Skip to main content

Module raw_credentials

Module raw_credentials 

Source

Structs§

DelegationKey
Composite key for cached delegated tokens. Token cache lookups hit on (subject, audience, scopes, mode) so different audiences or scope sets for the same subject mint independent tokens.
RawCredentialsExtension
The Layer-3 raw-credentials extension.
RawDelegatedToken
One minted outbound credential, produced by a TokenDelegate handler and cached for re-use until expiry. The token field is serde-skipped under the same invariant as RawInboundToken.token.
RawInboundToken
One inbound credential, captured at the wire layer and stashed here by an identity-resolver plugin. Validation happens elsewhere — this struct just carries the bytes and a few hints.

Enums§

DelegationMode
Whether a delegated outbound token represents the user’s identity or the gateway’s own identity to the downstream service. Affects scope-narrowing rules and audit-log attribution.
TokenKind
The wire-format family of a raw token. Lets handlers pick the right validation path without parsing the token first.
TokenRole
Which principal a raw inbound token represents. Lookups in RawCredentialsExtension.inbound_tokens are by this key.