authkestra-flow 0.1.2

OAuth2 and OIDC flow orchestration for the authkestra framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

# authkestra-flow

High-level authentication flows for [authkestra](https://github.com/marcjazz/authkestra).

This crate orchestrates authentication flows such as OAuth2, Device Flow, Client Credentials, and direct credentials-based auth, providing a high-level API that is independent of web frameworks.

## Features

- `OAuth2Flow`: Orchestrates the Authorization Code flow (initiation and finalization).
- `DeviceFlow`: Orchestrates the Device Authorization Flow (RFC 8628).
- `ClientCredentialsFlow`: Orchestrates the Client Credentials Flow (RFC 6749 Section 4.4).
- `CredentialsFlow`: Orchestrates direct credential-based authentication.
- Support for `UserMapper` to integrate with local user databases.

## Usage

Add this to your `Cargo.toml`:

```toml
[dependencies]
authkestra-flow = "0.1.2"
```

### Relationship with `AuthkestraGuard`

`authkestra-flow` is responsible for the **Login Flow** (getting the user into the system). Once a user is logged in (e.g., a session is created), you use the **`AuthkestraGuard`** (from `authkestra-guard`) to protect your API routes.

- **`Authkestra`**: Orchestrates providers, session stores, and token managers to handle login/logout.
- **`AuthkestraGuard`**: Executes a chain of strategies (Session, Token, API Key) to authorize incoming requests.

### Example: OAuth2 Flow

```rust
use authkestra_flow::OAuth2Flow;
use authkestra_providers_github::GitHubProvider;

// Setup provider and flow
let provider = GitHubProvider::new(client_id, client_secret, callback_url);
let flow = OAuth2Flow::new(provider);

// 1. Initiate login: Generate authorization URL and CSRF state
let (auth_url, csrf_state) = flow.initiate_login(&["user:email"], None);

// ... redirect user to auth_url, then receive code and state in callback ...

// 2. Finalize login: Exchange code for identity and tokens
let (identity, token, local_user) = flow.finalize_login(
    &code,
    &received_state,
    &expected_state,
    None // PKCE verifier
).await?;
```

### Example: Device Flow

```rust
use authkestra_flow::DeviceFlow;

let flow = DeviceFlow::new(client_id, device_auth_url, token_url);

// 1. Initiate device authorization
let resp = flow.initiate_device_authorization(&["read", "write"]).await?;

println!("Go to {} and enter code: {}", resp.verification_uri, resp.user_code);

// 2. Poll for token
let token = flow.poll_for_token(&resp.device_code, resp.interval).await?;
```

### Example: Client Credentials Flow

```rust
use authkestra_flow::ClientCredentialsFlow;

let flow = ClientCredentialsFlow::new(client_id, client_secret, token_url);

// Obtain an access token
let token = flow.get_token(Some(&["api:read"])).await?;
```

### Example: Credentials Flow

```rust
use authkestra_flow::CredentialsFlow;
// Assuming a provider that implements CredentialsProvider
let flow = CredentialsFlow::new(my_credentials_provider);

let (identity, local_user) = flow.authenticate(my_credentials).await?;
```

## Part of authkestra

This crate is part of the [authkestra](https://github.com/marcjazz/authkestra) workspace.