systemprompt-oauth 0.7.0

OAuth 2.0 / OIDC with PKCE, token introspection, and audience/issuer validation for systemprompt.io AI governance infrastructure. WebAuthn and JWT auth for the MCP governance pipeline.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

//! # systemprompt-oauth
//!
//! OAuth 2.0 / OIDC, `WebAuthn`, and JWT authentication primitives for the
//! systemprompt.io AI governance platform. The crate provides:
//!
//! - **OAuth 2.0 / OIDC** — PKCE authorization code flow, dynamic client
//!   registration, refresh-token rotation, and audience/issuer validation.
//! - **`WebAuthn`** — passkey registration and authentication backed by
//!   `webauthn-rs`.
//! - **JWT** — admin and anonymous-session token generation, signing and
//!   validation utilities.
//! - **CIMD** — Client-Initiated Metadata Discovery validation for federated
//!   OAuth clients.
//! - **Repositories** — `sqlx`-backed Postgres persistence for clients,
//!   authorisation codes, refresh tokens, setup tokens and `WebAuthn`
//!   credentials.
//!
//! ## Feature flags
//!
//! | Feature | Default | Effect |
//! |---------|---------|--------|
//! | _none_  | n/a     | The crate currently exposes a single feature surface; all OAuth, `WebAuthn`, JWT and CIMD modules are always compiled. |
//!
//! No optional feature flags are defined at present. The
//! `[package.metadata.docs.rs] all-features = true` setting is retained so
//! future feature additions automatically appear in published docs.
//!
//! ## Layering
//!
//! `systemprompt-oauth` is a **domain** crate. It depends only on
//! `shared` and `infra` crates and is consumed by `app` and `entry`
//! layers (HTTP handlers, CLI commands).
//!
//! ## Errors
//!
//! Public APIs return [`OauthResult`] / [`OauthError`]. Variants enumerate
//! the security-meaningful failure modes (invalid grant, expired code,
//! PKCE mismatch, client not found, etc.) so HTTP handlers can map them
//! to RFC 6749 / RFC 8628 / `WebAuthn` error codes without string parsing.

pub mod constants;
pub mod error;
pub(crate) mod extension;
pub mod models;
pub(crate) mod queries;
pub mod repository;
pub mod services;
pub(crate) mod state;

pub use error::{OauthError, OauthResult};
pub use extension::OauthExtension;

pub use models::*;
pub use repository::OAuthRepository;
pub use services::providers::JwtValidationProviderImpl;
pub use services::validation::jwt::validate_jwt_token;
pub use services::{
    AnonymousSessionInfo, CreateAnonymousSessionInput, SessionCreationError,
    SessionCreationService, TemplateEngine, TokenValidator, extract_bearer_token,
    extract_cookie_token, is_browser_request,
};

pub use state::OAuthState;
pub use systemprompt_models::auth::{AuthError, AuthenticatedUser, BEARER_PREFIX};