OpenID Client

Async, runtime-agnostic OpenID Connect / OAuth 2.0 client helpers for Rust. Currently being refactored, so the public API is still evolving.

Usage

• Documentation: https://docs.rs/openid-client
• Examples: https://github.com/sathyajithps/openid-client-examples

What Is Currently Implemented

The current tree includes helpers for:

• discovery: OIDC discovery, OAuth authorization server discovery, WebFinger lookup, and JWKS fetch
• authorization requests: authorization URLs, HTML form-post requests, PAR, request objects, and RP-initiated logout URLs
• callback and token flows: authorization code, implicit, hybrid, JARM, refresh token, and client credentials
• protected endpoints: UserInfo, generic resource requests, introspection, and revocation
• extension flows: device authorization, CIBA, token exchange, DPoP, and mTLS endpoint aliases
• dynamic client registration: registration plus registration_client_uri fetch

Supporting modules expose request builders, metadata types, JOSE helpers, JWK utilities, token helpers, and a custom async HTTP client trait.

Specs And Features

• OpenID Connect Core 1.0
  • authorization code, implicit, and hybrid response validation
  • UserInfo requests, including JWT responses when configured
  • refresh token and client credentials grants
  • client authentication via none, client_secret_basic, client_secret_post, client_secret_jwt, and private_key_jwt
• OpenID Connect Discovery 1.0 and RFC 8414
  • issuer discovery
  • WebFinger-based issuer discovery
  • JWKS fetch from jwks_uri
• OpenID Connect Dynamic Client Registration 1.0
  • dynamic registration requests and responses
  • registration_client_uri fetch
• RFC 7009 token revocation
• RFC 7662 token introspection
• RFC 8628 device authorization and device code grant
• RFC 8693 generic token exchange helper with required response-field validation
• RFC 8705
  • mTLS endpoint aliases
  • certificate-bound access tokens
  • tls_client_auth and self_signed_tls_client_auth
• OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0
  • backchannel authentication requests
  • CIBA polling grant
• RFC 9101 signed request objects
• RFC 9126 pushed authorization requests
• RFC 9207 authorization response issuer validation
• JWT Secured Authorization Response Mode for OAuth 2.0
• RFC 9449
  • DPoP proof generation
  • nonce extraction and caching
  • DPoP-bound token and resource requests
• OpenID Connect RP-Initiated Logout 1.0
• FAPI-oriented helpers such as fapi request object shaping and hybrid s_hash checks

Crypto And HTTP Backend Notes

This crate is transport-agnostic. Implement the custom HTTP client trait if you want to bring your own async HTTP stack, or enable the bundled reqwest client with the http_client feature.

Two optional crypto backends exist:

• jws_only_crypto: JWS signing and verification only, no JWE support
• openssl_crypto: JWS and JWE support via Josekit

Important: the current default feature set enables both backends, and the crate selects jws_only_crypto whenever it is present. If you need encrypted ID tokens, encrypted UserInfo or JARM responses, or other JWE-dependent flows, use openssl_crypto without default features:

Current Limitations

• Request object encryption is not implemented yet; Client::request_object only creates signed or unsigned request objects.
• JWE-dependent flows require an OpenSSL/Josekit-backed build and configured decryption keys.

Support

Issues and pull requests are welcome: https://github.com/sathyajithps/openid-client

Alternatives

• openidconnect
• openid