Crate laravel_iam


§laravel-iam

A thin, fail-closed Rust client for the Laravel IAM authorization server. It speaks the canonical decision protocol (POST {base_url}/decisions/check) and verifies OIDC tokens against the server’s JWKS — mirroring the production PHP client’s wire contract exactly, in idiomatic async Rust.

There is no policy logic on the client: every decision is the server’s. The client only transports the question and the answer, and refuses to invent an “allow”.

§Fail-closed guarantee

A network error, timeout, 5xx, 4xx, malformed body or unverifiable token always becomes a deny — never an allow. Operations return Result<_, IamError>; the ResultExt::is_allowed helper collapses any error into false so a gate cannot accidentally open:

use laravel_iam::{IamClient, DecisionQuery, Subject, ResultExt};
use serde_json::json;

let iam = IamClient::builder()
    .base_url("https://iam.example.com/api/iam/v1")
    .token(std::env::var("IAM_SERVICE_TOKEN")?)
    .build()?;

let decision = iam.check(DecisionQuery {
    subject: Subject::user("usr_123"),
    application: Some("warehouse".into()),
    permission: "stock.adjust".into(),
    resource: Some("wh_milan".into()),
    context: json!({ "amount": 300 }),
    ..Default::default()
}).await;

// `decision` is `Result<Decision, IamError>`; on ANY error this is `false`.
if !decision.is_allowed() {
    // deny — fail-closed
}
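
The collapse rule described above, as an added illustration that is not the crate's own code: it uses only `std` with local stand-in types (`Decision`, `GateError`, `Outcome`, `FailClosed` are hypothetical names), and the `allow`/`deny` body is a placeholder because the page does not show the server's response format. It maps each failure mode listed above to an error, then contrasts the fail-closed collapse with a fail-open gate.

```rust
// Added illustration: local stand-in types, not the laravel_iam crate's own definitions.
#[derive(Debug, PartialEq)]
struct Decision { allowed: bool }

#[derive(Debug, PartialEq)]
enum GateError { Transport, Timeout, Status(u16), MalformedBody }

/// Constructed model of what one decision request can produce.
enum Outcome<'a> { Transport, Timeout, Http { status: u16, body: &'a str } }

/// Only a 2xx response with a recognised body becomes a Decision.
/// "allow"/"deny" is a placeholder body format, not the server's wire format.
fn interpret(outcome: Outcome<'_>) -> Result<Decision, GateError> {
    match outcome {
        Outcome::Transport => Err(GateError::Transport),
        Outcome::Timeout => Err(GateError::Timeout),
        Outcome::Http { status, .. } if !(200..300).contains(&status) => {
            Err(GateError::Status(status))
        }
        Outcome::Http { body, .. } => match body.trim() {
            "allow" => Ok(Decision { allowed: true }),
            "deny" => Ok(Decision { allowed: false }),
            _ => Err(GateError::MalformedBody),
        },
    }
}

/// Fail-closed collapse: true only for an explicit, successfully parsed allow.
trait FailClosed { fn is_allowed(&self) -> bool; }
impl FailClosed for Result<Decision, GateError> {
    fn is_allowed(&self) -> bool { matches!(self, Ok(d) if d.allowed) }
}

/// Anti-pattern for contrast: any error falls through to "allow".
fn fail_open(r: &Result<Decision, GateError>) -> bool {
    r.as_ref().map(|d| d.allowed).unwrap_or(true)
}

fn main() {
    let cases = [
        ("transport error", Outcome::Transport),
        ("timeout", Outcome::Timeout),
        ("503 with allow body", Outcome::Http { status: 503, body: "allow" }),
        ("200 garbled body", Outcome::Http { status: 200, body: "<html>" }),
        ("200 allow", Outcome::Http { status: 200, body: "allow" }),
    ];
    for (name, outcome) in cases {
        let r = interpret(outcome);
        println!("{}: fail_closed={} fail_open={}", name, r.is_allowed(), fail_open(&r));
    }
}
```

Note the 503 case: a non-2xx status is rejected before the body is read, so a stray "allow" in an error response never reaches the gate.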

§Token verification

IamClient::verify_token checks an ES256 signature against the cached JWKS plus the iss/aud/exp claims. Configure the expected issuer and audience on the builder.

§Features

Modules§

blocking
Synchronous IAM client (enabled by the blocking feature).

Structs§

Claims
Verified claims extracted from an OIDC access/ID token.
Decision
A normalized policy decision.
DecisionQuery
A policy-decision query.
IamClient
A thin, fail-closed async client for the Laravel IAM control plane.
IamClientBuilder
Builder for an IAM client.
Resource
A typed resource reference, e.g. an entry returned by IamClient::list_resources.
Subject
The principal a decision is about: { "type": "...", "id": "..." }.

Enums§

IamError
Errors returned by crate::IamClient operations.

Traits§

ResultExt
Fail-closed extension for Result<Decision, IamError>.