jwt-authorizer
JWT authorizer layer for Axum and Tonic.
Features

- JWT token verification (Bearer)
- Algorithms: ECDSA, RSA, EdDSA, HMAC
- JWKS endpoint support
  - Configurable refresh
  - OpenID Connect Discovery
- Validation
  - exp, nbf, iss, aud
- Claims extraction
- Claims checker
- Tracing support (error logging)
Usage Example

```rust
use jwt_authorizer::{AuthError, Authorizer, IntoLayer, JwtAuthorizer, JwtClaims, RegisteredClaims};
use axum::{routing::get, Router};

#[tokio::main]
async fn main() {
    // Build an authorizer from a JWKS endpoint (the URL is illustrative).
    // Any struct deserializable from the JWT claims can replace RegisteredClaims.
    // Builder names (build(), into_layer()) are those of recent crate releases.
    let auth: Authorizer<RegisteredClaims> = JwtAuthorizer::from_jwks_url("http://localhost:3000/oidc/jwks")
        .build()
        .await
        .unwrap();

    // Add the authorization layer to the router.
    let app = Router::new()
        .route("/protected", get(protected))
        .layer(auth.into_layer());

    // Protected handler: the verified claims are injected by the JwtClaims extractor.
    async fn protected(JwtClaims(user): JwtClaims<RegisteredClaims>) -> Result<String, AuthError> {
        Ok(format!("Welcome: {:?}", user.sub))
    }

    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await.unwrap();
    axum::serve(listener, app.into_make_service()).await.unwrap();
}
```
Validation

Validation configuration object. If no validation configuration is provided, default values are applied.

docs: jwt-authorizer::Validation

```rust
use jwt_authorizer::{JwtAuthorizer, Validation};
use serde_json::Value;

// Issuer, audience and leeway values below are illustrative.
let validation = Validation::new()
    .iss(&["https://issuer1", "https://issuer2"])
    .aud(&["audience1"])
    .nbf(true)
    .leeway(20);

let jwt_auth: JwtAuthorizer<Value> = JwtAuthorizer::from_oidc("https://accounts.google.com")
    .validation(validation);
```
ClaimsChecker

A check function (mapping the deserialized claims to a boolean) can be added to the authorizer. A check failure results in a 403 (WWW-Authenticate: Bearer error="insufficient_scope") error. The check runs only after the token's signature and registered claims have been verified, so it is the place for application-level rules such as required scopes or roles.

Example:

```rust
use jwt_authorizer::JwtAuthorizer;
use serde::Deserialize;

// Authorized entity, struct deserializable from JWT claims
#[derive(Debug, Deserialize, Clone)]
struct User {
    sub: String,
}

// The public key path is illustrative.
let authorizer = JwtAuthorizer::<User>::from_rsa_pem("../config/jwtRS256.key.pub")
    .check(|claims| claims.sub.contains("@"));
```
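The following is an added example, not code from jwt-authorizer, covering both the Validation and the ClaimsChecker sections above. It reimplements, with the standard library only, the order of operations a verifier applies after the signature check: registered-claims validation (exp, nbf, iss, aud, with leeway) first, then the application's check function. The `Claims`, `Validation` and `Rejection` types, the `can_write` check and the sample claims are this example's own constructions; the exact leeway arithmetic and the mapping of a validation failure to "invalid token" are assumptions stated in the comments, not a description of the crate's internals.

```rust
use std::collections::HashSet;

/// Claims used by this example. In the crate they come from deserializing the
/// verified JWT payload; here they are a plain struct constructed in code.
#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: Option<String>,
    pub sub: String,
    /// A JWT `aud` may be a single string or an array; normalised to a list here.
    pub aud: Vec<String>,
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    /// Space-separated scopes (OAuth 2.0 convention), consumed by the check function.
    pub scope: String,
}

/// The same knobs as the README's `Validation` builder: iss, aud, nbf, leeway.
#[derive(Debug, Clone, Default)]
pub struct Validation {
    pub iss: Option<HashSet<String>>,
    pub aud: Option<HashSet<String>>,
    pub validate_nbf: bool,
    pub leeway: u64,
}

/// Two distinct rejections. The README states that a check failure is a 403
/// `insufficient_scope`; treating a validation failure as an invalid token
/// (401) is this example's assumption.
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    InvalidToken(&'static str),
    InsufficientScope,
}

/// Registered-claims validation with leeway applied in the token's favour
/// (assumed semantics): expired only once `now > exp + leeway`, not yet valid
/// only while `now + leeway < nbf`. Run only after the signature is verified.
pub fn validate(c: &Claims, v: &Validation, now: u64) -> Result<(), Rejection> {
    match c.exp {
        None => return Err(Rejection::InvalidToken("missing exp")),
        Some(exp) if now > exp.saturating_add(v.leeway) => return Err(Rejection::InvalidToken("exp")),
        Some(_) => {}
    }
    if v.validate_nbf {
        if let Some(nbf) = c.nbf {
            if now.saturating_add(v.leeway) < nbf {
                return Err(Rejection::InvalidToken("nbf"));
            }
        }
    }
    if let Some(allowed) = &v.iss {
        match &c.iss {
            Some(iss) if allowed.contains(iss) => {}
            _ => return Err(Rejection::InvalidToken("iss")),
        }
    }
    if let Some(allowed) = &v.aud {
        // At least one audience in the token must be one we accept.
        if !c.aud.iter().any(|a| allowed.contains(a)) {
            return Err(Rejection::InvalidToken("aud"));
        }
    }
    Ok(())
}

/// Validation first, then the claims checker; the two outcomes are never conflated.
pub fn authorize(c: &Claims, v: &Validation, now: u64, check: fn(&Claims) -> bool) -> Result<(), Rejection> {
    validate(c, v, now)?;
    if check(c) { Ok(()) } else { Err(Rejection::InsufficientScope) }
}

/// Example check function: the token must carry the `write` scope.
pub fn can_write(c: &Claims) -> bool {
    c.scope.split_whitespace().any(|s| s == "write")
}

/// Constructed sample claims (not a real token).
pub fn sample_claims() -> Claims {
    Claims {
        iss: Some("https://issuer1".into()),
        sub: "alice@example.com".into(),
        aud: vec!["audience1".into()],
        exp: Some(1_000),
        nbf: Some(900),
        scope: "read write".into(),
    }
}

/// Mirrors the README's builder values: two issuers, one audience, nbf on, 20 s leeway.
pub fn sample_validation() -> Validation {
    Validation {
        iss: Some(["https://issuer1", "https://issuer2"].iter().map(|s| s.to_string()).collect()),
        aud: Some(["audience1"].iter().map(|s| s.to_string()).collect()),
        validate_nbf: true,
        leeway: 20,
    }
}

fn main() {
    let (c, v) = (sample_claims(), sample_validation());
    println!("{:?}", authorize(&c, &v, 950, can_write));
}
```

Two points worth noticing when reading the result: leeway widens the acceptance window on both ends, so pick it in seconds of expected clock skew and no wider, and an expired or mis-issued token is rejected before the check function ever sees it, which keeps authorization logic from running on claims that were never trustworthy.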
JWKS Refresh

By default, the JWKS keys are reloaded when a request token is signed with a key (the `kid` in the JWT header) that is not present in the store. A minimal interval between two reloads is enforced (10 s by default, configurable). That interval bounds how often an unknown `kid` can trigger a fetch, so a flood of tokens carrying bogus key ids cannot be used to hammer the JWKS endpoint.

`JwtAuthorizer::no_refresh()` configures a single, one-time load of the JWKS keys.

`JwtAuthorizer::refresh(refresh_configuration)` allows a finer configuration of JWKS refreshing; for more details see the documentation of the `Refresh` struct.
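An added example, not jwt-authorizer's own code, showing the reload policy described above in isolation: a key store keyed by `kid` that refetches the JWKS only when an unknown key id arrives and the minimal interval has elapsed, next to a no-refresh mode. The `KeyStore` type, the `Refresh` enum (distinct from the crate's `Refresh` struct), the injected `fetch` closure and the rotating "endpoint" are this example's constructions; the clock is passed in as a number so the scenario runs offline.

```rust
use std::collections::HashMap;

/// Stand-in for a decoded JWK; a real store holds public keys here.
pub type Key = Vec<u8>;

/// Reload policy modelled on the README: the default (reload on unknown kid,
/// rate-limited by a minimal interval) or `no_refresh()` (load once, never again).
#[derive(Debug, Clone, Copy)]
pub enum Refresh {
    OnMissingKid { min_interval: u64 },
    Never,
}

/// Key store keyed by `kid`. The JWKS fetch is injected so the example runs
/// offline; `reloads` counts how many times it was called.
pub struct KeyStore<F: FnMut() -> HashMap<String, Key>> {
    keys: HashMap<String, Key>,
    fetch: F,
    refresh: Refresh,
    last_reload: u64,
    pub reloads: usize,
}

impl<F: FnMut() -> HashMap<String, Key>> KeyStore<F> {
    /// The initial load happens unconditionally in every mode.
    pub fn new(mut fetch: F, refresh: Refresh, now: u64) -> Self {
        let keys = fetch();
        KeyStore { keys, fetch, refresh, last_reload: now, reloads: 1 }
    }

    /// Look up the key for a token's `kid`. An unknown kid triggers a reload only
    /// when the policy allows it, so tokens with bogus kids cannot turn the
    /// verifier into a JWKS-fetching amplifier.
    pub fn key_for(&mut self, kid: &str, now: u64) -> Option<&Key> {
        if !self.keys.contains_key(kid) {
            if let Refresh::OnMissingKid { min_interval } = self.refresh {
                if now >= self.last_reload.saturating_add(min_interval) {
                    self.keys = (self.fetch)();
                    self.last_reload = now;
                    self.reloads += 1;
                }
            }
        }
        self.keys.get(kid)
    }
}

/// Constructed JWKS "endpoint": the first call publishes only kid `k1`, later
/// calls also `k2`, modelling a key rotation at the identity provider.
pub fn rotating_jwks() -> impl FnMut() -> HashMap<String, Key> {
    let mut calls = 0;
    move || {
        calls += 1;
        let mut keys = HashMap::new();
        keys.insert("k1".to_string(), vec![1u8]);
        if calls > 1 {
            keys.insert("k2".to_string(), vec![2u8]);
        }
        keys
    }
}

/// Replays a fixed sequence of (kid, time) lookups and returns, per lookup,
/// whether the key was found and how many JWKS fetches had happened by then.
pub fn scenario(refresh: Refresh) -> Vec<(bool, usize)> {
    let mut store = KeyStore::new(rotating_jwks(), refresh, 0);
    let lookups = [("k1", 1), ("k2", 5), ("k2", 10), ("k9", 12), ("k9", 20)];
    lookups
        .iter()
        .map(|&(kid, now)| {
            let found = store.key_for(kid, now).is_some();
            (found, store.reloads)
        })
        .collect()
}

fn main() {
    println!("{:?}", scenario(Refresh::OnMissingKid { min_interval: 10 }));
    println!("{:?}", scenario(Refresh::Never));
}
```

With a 10 s interval, the rotated key `k2` is rejected at t=5 (too soon after the initial load) and accepted at t=10, while the never-published `k9` costs at most one fetch per interval no matter how many such tokens arrive; with `Never`, a rotation at the provider silently turns into 401s until the process restarts, which is the trade-off `no_refresh()` makes.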