auth-framework 0.5.0-rc18

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

//! RFC 8707 — Resource Indicators for OAuth 2.0
//!
//! Adds the `resource` parameter to authorization and token requests so clients
//! can signal which protected resource(s) they intend to access.  The
//! authorization server can use this to audience-restrict issued tokens.
//!
//! <https://datatracker.ietf.org/doc/html/rfc8707>

use crate::errors::{AuthError, Result};

/// Validate that every entry in `resources` is an absolute URI without a
/// fragment component, as required by RFC 8707 §2.
///
/// Returns `Ok(())` when all entries are valid, or an error describing the
/// first invalid entry.
pub fn validate_resource_indicators(resources: &[String]) -> Result<()> {
    for res in resources {
        if res.is_empty() {
            return Err(AuthError::validation(
                "resource parameter must not be empty".to_string(),
            ));
        }

        // Must be a valid absolute URI.
        let parsed = url::Url::parse(res).map_err(|e| {
            AuthError::validation(format!(
                "resource indicator is not a valid URI: {res} ({e})"
            ))
        })?;

        // RFC 8707 §2: "MUST NOT include a fragment component."
        if parsed.fragment().is_some() {
            return Err(AuthError::validation(format!(
                "resource indicator must not contain a fragment: {res}"
            )));
        }

        // Must be an absolute URI (scheme is required).
        if parsed.scheme().is_empty() {
            return Err(AuthError::validation(format!(
                "resource indicator must be an absolute URI: {res}"
            )));
        }
    }
    Ok(())
}

/// Check that the `resource` values presented at the token endpoint are a
/// subset of those originally requested at the authorization endpoint.
///
/// RFC 8707 §2: when the token request includes a `resource` parameter, it
/// MUST be a subset of the resources requested in the corresponding
/// authorization request.
pub fn validate_token_resource_subset(
    token_resources: &[String],
    authz_resources: &[String],
) -> Result<()> {
    for res in token_resources {
        if !authz_resources.contains(res) {
            return Err(AuthError::validation(format!(
                "resource '{res}' was not requested in the authorization request"
            )));
        }
    }
    Ok(())
}

/// Build the `aud` (audience) claim for a token based on the requested
/// resources.  If no resources were requested, returns `None` so the caller
/// can fall back to its default audience.
pub fn audience_from_resources(resources: &[String]) -> Option<Vec<String>> {
    if resources.is_empty() {
        None
    } else {
        Some(resources.to_vec())
    }
}

// ─── Tests ────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn valid_https_resource() {
        let res = vec!["https://api.example.com/v1".to_string()];
        assert!(validate_resource_indicators(&res).is_ok());
    }

    #[test]
    fn valid_multiple_resources() {
        let res = vec![
            "https://api.example.com/v1".to_string(),
            "https://data.example.com".to_string(),
        ];
        assert!(validate_resource_indicators(&res).is_ok());
    }

    #[test]
    fn rejects_empty_resource() {
        let res = vec!["".to_string()];
        assert!(validate_resource_indicators(&res).is_err());
    }

    #[test]
    fn rejects_fragment() {
        let res = vec!["https://api.example.com/v1#section".to_string()];
        let err = validate_resource_indicators(&res).unwrap_err();
        assert!(err.to_string().contains("fragment"));
    }

    #[test]
    fn rejects_relative_uri() {
        let res = vec!["/relative/path".to_string()];
        assert!(validate_resource_indicators(&res).is_err());
    }

    #[test]
    fn subset_check_passes() {
        let authz = vec![
            "https://a.example.com".to_string(),
            "https://b.example.com".to_string(),
        ];
        let token = vec!["https://a.example.com".to_string()];
        assert!(validate_token_resource_subset(&token, &authz).is_ok());
    }

    #[test]
    fn subset_check_fails_on_extra_resource() {
        let authz = vec!["https://a.example.com".to_string()];
        let token = vec![
            "https://a.example.com".to_string(),
            "https://c.example.com".to_string(),
        ];
        assert!(validate_token_resource_subset(&token, &authz).is_err());
    }

    #[test]
    fn audience_from_resources_none_when_empty() {
        assert!(audience_from_resources(&[]).is_none());
    }

    #[test]
    fn audience_from_resources_returns_list() {
        let res = vec!["https://api.example.com".to_string()];
        let aud = audience_from_resources(&res).unwrap();
        assert_eq!(aud, res);
    }
}