokenError::from)?;
-        if token_nonce != validation_data.nonce {
-            return Err(TokenAuthorizationCodeError::WrongNonce);
-        }
 
         Some(id_token.into_owned())
     } else {

crates/oidc-client/src/requests/jose.rs

@@ -127,10 +127,7 @@ pub fn verify_signed_jwt<'a>(
     let (header, mut claims) = jwt.clone().into_parts();
 
     // Must have the proper issuer.
-    let iss = claims::ISS.extract_required(&mut claims)?;
-    if iss != issuer.as_str() {
-        return Err(JwtVerificationError::WrongIssuer);
-    }
+    claims::ISS.extract_required_with_options(&mut claims, issuer.as_str())?;
 
     // Must have the proper audience.
     let aud = claims::AUD.extract_required(&mut claims)?;