add XH auth plugin intgeration

.github/workflows/ci.yaml

@@ -32,7 +32,7 @@ jobs:
 
         rust:
           - stable
-          - "1.88" # MSRV
+          - "1.95" # MSRV
 
         os:
           - ubuntu-latest

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "oidc-cli"
-version = "0.7.3"
+version = "0.8.0"
 edition = "2024"
 description = "A command line tool to work with OIDC tokens"
 
@@ -11,12 +11,16 @@ categories = ["command-line-utilities", "authentication"]
 keywords = ["oidc", "cli"]
 readme = "README.md"
 # based on comfy table, requiring more recent lang features
-rust-version = "1.88"
+rust-version = "1.95"
 
 [[bin]]
 name = "oidc"
 path = "src/main.rs"
 
+[[bin]]
+name = "xh-plugin-oidc"
+path = "src/bin/xh-plugin-oidc.rs"
+
 [package.metadata.binstall]
 pkg-url = "{ repo }/releases/download/v{ version }/oidc-{ target }{ binary-ext }"
 pkg-fmt = "bin"
@@ -43,6 +47,7 @@ serde_yaml = "0.9"
 simplelog = "0.12"
 time = { version = "0.3", features = ["serde-well-known", "formatting"] }
 tokio = { version = "1.36", features = ["full"] }
+toml = "1.1.2"
 url = "2"
 
 openssl = "0.10" # transient dependency, required for vendoring

README.md

@@ -79,6 +79,35 @@ This also works with `curl`:
 curl http://example.com/api -H $(oidc token -H my-client)
 ```
 
+## XH integration
+
+Use the `xh-plugin-oidc` binary with `xh` custom auth plugins:
+
+```bash
+xh --auth-type=plugin:oidc --auth=my-client https://example.com/api
+```
+
+The `xh-plugin-oidc` binary can also discover the client name from a local config file. Starting from
+the current directory, it walks up parent directories and searches for `.xh-auth-oidc.json`,
+`.xh-auth-oidc.yaml`, then `.xh-auth-oidc.toml`:
+
+```toml
+client_name = "my-client"
+
+[http]
+timeout = "60s"
+connect_timeout = "30s"
+min_tls_version = "1.2"
+disable_system_certificates = false
+additional_root_certificates = []
+```
+
+Then the client name does not need to be passed to `xh`:
+
+```bash
+xh --auth-type=plugin:oidc https://example.com/api
+```
+
 ## More examples
 
 Create a public client from an initial refresh token. This can be useful if you have a frontend application, but no

src/bin/xh-plugin-oidc.rs

@@ -0,0 +1,21 @@
+#![deny(clippy::unwrap_used)]
+#![deny(clippy::expect_used)]
+
+use std::{
+    io::{stdin, stdout},
+    process::ExitCode,
+};
+
+#[tokio::main]
+async fn main() -> ExitCode {
+    match oidc_cli::plugin::run(stdin().lock(), stdout().lock()).await {
+        Ok(()) => ExitCode::SUCCESS,
+        Err(err) => {
+            eprintln!("{err}");
+            for (n, cause) in err.chain().enumerate().skip(1) {
+                eprintln!("  {n}: {cause}");
+            }
+            ExitCode::FAILURE
+        }
+    }
+}

src/cmd/mod.rs

@@ -1,33 +1,5 @@
-mod completion;
-mod create;
-mod delete;
-mod inspect;
-mod list;
-mod token;
-
-use std::process::ExitCode;
-
-#[derive(Debug, clap::Subcommand)]
-#[allow(clippy::large_enum_variant)]
-pub enum Command {
-    Create(create::Create),
-    Delete(delete::Delete),
-    Token(token::GetToken),
-    List(list::List),
-    Inspect(inspect::Inspect),
-    Completion(completion::GetCompletion),
-}
-
-impl Command {
-    pub async fn run(self) -> anyhow::Result<ExitCode> {
-        match self {
-            Self::Create(cmd) => cmd.run().await,
-            Self::Delete(cmd) => cmd.run().await,
-            Self::Token(cmd) => cmd.run().await,
-            Self::List(cmd) => cmd.run().await,
-            Self::Inspect(cmd) => cmd.run().await,
-            Self::Completion(cmd) => cmd.run().await,
-        }
-        .map(|()| ExitCode::SUCCESS)
-    }
-}
+pub mod create;
+pub mod delete;
+pub mod inspect;
+pub mod list;
+pub mod token;