Skip to main content

Crate huskarl_resource_server

Crate huskarl_resource_server 

Source
Expand description

§OAuth2 library for resource servers.

A resource server has two jobs: validate the access token presented with a request, and decide whether that token authorizes the request.

This crate does the first. A validator verifies the token (signature/introspection, expiry, audience, and any sender-constraint binding) and returns a ValidatedRequest carrying its claims — from which your application makes the second decision. When validation fails, rejection turns the failure into the matching response: status code, WWW-Authenticate challenges, and DPoP-Nonce.

§The huskarl ecosystem

This crate is one of three that fit together. Each carries its own how-to guides and explanation in a _docs module:

  • huskarlOAuth2 clients: grants, token caching, and the request authorizer.
  • huskarl-resource-server (this crate) — resource servers: access-token validation and request authorization.
  • huskarl-core — the shared foundation the other two build on.

§Example with RFC 9068 token validation:

use std::sync::Arc;

use huskarl_resource_server::{
    core::{http::HttpClient, jwk::JwksSource},
    validator::rfc9068::Rfc9068Validator,
};

let validator = Rfc9068Validator::builder()
    .issuer("https://issuer")
    .audience("audience")
    .jws_verifier_factory(Arc::new(
        JwksSource::builder().http_client(http_client).build(),
    ))
    .build()
    .await?;

§Guides and explanation

The API items here are the reference docs. For task-oriented how-to guides (validating RFC 9068, custom, introspection, and multi-issuer tokens, plus DPoP enforcement) and design explanation (choosing a validator, how multi-issuer routing stays safe), see the _docs module.

Modules§

_docsdocsrs
Extended documentation: explanation and how-to guides.
core
The foundational traits and types for the huskarl OAuth2 ecosystem.
error
RFC 6750 attribute-based error types and traits for resource server responses.
introspection
Low-level RFC 7662 token introspection call.
prelude
Anonymous trait imports that make the crate’s method syntax work.
rejection
Turning a validation failure into an HTTP rejection response.
validator
Access token validation: the AccessTokenValidator trait and ready-made implementations of it.

Structs§

DefaultJwsVerifierPlatform
The platform default core::crypto::verifier::JwsVerifierPlatform implementation.