Skip to main content

Crate huskarl

Crate huskarl 

Source
Expand description

Huskarl provides tools for implementing secure OAuth2 clients in rust.

This library provides several grant implementations, each driven by grant-specific parameters that define how the grant/workflow should progress.

The library also provides a caching layer for token responses; and a HTTP authorizer that can be used to make authenticated requests to resource servers.

§The huskarl ecosystem

This crate is one of three that fit together. Each carries its own how-to guides and explanation in a _docs module:

  • huskarl (this crate) — OAuth2 clients: grants, token caching, and the request authorizer.
  • huskarl-resource-serverresource servers: access-token validation and request authorization.
  • huskarl-core — the shared foundation the other two build on.

§Conformance and interoperability

Huskarl’s client is verified against the official OpenID conformance suite. It passes the OpenID Connect Core Basic client certification plan, plus the FAPI 2.0 Security Profile and Message Signing client plans — these adding private_key_jwt client authentication, DPoP sender-constrained tokens, and signed authorization requests (JAR). The grants are additionally run end-to-end against real authorization servers — Keycloak, Dex, node-oidc-provider, and Okta — in CI. See the repository for the full provider matrix and conformance plans.

§Grants

Each grant is driven by grant-specific parameters and exchanges them for a token at the token endpoint. The simplest need only an exchange call; the workflow grants add interactive steps first. Each has a how-to guide with setup and a worked example.

Further grants — CIBA, provider-specific flows — can be implemented in this crate or by external crates. The registration module implements OAuth 2.0 Dynamic Client Registration (RFC 7591).

§Guides and explanation

The API items in this crate are the reference documentation. For task-oriented how-to guides — setting up each grant, choosing client authentication, sender-constraining tokens with DPoP, caching tokens, and making authenticated requests — and design explanation (error handling, sharing a refresh token store, refresh timing), see the _docs module.

Most applications wrap a grant in an InMemoryTokenCache and an HttpAuthorizer for the request path; every operation returns the one concrete Error type, which embeds in your own error enum. See caching tokens and wiring an authorizer and error handling.

Modules§

_docsdocsrs
Extended documentation: a tutorial, how-to guides, and explanation.
authorizer
Authorizer for OAuth2 grants.
cache
Token sources and caching for OAuth2 tokens.
core
The foundational traits and types for the huskarl OAuth2 ecosystem.
grant
OAuth2 grant type implementations.
prelude
Anonymous trait imports that make the crate’s method syntax work.
registration
OAuth 2.0 Dynamic Client Registration (RFC 7591).
revocation
Token revocation (RFC 7009).
token
OAuth2 and OIDC tokens.
userinfo
OpenID Connect UserInfo endpoint (OIDC Core §5.3).

Structs§

DefaultJwsVerifierPlatform
A type-erased wrapper around a core::crypto::verifier::JwsVerifierPlatform for use as a feature-gated default.