arcly-http-identity — CIAM building-block engine
A storage-agnostic Customer Identity & Access Management (CIAM) engine for
arcly-http. It is not a turnkey product (no admin console, no hosted
login UI): it ships the traits, services, and (optional) controllers you
compose into your own identity provider, in the same spirit as Ory
Kratos/Hydra but as an embeddable Rust crate.
What it gives you
| Area | Type |
|---|---|
| User & credential storage | [store::UserStore], [store::CredentialStore] |
| Password hashing | [password::PasswordHasher] + [password::Argon2idHasher] |
| Register / login / refresh / logout | [identity::IdentityService] |
| Brute-force protection | [lockout::LockoutPolicy] |
| One-time tokens (verify / reset / magic link) | [ott::OneTimeTokenService] |
| Passwordless (magic link + email/SMS OTP) | [passwordless::PasswordlessService] |
| MFA (TOTP + recovery codes) | [mfa] |
| Passkeys / WebAuthn | [mfa::passkey] (feature passkey) |
| Adaptive / risk-based auth | [risk::RiskEngine] |
| Consent (GDPR) | [consent::ConsentStore] |
| OIDC Provider | [oidc] (feature oidc) |
Design contract (matches the framework)
- All I/O is behind a trait — you supply the Postgres/Redis/email backends; the crate links no database or mail SDK.
- Provide services via DI in an
ArclyPlugin::on_init(ctx.provide(IdentityService::new(...))), then resolve withInject<T>. - Tokens are minted through the framework's
JwtServiceso every existing guard (JWT_AUTH,RoleGuard, perms, ABAC) keeps working. - CPU-bound work runs off the reactor via
spawn_blocking.