Skip to main content

Crate axum_authentik_auth

Crate axum_authentik_auth 

Source
Expand description

§axum-authentik-auth

An axum extractor and middleware for authentik Proxy Provider forward authentication.

§Overview

When using authentik’s Proxy Provider with forward auth (single application), authentik sits in front of your application via a reverse proxy (like Nginx). After authenticating the user, it forwards user identity information through HTTP headers such as:

  • X-authentik-username
  • X-authentik-email
  • X-authentik-name
  • X-authentik-uid
  • X-authentik-groups

This crate parses those headers into a typed AuthentikUser struct and provides ergonomic extractors for axum handlers.

§Quick Start

use axum::{routing::get, Router, Json};
use axum_authentik_auth::AuthentikUser;

async fn me(user: AuthentikUser) -> Json<AuthentikUser> {
    Json(user)
}

#[tokio::main]
async fn main() {
    let app = Router::new()
        .route("/api/me", get(me));

    let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
        .await
        .unwrap();
    axum::serve(listener, app).await.unwrap();
}

§Extractor variants

  • AuthentikUser — requires authentication, returns 401 if missing
  • Option<AuthentikUser> — optional authentication, returns None if missing
  • require_group / require_all_groups / require_any_group — handler wrappers for group-based access control

§Custom header prefix

If your reverse proxy uses a different header prefix, use the tower layer (requires layer feature):

use axum_authentik_auth::layer::{AuthentikLayer, AuthentikConfig};

let app = Router::new()
    .route("/api/me", get(me))
    .layer(AuthentikLayer::with_config(
        AuthentikConfig {
            header_prefix: "x-myproxy".to_string(),
            require_auth: true,
        }
    ));

§Feature flags

  • layer: Enables the tower Layer / middleware for custom header prefix injection.

Re-exports§

pub use guard::GroupGuard;
pub use guard::RequireGroup;
pub use guard::require_all_groups;
pub use guard::require_any_group;
pub use guard::require_group;

Modules§

guard
Permission guards for group-based access control.

Structs§

AuthentikUser
User information extracted from authentik proxy headers after successful authentication.

Enums§

AuthentikError
Error type for authentik authentication failures.