rskit-auth — Authentication Helpers
JWT signing/verification, OIDC validation, password hashing, API-key helpers, and request-context auth extractors.
Features
JwtCodec/JwtHeader— rskit-owned JWT encode/decode/header primitives without exposing the underlying JWT libraryJwtService— sign and verify tokens with explicitHS256(internal-only),RS256,ES256, orEdDSAOidcClient— discovery, PKCE, JWKS-backed ID-token validation, and userinfo lookupsPasswordHasher— Argon2id hashing and verificationResetTokenGenerator— short-lived random opaque tokensapikey— prefix lookup + peppered HMAC-SHA-256 digest storage with constant-time compareTokenValidator/TokenGeneratortraits for pluggable backendsBearerAuthLayerandapikey::ApiKeyLayer— Tower middleware with fail-closed defaultsAuthOutcome<C>/AuthClaims<C>— typed request extensions for authenticated and explicitly missing credentials
Usage
[]
= "0.1.0-alpha.1"
use ;
#
#
let hasher = default;
let hash = hasher.hash.unwrap;
assert!;
let jwt = new
.unwrap;
let codec = new
.unwrap;
# let _ = ;
JWT / OIDC policy
- Public-key algorithms are preferred:
RS256,ES256,EdDSA HS256remains available only through the explicitJwtConfig::hs256_internal(...)constructor- Verifiers require
sub,iss,aud,exp,nbf, andiat; issuer and audience configuration must not be blank - OIDC enforces authorization-code flow, exact redirect URIs, state, nonce, and PKCE for public clients
- Request middleware extracts credentials from headers only, rejects missing credentials by default, and requires explicit
accept_missing()for optional authentication BearerAuthLayerreturns a neutralWWW-Authenticate: Bearerchallenge on rejected requests; downstream applications can add app-specific realm/scope policy at their HTTP boundary if needed- Credential-bearing Debug output masks bearer/API keys, key digests, PKCE verifiers, authorization codes, and callback secrets