
Axum (openidconnect-rs)

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

openidconnect-rs provides a type-safe OpenID Connect client for Rust. Key configuration:

  • Use CoreProviderMetadata::discover_async() for OIDC auto-discovery
  • PKCE is handled by PkceCodeChallenge::new_random_sha256(), which generates the challenge and its verifier
  • Define a custom claims struct implementing AdditionalClaims for type-safe access to Vouch-specific fields
  • Hardware attestation claims (hardware_verified, hardware_aaguid) are in the access token JWT — decode the payload after token exchange
  • Use tower-sessions for session management (use a persistent store in production)
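
The payload decode described in the hardware attestation bullet, as an added Rust example that is not code from Vouch or from web/axum-openidconnect. It uses only the standard library where a real service would use the base64 and serde_json crates; the claim types (hardware_verified as a JSON boolean, hardware_aaguid as a JSON string), the function names and the sample token are assumptions. It decodes the payload and performs no signature verification.

```rust
// Added example, std only (real code: base64 + serde_json crates). Decodes, never verifies.
// Assumed: hardware_verified is a JSON bool, hardware_aaguid a JSON string; SAMPLE is constructed.
const B64URL: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
pub const SAMPLE: &str = "e30.eyJoYXJkd2FyZV92ZXJpZmllZCI6dHJ1ZSwiaGFyZHdhcmVfYWFndWlkIjoidGVzdC1hYWd1aWQifQ.sig";

fn b64url(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.trim_end_matches('=').bytes() {
        acc = (acc << 6) | B64URL.iter().position(|&b| b == c)? as u32; // None on a foreign char
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Some(out)
}

/// Raw text of top-level member `key`; look-alikes nested deeper or inside strings are ignored.
fn member<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let (mut depth, mut in_str, mut esc) = (0, false, false);
    let (mut open, mut last, mut val) = (0, "", None);
    for (i, c) in json.char_indices() {
        match c {
            _ if in_str && esc => esc = false,
            '\\' if in_str => esc = true,
            '"' if in_str => { in_str = false; if depth == 1 { last = &json[open..i]; } }
            _ if in_str => {}
            '"' => { in_str = true; open = i + 1; }
            ':' if depth == 1 && last == key => val = Some(i + 1),
            '{' | '[' => depth += 1,
            '}' | ']' | ',' => {
                if let (1, Some(s)) = (depth, val) { return Some(json[s..i].trim()); }
                if depth == 1 { last = ""; }
                if c != ',' { depth -= 1; }
            }
            _ => {}
        }
    }
    None
}

/// (hardware_verified, hardware_aaguid) from a compact JWT; an absent or non-true flag is false.
pub fn hardware_claims(jwt: &str) -> Option<(bool, Option<String>)> {
    let seg: Vec<&str> = jwt.split('.').collect();
    if seg.len() != 3 { return None; }
    let json = String::from_utf8(b64url(seg[1])?).ok()?;
    let aaguid = member(&json, "hardware_aaguid")
        .and_then(|v| v.strip_prefix('"')?.strip_suffix('"'));
    Some((member(&json, "hardware_verified") == Some("true"), aaguid.map(str::to_owned)))
}

fn main() { println!("{:?}", hardware_claims(SAMPLE)); }
```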

Example

web/axum-openidconnect — Complete working example with type-safe claims, PKCE, and hardware claim extraction.