Skip to main content

AuthNResolverPluginClient

authn_resolver_sdk::plugin_api

Trait AuthNResolverPluginClient 

Source 
pub trait AuthNResolverPluginClient: Send + Sync {
    // Required methods
    fn authenticate<'life0, 'life1, 'async_trait>(
        &'life0 self,
        bearer_token: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<AuthenticationResult, AuthNResolverError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
    fn exchange_client_credentials<'life0, 'life1, 'async_trait>(
        &'life0 self,
        request: &'life1 ClientCredentialsRequest,
    ) -> Pin<Box<dyn Future<Output = Result<AuthenticationResult, AuthNResolverError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
}
Expand description

Plugin API trait for AuthN resolver implementations.

Each plugin registers this trait with a scoped ClientHub entry using its GTS instance ID as the scope.

The gateway delegates to this method. Cross-cutting concerns (logging, metrics) may be added at the gateway level in the future.

Required Methods§

Source

fn authenticate<'life0, 'life1, 'async_trait>( &'life0 self, bearer_token: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<AuthenticationResult, AuthNResolverError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Authenticate a bearer token and return the validated identity.

§Arguments
  • bearer_token - The raw bearer token string
§Errors
  • Unauthorized if the token is invalid, expired, or malformed
  • Internal for unexpected errors
Source

fn exchange_client_credentials<'life0, 'life1, 'async_trait>( &'life0 self, request: &'life1 ClientCredentialsRequest, ) -> Pin<Box<dyn Future<Output = Result<AuthenticationResult, AuthNResolverError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Exchange client credentials for an AuthenticationResult.

The plugin performs the actual OAuth2 client_credentials flow (or static credential lookup) and returns an AuthenticationResult containing the validated SecurityContext.

§Scopes

Production plugins forward scopes to the IdP as-is in the OAuth2 scope parameter. Plugins that do not interact with an IdP (e.g., static dev plugins) may ignore this field.

§Errors
  • TokenAcquisitionFailed if credentials are invalid or IdP is unreachable
  • Internal for unexpected errors

Implementors§