

//! # helios-auth — Authentication and Authorization for the Helios FHIR Server
//!
//! This crate provides SMART Backend Services authentication via JWT/JWKS
//! validation, SMART v2 scope-based authorization, and supporting infrastructure
//! (JTI replay prevention, JWKS key caching, audit event sinks).
//!
//! ## Architecture
//!
//! HFS does **not** act as an authorization server. Token issuance and client
//! registration remain external (Keycloak, Okta, Auth0, Entra ID, etc.).
//! This crate performs local JWT validation: signature verification, claim
//! checks (issuer, audience, expiry), and JTI replay prevention.
//!
//! ## Key Types
//!
//! - [`Principal`] — Authenticated identity extracted from a validated JWT
//! - [`ScopeSet`] — Parsed SMART v2 scopes with permission checking
//! - [`AuthProvider`] — Trait for token validation implementations
//! - [`JwksBearerAuthProvider`] — JWKS-based JWT validation
//! - [`SmartScopePolicy`] — Scope-based authorization checks
//! - [`AuthConfig`] — Configuration from environment variables

// Module layout. The primary type(s) of each module are re-exported at the
// crate root below so callers can write `helios_auth::Principal` etc.
pub mod audit; // audit event sinks
pub mod config; // `AuthConfig` — configuration read from environment variables
pub mod discovery; // `SmartConfiguration`
pub mod error; // `AuthError`, `FhirOperation`
pub mod jti; // JTI replay prevention: `JtiCache`, `DisabledJtiCache`, `memory::InMemoryJtiCache`
pub mod jwks; // `JwksCache` — JWKS key caching
pub mod outbound; // outbound (client-side) auth providers
pub mod policy; // `SmartScopePolicy` — scope-based authorization checks
pub mod principal; // `Principal` — identity extracted from a validated JWT
pub mod provider; // `AuthProvider` trait and the `jwks_bearer` implementation
pub mod scope; // `ScopeSet`, `SmartPermissions` — parsed SMART v2 scopes

// Re-export commonly used types
pub use config::AuthConfig;
pub use discovery::SmartConfiguration;
pub use error::{AuthError, FhirOperation};
// Note: `DisabledJtiCache` turns replay prevention off; `InMemoryJtiCache` is
// presumably process-local (name only — confirm), so a multi-instance deployment
// that needs shared replay state should use the feature-gated Redis cache below.
pub use jti::{DisabledJtiCache, JtiCache, memory::InMemoryJtiCache};
pub use jwks::JwksCache;
pub use outbound::{
    NoOpOutboundAuthProvider, OutboundAuthProvider, StaticBearerOutboundAuthProvider,
    provider_from_token,
};
pub use policy::SmartScopePolicy;
pub use principal::Principal;
pub use provider::{AuthProvider, jwks_bearer::JwksBearerAuthProvider};
pub use scope::{ScopeSet, SmartPermissions};

// `RedisJtiCache` exists only when the crate is built with the `redis` cargo
// feature; without it, the JTI caches exported above are the only ones available.
#[cfg(feature = "redis")]
pub use jti::redis::RedisJtiCache;