Authentication module for the Blueprint SDK.
This module provides a three-tier token authentication system:
- API Keys (`ak_xxxxx.yyyyy`): long-lived credentials for service authentication
- Access Tokens (`v4.local.xxxxx`): short-lived Paseto tokens for authorization
- Legacy Tokens (`id|token`): deprecated format kept for backward compatibility
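The following is an added example and not code from the blueprint_auth crate: it shows how a request-side parser can classify a raw credential into one of the three tiers listed above before any cryptographic verification runs, checking only the shape of each format. The `Credential` and `ParseError` types, the URL-safe base64 character rule, and the `allow_legacy` switch for retiring the deprecated format are assumptions made here for illustration; the crate's own types and validation rules may differ.

```rust
// Added example (not blueprint_auth code): classify a raw credential string
// into one of the three documented tiers before any cryptographic check runs.
// The type names, character-set rule and `allow_legacy` switch are assumptions.

#[derive(Debug, PartialEq, Eq)]
pub enum Credential {
    /// `ak_<id>.<secret>`: long-lived API key, split so the id can be looked up
    /// and the secret compared against the stored record.
    ApiKey { id: String, secret: String },
    /// `v4.local.<payload>[.<footer>]`: Paseto v4.local access token; only the
    /// shape is checked here, decryption belongs to the token layer.
    AccessToken { payload: String, footer: Option<String> },
    /// `<id>|<token>`: deprecated legacy format.
    LegacyToken { id: String, token: String },
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Empty,
    UnknownFormat,
    LegacyDisabled,
    Malformed(&'static str),
}

/// Restrict components to the URL-safe base64 alphabet so a credential can never
/// carry separators, whitespace or control bytes into logs or forwarded headers.
fn is_safe_component(s: &str) -> bool {
    !s.is_empty()
        && s.bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

/// Parse a raw credential. Prefix checks run in order of preference; legacy
/// tokens are matched last and only if the caller still allows them.
pub fn parse_credential(raw: &str, allow_legacy: bool) -> Result<Credential, ParseError> {
    let raw = raw.trim();
    if raw.is_empty() {
        return Err(ParseError::Empty);
    }

    if let Some(rest) = raw.strip_prefix("ak_") {
        let (id, secret) = rest
            .split_once('.')
            .ok_or(ParseError::Malformed("api key must be ak_<id>.<secret>"))?;
        if !is_safe_component(id) || !is_safe_component(secret) {
            return Err(ParseError::Malformed("api key contains disallowed characters"));
        }
        return Ok(Credential::ApiKey { id: id.to_string(), secret: secret.to_string() });
    }

    if let Some(rest) = raw.strip_prefix("v4.local.") {
        // A Paseto token may carry an optional base64url footer after the payload.
        let (payload, footer) = match rest.split_once('.') {
            Some((p, f)) => (p, Some(f)),
            None => (rest, None),
        };
        if !is_safe_component(payload) || footer.map_or(false, |f| !is_safe_component(f)) {
            return Err(ParseError::Malformed("paseto payload/footer must be base64url"));
        }
        return Ok(Credential::AccessToken {
            payload: payload.to_string(),
            footer: footer.map(str::to_string),
        });
    }

    if let Some((id, token)) = raw.split_once('|') {
        if !allow_legacy {
            return Err(ParseError::LegacyDisabled);
        }
        if !is_safe_component(id) || !is_safe_component(token) {
            return Err(ParseError::Malformed("legacy token contains disallowed characters"));
        }
        return Ok(Credential::LegacyToken { id: id.to_string(), token: token.to_string() });
    }

    Err(ParseError::UnknownFormat)
}

fn main() {
    // Constructed sample inputs, one per tier plus a malformed key.
    for raw in ["ak_abc123.s3cr3t", "v4.local.QUJD.Zm9v", "42|legacy", "ak_bad.se cret"] {
        println!("{:?} -> {:?}", raw, parse_credential(raw, true));
    }
}
```

Matching the `ak_` prefix before the `|` separator matters: a legacy-looking string can never be mistaken for an API key, and disabling legacy tokens turns them into a clean `LegacyDisabled` rejection rather than an unknown-format error, which makes the deprecation visible in logs.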
§Architecture
The authentication flow follows these steps:
- Client authenticates with API key
- API key is exchanged for a short-lived access token
- Access token is used for subsequent requests
- Token refresh happens automatically before expiration
§Security Features
- Cryptographic tenant binding prevents impersonation
- Header re-validation prevents injection attacks
- Persistent key storage with secure permissions
- Automatic token rotation and refresh
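As an added illustration of the header re-validation point above (this is example code, not the crate's `validation` module): a proxy that forwards requests upstream must reject any header whose value could terminate the header block, and must drop client-supplied copies of the identity headers it sets itself from the verified credential. The header names `x-tenant-id` and `x-auth-subject`, the `(name, value)` vector representation and the fail-closed behaviour on a bad header are assumptions made here for illustration.

```rust
// Added example (not blueprint_auth code): re-validate headers before a proxy
// forwards them upstream. The identity header names, the Vec representation
// and the decision to reject the whole request on a bad header are assumptions.

#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    BadName(String),
    BadValue(String),
}

/// Field names are RFC 9110 tokens: visible ASCII minus the delimiter set.
fn is_valid_name(name: &str) -> bool {
    const DELIMS: &[u8] = b"\"(),/:;<=>?@[\\]{}";
    !name.is_empty()
        && name
            .bytes()
            .all(|b| b > 0x20 && b < 0x7f && !DELIMS.contains(&b))
}

/// Field values may contain visible ASCII, SP, HTAB and obs-text (0x80..0xFF).
/// CR, LF, NUL and other control bytes are rejected so a value can never end
/// the header block or smuggle a second header line.
fn is_valid_value(value: &str) -> bool {
    value.bytes().all(|b| b == b'\t' || (b >= 0x20 && b != 0x7f))
}

/// Headers the proxy sets from the verified credential; any copy supplied by
/// the client is dropped so it cannot override the authenticated identity.
const IDENTITY_HEADERS: &[&str] = &["x-tenant-id", "x-auth-subject"];

/// Re-validate every incoming header and bind the identity header to the
/// tenant that actually authenticated. Returns the headers safe to forward.
pub fn revalidate_headers(
    incoming: &[(String, String)],
    authenticated_tenant: &str,
) -> Result<Vec<(String, String)>, HeaderError> {
    if !is_valid_value(authenticated_tenant) {
        return Err(HeaderError::BadValue("authenticated tenant".into()));
    }
    let mut out = Vec::with_capacity(incoming.len() + 1);
    for (name, value) in incoming {
        // Header names are case-insensitive; normalise so the identity check
        // cannot be bypassed with `X-TENANT-ID`.
        let lname = name.to_ascii_lowercase();
        if !is_valid_name(&lname) {
            return Err(HeaderError::BadName(name.clone()));
        }
        if !is_valid_value(value) {
            return Err(HeaderError::BadValue(name.clone()));
        }
        if IDENTITY_HEADERS.contains(&lname.as_str()) {
            continue; // client-supplied identity is never trusted
        }
        out.push((lname, value.clone()));
    }
    out.push(("x-tenant-id".to_string(), authenticated_tenant.to_string()));
    Ok(out)
}

fn main() {
    // Constructed request: a legitimate Host plus a spoofed tenant header.
    let incoming = vec![
        ("Host".to_string(), "api.internal".to_string()),
        ("X-Tenant-Id".to_string(), "spoofed".to_string()),
    ];
    println!("{:?}", revalidate_headers(&incoming, "tenant-42"));
}
```

Rejecting the request rather than silently stripping a malformed header is the safer default for an authentication proxy: a CR or LF inside a value is never a benign mistake, and failing closed keeps the upstream service from ever seeing it.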
§Example

```rust
use blueprint_auth::proxy::AuthenticatedProxy;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize the proxy with persistent key storage on disk
    let proxy = AuthenticatedProxy::new("/var/lib/auth/db")?;
    // Build the Axum router for the proxy; serving it is left to the caller
    let _router = proxy.router();
    Ok(())
}
```

Modules§
- api_keys - Long-lived API key management
- api_tokens - Generates API tokens for the authentication process
- auth_token - Unified authentication token types
- certificate_authority - Certificate Authority utilities for mTLS implementation
- db - The database module for the authentication process
- models - Database models
- oauth - OAuth 2.0 JWT assertion verifier and per-service policy
- paseto_tokens - Paseto token generation and validation for short-lived access tokens
- proxy - Authenticated proxy server built on top of Axum
- request_auth - Request-level auth context parsing and extractors
- request_extensions - Request extension plumbing for client certificate identity; provides mechanisms to extract and inject mTLS identity information
- tls_assets - TLS assets management module; provides functionality to manage TLS certificates, keys, and related assets
- tls_client - TLS client management for outbound connections
- tls_envelope - TLS envelope encryption for secure storage of certificate material
- tls_listener - TLS listener runtime for dual socket support (HTTP + HTTPS), terminating inbound TLS/mTLS connections and forwarding them into the authenticated proxy router
- types - Holds the authentication-related types
- validation - Header validation utilities
Enums§
Functions§
- generate_challenge - Generates a random challenge string to be used in the authentication process
- verify_challenge - Verifies the challenge solution sent from the client