huskarl-resource-server 0.9.1

OAuth2 resource server (JWT validation) support for the huskarl ecosystem.
Documentation

OAuth2 library for resource servers.

A resource server has two jobs: validate the access token presented with a request, and decide whether that token authorizes the request.

This crate does the first. A validator verifies the token (signature/introspection, expiry, audience, and any sender-constraint binding) and returns a ValidatedRequest carrying its claims — from which your application makes the second decision. When validation fails, rejection turns the failure into the matching response: status code, WWW-Authenticate challenges, and DPoP-Nonce.

The huskarl ecosystem

This crate is one of three that fit together. Each carries its own how-to guides and explanation in a _docs module:

  • huskarlOAuth2 clients: grants, token caching, and the request authorizer.
  • huskarl-resource-server (this crate) — resource servers: access-token validation and request authorization.
  • huskarl-core — the shared foundation the other two build on.

Example with RFC 9068 token validation:

use std::sync::Arc;

use huskarl_resource_server::{
    core::{http::HttpClient, jwk::JwksSource},
    validator::rfc9068::Rfc9068Validator,
};

let validator = Rfc9068Validator::builder()
    .issuer("https://issuer")
    .audience("audience")
    .jws_verifier_factory(Arc::new(
        JwksSource::builder().http_client(http_client).build(),
    ))
    .build()
    .await?;

Guides and explanation

The API items here are the reference docs. For task-oriented how-to guides (validating RFC 9068, custom, introspection, and multi-issuer tokens, plus DPoP enforcement) and design explanation (choosing a validator, how multi-issuer routing stays safe), see the _docs module.