cf-authn-resolver-sdk 0.2.3

SDK for authn_resolver module: API traits, models, and error definitions
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

# AuthN Resolver SDK

SDK crate for the AuthN Resolver module, providing public API contracts for authentication in CyberFabric.

## Overview

This crate defines the transport-agnostic interface for the AuthN Resolver module:

- **`AuthNResolverClient`** — Async trait for consumers (authenticate bearer tokens)
- **`AuthNResolverPluginClient`** — Async trait for plugin implementations
- **`AuthenticationResult`** — Result containing the validated `SecurityContext`
- **`AuthNResolverError`** — Error types for authentication failures
- **`AuthNResolverPluginSpecV1`** — GTS schema for plugin registration

## Usage

### Getting the Client

Consumers obtain the client from `ClientHub`:

```rust
use authn_resolver_sdk::AuthNResolverClient;

let authn = hub.get::<dyn AuthNResolverClient>()?;
```

### Authenticating a Token

```rust
let result = authn.authenticate("eyJhbGciOiJSUzI1NiIs...").await?;
let ctx = result.security_context;

println!("Subject: {}", ctx.subject_id());
println!("Tenant: {}", ctx.subject_tenant_id());
println!("Scopes: {:?}", ctx.token_scopes());
```

### AuthenticationResult

```rust
pub struct AuthenticationResult {
    /// Contains: subject_id, subject_tenant_id, token_scopes, bearer_token
    pub security_context: SecurityContext,
}
```

The `SecurityContext` carries the authenticated identity through the request pipeline. The original bearer token is preserved for downstream PDP forwarding.

## Error Handling

```rust
use authn_resolver_sdk::AuthNResolverError;

match authn.authenticate(token).await {
    Ok(result) => { /* use result.security_context */ },
    Err(AuthNResolverError::Unauthorized(msg)) => { /* invalid/expired token */ },
    Err(AuthNResolverError::NoPluginAvailable) => { /* no AuthN plugin registered */ },
    Err(AuthNResolverError::ServiceUnavailable(msg)) => { /* plugin not ready */ },
    Err(AuthNResolverError::Internal(msg)) => { /* unexpected error */ },
}
```

## Implementing a Plugin

Implement `AuthNResolverPluginClient` and register with a GTS instance ID:

```rust
use async_trait::async_trait;
use authn_resolver_sdk::{AuthNResolverPluginClient, AuthenticationResult, AuthNResolverError};

struct MyOidcPlugin { /* ... */ }

#[async_trait]
impl AuthNResolverPluginClient for MyOidcPlugin {
    async fn authenticate(&self, bearer_token: &str)
        -> Result<AuthenticationResult, AuthNResolverError> {
        // Validate token, extract claims, build SecurityContext
    }
}
```

## License

Apache-2.0