The foundational traits and types for the huskarl OAuth2 ecosystem.
Most applications depend on the higher-level huskarl crate (grants, token
cache, authorizer) rather than this crate directly. huskarl-core is the shared
base they build on — the utilities below are also useful on their own, whether
you are writing OAuth tooling or implementing a backend for the rest of the
ecosystem.
The huskarl ecosystem
This crate is one of three that fit together. Each carries its own how-to guides
and explanation in a _docs module:
huskarl—OAuth2clients: grants, token caching, and the request authorizer.huskarl-resource-server— resource servers: access-token validation and request authorization.huskarl-core(this crate) — the shared foundation the other two build on.
What’s here
- JOSE primitives —
jwtbuilds, signs, and validates JWTs;jwkparses and produces JWK/JWKS wire types;cryptoholds the signing, verification, and encryption traits plus a set of composable wrappers (multi-key, refreshable, retrying). - Secret handling —
secretsretrieves credentials from environment variables, files, or your own provider, behind redacted wrappers that keep them out of logs, with optional decoding and caching. - Client authentication —
client_authcarries the ways a client authenticates to an authorization server (client secret, private-key JWT, or none). DPoP—dpopprovides proof-of-possession binding for the authorization-server and resource-server flows.- HTTP —
httpdefines theHttpClientseam that decouples the ecosystem from any specific HTTP implementation. - Authorization-server metadata —
server_metadatamodels RFC 8414 / OIDC discovery documents. - Wire encoding —
oauth_formserializes OAuth messages asapplication/x-www-form-urlencoded, including structured RFC 9396 values. - Errors — the flows return the one concrete
Error/ErrorKind, which embeds cleanly in your own error type. A few subsystems return their own typed errors where the variants are the API — JWT validation (JwtValidationError), low-level verification (crypto::verifier), and wire encoding (oauth_form::Error) — design oneFromarm forErrorplus arms for the subsystem errors you call directly.
Guides and explanation
The API items here are the reference documentation. For task-oriented how-to
guides — building and
validating JWTs,
providing secrets, and
implementing a backend — and design
explanation — the error model,
handling untrusted keys, and
composing crypto strategies — see the
_docs module.