//! Authentication and authorization module
//!
//! Provides JWT/OIDC authentication, multi-tenancy support, and RBAC.
//!
//! # Features
//!
//! - JWT validation with RS256/ES256/HS256 support via `jsonwebtoken`
//! - OIDC discovery support via the `openidconnect` crate
//! - JWKS fetching with automatic key rotation
//! - Multi-tenant schema isolation via JWT claims
//! - Optional role-based access control
//!
//! # OIDC Support
//!
//! For OIDC-based authentication, use the `oidc` module which provides:
//! - `OidcConfig` - Configuration using `openidconnect` types directly
//! - `OidcClient` - Client with automatic OIDC discovery
//! - `TenantClaims` - Custom claims implementing `AdditionalClaims`
//! - `IdTokenClaims` - Type alias for `CoreIdTokenClaims<TenantClaims>`
//!
//! # Multi-User Cache Safety
//!
//! When authentication is enabled, user context is automatically included in
//! cache keys via `extract_user_id()` to prevent cross-user data leakage.
//! The `CacheKey::query_result()` method requires a `user_id` parameter for
//! multi-tenant deployments.
//!
//! # User Context Extraction
//!
//! Use `extract_user_id()` to get the authenticated user's identifier from
//! MCP `RequestContext`. This extracts the `sub` claim from JWT tokens for
//! per-user cache isolation.
pub use ;
pub use ;
pub use ;
pub use ;
pub use JwtValidator;
pub use ;
pub use ;
pub use ;
pub use ;
pub use extract_user_id;
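
// Added example, not part of this crate: why the "Multi-User Cache Safety" section
// above puts the user in the cache key. `query_result_key`, `unscoped_key` and
// `QueryCache` are hypothetical stand-ins, not this module's `CacheKey` API.

```rust
use std::collections::HashMap;

/// Cache key scoped to the caller. `None` means authentication is disabled.
/// (Hypothetical helper; in the real module the id would come from the JWT `sub` claim.)
fn query_result_key(user_id: Option<&str>, query: &str) -> String {
    // Length-prefix each field so ("a:b", "c") and ("a", "b:c") cannot encode
    // to the same string, and tag the variant so an unauthenticated caller
    // cannot collide with a user whose `sub` is the empty string.
    match user_id {
        Some(uid) => format!("q|u{}:{}|{}:{}", uid.len(), uid, query.len(), query),
        None => format!("q|anon|{}:{}", query.len(), query),
    }
}

/// The unsafe variant, for comparison: the key depends on the query text only.
fn unscoped_key(query: &str) -> String {
    format!("q|{}", query)
}

struct QueryCache {
    entries: HashMap<String, String>,
}

impl QueryCache {
    fn new() -> Self {
        QueryCache { entries: HashMap::new() }
    }

    /// Returns the cached value for `key`, running the query only on a miss.
    fn get_or_run(&mut self, key: String, run: impl FnOnce() -> String) -> String {
        self.entries.entry(key).or_insert_with(run).clone()
    }
}

/// Runs the same query as alice, then as bob, and returns what bob receives.
/// The user names and query text are constructed sample data.
fn bob_sees(scoped: bool) -> String {
    let query = "SELECT * FROM orders";
    let mut cache = QueryCache::new();
    for user in ["alice", "bob"] {
        let key = if scoped { query_result_key(Some(user), query) } else { unscoped_key(query) };
        let rows = cache.get_or_run(key, || format!("rows visible to {user}"));
        if user == "bob" {
            return rows;
        }
    }
    unreachable!()
}

fn main() {
    println!("unscoped key: bob receives '{}'", bob_sees(false));
    println!("scoped key:   bob receives '{}'", bob_sees(true));
}
```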