Add Optional Support for Rocket-Okapi in IntrospectedUser

Cargo.toml

@@ -54,6 +54,8 @@ oidc = ["credentials", "dep:base64-compat"]
 ## Refer to the rocket module for more information.
 rocket = ["credentials", "oidc", "dep:rocket"]
 
+rocket_okapi = ["rocket", "dep:rocket_okapi"]
+
 [dependencies]
 actix-web = { version = "4.5.1", optional = true }
 async-trait = { version = "0.1.80", optional = true }
@@ -83,6 +85,7 @@ tonic = { version = "0.11", features = [
   "tls-roots-common",
 ], optional = true }
 tonic-types = { version = "0.11", optional = true }
+rocket_okapi = { version = "0.8.0", optional = true, default-features = false }
 
 [dev-dependencies]
 chrono = "0.4.38"

src/rocket/introspection/guard.rs

@@ -3,6 +3,14 @@ use openidconnect::TokenIntrospectionResponse;
 use rocket::http::Status;
 use rocket::request::{FromRequest, Outcome};
 use rocket::{async_trait, Request};
+#[cfg(feature = "rocket_okapi")]
+use rocket_okapi::gen::OpenApiGenerator;
+#[cfg(feature = "rocket_okapi")]
+use rocket_okapi::okapi::openapi3::{Responses, SecurityRequirement, SecurityScheme};
+#[cfg(feature = "rocket_okapi")]
+use rocket_okapi::okapi::Map;
+#[cfg(feature = "rocket_okapi")]
+use rocket_okapi::request::{OpenApiFromRequest, RequestHeaderInput};
 
 use crate::oidc::introspection::{introspect, IntrospectionError, ZitadelIntrospectionResponse};
 use crate::rocket::introspection::IntrospectionConfig;
@@ -142,6 +150,39 @@ impl<'request> FromRequest<'request> for &'request IntrospectedUser {
     }
 }
 
+#[cfg(feature = "rocket_okapi")]
+impl<'a> OpenApiFromRequest<'a> for &'a IntrospectedUser {
+    fn from_request_input(
+        _gen: &mut OpenApiGenerator,
+        _name: String,
+        _required: bool,
+        request: &Request,
+    ) -> rocket_okapi::Result<RequestHeaderInput> {
+        // Setup global requirement for Security scheme
+        let security_scheme = SecurityScheme {
+            description: Some(
+                "Use OpenID Connect to authenticate. (does not work in RapiDoc at all)".to_owned(),
+            ),
+            data: SecuritySchemeData::OpenIdConnect {
+                open_id_connect_url: "https://auth.domain.com/.well-known/openid-configuration"
+                    .to_owned(),
+            },
+            extensions: Object::default(),
+        };
+        // Add the requirement for this route/endpoint
+        // This can change between routes.
+        let mut security_req = SecurityRequirement::new();
+        // Each security requirement needs to be met before access is allowed.
+        security_req.insert("OpenID".to_owned(), Vec::new());
+        // These vvvv-------^^^^^^^ values need to match exactly!
+        Ok(RequestHeaderInput::Security(
+            "OpenID".to_owned(),
+            security_scheme,
+            security_req,
+        ))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     #![allow(clippy::all)]