/// [Authorizer](crate::authorizer::token_authorizer::Authorizer) is the struct responsible for
/// validating requests and performing JWKS rotation against an authorization server.
///
/// Not intended to be used directly.
/// It only needs to be publicly exposed for custom implementations of [AuthorizerResolver](crate::auth_resolver::AuthorizerResolver).
/// Builder used to construct an [OAuth2ResourceServer](crate::server::OAuth2ResourceServer) instance.
///
/// For further information on the different properties,
/// see [OAuth2ResourceServerBuilder](crate::builder::OAuth2ResourceServerBuilder)
/// and [TenantConfigurationBuilder](crate::tenant::TenantConfigurationBuilder).
///
/// # Example using [DefaultClaims](crate::claims::DefaultClaims)
///
/// ```no_run
/// use tower_oauth2_resource_server::server::OAuth2ResourceServer;
/// use tower_oauth2_resource_server::tenant::TenantConfiguration;
///
/// #[tokio::main]
/// async fn main() {
///     let oauth2_resource_server = <OAuth2ResourceServer>::builder()
///         .add_tenant(
///             TenantConfiguration::builder("https://some-auth-server.com")
///                 .audiences(&["https://some-resource-server.com"])
///                 .build()
///                 .await
///                 .expect("Failed to build tenant configuration"),
///         )
///         .build()
///         .await;
/// }
/// ```
///
/// # Example using custom claims implementation
///
/// ```no_run
/// use serde::{Deserialize, Serialize};
/// use tower_oauth2_resource_server::server::OAuth2ResourceServer;
/// use tower_oauth2_resource_server::tenant::TenantConfiguration;
///
/// #[derive(Clone, Debug, Deserialize, Serialize)]
/// struct MyClaims {
///     pub iss: String,
///     pub scp: Vec<String>,
/// }
///
/// #[tokio::main]
/// async fn main() {
///     let oauth2_resource_server = OAuth2ResourceServer::<MyClaims>::builder()
///         .add_tenant(
///             TenantConfiguration::builder("https://some-auth-server.com")
///                 .audiences(&["https://some-resource-server.com"])
///                 .build()
///                 .await
///                 .expect("Failed to build tenant configuration"),
///         )
///         .build()
///         .await;
/// }
/// ```
/// Default claims implementation.
///
/// Used by default when constructing an [OAuth2ResourceServer](crate::server::OAuth2ResourceServer).
///
/// If you need other claims, you can provide your own struct
/// to [OAuth2ResourceServer](crate::server::OAuth2ResourceServer) as a
/// generic parameter.
/// The actual tower middleware
///
/// Contains implementations of [Service](https://docs.rs/tower/latest/tower/trait.Service.html)
/// and [Layer](https://docs.rs/tower/latest/tower/trait.Layer.html)
/// from the tower library.
///
/// You shouldn't need to interact with these implementations beyond
/// calling [OAuth2ResourceServer::into_layer()](crate::server::OAuth2ResourceServer::into_layer).
/// [OAuth2ResourceServer](crate::server::OAuth2ResourceServer) is
/// what underpins the tower middleware, and actually performs
/// JWT validation.
///
/// In addition, it queries and maintains a state of public
/// keys used by the external authorization server.
///
/// It's recommended to keep a single instance of this in
/// an [Arc](https://doc.rust-lang.org/std/sync/struct.Arc.html)
/// and provide references to it to the different routes
/// where JWT validation is needed.
/// [ClaimsValidationSpec](crate::validation::ClaimsValidationSpec) is used to
/// optionally customize which claims are required in incoming JWTs.
///
/// Provided when constructing an [OAuth2ResourceServer](crate::server::OAuth2ResourceServer)
/// via [claims_validation_spec](crate::tenant::TenantConfiguration::claims_validation_spec).
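As an added example, and not the crate's own code, the following standalone Rust models the kind of checks a claims validation spec expresses: exact issuer match, audience overlap, expiry and not-before with a bounded clock-skew leeway. The crate's real `ClaimsValidationSpec` API is not shown on this page, so the names `Claims`, `ClaimsSpec`, `ClaimsError` and `validate` are assumptions made for the illustration; the sample issuer and audience values reuse the placeholders from the builder examples above.

```rust
// Added example (not the crate's code): a standalone model of claims validation.
// All type and method names here are assumptions for illustration only.

/// The registered claims this example validates. In a real deployment these are
/// deserialized from the JWT payload only after the signature has been verified.
#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: Option<String>,
    pub aud: Vec<String>,
    pub exp: Option<u64>, // seconds since the Unix epoch
    pub nbf: Option<u64>,
}

/// What this resource server requires of an incoming token.
#[derive(Debug, Clone)]
pub struct ClaimsSpec {
    pub issuer: String,
    pub audiences: Vec<String>,
    pub require_exp: bool,
    pub leeway_secs: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ClaimsError {
    MissingIssuer,
    IssuerMismatch,
    MissingAudience,
    AudienceMismatch,
    MissingExpiry,
    Expired,
    NotYetValid,
}

impl ClaimsSpec {
    /// Validates `claims` against the spec at time `now` (Unix seconds).
    /// Checks run in a fixed order and the first failure is returned.
    pub fn validate(&self, claims: &Claims, now: u64) -> Result<(), ClaimsError> {
        // iss: exact string comparison, no normalisation, so a trailing slash matters.
        match &claims.iss {
            None => return Err(ClaimsError::MissingIssuer),
            Some(iss) if iss != &self.issuer => return Err(ClaimsError::IssuerMismatch),
            _ => {}
        }
        // aud: the token must name at least one audience this server accepts.
        if claims.aud.is_empty() {
            return Err(ClaimsError::MissingAudience);
        }
        if !claims.aud.iter().any(|a| self.audiences.contains(a)) {
            return Err(ClaimsError::AudienceMismatch);
        }
        // exp: reject expired tokens, tolerating a small clock skew.
        match claims.exp {
            None if self.require_exp => return Err(ClaimsError::MissingExpiry),
            Some(exp) if now > exp.saturating_add(self.leeway_secs) => {
                return Err(ClaimsError::Expired)
            }
            _ => {}
        }
        // nbf: reject tokens that are not yet valid, with the same leeway.
        if let Some(nbf) = claims.nbf {
            if now.saturating_add(self.leeway_secs) < nbf {
                return Err(ClaimsError::NotYetValid);
            }
        }
        Ok(())
    }
}

/// Constructed sample spec: the placeholder issuer and audience from the builder examples.
pub fn sample_spec() -> ClaimsSpec {
    ClaimsSpec {
        issuer: "https://some-auth-server.com".to_string(),
        audiences: vec!["https://some-resource-server.com".to_string()],
        require_exp: true,
        leeway_secs: 30,
    }
}

/// Constructed sample claims: valid between 1_699_999_000 and 1_700_003_600.
pub fn sample_claims() -> Claims {
    Claims {
        iss: Some("https://some-auth-server.com".to_string()),
        aud: vec!["https://some-resource-server.com".to_string()],
        exp: Some(1_700_003_600),
        nbf: Some(1_699_999_000),
    }
}

fn main() {
    let spec = sample_spec();
    let claims = sample_claims();
    println!("at issue time: {:?}", spec.validate(&claims, 1_700_000_000));
    println!("after expiry:  {:?}", spec.validate(&claims, 1_700_003_700));
}
```

The leeway is applied symmetrically and only once per bound; keeping it small (tens of seconds) limits how long a revoked or replayed token stays usable, which is why the default in this model is not larger.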
/// [AuthorizerResolver](crate::auth_resolver::AuthorizerResolver) is used to
/// decide which [Authorizer](crate::authorizer::token_authorizer::Authorizer) will
/// validate a request.
///
/// By default, either [SingleAuthorizerResolver](crate::auth_resolver::SingleAuthorizerResolver)
/// or [IssuerAuthorizerResolver](crate::auth_resolver::IssuerAuthorizerResolver) will be used.
///
/// You can also provide your own implementation of [AuthorizerResolver](crate::auth_resolver::AuthorizerResolver)
/// to customize the behavior.
/// [UnverifiedJwt](crate::jwt_unverified::UnverifiedJwt) is used internally
/// to represent an unverified JWT.
///
/// May be accessed in a custom [AuthorizerResolver](crate::auth_resolver::AuthorizerResolver)
/// to make decisions based on JWT claims or header.
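The two passages above (resolver selection and the unverified JWT it inspects) are illustrated by the following added example, which is not the crate's code and does not implement its `AuthorizerResolver` or `UnverifiedJwt` types. It shows issuer-based resolution the way an `IssuerAuthorizerResolver` would do it: split the compact JWS, decode the payload without checking the signature, read `iss`, and look it up in a tenant table. The names `TenantAuthorizer`, `IssuerResolver`, `ResolveError`, `sample_token` and the base64url helpers are assumptions, and the JSON member lookup is a deliberate simplification in place of serde. The security point is in the comments: the unverified `iss` only chooses which tenant's keys must verify the token; it proves nothing by itself, and an unknown issuer is rejected before any key is consulted.

```rust
// Added example (not the crate's code): issuer-based resolution of a tenant
// authorizer from an UNVERIFIED JWT. The `iss` claim is read before any
// signature check, so it may only pick which tenant's keys will verify the
// token, never stand in for verification. All names here are assumptions.
use std::collections::HashMap;

const B64URL: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// base64url (RFC 4648 section 5) without padding, as JWTs use it.
pub fn b64url_encode(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let b1 = *chunk.get(1).unwrap_or(&0);
        let b2 = *chunk.get(2).unwrap_or(&0);
        let n = ((chunk[0] as u32) << 16) | ((b1 as u32) << 8) | b2 as u32;
        out.push(B64URL[(n >> 18) as usize & 63] as char);
        out.push(B64URL[(n >> 12) as usize & 63] as char);
        if chunk.len() > 1 { out.push(B64URL[(n >> 6) as usize & 63] as char); }
        if chunk.len() > 2 { out.push(B64URL[n as usize & 63] as char); }
    }
    out
}

/// Decodes unpadded base64url; None on any byte outside the alphabet.
pub fn b64url_decode(input: &str) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1; // keep only the unconsumed low bits
        }
    }
    // A length of 4k+1 characters can never encode whole bytes.
    if bits == 6 { return None; }
    Some(out)
}

/// Naive lookup of a string-valued top-level member; ignores JSON escapes and
/// nesting. Real code deserializes the payload with serde instead.
fn json_string_member(json: &str, key: &str) -> Option<String> {
    let needle = format!("\"{}\":\"", key);
    let start = json.find(&needle)? + needle.len();
    let len = json[start..].find('"')?;
    Some(json[start..start + len].to_string())
}

/// Per-tenant verifier; only the fields this example needs.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TenantAuthorizer { pub issuer: String, pub jwks_uri: String }

#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError { MalformedToken, MissingIssuer, UnknownIssuer(String) }

pub struct IssuerResolver { tenants: HashMap<String, TenantAuthorizer> }

impl IssuerResolver {
    pub fn new(tenants: Vec<TenantAuthorizer>) -> Self {
        Self { tenants: tenants.into_iter().map(|t| (t.issuer.clone(), t)).collect() }
    }

    /// Splits the compact JWS, decodes the payload WITHOUT verifying the signature,
    /// and looks `iss` up in the tenant table. An unknown issuer is rejected here;
    /// a known one only selects the authorizer that must still verify the signature.
    pub fn resolve(&self, token: &str) -> Result<&TenantAuthorizer, ResolveError> {
        let mut parts = token.split('.');
        let (_header, payload, signature) = (parts.next(), parts.next(), parts.next());
        let payload = match (payload, signature, parts.next()) {
            (Some(p), Some(s), None) if !s.is_empty() => p,
            _ => return Err(ResolveError::MalformedToken),
        };
        let raw = b64url_decode(payload).ok_or(ResolveError::MalformedToken)?;
        let json = String::from_utf8(raw).map_err(|_| ResolveError::MalformedToken)?;
        let iss = json_string_member(&json, "iss").ok_or(ResolveError::MissingIssuer)?;
        self.tenants.get(&iss).ok_or(ResolveError::UnknownIssuer(iss))
    }
}

/// Constructed, UNSIGNED sample token for the given issuer. The signature segment
/// is a placeholder, which is exactly why resolution must not be mistaken for verification.
pub fn sample_token(issuer: &str) -> String {
    let header = b64url_encode(br#"{"alg":"RS256","kid":"example-key"}"#);
    let body = format!(r#"{{"iss":"{}","aud":"https://some-resource-server.com"}}"#, issuer);
    format!("{}.{}.{}", header, b64url_encode(body.as_bytes()), b64url_encode(b"placeholder-signature"))
}

fn main() {
    let resolver = IssuerResolver::new(vec![TenantAuthorizer {
        issuer: "https://some-auth-server.com".to_string(),
        jwks_uri: "https://some-auth-server.com/.well-known/jwks.json".to_string(),
    }]);
    println!("{:?}", resolver.resolve(&sample_token("https://some-auth-server.com")));
    println!("{:?}", resolver.resolve(&sample_token("https://other-issuer.example")));
}
```

Because `resolve` returns a reference into the tenant table, the tenant's own `issuer` is what the later claims check compares against, so a token whose signature verifies under tenant A's keys but carries tenant B's issuer cannot pass both steps.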
/// [TenantConfiguration](crate::tenant::TenantConfiguration) is used to
/// configure the interaction with and validation strategy against an authorization server.
///
/// Provided when constructing an [OAuth2ResourceServer](crate::server::OAuth2ResourceServer)
/// via [add_tenant](crate::builder::OAuth2ResourceServerBuilder::add_tenant).
/// [ErrorHandler](crate::error_handler::ErrorHandler) is used to produce an HTTP response
/// on authentication error.
///
/// A custom implementation may be provided by using [into_layer_with_error_handler](crate::server::OAuth2ResourceServer::into_layer_with_error_handler).
///
/// If no implementation is provided, [DefaultErrorHandler](crate::error_handler::DefaultErrorHandler)
/// will be used.
/// Error types
/// [BearerTokenResolver](crate::jwt_resolver::BearerTokenResolver) is used to extract JWTs from HTTP requests.
///
/// The default implementation [DefaultBearerTokenResolver](crate::jwt_resolver::DefaultBearerTokenResolver)
/// extracts tokens from the Authorization header with the "Bearer" prefix.
///
/// You can provide a custom implementation to extract tokens from different headers,
/// query parameters, etc.
///
/// Custom implementations may be provided via [bearer_token_resolver](crate::builder::OAuth2ResourceServerBuilder::bearer_token_resolver).
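As an added example, and not the crate's code nor an implementation of its `BearerTokenResolver` trait (whose signature is not shown on this page), the standalone Rust below shows the parsing a resolver for the `Authorization: Bearer` header should perform per RFC 6750: case-insensitive scheme match, exactly one credential, and rejection of anything outside the `b64token` alphabet. `BearerError`, `extract_bearer` and `resolve_from_headers` are names chosen for the illustration, and the header list in `main` is constructed.

```rust
// Added example (not the crate's code): strict bearer-token extraction in the
// spirit of DefaultBearerTokenResolver. Names here are assumptions.

/// Why an Authorization header value was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum BearerError {
    /// Header absent or blank.
    Missing,
    /// Scheme is not "Bearer" (schemes compare case-insensitively, RFC 7235).
    WrongScheme,
    /// Empty credential, embedded whitespace, or a byte outside b64token.
    MalformedToken,
}

/// RFC 6750 b64token alphabet: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", plus "=".
fn is_b64token_byte(c: u8) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, b'-' | b'.' | b'_' | b'~' | b'+' | b'/' | b'=')
}

/// Extracts the credential from an `Authorization: Bearer <token>` header value.
pub fn extract_bearer<'a>(header: Option<&'a str>) -> Result<&'a str, BearerError> {
    let value = header
        .map(str::trim)
        .filter(|v| !v.is_empty())
        .ok_or(BearerError::Missing)?;
    // "<scheme> <credentials>": split on the first run of whitespace.
    let (scheme, token) = match value.split_once(|c: char| c.is_ascii_whitespace()) {
        Some((s, rest)) => (s, rest.trim_start()),
        None => (value, ""),
    };
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return Err(BearerError::WrongScheme);
    }
    // Exactly one credential: any whitespace inside it fails the alphabet check.
    if token.is_empty() || !token.bytes().all(is_b64token_byte) {
        return Err(BearerError::MalformedToken);
    }
    // "=" padding is only allowed at the end, and there must be something before it.
    let core = token.trim_end_matches('=');
    if core.is_empty() || core.contains('=') {
        return Err(BearerError::MalformedToken);
    }
    Ok(token)
}

/// Finds the first `Authorization` header (names are case-insensitive in HTTP)
/// in a list of (name, value) pairs and extracts its bearer token.
pub fn resolve_from_headers<'a>(headers: &[(&'a str, &'a str)]) -> Result<&'a str, BearerError> {
    let value = headers
        .iter()
        .find(|(name, _)| name.eq_ignore_ascii_case("authorization"))
        .map(|(_, v)| *v);
    extract_bearer(value)
}

fn main() {
    // Constructed request headers.
    let headers = [("Content-Type", "application/json"), ("authorization", "Bearer eyJhbGciOi.payload.sig")];
    println!("{:?}", resolve_from_headers(&headers));
    println!("{:?}", extract_bearer(Some("Basic dXNlcjpwYXNz")));
    println!("{:?}", extract_bearer(Some("Bearer one two")));
}
```

Rejecting malformed values here, rather than handing them to the JWT decoder, keeps every failure on the same path: the middleware's error handler answers with the 401 it would produce for a missing token, and the decoder only ever sees syntactically plausible input.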