axess-core 0.2.0

Core implementation for the axess library. Session state machine, multi-factor authentication engine, Cedar Policy evaluation, and pluggable storage backends. Use the `axess` facade crate unless you need direct access to internals.

axess-core


Core implementation for the [Axess](https://github.com/GnomesOfZurich/axess) authentication and authorization library: session state machine, multi-factor authentication engine, Cedar Policy evaluation, and pluggable storage backends.

Most applications should depend on the axess facade crate instead. Use axess-core directly only if you're building a custom integration that needs internals the facade doesn't re-export.

Module layout

| Module | Contents |
| --- | --- |
| `authn/` | `IdentityStore` / `FactorStore`, `AuthnService`, factor pipeline, OAuth/OIDC, JWT, device identity, audit, federation resolvers |
| `authz/` | Cedar Policy evaluation, `AuthzStore`, `PolicyStore`, entity caches |
| `session/` | `SessionLayer`, `AuthSession`, `SessionStore`, `SessionRegistry`, binding, crypto, refresh tokens, storage backends |
| `middleware/` | `RateLimitLayer`, `RequestIdLayer`, `TraceIdLayer`, CSRF |
| `principal/` | `Principal { Human, Workload }`, `PrincipalResolver`, Cedar entity bridge |
| `store/` | Shared key/value-with-TTL store abstraction (`Store<K, V>`); per-backend value codecs live with each store impl |
| `workload/` | Inbound workload-identity hub, outbound mTLS / OAuth clients |
| `health/`, `metrics/` | `HealthCheck`, `CompositeHealthCheck`, `AuthnMetrics` |
| `testing/` | `MockIdentityStore`, `MockFactorStore`, `MockClock`, `MockRng`, `LocalIdpFixture` (gated by `testing` feature) |

Usage

```rust
use axess_core::{AuthnService, SessionLayer, InMemoryBackend};
use axess_core::backends::sqlite::SessionStore as SqliteSessionStore;
use axess_core::session::SessionCrypto;
use std::{sync::Arc, time::Duration};

// Fragment: runs inside an async function that returns a Result.
// `pool`, `identity_store`, `factor_store`, `my_metrics`, `session_registry`
// and the two key loaders are supplied by the application.

// SQLite-backed session store with AES-256-GCM at rest.
let key: [u8; 32] = load_key_from_secrets();
let store = SqliteSessionStore::new(pool, SessionCrypto::new(key));
store.init_schema().await?;

// Separate 32-byte key used by the session layer for signing.
let signing_key: [u8; 32] = load_signing_key();
let session_layer = SessionLayer::new(store, signing_key)
    .with_ttl(Duration::from_secs(86400)); // 24-hour session TTL

let authn = Arc::new(
    AuthnService::new(identity_store, factor_store)
        .with_metrics(my_metrics)
        .with_registry(session_registry),
);
```

See the workspace README for the full integration walkthrough.
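The usage snippet calls `load_key_from_secrets()` and `load_signing_key()` without defining them. The following is an added example, not axess-core code, of how an application might parse both 32-byte keys before handing them to `SessionCrypto::new` and `SessionLayer::new`. The hex encoding, the function and error names, the environment variable names, and the policy of rejecting all-zero or reused keys are assumptions of this example.

```rust
/// Reasons key material is rejected (type defined by this example).
#[derive(Debug, PartialEq)]
pub enum KeyError {
    BadLength(usize), // not exactly 64 hex characters
    BadHex,           // a character outside 0-9, a-f, A-F
    AllZero,          // placeholder or uninitialised secret
    Reused,           // same key supplied for encryption and signing
}

/// Decode exactly 64 hex characters into a 32-byte key.
pub fn parse_key_hex(s: &str) -> Result<[u8; 32], KeyError> {
    let s = s.trim();
    if s.len() != 64 {
        return Err(KeyError::BadLength(s.len()));
    }
    let mut key = [0u8; 32];
    for (i, pair) in s.as_bytes().chunks(2).enumerate() {
        let hi = (pair[0] as char).to_digit(16).ok_or(KeyError::BadHex)?;
        let lo = (pair[1] as char).to_digit(16).ok_or(KeyError::BadHex)?;
        key[i] = (hi * 16 + lo) as u8;
    }
    if key.iter().all(|&b| b == 0) {
        return Err(KeyError::AllZero);
    }
    Ok(key)
}

/// Parse the at-rest encryption key and the signing key, refusing a
/// configuration that uses one value for both roles.
pub fn parse_key_pair(enc_hex: &str, sign_hex: &str) -> Result<([u8; 32], [u8; 32]), KeyError> {
    let enc = parse_key_hex(enc_hex)?;
    let sign = parse_key_hex(sign_hex)?;
    if enc == sign {
        return Err(KeyError::Reused);
    }
    Ok((enc, sign))
}

fn main() {
    // Hypothetical variable names; a secrets manager would populate them.
    let enc = std::env::var("SESSION_ENC_KEY_HEX").unwrap_or_default();
    let sign = std::env::var("SESSION_SIGNING_KEY_HEX").unwrap_or_default();
    match parse_key_pair(&enc, &sign) {
        Ok(_) => println!("session keys loaded"),
        Err(e) => eprintln!("refusing to start: {e:?}"),
    }
}
```

Failing closed at startup keeps a missing or copy-pasted secret from silently producing sessions protected by a guessable key.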

Feature flags

axess-core exposes a fine-grained feature set so adopters opt into only what they need. See Cargo.toml for the authoritative list, or the workspace README feature-flags table for the curated set of facade-relevant flags.

Licence

Dual-licensed under MIT and Apache-2.0.