JwtManager

Struct JwtManager 

pub struct JwtManager { /* private fields */ }

Common JWT token management for OAuth 2.0 and OpenID Connect operations.

JwtManager provides comprehensive JWT token creation, verification, and management capabilities specifically designed for OAuth 2.0 authorization servers and OpenID Connect providers. It supports both symmetric and asymmetric signing algorithms with security best practices.

§Supported Algorithms

  • HMAC: HS256, HS384, HS512 (symmetric)
  • RSA: RS256, RS384, RS512 (asymmetric)
  • ECDSA: ES256, ES384, ES512 (asymmetric)
  • EdDSA: EdDSA (asymmetric, Ed25519)

§Security Features

  • Algorithm Validation: Prevents algorithm confusion attacks
  • Time Validation: Automatic exp, nbf, and iat claim validation
  • Audience Validation: Ensures tokens are used by intended recipients
  • Issuer Validation: Verifies token origin
  • Secure Defaults: Uses secure algorithm choices and expiration times
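The verifier-side checks this list describes, written out as a stand-alone Rust example. This is added illustration code, not auth_framework's own implementation; it uses only the standard library, and the `Header`, `Claims`, `Expected` types and `validate` function are constructed for the example. Signature verification is assumed to have been done by the JWS layer before these checks run.

```rust
// Added example (not auth_framework code): claim and header validation
// applied to an already-parsed token, following RFC 7519 §4.1 and RFC 8725.

#[derive(Debug, PartialEq)]
pub enum Reject { Algorithm, Expired, NotYetValid, IssuedInFuture, Issuer, Audience }

pub struct Header<'a> { pub alg: &'a str }

pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a [&'a str],
    pub exp: i64,          // Unix seconds
    pub nbf: Option<i64>,
    pub iat: i64,
}

/// What this verifier expects. `alg` is pinned to the configured key and is
/// never taken from the token itself.
pub struct Expected<'a> {
    pub alg: &'a str,
    pub iss: &'a str,
    pub aud: &'a str,
    pub leeway: i64,       // tolerated clock skew, in seconds
}

pub fn validate(h: &Header, c: &Claims, e: &Expected, now: i64) -> Result<(), Reject> {
    // RFC 8725 §3.1: the announced `alg` must equal the algorithm configured for
    // the key, so `none` or a different family is rejected before any claim is read.
    if h.alg != e.alg { return Err(Reject::Algorithm); }
    // RFC 7519 §4.1.4: `now` must be strictly before `exp` (plus leeway).
    if now >= c.exp + e.leeway { return Err(Reject::Expired); }
    // §4.1.5: `now` must be at or after `nbf` (minus leeway) when present.
    if let Some(nbf) = c.nbf { if now < nbf - e.leeway { return Err(Reject::NotYetValid); } }
    // §4.1.6: a token that claims to have been issued in the future is malformed.
    if c.iat > now + e.leeway { return Err(Reject::IssuedInFuture); }
    // §4.1.1 / §4.1.3: issuer must match and this verifier must be in the audience.
    if c.iss != e.iss { return Err(Reject::Issuer); }
    if !c.aud.iter().any(|a| *a == e.aud) { return Err(Reject::Audience); }
    Ok(())
}

fn main() {
    // Constructed sample: an RS256 token issued for the `api` audience.
    let expected = Expected { alg: "RS256", iss: "https://auth.example.com", aud: "api", leeway: 60 };
    let claims = Claims { iss: "https://auth.example.com", aud: &["api"],
                          exp: 1_700_003_600, nbf: Some(1_700_000_000), iat: 1_700_000_000 };
    println!("{:?}", validate(&Header { alg: "RS256" }, &claims, &expected, 1_700_000_100)); // Ok(())
    println!("{:?}", validate(&Header { alg: "none" }, &claims, &expected, 1_700_000_100));  // Err(Algorithm)
}
```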

§Token Types Supported

  • Access Tokens: OAuth 2.0 access tokens with scopes
  • ID Tokens: OpenID Connect identity tokens
  • Refresh Tokens: Long-lived tokens for access token renewal
  • Custom Tokens: Application-specific token types

§Key Management

  • Symmetric Keys: HMAC-based signing with shared secrets
  • RSA Keys: Support for PKCS#1 and PKCS#8 key formats
  • Key Rotation: Support for multiple signing keys
  • Key Security: Secure key storage and access patterns

§Example

use auth_framework::server::core::common_jwt::{JwtManager, JwtConfig, CommonJwtClaims};
use serde_json::json;

// `private_key_bytes` and `public_key_bytes` hold the RSA key pair (PKCS#1 or
// PKCS#8, see Key Management); `expiration_time` is the absolute `exp` claim.
// All three are supplied by the caller, and the `?` operator requires the
// enclosing function to return a `Result`.

// Create JWT manager with RSA keys, bound to this issuer
let config = JwtConfig::with_rsa_keys(
    private_key_bytes,
    public_key_bytes,
    "https://auth.example.com".to_string(),
)?;
let jwt_manager = JwtManager::new(config);

// Create access token: issuer, subject, audience and expiry, plus a `scope` claim
let claims = CommonJwtClaims::new(
    "https://auth.example.com".to_string(),
    "user123".to_string(),
    vec!["api".to_string()],
    expiration_time,
).with_custom_claim("scope".to_string(), json!("read write"));

let token = jwt_manager.create_token(&claims)?;

// Verify token: checks the signature and the exp/nbf/iat, iss and aud claims
let verified_claims = jwt_manager.verify_token(&token)?;

§Performance Considerations

  • Asymmetric algorithms are more computationally expensive
  • Token verification is optimized for high-throughput scenarios
  • Key caching reduces cryptographic operation overhead

§RFC Compliance

  • RFC 7519: JSON Web Token (JWT)
  • RFC 7515: JSON Web Signature (JWS)
  • RFC 8725: JWT Best Current Practices
  • RFC 9068: JWT Profile for OAuth 2.0 Access Tokens

Implementations§

impl JwtManager

pub fn new(config: JwtConfig) -> Self

Create a new JWT manager from the given configuration.

pub fn create_token(&self, claims: &CommonJwtClaims) -> Result<String>

Create a signed JWT from a standard claim set.

pub fn create_token_with_custom_claims<T>(&self, claims: &T) -> Result<String>
where T: Serialize,

Create a signed JWT from any serializable claim set.

pub fn verify_token(&self, token: &str) -> Result<CommonJwtClaims>

Verify a JWT (signature and registered claims) and decode it into CommonJwtClaims.

pub fn verify_token_with_custom_claims<T>(&self, token: &str) -> Result<T>
where T: for<'de> Deserialize<'de>,

Verify a JWT and deserialize its claims into a custom type.

pub fn create_access_token(&self, subject: String, scope: Vec<String>, client_id: Option<String>) -> Result<String>

Create an OAuth 2.0 access token with the standard claims and the given scopes.

pub fn create_refresh_token(&self, subject: String, client_id: String) -> Result<String>

Create a refresh token bound to the subject and client.

pub fn create_id_token(&self, subject: String, nonce: Option<String>, auth_time: Option<i64>, user_info: HashMap<String, Value>) -> Result<String>

Create an OpenID Connect ID token with the given nonce, authentication time and user info.

Auto Trait Implementations§

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

fn implicit(self, class: Class, constructed: bool, tag: u32) -> TaggedParser<'a, Implicit, Self, E>

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true, and into a Right variant otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true, and into a Right variant otherwise.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if both self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> ErasedDestructor for T
where T: 'static,