refactor: tidy auth token validation and scope handling#764
Conversation
✅ Docs preview has no changesThe preview was not built because there were no changes. Build ID: 4c25b167fe8a540f1aee5c93 ✅ AI Style Review — No Changes DetectedNo MDX files were changed in this pull request. Review Log: View detailed log
|
DaleSeo
changed the title
|
⏭️ Changeset check skipped via label |
DaleSeo
added
the
skip-changeset
| /// back to alternate discovery URLs on failure; real providers advertise | ||
| /// the same `jwks_uri` from every well-known path. | ||
| async fn resolve_key(&self, server: &Url, key_id: &str) -> Option<VerificationKey> { | ||
| async fn resolve_key(&self, server: &Url, key_id: &str) -> Option<(Jwk, String)> { |
There was a problem hiding this comment.
Naive question, but what does the tuple approach provide thats superior to the VerificationKey struct approach? Is it just easier destructuring?
There was a problem hiding this comment.
I went with a tuple because VerificationKey felt like an incomplete name for a struct containing both the JWK and the issuer. I couldn't come up with a better name that wasn't overly wordy, so I thought I'd just opt for the tuple instead. :)
2 participants
On the validation side, we're moving the
Claimstype and the algorithm mapping out of the longvalidatemethod. Now, the function reads more clearly as a "try each server, resolve key, decode, check claims" loop, and we can unit-test the claim logic directly. We’re also replacing theVerificationKeystruct with a simple(Jwk, String)tuple returned fromKeyResolver::resolve_key.On the scope side, we're pulling the scope-sufficiency check into a new
ScopeMode::is_satisfied_bymethod. This way, the scope tests will use the actual logic instead of a copied version. We’re also rendering thescope_modeheader throughScopeMode::as_strinstead of going through a JSON round-trip.