adk-auth

Access control and authentication for Rust Agent Development Kit (ADK-Rust).

Overview

adk-auth provides enterprise-grade access control for AI agents:

Role-Based Access - Define roles with tool/agent permissions
Permission Scopes - Fine-grained allow/deny rules (deny precedence)
Audit Logging - Log all access attempts to JSONL files
SSO/OAuth - JWT validation with Google, Azure AD, Okta, Auth0 providers

Features

Feature	Description
`default`	Core RBAC + audit logging
`sso`	JWT/OIDC providers (Google, Azure AD, Okta, Auth0)

Quick Start

use adk_auth::{Permission, Role, AccessControl, AuthMiddleware};

// Define roles
let admin = Role::new("admin").allow(Permission::AllTools);
let user = Role::new("user")
    .allow(Permission::Tool("search".into()))
    .deny(Permission::Tool("code_exec".into()));

// Build access control
let ac = AccessControl::builder()
    .role(admin)
    .role(user)
    .assign("alice@example.com", "admin")
    .assign("bob@example.com", "user")
    .build()?;

// Protect tools
let middleware = AuthMiddleware::new(ac);
let protected_tools = middleware.protect_all(tools);

SSO Integration

Enable with features = ["sso"]:

use adk_auth::sso::{GoogleProvider, ClaimsMapper, SsoAccessControl};

// Create provider
let provider = GoogleProvider::new("your-client-id");

// Map IdP groups to roles
let mapper = ClaimsMapper::builder()
    .map_group("AdminGroup", "admin")
    .default_role("viewer")
    .user_id_from_email()
    .build();

// Combined SSO + RBAC
let sso = SsoAccessControl::builder()
    .validator(provider)
    .mapper(mapper)
    .access_control(ac)
    .build()?;

// Validate token and check permission
let claims = sso.check_token(token, &Permission::Tool("search".into())).await?;
println!("User: {}", claims.email.unwrap());

Providers

Provider	Usage
Google	`GoogleProvider::new(client_id)`
Azure AD	`AzureADProvider::new(tenant_id, client_id)`
Okta	`OktaProvider::new(domain, client_id)`
Auth0	`Auth0Provider::new(domain, audience)`
Generic OIDC	`OidcProvider::from_discovery(issuer, client_id).await`

Audit Logging

use adk_auth::FileAuditSink;

let audit = FileAuditSink::new("/var/log/adk/audit.jsonl")?;
let middleware = AuthMiddleware::with_audit(ac, audit);

Output:

{"timestamp":"2025-01-01T10:30:00Z","user":"bob","resource":"search","outcome":"allowed"}

Examples

cargo run --example auth_basic          # RBAC basics
cargo run --example auth_audit          # Audit logging
cargo run --example auth_sso --features sso     # SSO integration
cargo run --example auth_jwt --features sso     # JWT validation
cargo run --example auth_oidc --features sso    # OIDC discovery
cargo run --example auth_google --features sso  # Google Identity

License

Apache-2.0

Part of ADK-Rust

This crate is part of the ADK-Rust framework for building AI agents in Rust.

adk-auth 0.1.9