OpenID Connect (OIDC)

OpenID Connect layers identity on top of OAuth 2.0. The Tessera edge engine plays both OIDC roles. As a Relying Party it consumes Okta and Entra using the Authorization Code flow with PKCE: it generates a fresh code_verifier, sends the S256 challenge explicitly, and on the callback verifies state, exchanges the code, and validates the ID token against the provider’s registered signing key — checking iss, aud, exp, and the nonce it issued.

Because the engine consumes two authorization servers at once, it is the textbook mix-up scenario, so it implements the RFC 9207 iss response parameter: it confirms the response came from the AS it actually redirected the user to before trusting any token.

As an OIDC Provider, the engine publishes /.well-known/openid-configuration and a jwks_uri over public HTTPS with a CA-signed certificate and a byte-identical issuer value, so AWS, Azure and GCP can establish trust against it (see Workload Identity Federation).

// Edge RP: Authorization Code + PKCE with EXPLICIT S256 (defaults to
// `plain` if omitted — the top RP bug). state + nonce always sent.
use openidconnect::{PkceCodeChallenge, CsrfToken, Nonce, Scope};

let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();

let (auth_url, csrf_state, nonce) = client
    .authorize_url(CsrfToken::new_random, Nonce::new_random)
    .add_scope(Scope::new("openid".into()))
    .add_scope(Scope::new("email".into()))
    .set_pkce_challenge(pkce_challenge) // method = S256, explicit
    .url();

// On callback: verify `iss` (RFC 9207) matches the AS we redirected to,
// verify `state` == csrf_state, exchange code with pkce_verifier, then
// validate the ID token: iss exact, aud contains client_id, signature
// against the REGISTERED alg (never the token's self-declared `alg`),
// exp in the future, and nonce == the nonce we sent.