[−][src]Crate azure_jwt

A library that authenticates Azure JWT tokens.

This library will fetch public keys from Microsoft and validate the authenticity of the Tokens and verify that they are issued by Azure and are not tampered with.

It will also check that this token is issued to the right audience matching the aud property of the token with the client_id you got when you registered your app in Azure. If either of these fail, the token is invalid.

Dafault validation

There are mainly five conditions a well formed token will need to meet to be validated:

That the token is issued by Azure and is not tampered with
That this token is issued for use in your application
That the token is not expired
That the token is not used before it's valid
That the token is not issued in the future
That the algorithm in the token header is the same as we use*

Note that we do NOT use the token header to set the algorithm for us, look at this article for more information on why that would be bad

The validation will Error on a failed validation providing more granularity for library users to find out why the token was rejected.

If the token is invalid it will return an Error instead of a boolean. The main reason for this is easier logging of what type of test it failed.

Security

You will need a private app_id created by Azure for your application to be able to veriify that the token is created for your application (and not anyone with a valid Azure token can log in) and you will need to authenticate that the user has the right access to your system.

For more information, see this artice: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

Features

vendored feature will compile OpenSSL with the vendored feature: https://docs.rs/openssl/0.10.20/openssl/, but needs to be used with the default-features = false flag or an error will occur.


azure_jwt = {version="0.1, default-features = false,  features = ["vendored"]}

Example

use azure_jwt::*;


    let mut az_auth = AzureAuth::new("6e74172b-be56-4843-9ff4-e66a39bb12e3").unwrap();

    let decoded_token = az_auth.validate_token(&token).expect("validated");
    assert_eq!(decoded_token.claims.preferred_username, Some("abeli@microsoft.com".to_string()));

Example in webserver

struct AppState {
    azure_auth: auth::AzureAuth,
}

pub fn start_web_server(port: &str) -> Result<(), Error> {

    // since this calls windows api, wrap in Arc<Mutex<_>> and share the validator
    let app_state = Arc::new(Mutex::new(AppState {
        azure_auth: auth::AzureAuth::new("32166c25-5e31-4cfc-a29b-04d0dfdb019a").unwrap(),
    }));
    println!("Starting web server on: http://localhost:8000");

    server::new(move || app(app_state.clone())).bind(port)?.run();

    Ok(())
}

OpenSSL

This library depends on the openssl crate. There are two options:

If you have an installation of OpenSSL installed you can most likely compile this library with its default settings.
If you don't have OpenSSL libraries installed you can use the vendored feature that will in turn compile the OpenSSL with its vendored feature enabled. This will compile and statically link OpenSSL to the library. You will need a C compiler, Make and Perl installed for it to build.

You'll find more information here: https://docs.rs/openssl/0.10.20/openssl/

Windows

On windows, the vendored feature requires a small workaround to find the systems root certificates so we will add an additional dependency to fix that. For more information see: https://github.com/alexcrichton/openssl-probe

Note

There is another library providing the same functionality but on a slightly lower level. If you reauire more control then have a look at: https://github.com/tazjin/alcoholic_jwt

Structs

AzureAuth	AzureAuth is the what you'll use to validate your token. I'll briefly explain here what defaults are set and which you can change:
AzureJwtClaims
AzureJwtHeader
Jwk

Enums

AuthErr