auth-framework 0.4.2

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

# OAuth 2.0/2.1 Implementation Progress


## Completed Components


### 1. OAuth 2.1 Authorization Framework (`src/server/oauth21.rs`)


A complete implementation of the OAuth 2.1 authorization framework, which is a consolidation of OAuth 2.0 best practices:

- Mandatory PKCE for all clients
- Removal of the implicit flow
- Enhanced security requirements
- Support for authorization code, client credentials, refresh token, and device code grants
- Full validation of all OAuth 2.1 requirements
- Support for both public and confidential clients
- HTTPS enforcement for non-localhost redirects

### 2. RFC 9126: Pushed Authorization Requests (`src/server/par.rs`)


Implementation of the PAR protocol, enhancing security by moving authorization request parameters from the front-channel to the back-channel:

- Complete PARManager with request validation
- Expiration handling for pushed requests
- Request URI generation and validation
- Support for PAR-based authorization flows

### 3. RFC 8705: Mutual TLS Client Authentication (`src/server/mtls.rs`)


Support for X.509 certificate-based client authentication and certificate-bound access tokens:

- PKI-based mutual TLS authentication
- Self-signed certificate authentication
- Certificate-bound access token support
- X.509 certificate validation and processing
- Certificate thumbprint calculation

### 4. RFC 9449: DPoP - Proof-of-Possession (`src/server/dpop.rs`)


Application-layer proof-of-possession for OAuth 2.0 access tokens:

- DPoP proof validation
- JWK thumbprint calculation
- DPoP-bound access token confirmation
- Protection against token theft and replay attacks
- Nonce management for enhanced security

### 5. RFC 8414: Authorization Server Metadata (`src/server/metadata.rs`)


Dynamic discovery of authorization server capabilities:

- Comprehensive metadata builder pattern
- Support for all standard metadata fields
- OAuth 2.0 and OAuth 2.1 metadata generation
- Custom metadata extensions
- Support for metadata validation

## Next Steps


1. **RFC 8693: Token Exchange** - Implementation of token-to-token exchange flows
2. **FAPI 2.0** - Financial-grade API security profile implementation
3. **WS-Security 1.1** - Client-only implementation for enterprise legacy systems
4. **Enhanced WebAuthn/FIDO2** - Complete the implementation for passwordless authentication

## Integration


The new modules are integrated into the existing Auth Framework:

- All modules are included in `src/server/mod.rs`
- Dependencies have been added to Cargo.toml
- Implementation roadmap has been updated

This implementation creates a solid foundation for the enterprise and financial-grade features planned in the roadmap, providing one of the most comprehensive OAuth 2.0/2.1 implementations available for Rust.