mozambigue 0.1.1

JWT validation library with JWKS caching for Kubernetes service account tokens
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

# Mozambigue

A generic, extensible Rust library for JWT (JSON Web Token) validation with JWKS (JSON Web Key Set) caching support.

**Designed for flexibility:** Mozambigue provides a trait-based architecture that makes it easy to add support for different JWT providers while maintaining type safety and zero serialization overhead.

## Features

- **Generic architecture** - Trait-based system supporting multiple JWT providers
-**Zero serialization overhead** - Direct field access via `StandardClaims` trait
- ✅ JWT signature verification (RSA and Octet keys)
- ✅ Automatic JWKS fetching from OpenID configuration endpoints
- ✅ Configurable JWKS caching with TTL
-**Secure audience validation** - Validates against configured expected audiences
- ✅ Issuer and expiration validation

### Currently Supported Providers

- **Kubernetes** - Service account token validation with namespace and service account extraction

### Ready to Add

The architecture is ready for additional providers:
- Standard OIDC (email, name, profile)
- Auth0 (roles, permissions, metadata)
- Google Sign-In
- Azure AD / Entra ID
- Keycloak (realm roles, client roles)
- Any custom OIDC provider

## Installation

Add this to your `Cargo.toml`:

```toml
[dependencies]
mozambigue = "0.1"
```

## Quick Start

### Kubernetes Service Account Tokens

```rust
use mozambigue::{KubernetesJwtVerifier, VerifyJwt};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Simple usage - one line setup
    let verifier = KubernetesJwtVerifier::with_issuer(
        "https://kubernetes.default.svc.cluster.local",
        "my-service"
    ).await?;

    // Verify a token
    let token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...";
    let identity = verifier.verify(token).await?;

    println!("Service Account: {}", identity.service_account);
    println!("Namespace: {}", identity.namespace);

    Ok(())
}
```

### Generic Usage (Custom Provider)

```rust
use mozambigue::{
    JwtVerifier,
    JwtVerifierConfig,
    IdentityExtractor,
    StandardClaims,
};
use serde::Deserialize;

// 1. Define your claims structure
#[derive(Deserialize)]
struct MyClaims {
    iss: String,
    sub: String,
    aud: Vec<String>,
    exp: i64,
    custom_field: String,
}

// 2. Implement StandardClaims
impl StandardClaims for MyClaims {
    fn iss(&self) -> &str { &self.iss }
    fn sub(&self) -> &str { &self.sub }
    fn aud(&self) -> &[String] { &self.aud }
    fn exp(&self) -> i64 { self.exp }
}

// 3. Define your identity type
struct MyIdentity {
    user_id: String,
    custom_data: String,
}

// 4. Create your extractor
struct MyExtractor;

impl IdentityExtractor for MyExtractor {
    type Claims = MyClaims;
    type Identity = MyIdentity;

    fn extract_identity(&self, claims: &Self::Claims)
        -> mozambigue::Result<Self::Identity>
    {
        Ok(MyIdentity {
            user_id: claims.sub.clone(),
            custom_data: claims.custom_field.clone(),
        })
    }
}

// 5. Use it!
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let config = JwtVerifierConfig::new(
        "https://my-issuer.example.com",
        "my-audience"
    );

    let verifier = JwtVerifier::new(config, MyExtractor).await?;
    let identity = verifier.verify("token").await?;

    println!("User: {}", identity.user_id);
    Ok(())
}
```

## Architecture

### Provider-Based Structure

```
mozambigue/
├── Generic Infrastructure
│   ├── JwtVerifier<E>       - Generic verifier
│   ├── IdentityExtractor    - Trait for extractors
│   ├── StandardClaims       - Trait for claims access
│   └── VerifyJwt            - Verification trait
│
└── providers/
    └── kubernetes/          - Kubernetes implementation
        ├── KubernetesClaims
        ├── KubernetesIdentity
        ├── KubernetesExtractor
        └── KubernetesJwtVerifier
```

### How It Works

1. **Token Parsing**: Parse JWT to extract issuer (without validation)
2. **JWKS Fetching**: Fetch JWKS from `{issuer}/.well-known/openid-configuration` (cached)
3. **Signature Verification**: Verify signature using key from JWKS
4. **Claims Validation**: Validate issuer, expiration, and audience
5. **Identity Extraction**: Provider-specific extraction via `IdentityExtractor` trait

## Examples

### Kubernetes: Custom Configuration

```rust
use mozambigue::{KubernetesJwtVerifier, JwtVerifierConfig, KubernetesExtractor};
use std::time::Duration;

let config = JwtVerifierConfig::new(
    "https://kubernetes.default.svc.cluster.local",
    "my-service"
)
.with_cache_ttl(Duration::from_secs(1800)); // 30 minutes

let verifier = JwtVerifier::new(config, KubernetesExtractor).await?;
let identity = verifier.verify(token).await?;
```

### Multiple Audiences

```rust
use mozambigue::JwtVerifierConfig;

let config = JwtVerifierConfig::new_with_audiences(
    "https://your-issuer.example.com",
    vec!["service-a".to_string(), "service-b".to_string()]
)?
.with_cache_ttl(Duration::from_secs(3600));

let verifier = JwtVerifier::new(config, KubernetesExtractor).await?;
```

### Custom HTTP Client

```rust
let custom_client = reqwest::Client::builder()
    .timeout(Duration::from_secs(10))
    .build()?;

let config = JwtVerifierConfig::new(
    "https://your-issuer.example.com",
    "my-service"
)
.with_http_client(custom_client);

let verifier = JwtVerifier::new(config, KubernetesExtractor).await?;
```

### Using Explicit Provider Path

```rust
use mozambigue::JwtVerifier;
use mozambigue::providers::kubernetes::{
    KubernetesExtractor,
    KubernetesIdentity,
};

let verifier = JwtVerifier::new(config, KubernetesExtractor).await?;
let identity: KubernetesIdentity = verifier.verify(token).await?;
```

## JWKS Caching

Efficient caching reduces network calls:

- Configurable TTL (default: 1 hour)
- Automatic cache expiration
- Thread-safe with `Arc<RwLock<HashMap>>`
- Per-issuer caching

## Implementing Custom Providers

Want to add support for Auth0, Google, or your custom OIDC provider? It's easy:

1. **Define your claims structure** with provider-specific fields
2. **Implement `StandardClaims`** for standard field access
3. **Define your identity type** with extracted information
4. **Implement `IdentityExtractor`** with your extraction logic

See the [Kubernetes provider](src/providers/kubernetes.rs) for a complete example.

## Examples

See the [examples](examples/) directory:

```bash
cargo run --example basic_usage
```

## License

Licensed under either of:

- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.