Skip to main content

Crate axess_identity

Crate axess_identity 

Source
Expand description

Identity primitives for the axess workspace.

Two layers in one crate:

  1. Typed identifiers (id module, re-exported at the crate root): TenantId, UserId, DeviceId, SessionId, EventId: all FooId(Uuid) newtypes (16 bytes, Copy) minted via the define_id! macro. Adopters can declare their own domain ids (AccountId, OrderId, …) with the same shape.
  2. Principal abstraction: Principal unifies human and workload identity under one type so authorization policies, audit trails, and downstream consumers treat both kinds symmetrically. HumanPrincipal (a user behind an authenticated session) and WorkloadPrincipal (a service, batch job, agent, CI runner, anything that authenticates without an interactive session) both carry TenantId so the multi-tenant rail cuts through every consumer uniformly.

§Workload identity model

Workload identifiers follow the SPIFFE-ID URI shape from day one (spiffe://<trust-domain>/<path>), even when resolved from a non-SPIFFE source (Issuer::Cli today; JWT-SVID, mTLS, and SPIRE land later). Using the SPIFFE format up front means the on-wire identity string does not change when those resolution modes light up; only the Issuer variant flips.

§Layering

Foundation crate, deliberately small: depends only on axess-rng (for the DST-injectable SecureRng trait), uuid, and thiserror. No tokio, no axum, no Cedar. axess-core layers two more pieces on top:

  • SessionResolver: extracts a HumanPrincipal from an authenticated AuthSession (depends on axess-core’s session state machine).
  • ToCedarEntity trait: emits cedar_policy::Entity values for adopters using axess Cedar authorization (depends on cedar-policy).

Downstream consumers that only need the principal data (event envelope stamping, log spans, audit attribution) pull in axess-identity directly and skip the heavier axess-core dep.

Re-exports§

pub use human::HumanPrincipal;
pub use resolver::CliResolver;
pub use resolver::CliResolverBuilder;
pub use resolver::PrincipalResolver;
pub use workload::TrustDomain;
pub use workload::WorkloadId;
pub use workload::WorkloadPrincipal;
pub use id::*;

Modules§

human
Human principals: users authenticated through an interactive session.
id
Typed identifier primitives for the axess workspace.
resolver
PrincipalResolver trait + CliResolver impl.
testingtesting
Test fixtures for the identity layer.
workload
Workload principals: services, batch jobs, agents, CI runners.

Macros§

define_id
Declare a typed id newtype.

Enums§

IdentityError
Errors from principal construction and identity parsing.
Issuer
How a principal’s identity was vouched for at resolution time.
Principal
An authenticated principal: either a human user or a workload.