systemprompt-oauth 0.3.1

OAuth 2.0 / OIDC with PKCE, token introspection, and audience/issuer validation for systemprompt.io AI governance infrastructure. WebAuthn and JWT auth for the MCP governance pipeline.
use anyhow::{Result, anyhow};
use chrono::Utc;
use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};
use systemprompt_models::auth::JwtAudience;

use crate::models::JwtClaims;

/// Decodes an HS256-signed JWT and returns its claims once every check passes.
///
/// Checks applied, in order:
/// - signature, using `jwt_secret` as the HMAC key; the algorithm is pinned to
///   HS256 here rather than read from the token header, so the token cannot
///   select a different scheme;
/// - `iss` must equal `issuer`;
/// - `aud` must match one of `audiences` (NOTE(review): with an empty slice
///   there is no acceptable value, which presumably rejects every token —
///   fail closed; confirm against the jsonwebtoken version in use);
/// - `exp` must not be earlier than the current Unix timestamp, checked
///   explicitly below in addition to whatever expiry handling `Validation`
///   itself performs.
///
/// # Errors
/// Returns an error prefixed `JWT validation failed:` when decoding or any
/// library-side check fails, and `Token has expired` when the explicit
/// expiry check fails.
pub fn validate_jwt_token(
    token: &str,
    jwt_secret: &str,
    issuer: &str,
    audiences: &[JwtAudience],
) -> Result<JwtClaims> {
    let accepted_audiences: Vec<&str> = audiences.iter().map(JwtAudience::as_str).collect();

    // Build the rule set once; the algorithm is fixed before any token data is read.
    let rules = {
        let mut v = Validation::new(Algorithm::HS256);
        v.set_issuer(&[issuer]);
        v.set_audience(&accepted_audiences);
        v
    };

    let key = DecodingKey::from_secret(jwt_secret.as_bytes());
    let claims = decode::<JwtClaims>(token, &key, &rules)
        .map_err(|e| anyhow!("JWT validation failed: {e}"))?
        .claims;

    // Explicit expiry check with no leeway. NOTE(review): `Validation::new` is
    // believed to apply a default clock-skew leeway to `exp`; this check applies
    // none, so the stricter policy wins — confirm against the library version.
    if claims.exp < Utc::now().timestamp() {
        return Err(anyhow!("Token has expired"));
    }

    Ok(claims)
}