§laravel-iam
A thin, fail-closed Rust client for the Laravel IAM
authorization server. It speaks the canonical decision protocol
(POST {base_url}/decisions/check) and verifies OIDC tokens against the server’s JWKS —
mirroring the production PHP client’s wire contract exactly, in idiomatic async Rust.
There is no policy logic on the client: every decision is the server’s. The client only transports the question and the answer, and refuses to invent an “allow”.
§Fail-closed guarantee
A network error, timeout, 5xx, 4xx, malformed body or unverifiable token always becomes a
deny — never an allow. Operations return Result<_, IamError>; the ResultExt::is_allowed
helper collapses any error into false so a gate cannot accidentally open:

    use laravel_iam::{IamClient, DecisionQuery, Subject, ResultExt};
    use serde_json::json;

    let iam = IamClient::builder()
        .base_url("https://iam.example.com/api/iam/v1")
        .token(std::env::var("IAM_SERVICE_TOKEN")?)
        .build()?;

    let decision = iam.check(DecisionQuery {
        subject: Subject::user("usr_123"),
        application: Some("warehouse".into()),
        permission: "stock.adjust".into(),
        resource: Some("wh_milan".into()),
        context: json!({ "amount": 300 }),
        ..Default::default()
    }).await;

    // `decision` is `Result<Decision, IamError>`; on ANY error this is `false`.
    if !decision.is_allowed() {
        // deny — fail-closed
    }

§Token verification
IamClient::verify_token checks an ES256 signature against the cached JWKS plus the
iss/aud/exp claims. Configure the expected issuer and audience on the builder.
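
The fail-closed collapse described under "Fail-closed guarantee", including the unverifiable-token case, as an added sketch that is not the crate's own code. Verdict, GateError, Outcome, FailClosed, classify, fail_open and gates are hypothetical stand-ins, and treating only a 200 with a parsed verdict as Ok is an assumption of this sketch.

```rust
// Added sketch with stand-in types; NOT the laravel-iam crate's own definitions.
#[derive(Debug, PartialEq)]
pub struct Verdict { pub allowed: bool }

#[derive(Debug, PartialEq)]
pub enum GateError { Network, Timeout, Status(u16), MalformedBody, Token }

/// What the caller observed (hypothetical shape). `allowed` is `None` when the
/// body did not parse or carried no boolean verdict.
pub enum Outcome {
    NetworkError,
    Timeout,
    UnverifiableToken,
    Response { status: u16, allowed: Option<bool> },
}

/// Only a 200 with a parsed verdict becomes `Ok`; everything else is an error.
pub fn classify(o: Outcome) -> Result<Verdict, GateError> {
    match o {
        Outcome::NetworkError => Err(GateError::Network),
        Outcome::Timeout => Err(GateError::Timeout),
        Outcome::UnverifiableToken => Err(GateError::Token),
        Outcome::Response { status: 200, allowed: Some(a) } => Ok(Verdict { allowed: a }),
        Outcome::Response { status: 200, allowed: None } => Err(GateError::MalformedBody),
        Outcome::Response { status, .. } => Err(GateError::Status(status)),
    }
}

pub trait FailClosed { fn is_allowed(&self) -> bool; }

impl FailClosed for Result<Verdict, GateError> {
    // Allow needs an explicit Ok with allowed == true; every Err is false.
    fn is_allowed(&self) -> bool { matches!(self, Ok(v) if v.allowed) }
}

/// Anti-pattern for contrast: "not explicitly denied" opens the gate on errors.
pub fn fail_open(r: &Result<Verdict, GateError>) -> bool {
    !matches!(r, Ok(v) if !v.allowed)
}

/// Returns (fail-closed gate, fail-open gate) for one outcome.
pub fn gates(o: Outcome) -> (bool, bool) {
    let r = classify(o);
    (r.is_allowed(), fail_open(&r))
}

fn main() {
    println!("timeout: {:?}", gates(Outcome::Timeout));
    println!("503:     {:?}", gates(Outcome::Response { status: 503, allowed: Some(true) }));
}
```

The two gates agree on every well-formed answer and differ only on failures, which is where a gate written as "unless denied" silently opens.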
§Features
blocking — adds a synchronous blocking::IamClient with identical semantics.
Modules§
- blocking: Synchronous IAM client (enabled by the blocking feature).
Structs§
- Claims: Verified claims extracted from an OIDC access/ID token.
- Decision: A normalized policy decision.
- DecisionQuery: A policy-decision query.
- IamClient: A thin, fail-closed async client for the Laravel IAM control plane.
- IamClientBuilder: Builder for an IAM client.
- Resource: A typed resource reference, e.g. an entry returned by IamClient::list_resources.
- Subject: The principal a decision is about: { "type": "...", "id": "..." }.
Enums§
- IamError: Errors returned by crate::IamClient operations.
Traits§
- ResultExt: Fail-closed extension for Result<Decision, IamError>.