Expand description
Huskarl provides tools for implementing secure OAuth2 clients in rust.
This library provides several grant implementations, each driven by grant-specific parameters that define how the grant/workflow should progress.
The library also provides a caching layer for token responses; and a HTTP authorizer that can be used to make authenticated requests to resource servers.
§The huskarl ecosystem
This crate is one of three that fit together. Each carries its own how-to guides
and explanation in a _docs module:
huskarl(this crate) —OAuth2clients: grants, token caching, and the request authorizer.huskarl-resource-server— resource servers: access-token validation and request authorization.huskarl-core— the shared foundation the other two build on.
§Conformance and interoperability
Huskarl’s client is verified against the official OpenID conformance
suite. It passes the OpenID Connect Core
Basic client certification plan, plus the FAPI 2.0 Security Profile and
Message Signing client plans — these adding private_key_jwt client
authentication, DPoP sender-constrained tokens, and signed authorization
requests (JAR). The grants are additionally run end-to-end against real
authorization servers — Keycloak, Dex, node-oidc-provider, and Okta — in CI.
See the repository for the full provider
matrix and conformance plans.
§Grants
Each grant is driven by grant-specific parameters and exchanges them for a token
at the token endpoint. The simplest need only an exchange call; the workflow
grants add interactive steps first. Each has a how-to guide with
setup and a worked example.
ClientCredentialsGrant— RFC 6749 §4.4RefreshGrant— RFC 6749 §6AuthorizationCodeGrant— RFC 6749 §4.1DeviceAuthorizationGrant— RFC 8628TokenExchangeGrant— RFC 8693JwtBearerGrant— RFC 7523
Further grants — CIBA, provider-specific flows — can be implemented in this
crate or by external crates. The registration module implements OAuth 2.0
Dynamic Client Registration (RFC 7591).
§Guides and explanation
The API items in this crate are the reference documentation. For
task-oriented how-to guides — setting up each grant, choosing client
authentication, sender-constraining
tokens with DPoP, caching tokens, and making
authenticated requests — and design explanation (error handling, sharing a
refresh token store, refresh timing), see the _docs module.
Most applications wrap a grant in an
InMemoryTokenCache and an
HttpAuthorizer for the request path; every
operation returns the one concrete Error type, which embeds
in your own error enum. See caching tokens and wiring an
authorizer and error
handling.
Modules§
- _docs
docsrs - Extended documentation: a tutorial, how-to guides, and explanation.
- authorizer
- Authorizer for
OAuth2grants. - cache
- Token sources and caching for
OAuth2tokens. - core
- The foundational traits and types for the huskarl
OAuth2ecosystem. - grant
OAuth2grant type implementations.- prelude
- Anonymous trait imports that make the crate’s method syntax work.
- registration
- OAuth 2.0 Dynamic Client Registration (RFC 7591).
- revocation
- Token revocation (RFC 7009).
- token
OAuth2and OIDC tokens.- userinfo
OpenIDConnectUserInfoendpoint (OIDC Core §5.3).
Structs§
- Default
JwsVerifier Platform - A type-erased wrapper around a
core::crypto::verifier::JwsVerifierPlatformfor use as a feature-gated default.