Expand description
§arcly-http-identity — CIAM building-block engine
A storage-agnostic Customer Identity & Access Management (CIAM) engine for
arcly-http. It is not a turnkey product (no admin console, no hosted
login UI): it ships the traits, services, and (optional) controllers you
compose into your own identity provider, in the same spirit as Ory
Kratos/Hydra but as an embeddable Rust crate.
§What it gives you
| Area | Type |
|---|---|
| User & credential storage | store::UserStore, store::CredentialStore |
| Password hashing | password::PasswordHasher + password::Argon2idHasher |
| Register / login / refresh / logout | identity::IdentityService |
| Brute-force protection | lockout::LockoutPolicy |
| One-time tokens (verify / reset / magic link) | ott::OneTimeTokenService |
| Passwordless (magic link + email/SMS OTP) | passwordless::PasswordlessService |
| MFA (TOTP + recovery codes) | mfa |
| Passkeys / WebAuthn | mfa::passkey (feature passkey) |
| Adaptive / risk-based auth | risk::RiskEngine |
| Consent (GDPR) | consent::ConsentStore |
| OIDC Provider | oidc (feature oidc) |
§Design contract (matches the framework)
- All I/O is behind a trait — you supply the Postgres/Redis/email backends; the crate links no database or mail SDK.
- Provide services via DI in an
ArclyPlugin::on_init(ctx.provide(IdentityService::new(...))), then resolve withInject<T>. - Tokens are minted through the framework’s
JwtServiceso every existing guard (JWT_AUTH,RoleGuard, perms, ABAC) keeps working. - CPU-bound work runs off the reactor via
spawn_blocking.
Re-exports§
pub use error::IdentityError;pub use identity::IdentityConfig;pub use identity::IdentityService;pub use model::AccountStatus;pub use model::Identity;pub use model::LoginOutcome;pub use model::MfaState;pub use model::TokenResponse;pub use password::Argon2idHasher;pub use password::PasswordHasher;pub use store::CredentialStore;pub use store::UserStore;
Modules§
- consent
- Consent capture & withdrawal (GDPR / privacy). A
ConsentStorerecords which purposes a subject has agreed to, with a timestamp and version, so the app can prove lawful basis and honour withdrawal. - dpop
- DPoP — Demonstration of Proof-of-Possession (RFC 9449), i.e. sender-constrained access tokens (H3).
- error
- Error type for the identity engine, with a mapping to the framework’s
HttpExceptionso handlers can?directly and get RFC-7807 problem responses with the right status codes. - federation
- Secure federated login (“Sign in with Google / Facebook / an enterprise
IdP”). This is the relying-party side — the app consumes an external
identity — as opposed to
crate::oidc, which is an identity provider. - identity
IdentityService— the orchestrator that ties stores, hashing, JWT minting, lockout, and MFA together into the register / login / refresh / logout flows. Provide it via DI and call it from your controllers (or mount the ready-made ones behind thecontrollersfeature).- lockout
- Brute-force / credential-stuffing lockout, backed by a pluggable counter.
- mfa
- Multi-factor authentication: the
MfaVerifierhook the login flow calls, plus concrete factors (TOTP today, passkeys behind thepasskeyfeature). - model
- Canonical identity records and the DTOs the flows exchange.
- notify
- Delivery of identity messages (verification links, reset links, OTP codes,
magic links). The app supplies the transport — the crate links no mail/SMS
SDK, matching the
OAuth2Provider/SecretSourcepattern. - oidc
- OpenID Connect Provider — turn the app into an identity provider.
- ott
- One-time tokens: the shared primitive behind email/phone verification, password reset, magic-link login, and login OTP.
- password
- Password hashing behind a trait, with an Argon2id default and transparent bcrypt-verification so legacy hashes migrate on next login.
- passwordless
- Passwordless authentication built on
OneTimeTokenService+Notifier: magic-links (email) and one-time codes (email or SMS). - prelude
- One-line prelude for CIAM apps.
- risk
- Adaptive / risk-based authentication. A
RiskEnginescores a login attempt from environmental signals; the login flow uses the verdict to allow, force step-up MFA, or deny. - session
- Server-side token state: refresh-token rotation, pending MFA challenges, and the per-user device/session index used for “log out everywhere” and back-channel revocation (Phase 4).
- store
- Storage traits — the app supplies the backends (Postgres, Redis, …). The
crate links no database. An in-memory implementation (
MemoryStore) is provided for tests, examples, and local development.