Crate helios_auth

helios-auth — Authentication and Authorization for the Helios FHIR Server

This crate provides SMART Backend Services authentication via JWT/JWKS validation, SMART v2 scope-based authorization, and supporting infrastructure (JTI replay prevention, JWKS key caching, audit event sinks).

Architecture

HFS (the Helios FHIR Server) does not act as an authorization server. Token issuance and client registration remain external (Keycloak, Okta, Auth0, Entra ID, etc.). This crate performs local JWT validation: signature verification, claim checks (issuer, audience, expiry), and JTI replay prevention.

Key Types

Re-exports

pub use config::AuthConfig;
pub use discovery::SmartConfiguration;
pub use error::AuthError;
pub use error::FhirOperation;
pub use jti::DisabledJtiCache;
pub use jti::JtiCache;
pub use jti::memory::InMemoryJtiCache;
pub use jwks::JwksCache;
pub use outbound::NoOpOutboundAuthProvider;
pub use outbound::OutboundAuthProvider;
pub use outbound::StaticBearerOutboundAuthProvider;
pub use outbound::provider_from_token;
pub use policy::SmartScopePolicy;
pub use principal::Principal;
pub use provider::AuthProvider;
pub use provider::jwks_bearer::JwksBearerAuthProvider;
pub use scope::ScopeSet;
pub use scope::SmartPermissions;

Modules

audit
config
discovery
error
jti
jwks
outbound
Outbound authentication for server-to-server HTTP requests.
policy
principal
provider
scope