DeterministicESPAsyncWebServer v6.28.0
Zero-allocation, bounded-execution async HTTP server for ESP32
Loading...
Searching...
No Matches
oidc.h File Reference

OpenID Connect ID-token verification, RS256 (DETWS_ENABLE_OIDC). More...

#include "ServerConfig.h"
#include <stddef.h>
#include <stdint.h>

Go to the source code of this file.

Detailed Description

OpenID Connect ID-token verification, RS256 (DETWS_ENABLE_OIDC).

A relying-party verifier for OIDC ID tokens (RFC 7519 JWT, OpenID Connect Core 3.1.3.7). Given an ID token and the issuer's JWKS, it:

  1. parses the JWT header and requires alg == RS256,
  2. selects the signing key by kid (or the sole key if the token has none),
  3. verifies the RSASSA-PKCS1-v1.5 SHA-256 signature (via ssh_rsa_verify - real modular exponentiation; mbedTLS-accelerated on ESP32),
  4. checks iss, aud (string or array), exp, and nbf against the caller's expectations and clock,
  5. extracts sub / email and the times into ::DetwsOidcClaims.

Zero-heap (fixed stack/BSS buffers) and host-tested against real openssl-signed RS256 vectors. The verifier is pure: it does NOT fetch anything. Fetching the discovery document / JWKS over HTTPS and caching keys is the caller's job (do it off the request hot path with the HTTP client, then pass the JWKS JSON here) - which keeps key rotation, caching policy, and TLS trust in the application's hands and the verifier deterministic.

Only RS256 (the OIDC default and by far the most common) is supported; HS256 shared-secret tokens are the JWT module's job (services/jwt), ES256 is out of scope.

Author
Douglas Quigg (dstroy0)
Date
2026

Definition in file oidc.h.