
Crate axess_factors


Factor implementations for axess: password (Argon2id), TOTP (RFC 6238), HOTP (RFC 4226).

All comparisons against secret material use subtle::ConstantTimeEq; all in-memory secrets are wrapped in zeroize::Zeroizing so the buffer is wiped on drop. Verification functions clamp digit length and TOTP drift windows to defensive bounds.

Module layout

  • password: Argon2id hashing/verification re-exports from password_auth (password feature).
  • hotp: HOTP per RFC 4226 with SHA-1 / SHA-256 / SHA-512 variants (hotp feature).
  • totp: TOTP per RFC 6238, secret generation, and otpauth:// URI builder (totp feature).

Each module is feature-gated; lib.rs re-exports everything at the crate root so downstream code can import via either path.

Re-exports

pub use password::PasswordConfig;
pub use password::PasswordRules;
pub use hotp::HOTP_LENGTH;
pub use hotp::HotpAlgorithm;
pub use hotp::HotpConfig;
pub use hotp::verify_hotp;
pub use totp::TOTP_LENGTH;
pub use totp::TOTP_PERIOD;
pub use totp::TotpConfig;
pub use totp::TotpVerifyParams;
pub use totp::build_totp_uri;
pub use totp::generate_totp_secret;
pub use totp::verify_totp;
pub use email_otp::EmailOtpConfig;
pub use fido2::Fido2Config;
pub use fido2::DefaultFido2Provider;
pub use fido2::Fido2Credential;
pub use fido2::Fido2Options;
pub use fido2::Fido2Provider;
pub use fido2::MockFido2Provider;
pub use ldap::LdapBindResult;
pub use ldap::LdapError;
pub use ldap::LdapGroupSearch;
pub use ldap::LdapProvider;
pub use ldap::LdapProviderConfig;
pub use ldap::MockLdapProvider;
pub use mtls::MtlsError;
pub use mtls::MtlsResolver;
pub use mtls::PeerCertChain;
pub use mtls::SpiffeIdComponents;
pub use mtls::peek_spiffe;
pub use oidc::Discovery;
pub use oidc::DiscoveryDocument;
pub use oidc::JwksCache;
pub use oidc::MIN_JWKS_REFRESH_INTERVAL;
pub use oidc::OidcError;
pub use bearer::BearerConfig;
pub use bearer::BearerError;
pub use bearer::BearerIssuerConfig;
pub use bearer::BearerTokenLayer;
pub use bearer::BearerTokenService;
pub use bearer::JwtVerificationError;
pub use bearer::WorkloadIdentity;
pub use bearer::validate_bearer_token;
pub use outbound_oauth_client::ClientAuthMethod;
pub use outbound_oauth_client::OAuthClientError;
pub use outbound_oauth_client::OutboundOAuthClient;
pub use otp_algorithm::OtpAlgorithm;
pub use secret::ZeroizedString;

Modules

bearer
Bearer JWT workload-authentication middleware. Verifies inbound Authorization: Bearer <jwt> headers against configured issuers and JWKS, and inserts a WorkloadIdentity into axum request extensions (bearer feature).
email_otp
Email OTP factor configuration: EmailOtpConfig, the typed challenge state for server-issued one-time codes delivered out-of-band by email (email_otp feature).
federation
Workload-identity federation. The generic federation::workload::WorkloadResolver verifies any JWT-bearer workload token (GitHub Actions OIDC, Kubernetes SA, GitLab CI OIDC, Okta, Azure AD, Auth0, axess LocalIdP, …) via a caller-supplied claim parser and mapping closure. Gated on the jwt feature.
fido2
FIDO2/WebAuthn factor data types: Fido2Config, Fido2Credential (credential metadata), Fido2Options, and re-exports of the webauthn-rs primitives the orchestrator persists alongside them (fido2 feature).
hotp
HOTP: HMAC-Based One-Time Passwords (RFC 4226).
jwt
Shared JWT primitives for signature verification and claim validation: JwtVerifier builder and SPIFFE JWT-SVID resolver (jwt / jwt-svid features). Adopters performing JWT verification (workload identity, federated OIDC checks, custom logout flows) share the same hardened parse-and-verify paths used internally by OAuth and back-channel logout.
ldap
LDAP simple-bind authentication against Active Directory or any LDAP-compatible directory: LdapProvider trait, LdapProviderConfig production impl (ldap3-backed), and MockLdapProvider (ldap feature). HealthCheck integration lives in axess-core as an extension impl.
mtls
mTLS SPIFFE X509-SVID resolver. Extracts a Principal::Workload from the leaf client certificate in a rustls peer-cert chain (mtls feature).
oauth
OAuth 2.0 / OpenID Connect relying-party support and ceremony surface: OAuthProvider trait, DefaultOAuthProvider (openidconnect-backed), builder, device flow, FAPI 2.0 DPoP (oauth / fapi features).
oidc
OIDC discovery and JWKS retrieval / rotation primitives (oidc feature). Shared between the full OAuth ceremony surface and adopters that verify JWTs without taking it.
otp_algorithm
OtpAlgorithm: the storage-shape HMAC algorithm tag shared by TotpConfig and HotpConfig. Gated on totp OR hotp because it has no consumer outside the two OTP configs.
outbound_oauth_client
Outbound OAuth client: client_credentials grant with optional private_key_jwt client assertion (RFC 7523) (outbound-oauth feature).
password
Password factor: Argon2id hashing/verification plus the typed PasswordConfig / PasswordRules data the orchestrator persists per user.
pkce
PKCE (RFC 7636) code_verifier predicate, exposed for application-side validation. Always on (no feature gate) because it is a pure-spec character-class check with no protocol dependencies.
secret
ZeroizedString: secret-string primitive shared across factor configs and other credential-bearing types in the axess workspace. Always on (no feature gate) because the orchestrator’s OAuth token storage and delegated-credential storage hold it without the password/totp/hotp features.
social
Plain-OAuth-2.0 user login (“social login”) for IdPs that don’t support OIDC (GitHub user login, Twitter/X, Discord, Reddit, Spotify, …). Off by default. Weaker security model than the OIDC path under oauth: claims come from a TLS-trusted userinfo endpoint, not from a signed assertion. See the module docs for the full delta and when to reach for this.
totp
TOTP: Time-Based One-Time Passwords (RFC 6238).

Structs

AuthenticationResult
Information about the authentication that occurred.
TOTP
TOTP holds information on how to generate an auth code and validate it. Its secret field is sensitive data; treat it accordingly.

Enums

AuthenticatorAttachment
The authenticator attachment hint. This is NOT enforced, and is only used to help a user select a relevant authenticator type.
TotpAlgorithm
Algorithm enum holding the three standard algorithms for TOTP, as per the reference implementation.

Functions

generate_password_hash
Generate a password hash for the given password.
verify_password
Verify the provided password against the provided password hash.

Type Aliases

CredentialID
The ID of this Credential.