§Continuous Access Evaluation Protocol (CAEP)
This module implements the Continuous Access Evaluation Protocol (CAEP), enabling real-time access evaluation and revocation based on security events and risk changes.
§Overview
CAEP extends traditional OAuth 2.0 and OpenID Connect by providing continuous monitoring and evaluation of access tokens, allowing for immediate revocation when security conditions change.
§Key Features
- Real-time Event Processing: Continuous monitoring of security events
- Automatic Access Revocation: Immediate token revocation on security events
- Cross-system Event Propagation: Events can trigger actions across multiple systems
- Risk-based Evaluation: Dynamic access decisions based on changing risk profiles
- Session State Management: Continuous session validity assessment
§Event Types
- User Events: Login/logout, profile changes, credential changes
- Session Events: Session creation, modification, timeout, suspicious activity
- Risk Events: Location changes, device changes, behavioral anomalies
- Policy Events: Access policy updates, compliance violations
- System Events: Service outages, security incidents
§Usage Example
```rust
use auth_framework::server::caep_continuous_access::*;
use auth_framework::server::{SessionManager, oidc_backchannel_logout::BackChannelLogoutManager};
use chrono::Duration;
use std::sync::Arc;
use async_trait::async_trait;

// Example event handler implementation
struct RiskScoreHandler;

#[async_trait]
impl CaepEventHandler for RiskScoreHandler {
    async fn handle_event(&self, event: &CaepEvent) -> auth_framework::errors::Result<()> {
        if event.risk_score > 0.8 {
            // High risk - a real implementation would revoke access here
            println!("High risk detected: {}", event.risk_score);
        }
        Ok(())
    }

    fn supported_event_types(&self) -> Vec<CaepEventType> {
        vec![CaepEventType::RiskScoreChange]
    }
}

// Initialize CAEP manager (simplified example - in real use, get managers from DI container)
let config = CaepConfig {
    event_stream_url: "wss://events.example.com/caep".to_string(),
    evaluation_interval: Duration::from_std(std::time::Duration::from_secs(30))?,
    auto_revoke: true,
    ..Default::default()
};

// In real code, build `caep_manager` (a `CaepManager`) from `config` together with the
// `SessionManager` and `BackChannelLogoutManager` obtained from your DI container;
// that construction is omitted from this snippet.

// Register event handler
caep_manager.register_event_handler(
    CaepEventType::RiskScoreChange,
    Arc::new(RiskScoreHandler)
).await?;

// Start continuous evaluation
caep_manager.start_continuous_evaluation().await?;
```
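The usage example above only shows where a handler plugs in; the evaluation itself (how an event changes a session's risk and turns into an allow, step-up or revoke decision, and how one subject-level event fans out to every session of that subject) is what CAEP adds over plain OAuth token lifetimes. The following is an added, self-contained illustration of that decision logic; it is not the crate's code and uses its own stand-in types (`Evaluator`, `Rule`, `Decision`, `Session`) rather than `CaepManager`, `CaepEvaluationRule` or `CaepAccessDecision`. Rules fire on event type and minimum severity, numeric risk scores are compared against two thresholds, the most restrictive signal wins, and revocation is sticky so a later benign reading cannot restore access.

```rust
use std::collections::HashMap;

/// Kinds of events the evaluator understands (stand-in for the crate's CaepEventType).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum EventType {
    RiskScoreChange,
    CredentialChange,
    DeviceChange,
}

/// Severity is ordered so a rule can require "at least Medium".
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Severity { Low, Medium, High, Critical }

/// Ordered from least to most restrictive, so combining signals is just `max`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Decision { Allow, StepUp, Revoke }

/// A security event from the stream; all instances here are constructed in-process.
#[derive(Debug, Clone)]
struct Event {
    subject: String,
    session_id: Option<String>, // None = applies to every session of the subject
    event_type: EventType,
    severity: Severity,
    risk_score: Option<f64>,    // only risk-score events carry a new score
}

#[derive(Debug, Clone)]
struct Session { subject: String, risk_score: f64, decision: Decision }

/// "When an event of this type with at least this severity arrives, take this action."
struct Rule { event_type: EventType, min_severity: Severity, action: Decision }

struct Evaluator {
    rules: Vec<Rule>,
    step_up_threshold: f64,
    revoke_threshold: f64,
    sessions: HashMap<String, Session>,
}

impl Evaluator {
    fn new(rules: Vec<Rule>, step_up_threshold: f64, revoke_threshold: f64) -> Self {
        Self { rules, step_up_threshold, revoke_threshold, sessions: HashMap::new() }
    }

    fn open_session(&mut self, session_id: &str, subject: &str, initial_risk: f64) {
        let s = Session { subject: subject.to_string(), risk_score: initial_risk, decision: Decision::Allow };
        self.sessions.insert(session_id.to_string(), s);
    }

    fn decision_for(&self, session_id: &str) -> Option<Decision> {
        self.sessions.get(session_id).map(|s| s.decision)
    }

    /// Decision implied by the numeric risk score alone.
    fn score_decision(&self, risk: f64) -> Decision {
        if risk >= self.revoke_threshold { Decision::Revoke }
        else if risk >= self.step_up_threshold { Decision::StepUp }
        else { Decision::Allow }
    }

    /// Most restrictive action among the rules matching this event (Allow if none match).
    fn rule_decision(&self, event: &Event) -> Decision {
        self.rules.iter()
            .filter(|r| r.event_type == event.event_type && event.severity >= r.min_severity)
            .map(|r| r.action)
            .max()
            .unwrap_or(Decision::Allow)
    }

    /// Apply one event to every session it targets. Returns (session_id, new decision)
    /// per affected session, sorted by id so callers get deterministic output.
    fn handle_event(&mut self, event: &Event) -> Vec<(String, Decision)> {
        let by_rule = self.rule_decision(event);
        // A subject-level event (session_id == None) fans out to all of that subject's sessions.
        let targets: Vec<String> = self.sessions.iter()
            .filter(|(id, s)| s.subject == event.subject
                && event.session_id.as_deref().map_or(true, |sid| sid == id.as_str()))
            .map(|(id, _)| id.clone())
            .collect();
        let mut out = Vec::new();
        for id in targets {
            let current = self.sessions[&id].risk_score;
            let new_risk = event.risk_score.map_or(current, |r| r.clamp(0.0, 1.0));
            let by_score = self.score_decision(new_risk);
            let session = self.sessions.get_mut(&id).unwrap();
            session.risk_score = new_risk;
            // Revocation is sticky: a later low-risk reading does not restore a revoked session.
            session.decision = if session.decision == Decision::Revoke {
                Decision::Revoke
            } else {
                by_rule.max(by_score)
            };
            out.push((id, session.decision));
        }
        out.sort();
        out
    }
}

/// Rule set used by the demo (constructed values, not a recommended policy).
fn demo_rules() -> Vec<Rule> {
    vec![
        Rule { event_type: EventType::CredentialChange, min_severity: Severity::High, action: Decision::Revoke },
        Rule { event_type: EventType::DeviceChange, min_severity: Severity::Medium, action: Decision::StepUp },
    ]
}

fn main() {
    let mut ev = Evaluator::new(demo_rules(), 0.5, 0.8);
    ev.open_session("s1", "alice", 0.1);
    ev.open_session("s2", "alice", 0.1);
    let e = Event { subject: "alice".into(), session_id: None, event_type: EventType::RiskScoreChange,
                    severity: Severity::Medium, risk_score: Some(0.6) };
    println!("{:?}", ev.handle_event(&e)); // both of alice's sessions move to StepUp
}
```

The point of `handle_event` returning the affected sessions is that the caller (the part that would talk to a `SessionManager` or send a back-channel logout) only ever acts on concrete session ids, and a subject-wide signal such as a credential change reaches every session at once rather than waiting for each token to expire.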
Structs§
- CaepConfig - Configuration for Continuous Access Evaluation Protocol
- CaepDeviceInfo - Device information for CAEP events
- CaepEvaluationResult - Result of a continuous access evaluation
- CaepEvaluationRule - Evaluation rule for continuous access decisions
- CaepEvent - A CAEP security event
- CaepEventSource - Source of a CAEP event
- CaepLocationInfo - Geographic location information for CAEP events
- CaepManager - Main CAEP manager for continuous access evaluation
- CaepSessionState - State of a CAEP session
- ComprehensiveSessionInfo - Comprehensive session information combining OIDC and CAEP data
Enums§
- CaepAccessDecision - Access decision from CAEP evaluation
- CaepEventSeverity - Severity levels for CAEP events
- CaepEventType - Types of CAEP events
- CaepRuleAction - Action to take when a CAEP rule is triggered
- CaepRuleCondition - Condition for a CAEP evaluation rule
Traits§
- CaepEventHandler - Event handler trait for CAEP events