tower-oauth2-resource-server 0.12.0

Tower middleware that provides JWT authorization against an OpenID Connect (OIDC) Provider
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use std::{marker::PhantomData, sync::Arc};

use serde::de::DeserializeOwned;

use crate::{
    auth_resolver::{AuthorizerResolver, IssuerAuthorizerResolver, SingleAuthorizerResolver},
    error::StartupError,
    jwt_resolver::BearerTokenResolver,
    server::OAuth2ResourceServer,
    tenant::TenantConfiguration,
};

pub struct OAuth2ResourceServerBuilder<Claims> {
    tenant_configurations: Vec<TenantConfiguration>,
    auth_resolver: Option<Arc<dyn AuthorizerResolver<Claims>>>,
    bearer_token_resolver: Option<Arc<dyn BearerTokenResolver + Send + Sync>>,
    phantom: PhantomData<Claims>,
}

impl<Claims> OAuth2ResourceServer<Claims>
where
    Claims: Clone + DeserializeOwned + Send + Sync + 'static,
{
    pub fn builder() -> OAuth2ResourceServerBuilder<Claims> {
        OAuth2ResourceServerBuilder::new()
    }
}

impl<Claims> OAuth2ResourceServerBuilder<Claims> {
    fn new() -> Self {
        OAuth2ResourceServerBuilder::<Claims> {
            tenant_configurations: Vec::new(),
            auth_resolver: None,
            bearer_token_resolver: None,
            phantom: PhantomData,
        }
    }
}

impl<Claims> OAuth2ResourceServerBuilder<Claims>
where
    Claims: Clone + DeserializeOwned + Send + Sync + 'static,
{
    /// Add a tenant (authorization server).
    pub fn add_tenant(mut self, tenant_configuration: TenantConfiguration) -> Self {
        self.tenant_configurations.push(tenant_configuration);
        self
    }

    /// Add multiple tenants (authorization servers).
    pub fn add_tenants(mut self, tenant_configurations: Vec<TenantConfiguration>) -> Self {
        self.tenant_configurations.extend(tenant_configurations);
        self
    }

    /// Provide a custom authorization resolver.
    ///
    /// Only needs to be provided if the default resolver is not sufficient.
    ///
    /// See [AuthorizerResolver] for more information.
    pub fn auth_resolver(mut self, auth_resolver: Arc<dyn AuthorizerResolver<Claims>>) -> Self {
        self.auth_resolver = Some(auth_resolver);
        self
    }

    /// Provide a custom bearer token resolver.
    ///
    /// Only needs to be provided if the default bearer token resolver is not sufficient.
    ///
    /// See [BearerTokenResolver] for more information.
    pub fn bearer_token_resolver(
        mut self,
        bearer_token_resolver: Arc<dyn BearerTokenResolver + Send + Sync>,
    ) -> Self {
        self.bearer_token_resolver = Some(bearer_token_resolver);
        self
    }

    /// Construct an OAuth2ResourceServer.
    ///
    /// During construction the OIDC Provider Configuration endpoint of the
    /// authorization server might be queried.
    /// Thus, the operation can fail and therefore returns a Result.
    pub async fn build(self) -> Result<OAuth2ResourceServer<Claims>, StartupError> {
        if self.tenant_configurations.is_empty() {
            return Err(StartupError::InvalidParameter(
                "At least one TenantConfiguration is required".to_owned(),
            ));
        }
        let num_tenants = self.tenant_configurations.len();
        let auth_resolver = self.auth_resolver.unwrap_or_else(|| {
            if num_tenants == 1 {
                Arc::new(SingleAuthorizerResolver {})
            } else {
                Arc::new(IssuerAuthorizerResolver {})
            }
        });
        OAuth2ResourceServer::new(
            self.tenant_configurations,
            auth_resolver,
            self.bearer_token_resolver,
        )
        .await
    }
}

impl<Claims> Default for OAuth2ResourceServerBuilder<Claims> {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use serde::Deserialize;

    use super::*;

    #[derive(Clone, Debug, Deserialize)]
    struct Claims {}

    #[tokio::test]
    async fn should_require_tenant_configurations() {
        let result = OAuth2ResourceServerBuilder::<Claims>::new().build().await;
        assert!(result.is_err());
        assert_eq!(
            result.unwrap_err(),
            StartupError::InvalidParameter(
                "At least one TenantConfiguration is required".to_owned()
            )
        )
    }
}