§mssql-auth
Authentication strategies for SQL Server connections.
This crate provides various authentication methods, isolated from connection logic for better modularity and testing.
§Supported Authentication Methods
| Method | Feature Flag | Status | Description |
|---|---|---|---|
| SQL Authentication | default | ✅ Implemented | Username/password |
| Azure AD Token | default | ✅ Implemented | Pre-obtained access token |
| Azure Managed Identity | azure-identity | ✅ Implemented | VM/container identity |
| Service Principal | azure-identity | ✅ Implemented | App credentials |
| Integrated (Kerberos) | integrated-auth | ✅ Implemented | GSSAPI/Kerberos (Linux/macOS) |
| Windows SSPI | sspi-auth | ✅ Implemented | Native Windows SSPI |
| Certificate | cert-auth | ⚠️ Token acquisition only¹ | Client certificate (mTLS) |
¹ CertificateAuth acquires tokens, but mssql-client does not yet wire certificate credentials into the login sequence; Client::connect rejects them with a clear error. Tracked in #155.
The Azure AD methods use the FEDAUTH SecurityToken workflow: the token is
acquired client-side and sent in the LOGIN7 FEDAUTH feature extension
(see azure_ad::build_security_token_feature_data). The ADAL/MSAL
workflow (server-directed acquisition via FEDAUTHINFO) is #155 Phase 2.
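The feature-extension bytes the SecurityToken workflow puts into LOGIN7 are easier to reason about when you can build and decode them yourself. The block below is an added example, not the crate's azure_ad::build_security_token_feature_data or mssql_auth::FedAuthLibrary: it encodes a client-acquired token into a FEDAUTH feature extension and decodes it back with strict bounds checks. The byte layout (FeatureId 0x02, a DWORD length, an Options byte with the library id in the upper seven bits and the echo flag in bit 0, a DWORD-prefixed UTF-16LE token, and an optional 32-byte nonce) is my reading of the MS-TDS LOGIN7 FeatureExt and is an assumption to confirm against the spec; the constants and names are constructed for this example.

```rust
// Added example (not mssql_auth's own code): encode and decode the LOGIN7
// FEDAUTH feature extension for the SecurityToken workflow. The layout is an
// assumption based on MS-TDS (LOGIN7 FeatureExt, FeatureId 0x02):
//   FeatureId      u8     = 0x02
//   FeatureDataLen u32 LE
//   FeatureData:
//     Options      u8     bFedAuthLibrary in bits 7..1, fFedAuthEcho in bit 0
//     FedAuthToken u32 LE byte length, then the token as UTF-16LE
//     Nonce        32 bytes, only when the server sent one in PRELOGIN
use std::fmt;

pub const FEATURE_ID_FEDAUTH: u8 = 0x02;

/// bFedAuthLibrary values (constructed here; not mssql_auth::FedAuthLibrary).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FedAuthLibrary {
    LiveIdCompactToken = 0x00,
    SecurityToken = 0x01,
    Adal = 0x02,
}

/// Decoded feature data. Debug deliberately redacts the bearer token so a
/// {:?} in a log line or panic message cannot leak it.
pub struct FedAuthFeature {
    pub library: FedAuthLibrary,
    pub echo: bool,
    pub token: String,
    pub nonce: Option<[u8; 32]>,
}

impl fmt::Debug for FedAuthFeature {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("FedAuthFeature")
            .field("library", &self.library)
            .field("echo", &self.echo)
            .field("token", &"[REDACTED]")
            .field("nonce", &self.nonce.map(|_| "[32 bytes]"))
            .finish()
    }
}

/// Build the feature extension for a client-acquired access token.
/// `echo` mirrors the FEDAUTHREQUIRED flag the server returned in PRELOGIN.
pub fn build_security_token_feature_ext(token: &str, echo: bool, nonce: Option<&[u8; 32]>) -> Vec<u8> {
    // TDS strings are UTF-16LE; the length field counts bytes, not characters.
    let token_utf16: Vec<u8> = token.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();

    let mut data = Vec::with_capacity(5 + token_utf16.len() + 32);
    data.push(((FedAuthLibrary::SecurityToken as u8) << 1) | u8::from(echo));
    data.extend_from_slice(&(token_utf16.len() as u32).to_le_bytes());
    data.extend_from_slice(&token_utf16);
    if let Some(n) = nonce {
        data.extend_from_slice(n);
    }

    let mut out = Vec::with_capacity(5 + data.len());
    out.push(FEATURE_ID_FEDAUTH);
    out.extend_from_slice(&(data.len() as u32).to_le_bytes());
    out.extend_from_slice(&data);
    out
}

/// Strict decoder: rejects a wrong feature id, truncated length fields,
/// odd-length or invalid UTF-16, and trailing bytes that are not a 32-byte nonce.
pub fn parse_fedauth_feature_ext(buf: &[u8]) -> Option<FedAuthFeature> {
    if buf.first() != Some(&FEATURE_ID_FEDAUTH) {
        return None;
    }
    let data_len = u32::from_le_bytes(buf.get(1..5)?.try_into().ok()?) as usize;
    let data = buf.get(5..5 + data_len)?;

    let options = *data.first()?;
    let library = match options >> 1 {
        0x00 => FedAuthLibrary::LiveIdCompactToken,
        0x01 => FedAuthLibrary::SecurityToken,
        0x02 => FedAuthLibrary::Adal,
        _ => return None,
    };
    let echo = options & 1 == 1;

    let token_len = u32::from_le_bytes(data.get(1..5)?.try_into().ok()?) as usize;
    if token_len % 2 != 0 {
        return None;
    }
    let token_bytes = data.get(5..5 + token_len)?;
    let units: Vec<u16> = token_bytes
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    let token = String::from_utf16(&units).ok()?;

    let rest = &data[5 + token_len..];
    let nonce = match rest.len() {
        0 => None,
        32 => {
            let n: [u8; 32] = rest.try_into().ok()?;
            Some(n)
        }
        _ => return None,
    };
    Some(FedAuthFeature { library, echo, token, nonce })
}
```

The decoder uses `get` for every slice so a truncated or hostile buffer yields `None` instead of a panic, and the redacting `Debug` is the habit that keeps an access token out of connection-failure logs.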
§Authentication Tiers
Per ARCHITECTURE.md, authentication is tiered:
§Tier 1 (Core - Pure Rust, Default)
- SqlServerAuth - Username/password via Login7 ✅ Implemented
- AzureAdAuth - Pre-acquired access token ✅ Implemented
§Tier 2 (Azure Native - azure-identity feature) ✅ Implemented
- ManagedIdentityAuth - Azure VM/Container identity
- ServicePrincipalAuth - Client ID + Secret
§Tier 3 (Enterprise - integrated-auth or sspi-auth feature) ✅ Implemented
- IntegratedAuth - Kerberos (Linux/macOS via GSSAPI)
- SspiAuth - Windows SSPI (native Windows, cross-platform via sspi-rs)
§Tier 4 (Certificate - cert-auth feature) ⚠️ login wiring pending (#155)
- CertificateAuth - Client certificate authentication (mTLS)
§Secure Credential Handling
Enable the zeroize feature for secure credential handling:
mssql-auth = { version = "0.1", features = ["zeroize"] }

This enables secure credential handling that automatically zeroes sensitive data from memory when dropped.
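What "zeroes sensitive data from memory when dropped" buys you is clearer with a minimal version of the idea. The block below is an added example, not the crate's SecretString or SecureCredentials: it is a std-only secret container that overwrites its bytes on drop and refuses to print them through Debug. The type and field names, the `wipe`/`expose_secret`/`is_wiped` methods, and the `LoginCredentials` wrapper are constructed for this example; the real zeroize crate does the same job with more care (including for types that reallocate, which this type avoids by never growing its buffer).

```rust
// Added example, not the crate's SecretString: a minimal secret container that
// wipes its bytes on drop and redacts itself in Debug output. std only.
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

pub struct SecretBytes {
    bytes: Vec<u8>,
}

impl SecretBytes {
    /// Copy the secret once into an exactly sized buffer. The buffer is never
    /// pushed to afterwards, so no stale copy is left behind by a reallocation.
    pub fn new(secret: &str) -> Self {
        let mut bytes = Vec::with_capacity(secret.len());
        bytes.extend_from_slice(secret.as_bytes());
        SecretBytes { bytes }
    }

    /// The one explicit, greppable access point for code that genuinely needs
    /// the value (for example a Login7 password encoder).
    pub fn expose_secret(&self) -> &[u8] {
        &self.bytes
    }

    /// Overwrite every byte with zero. write_volatile keeps the optimizer from
    /// dropping a store to memory that is about to be freed anyway.
    pub fn wipe(&mut self) {
        for b in self.bytes.iter_mut() {
            // SAFETY: b is a valid, aligned, exclusively borrowed u8.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }

    /// True once every byte reads as zero (used here to observe the wipe).
    pub fn is_wiped(&self) -> bool {
        self.bytes.iter().all(|&b| b == 0)
    }
}

/// Debug never prints the value, so a {:?} in a log line cannot leak it.
impl fmt::Debug for SecretBytes {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretBytes([REDACTED {} bytes])", self.bytes.len())
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        self.wipe();
    }
}

/// Constructed credential pair in the shape of SqlServerAuth::new(user, password):
/// only the password is secret, so only it gets the wiping type.
#[derive(Debug)]
pub struct LoginCredentials {
    pub username: String,
    pub password: SecretBytes,
}

impl LoginCredentials {
    pub fn new(username: &str, password: &str) -> Self {
        LoginCredentials {
            username: username.to_string(),
            password: SecretBytes::new(password),
        }
    }
}
```

Note what this does not cover: the `&str` the caller passed in, and any `String` it was built from, are outside the container and still need wiping at their own site; that is why a crate-wide zeroize feature, rather than one careful type, is the useful unit.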
§Example
use mssql_auth::{SqlServerAuth, AzureAdAuth, AuthProvider};
// SQL Server authentication
let sql_auth = SqlServerAuth::new("sa", "Password123!");
let auth_data = sql_auth.authenticate().unwrap();
// Azure AD authentication with pre-acquired token
let azure_auth = AzureAdAuth::with_token("eyJ0eXAi...");
Re-exports§
pub use credentials::Credentials;
pub use error::AuthError;
pub use provider::AsyncAuthProvider;
pub use provider::AuthData;
pub use provider::AuthMethod;
pub use provider::AuthProvider;
pub use azure_ad::AzureAdAuth;
pub use azure_ad::FedAuthLibrary;
pub use sql_auth::SqlServerAuth;
pub use credentials::SecretString;
pub use credentials::SecureCredentials;
pub use azure_identity_auth::ManagedIdentityAuth;
pub use azure_identity_auth::ServicePrincipalAuth;
pub use cert_auth::CertificateAuth;
pub use encryption::CekMetadata;
pub use encryption::ColumnEncryptionConfig;
pub use encryption::ColumnEncryptionInfo;
pub use encryption::EncryptedValue;
pub use encryption::EncryptionError;
pub use encryption::EncryptionType;
pub use encryption::KeyStoreProvider;
pub use aead::AeadEncryptor;
pub use key_store::CekCache;
pub use key_store::CekCacheKey;
pub use key_store::InMemoryKeyStore;
pub use key_unwrap::RsaKeyUnwrapper;
pub use azure_keyvault::AzureKeyVaultProvider;
Modules§
- aead - AEAD_AES_256_CBC_HMAC_SHA256 encryption algorithm for Always Encrypted.
- azure_ad - Azure AD / Entra ID authentication implementation.
- azure_identity_auth - Azure Identity authentication providers.
- azure_keyvault - Azure Key Vault Column Master Key (CMK) provider for Always Encrypted.
- cek_envelope - Canonical encrypted-CEK envelope codec for Always Encrypted.
- cert_auth - Client certificate authentication provider.
- credentials - Credential types for authentication.
- encryption - Always Encrypted infrastructure for SQL Server.
- error - Authentication error types.
- key_store - Key store providers and CEK caching for Always Encrypted.
- key_unwrap - RSA-OAEP key unwrapping for Always Encrypted.
- provider - Authentication provider traits.
- sql_auth - SQL Server authentication implementation.