mozambigue 0.1.2

JWT validation library with JWKS caching for Kubernetes and Okta tokens
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

//! # Mozambigue
//!
//! A Rust library for JWT (JSON Web Token) validation with JWKS (JSON Web Key Set) caching support.
//!
//! This library is designed for validating JWTs issued by Kubernetes, Okta, or other OpenID Connect
//! providers, with built-in support for Kubernetes service account tokens and Okta OAuth2/OIDC tokens.
//!
//! ## Features
//!
//! - JWT signature verification using RSA and Octet keys
//! - Automatic JWKS fetching from OpenID configuration endpoints
//! - Configurable JWKS caching with TTL (Time-To-Live)
//! - Issuer, audience and expiration validation
//! - Kubernetes-specific claims extraction (service account and namespace)
//! - Okta OAuth2/OIDC token validation (access tokens and ID tokens)
//!
//! ## Example
//!
//! ```rust,no_run
//! use mozambigue::{KubernetesJwtVerifier, JwtVerifierConfig, KubernetesExtractor, JwtVerifier, VerifyJwt};
//! use std::time::Duration;
//!
//! #[tokio::main]
//! async fn main() -> Result<(), Box<dyn std::error::Error>> {
//!     // Simple usage with convenience method
//!     let verifier = KubernetesJwtVerifier::with_issuer(
//!         "https://kubernetes.default.svc.cluster.local",
//!         "my-service"
//!     ).await?;
//!
//!     // Or create with custom configuration
//!     let config = JwtVerifierConfig::new(
//!         "https://kubernetes.default.svc.cluster.local",
//!         "my-service"
//!     ).with_cache_ttl(Duration::from_secs(1800)); // 30 minutes
//!
//!     let verifier = JwtVerifier::new(config, KubernetesExtractor).await?;
//!
//!     // Verify a token
//!     let token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...";
//!     let identity = verifier.verify(token).await?;
//!
//!     println!("Service Account: {}", identity.service_account);
//!     println!("Namespace: {}", identity.namespace);
//!
//!     Ok(())
//! }
//! ```

mod claims;
mod config;
mod error;
mod extractor;
mod jwks_cache;
mod verifier;

pub mod providers;

// Re-exports
// Generic infrastructure
pub use claims::StandardClaims;
pub use config::JwtVerifierConfig;
pub use error::Error;
pub use error::Result;
pub use extractor::IdentityExtractor;
pub use verifier::JwtVerifier;
pub use verifier::VerifyJwt;
// Kubernetes
pub use providers::kubernetes::KubernetesClaims;
pub use providers::kubernetes::KubernetesExtractor;
pub use providers::kubernetes::KubernetesIdentity;
pub use providers::kubernetes::KubernetesJwtVerifier;
// Okta
pub use providers::okta::OktaClaims;
pub use providers::okta::OktaExtractor;
pub use providers::okta::OktaIdentity;
pub use providers::okta::OktaJwtVerifier;