Crate middle

Source
Expand description

License Tests

§Client Authentication Middleware

This crate provides client authentication for HTTP and gRPC APIs. Features include:

  • Automatic token renewal when expired in a background task
  • Thread-safe token management with interior mutability
  • reqwest integration by using a wrapped HttpClient
  • tonic integration via Interceptors
  • Support for OAuth2 Client Credential flow
  • Support for Bearer Token authentication
  • Based on the oauth2 crate
  • Safe defaults - does not follow redirects and hides sensitive data in Debug
  • More flows coming soon!

§Example

In the following example we create a middle::HttpClient that wraps a reqwest::Client. The token is kept fresh with a background task of the ClientCredentialAuthorizer, so that the client always sends authorized requests.

use std::str::FromStr;

use middle::SimpleClientCredentialAuthorizerBuilder;
use reqwest::Client;
use url::Url;

#[tokio::main]
async fn main() {
    let client_id = "my-client-id";
    let client_secret = "my-client-secret";
    let token_endpoint = Url::from_str("https://identity.example.com/oauth2/token").unwrap();

    // Create a new Authorizer. The Authorizer keeps the token refreshed in the background.
    let authorizer =
        SimpleClientCredentialAuthorizerBuilder::new(client_id, client_secret, token_endpoint)
            .add_scope("my-scope")
            .refresh_tolerance(std::time::Duration::from_secs(30)) // Refresh 30 seconds before expiry
            .build()
            .await
            .unwrap();

    // The current authorization header. The header is always kept up-to-date.
    // Returns an error if the last refresh failed.
    let header = authorizer.authorization_header().unwrap();

    // Generate a new reqwest Client and wrap it with `HttpClient`.
    let reqwest_client = Client::new();
    let client = middle::HttpClient::new(authorizer).set_client(reqwest_client);

    // Start using the client - the authorization header is automatically added.
    let request = client.get("https://api.example.com/data").unwrap();
    let _response = request.send().await.unwrap();
}

§Tonic Integration

ALl Authorizers implemented by the middle crate, implement tonic::service::Interceptor if the tonic feature is enabled.

use hello_world::{greeter_service_client::GreeterServiceClient, SayHelloRequest};
use middle::BearerTokenAuthorizer;
use tonic::transport::Endpoint;

pub mod hello_world {
    tonic::include_proto!("helloworld");
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // All authorizers provided by the `middle` crate implement the `tonic::Interceptor` trait.
    let authorizer = BearerTokenAuthorizer::new("my-super-secret-token")?;

    let channel = Endpoint::from_static("http://service.example.com:50051")
        .connect()
        .await?;
    // Use the authorizer as an interceptor.
    let mut client = GreeterServiceClient::with_interceptor(channel, authorizer);

    // All following requests include the authorization header.
    let request = tonic::Request::new(SayHelloRequest {
        name: "Tonic".into(),
    });

    let response = client.say_hello(request).await?;

    println!("RESPONSE={:?}", response);

    Ok(())
}

§Feature Flags

  • all: Includes rustls-tls, tonic, client-credentials, and runtime-tokio.
  • default: Includes rustls-tls, client-credentials, and runtime-tokio.
  • rustls-tls: Enables reqwest/rustls-tls and reqwest/rustls-tls-native-roots.
  • tonic: Implement tonic::service::Interceptor for all Authorizers
  • runtime-tokio: Enables the tokio runtime (currently the only supported async runtime). Some Authorizers depend on an async runtime to spawn refresh tasks.
  • client-credentials: Enables the ClientCredentialAuthorizer for the OAuth2 Client Credential flow

Re-exports§

pub use error::Error;
pub use error::Result;

Modules§

error

Structs§

BearerTokenAuthorizer
Create a simple Authorizer that attaches a given token to any request a client sends. The token is attached with the Bearer auth-scheme.
ClientCredentialAuthorizer
Authenticate with an OAuth2 server using client credentials.
ClientCredentialAuthorizerBuilder
Builder for ClientCredentialAuthorizer.
HttpClient
Wrapper around reqwest::Client that automatically adds the authorization header, while keeping it up-to-date using an Authorizer.

Traits§

Authorizer
Main trait of this crate.

Type Aliases§

SimpleClientCredentialAuthorizer
Specialization of ClientCredentialAuthorizer for simple use cases.
SimpleClientCredentialAuthorizerBuilder
Specialization of ClientCredentialAuthorizer for simple use cases.