kilork / openid

OpenID Connect Rust Library
The Unlicense

Issues with Nonce #21

Closed ctron closed 3 years ago

ctron commented 3 years ago

I have an issue with using nonces.

To my understanding, nonces should be validated between the browser and the SSO server.

When validating a token on the application (backend) side using openid::client::Client::validate_token, it requires a nonce, if the claims contain a nonce.

To my understanding, that shouldn't be enforced. Or is there a different way to validate a token in a backend system?

kilork commented 3 years ago

I think you can take a look at the microsoft.rs. We already had such a case once, where we did not need all of the validations. You can just follow the same approach, but exclude nonce validation if you do not need it.

ctron commented 3 years ago

hm ok … I will check that. thanks.

Maybe it would be nice then to have a "general purpose" validation method, providing e.g. a [Validate], with:

pub enum Validate {
  Nonce,
  Subject,
  …
}
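As an added illustration (not code from the openid crate or from either commenter), here is a pure-std Rust sketch of the selectable validation that the `Validate` enum above suggests: the nonce check runs only when the caller asks for it, so a backend that never generated the nonce can leave it out, while a caller that does request it fails closed on a missing or mismatched claim. The claim struct, the `Expected` type and all names are assumptions made for this example.

```rust
use std::collections::HashSet;

/// Subset of ID Token claims used by the checks below (constructed for this example).
#[derive(Debug, Clone)]
pub struct IdTokenClaims {
    pub iss: String,
    pub aud: Vec<String>,
    pub exp: u64,
    pub nonce: Option<String>,
}

/// Which checks to run; a backend that never issued the nonce simply omits `Nonce`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Validate {
    Issuer,
    Audience,
    Expiry,
    Nonce,
}

/// Values the relying party expects; `nonce` is only known to the party that created it.
pub struct Expected<'a> {
    pub issuer: &'a str,
    pub client_id: &'a str,
    pub now: u64,
    pub nonce: Option<&'a str>,
}

/// Runs exactly the checks listed in `checks`; every other claim is left alone.
pub fn validate_claims(claims: &IdTokenClaims, checks: &HashSet<Validate>, exp: &Expected<'_>) -> Result<(), String> {
    if checks.contains(&Validate::Issuer) && claims.iss != exp.issuer {
        return Err(format!("issuer mismatch: {}", claims.iss));
    }
    if checks.contains(&Validate::Audience) && !claims.aud.iter().any(|a| a == exp.client_id) {
        return Err("audience does not include this client".into());
    }
    if checks.contains(&Validate::Expiry) && claims.exp <= exp.now {
        return Err("token expired".into());
    }
    if checks.contains(&Validate::Nonce) {
        // Requested nonce check: both sides must hold one and they must match.
        // A missing claim is a failure, not a pass, so a stripped nonce cannot slip through.
        match (exp.nonce, claims.nonce.as_deref()) {
            (Some(want), Some(got)) if want == got => {}
            _ => return Err("nonce missing or mismatched".into()),
        }
    }
    Ok(())
}
```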

ctron commented 3 years ago

So I just tried to follow your advice, however it looks like the validate methods are in a private module (client) only. So there is no way to access them from an external crate.

My proposal would be to move them into a new module crate::validation and then publicly declare this module. You people could use openid::validation::validate_foo.

kilork commented 3 years ago

oops... yes, it is really difficult to use a private package, sorry for the unchecked suggestion. I will correct it soon, stay tuned!

ctron commented 3 years ago

No worries :) and thanks for the help!

kilork commented 3 years ago

@ctron I released the new version, checked already by myself, seems this works. Thank you for pointing out that issue!

ctron commented 3 years ago

Thanks for the quick fix and release … I will try it out immediately.