Expand description
§OAuth2 library for resource servers.
A resource server has two jobs: validate the access token presented with a request, and decide whether that token authorizes the request.
This crate does the first. A validator verifies the token
(signature/introspection, expiry, audience, and any sender-constraint
binding) and returns a ValidatedRequest
carrying its claims — from which your application makes the second decision.
When validation fails, rejection turns the failure into the matching
response: status code, WWW-Authenticate challenges, and DPoP-Nonce.
§The huskarl ecosystem
This crate is one of three that fit together. Each carries its own how-to
guides and explanation in a _docs module:
huskarl—OAuth2clients: grants, token caching, and the request authorizer.huskarl-resource-server(this crate) — resource servers: access-token validation and request authorization.huskarl-core— the shared foundation the other two build on.
§Example with RFC 9068 token validation:
use std::sync::Arc;
use huskarl_resource_server::{
core::{http::HttpClient, jwk::JwksSource},
validator::rfc9068::Rfc9068Validator,
};
let validator = Rfc9068Validator::builder()
.issuer("https://issuer")
.audience("audience")
.jws_verifier_factory(Arc::new(
JwksSource::builder().http_client(http_client).build(),
))
.build()
.await?;§Guides and explanation
The API items here are the reference docs. For task-oriented how-to guides
(validating RFC 9068, custom, introspection, and multi-issuer tokens, plus
DPoP enforcement) and design explanation (choosing a validator, how
multi-issuer routing stays safe), see the _docs module.
Modules§
- _docs
docsrs - Extended documentation: explanation and how-to guides.
- core
- The foundational traits and types for the huskarl
OAuth2ecosystem. - error
- RFC 6750 attribute-based error types and traits for resource server responses.
- introspection
- Low-level RFC 7662 token introspection call.
- prelude
- Anonymous trait imports that make the crate’s method syntax work.
- rejection
- Turning a validation failure into an HTTP rejection response.
- validator
- Access token validation: the
AccessTokenValidatortrait and ready-made implementations of it.
Structs§
- Default
JwsVerifier Platform - The platform default
core::crypto::verifier::JwsVerifierPlatformimplementation.