arcly-http-identity 0.9.0

CIAM building-block engine for arcly-http: identity store traits, password hashing, MFA (TOTP), passwordless & account lifecycle, risk signals, and an OIDC provider — storage-agnostic, zero-lock, all I/O behind traits.
Documentation

arcly-http-identity — CIAM building-block engine

A storage-agnostic Customer Identity & Access Management (CIAM) engine for arcly-http. It is not a turnkey product (no admin console, no hosted login UI): it ships the traits, services, and (optional) controllers you compose into your own identity provider, in the same spirit as Ory Kratos/Hydra but as an embeddable Rust crate.

What it gives you

Area Type
User & credential storage [store::UserStore], [store::CredentialStore]
Password hashing [password::PasswordHasher] + [password::Argon2idHasher]
Register / login / refresh / logout [identity::IdentityService]
Brute-force protection [lockout::LockoutPolicy]
One-time tokens (verify / reset / magic link) [ott::OneTimeTokenService]
Passwordless (magic link + email/SMS OTP) [passwordless::PasswordlessService]
MFA (TOTP + recovery codes) [mfa]
Passkeys / WebAuthn [mfa::passkey] (feature passkey)
Adaptive / risk-based auth [risk::RiskEngine]
Consent (GDPR) [consent::ConsentStore]
OIDC Provider [oidc] (feature oidc)

Design contract (matches the framework)

  • All I/O is behind a trait — you supply the Postgres/Redis/email backends; the crate links no database or mail SDK.
  • Provide services via DI in an ArclyPlugin::on_init (ctx.provide(IdentityService::new(...))), then resolve with Inject<T>.
  • Tokens are minted through the framework's JwtService so every existing guard (JWT_AUTH, RoleGuard, perms, ABAC) keeps working.
  • CPU-bound work runs off the reactor via spawn_blocking.