secure_identity
Authentication building blocks: JWT validation, JWKS, OIDC (PKCE), API keys, sessions, MFA/TOTP, biometric step-up, and passwordless flows. Part of the SunLit Security Libraries workspace.
When to reach for this crate
- You're integrating an OIDC provider and want PKCE-first authorization-code flow with cached JWKS.
- You need MFA/TOTP with replay defense and clock-skew tolerance.
- You need API key issuance/validation that survives a key-leak audit.
- You want biometric step-up + device-binding (MASVS-AUTH-2/3).
- You want a production-safe boot check that refuses to start a service which has a
DevAuthenticatorregistered inAPP_ENV=production.
Output is a security_core::identity::AuthenticatedIdentity, which secure_authz consumes to make policy decisions.
Install
[]
= "0.1.2"
# OIDC (PKCE) flows:
# secure_identity = { version = "0.1.2", features = ["oidc"] }
# Redis-backed sessions:
# secure_identity = { version = "0.1.2", features = ["session-redis"] }
# Biometric / device-binding / step-up:
# secure_identity = { version = "0.1.2", features = ["biometric"] }
Quick example — production boot check
use assert_no_dev_identity_in_production;
What's inside
| Module | Use it for |
|---|---|
authenticator::Authenticator / AuthenticationRequest / TokenKind |
Pluggable authentication entry-point. |
jwks |
JWKS discovery, caching, and RSA/EC signature verification. |
token |
JWT issuance/validation with strict alg enforcement. |
mfa / totp |
TOTP step-up with replay defense and skew tolerance. |
api_key |
API key issuance and constant-time validation. |
session |
Session creation, expiration, and revocation policy. |
session_redis (feature) |
Redis-backed session storage. |
passwordless |
Passwordless authentication helpers. |
oidc (feature) |
OIDC discovery + PKCE auth-code flow via openidconnect. |
biometric / device_binding / step_up (feature) |
Biometric, device-binding, and step-up policy (MASVS-AUTH-2/3). |
boot |
assert_no_dev_identity_in_production startup guard. |
dev |
A DevAuthenticator for tests; production boot guards against this. |
auth_events |
security_events-typed authentication audit events. |
Feature flags
| Flag | Default | Enables |
|---|---|---|
oidc |
off | oidc module — OIDC discovery and PKCE-first authentication via openidconnect + reqwest. |
session-redis |
off | session_redis — Redis-backed session storage. |
biometric |
off | biometric, device_binding, step_up (MASVS-AUTH-2, MASVS-AUTH-3). |
Compatibility
- MSRV: 1.78
#![forbid(unsafe_code)],#![deny(missing_docs)]- Boot-time guard against
DevAuthenticatorreaching production
Status
Alpha.
Related crates
Part of the SunLit Security Libraries workspace:
| Crate | Purpose |
|---|---|
security_core |
Shared types, identity, classification, severity, redaction. |
security_events |
Security logging and tamper-evident audit chain. |
secure_errors |
Three-layer error model with redaction-safe public errors. |
secure_output |
Context-aware output encoders (HTML, JSON, URL, JS, CSS, XML, LDAP, shell). |
secure_data |
Secrets, envelope encryption, Argon2id, FIPS, mobile storage. |
secure_network |
TLS policy, SPKI pinning, mTLS, cleartext detection. |
secure_device_trust |
Native-client device trust and session certificates. |
secure_resilience |
RASP and environment-detection policy. |
secure_privacy |
PII classification, consent, retention, pseudonymization. |
secure_boundary |
Input validation, security headers, boundary protections. |
secure_authz |
Typed deny-by-default authorization with device-trust predicates. |
Getting help
- Questions, ideas, design discussions — open a GitHub Discussion.
- Bug reports — use the bug-report template in GitHub Issues.
- Security issues — please do not open a public issue. See SECURITY.md for the responsible-disclosure process.
Contributing
Contributions are welcome. Please read CONTRIBUTING.md and the Code of Conduct before opening a PR.
License
Dual-licensed under MIT or Apache-2.0 at your option.