Crate mssql_auth


§mssql-auth

Authentication strategies for SQL Server connections.

This crate provides various authentication methods, isolated from connection logic for better modularity and testing.

§Supported Authentication Methods

| Method | Feature Flag | Status | Description |
|---|---|---|---|
| SQL Authentication | default | ✅ Implemented | Username/password |
| Azure AD Token | default | ✅ Implemented | Pre-obtained access token |
| Azure Managed Identity | azure-identity | ✅ Implemented | VM/container identity |
| Service Principal | azure-identity | ✅ Implemented | App credentials |
| Integrated (Kerberos) | integrated-auth | ✅ Implemented | GSSAPI/Kerberos (Linux/macOS) |
| Windows SSPI | sspi-auth | ✅ Implemented | Native Windows SSPI |
| Certificate | cert-auth | ⚠️ Token acquisition only¹ | Client certificate (mTLS) |

¹ CertificateAuth acquires tokens, but mssql-client does not yet wire certificate credentials into the login sequence; Client::connect rejects them with a clear error. Tracked in #155.

The Azure AD methods use the FEDAUTH SecurityToken workflow: the token is acquired client-side and sent in the LOGIN7 FEDAUTH feature extension (see azure_ad::build_security_token_feature_data). The ADAL/MSAL workflow (server-directed acquisition via FEDAUTHINFO) is #155 Phase 2.
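What the SecurityToken workflow actually puts on the wire, as an added example that is not `azure_ad::build_security_token_feature_data` or any other mssql-auth code: an encoder and a strict decoder for the LOGIN7 FEDAUTH feature-extension bytes. The layout (FeatureId 0x02, little-endian FeatureDataLen, an Options byte with the library id in its upper seven bits and the echo flag in bit 0, then a 4-byte token length and the token as UTF-16LE) follows MS-TDS as the author of this example understands it; the struct and function names are the example's own, and the token is a constructed placeholder.

```rust
// Added example (not mssql_auth code): LOGIN7 FEDAUTH feature-extension data for the
// SecurityToken workflow. Field layout per MS-TDS as understood by the example author;
// names are the example's own, not azure_ad::build_security_token_feature_data.

/// FeatureExt id for FEDAUTH in LOGIN7.
pub const FEATURE_ID_FEDAUTH: u8 = 0x02;
/// bFedAuthLibrary value for the SecurityToken workflow (ADAL/MSAL uses a different value).
pub const FEDAUTH_LIBRARY_SECURITY_TOKEN: u8 = 0x01;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FedAuthSecurityToken {
    /// Access token acquired client-side (a JWT in practice), sent verbatim to the server.
    pub token: String,
    /// fFedAuthEcho: set when the server echoed FEDAUTHREQUIRED in the PRELOGIN response.
    pub echo: bool,
}

/// FeatureId || FeatureDataLen (u32 LE) || Options || TokenLen (u32 LE) || token (UTF-16LE)
pub fn encode_fedauth_feature_ext(t: &FedAuthSecurityToken) -> Vec<u8> {
    let token_bytes: Vec<u8> = t.token.encode_utf16().flat_map(|u| u.to_le_bytes()).collect();
    // Library id in the upper seven bits, echo flag in bit 0.
    let options = (FEDAUTH_LIBRARY_SECURITY_TOKEN << 1) | (t.echo as u8);
    let feature_data_len = 1 + 4 + token_bytes.len();
    let mut out = Vec::with_capacity(5 + feature_data_len);
    out.push(FEATURE_ID_FEDAUTH);
    out.extend_from_slice(&(feature_data_len as u32).to_le_bytes());
    out.push(options);
    out.extend_from_slice(&(token_bytes.len() as u32).to_le_bytes());
    out.extend_from_slice(&token_bytes);
    out
}

fn read_u32_le(buf: &[u8], at: usize) -> Result<u32, String> {
    buf.get(at..at + 4)
        .map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
        .ok_or_else(|| format!("truncated at offset {at}"))
}

/// Strict parser: every declared length must match the bytes actually present, so a
/// truncated or padded extension is rejected instead of being partially parsed.
pub fn decode_fedauth_feature_ext(buf: &[u8]) -> Result<FedAuthSecurityToken, String> {
    if buf.first() != Some(&FEATURE_ID_FEDAUTH) {
        return Err("not a FEDAUTH feature extension".to_string());
    }
    let data_len = read_u32_le(buf, 1)? as usize;
    let data = 5usize
        .checked_add(data_len)
        .and_then(|end| buf.get(5..end))
        .ok_or("FeatureDataLen exceeds buffer")?;
    if buf.len() != 5 + data_len {
        return Err("trailing bytes after feature data".to_string());
    }
    let options = *data.first().ok_or("missing Options byte")?;
    if options >> 1 != FEDAUTH_LIBRARY_SECURITY_TOKEN {
        return Err(format!("unsupported fedauth library {:#x}", options >> 1));
    }
    let token_len = read_u32_le(data, 1)? as usize; // data.len() >= 5 from here on
    if data.len() - 5 != token_len {
        return Err("token length does not match FeatureDataLen".to_string());
    }
    if token_len % 2 != 0 {
        return Err("UTF-16LE token has odd byte length".to_string());
    }
    let units: Vec<u16> = data[5..].chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
    let token = String::from_utf16(&units).map_err(|e| e.to_string())?;
    Ok(FedAuthSecurityToken { token, echo: options & 1 == 1 })
}

fn main() {
    // Constructed sample token; a real one is the JWT handed back by Azure AD.
    let t = FedAuthSecurityToken { token: "eyJ0eXAi...".to_string(), echo: true };
    let bytes = encode_fedauth_feature_ext(&t);
    println!("{} bytes: {:02x?}", bytes.len(), bytes);
    println!("{:?}", decode_fedauth_feature_ext(&bytes));
}
```

The decoder's length checks are the part worth copying: a client that trusts FeatureDataLen or TokenLen without comparing them against the buffer can be made to read past the token, and a lenient parser that accepts trailing bytes can hide a malformed extension.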

§Authentication Tiers

Per ARCHITECTURE.md, authentication is tiered:

§Tier 1 (Core - Pure Rust, Default)

§Tier 2 (Azure Native - azure-identity feature) ✅ Implemented

  • ManagedIdentityAuth - Azure VM/Container identity
  • ServicePrincipalAuth - Client ID + Secret

§Tier 3 (Enterprise - integrated-auth or sspi-auth feature) ✅ Implemented

  • IntegratedAuth - Kerberos (Linux/macOS via GSSAPI)
  • SspiAuth - Windows SSPI (native Windows, cross-platform via sspi-rs)

§Tier 4 (Certificate - cert-auth feature) ⚠️ login wiring pending (#155)

  • CertificateAuth - Client certificate authentication (mTLS)

§Secure Credential Handling

Enable the zeroize feature for secure credential handling:

```toml
mssql-auth = { version = "0.1", features = ["zeroize"] }
```

With the feature enabled, credential types automatically zero their sensitive data in memory when dropped.
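The zeroize-on-drop pattern behind that feature, as an added std-only example that is not the crate's `SecretString` or `SecureCredentials`: a wrapper that wipes its buffer with volatile writes when dropped, redacts itself in `Debug` output, and hands the bytes out only by reference. The type and method names are the example's own. Two limits the comments call out apply to any such wrapper: the source `&str` the secret was copied from is not covered by it, and the buffer is fixed after construction so a reallocation never leaves an un-wiped copy behind.

```rust
// Added example (not mssql_auth code): the zeroize-on-drop pattern that the `zeroize`
// feature stands for, hand-rolled on std only. Not the crate's SecretString/SecureCredentials.
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Owns one copy of a secret in a buffer whose size never changes after construction,
/// so no reallocation can leave a stale, un-wiped copy behind. Clone is deliberately
/// not derived: every extra copy is another buffer that has to be wiped.
pub struct Secret {
    bytes: Vec<u8>,
}

impl Secret {
    /// Copies the secret in. The caller's original string is NOT wiped by this type.
    pub fn new(secret: &str) -> Self {
        Secret { bytes: secret.as_bytes().to_vec() }
    }

    /// Hand the bytes out by reference only; callers must not copy them into long-lived storage.
    pub fn expose(&self) -> &[u8] {
        &self.bytes
    }

    /// Overwrite every byte with zero. Volatile writes keep the optimizer from dropping the
    /// wipe of a soon-to-be-freed buffer as a dead store; the fence keeps it ordered before the free.
    pub fn zeroize(&mut self) {
        for b in self.bytes.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

/// Redacted Debug so `{:?}` in a log line or panic message never prints the secret.
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

impl Drop for Secret {
    fn drop(&mut self) {
        self.zeroize();
    }
}

fn main() {
    // Constructed sample value, the same one the page's own example uses.
    let mut s = Secret::new("Password123!");
    println!("{:?} holds {} bytes", s, s.expose().len());
    s.zeroize();
    println!("after zeroize: {:?}", s.expose()); // all zeros; drop would do this anyway
}
```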

§Example

```rust
use mssql_auth::{AuthProvider, AzureAdAuth, SqlServerAuth};

fn main() {
    // SQL Server authentication: username and password
    let sql_auth = SqlServerAuth::new("sa", "Password123!");
    let _auth_data = sql_auth.authenticate().unwrap();

    // Azure AD authentication with a pre-acquired access token (FEDAUTH SecurityToken workflow)
    let _azure_auth = AzureAdAuth::with_token("eyJ0eXAi...");
}
```

Re-exports§

pub use credentials::Credentials;
pub use error::AuthError;
pub use provider::AsyncAuthProvider;
pub use provider::AuthData;
pub use provider::AuthMethod;
pub use provider::AuthProvider;
pub use azure_ad::AzureAdAuth;
pub use azure_ad::FedAuthLibrary;
pub use sql_auth::SqlServerAuth;
pub use credentials::SecretString;
pub use credentials::SecureCredentials;
pub use azure_identity_auth::ManagedIdentityAuth;
pub use azure_identity_auth::ServicePrincipalAuth;
pub use cert_auth::CertificateAuth;
pub use encryption::CekMetadata;
pub use encryption::ColumnEncryptionConfig;
pub use encryption::ColumnEncryptionInfo;
pub use encryption::EncryptedValue;
pub use encryption::EncryptionError;
pub use encryption::EncryptionType;
pub use encryption::KeyStoreProvider;
pub use aead::AeadEncryptor;
pub use key_store::CekCache;
pub use key_store::CekCacheKey;
pub use key_store::InMemoryKeyStore;
pub use key_unwrap::RsaKeyUnwrapper;
pub use azure_keyvault::AzureKeyVaultProvider;

Modules§

  • aead - AEAD_AES_256_CBC_HMAC_SHA256 encryption algorithm for Always Encrypted.
  • azure_ad - Azure AD / Entra ID authentication implementation.
  • azure_identity_auth - Azure Identity authentication providers.
  • azure_keyvault - Azure Key Vault Column Master Key (CMK) provider for Always Encrypted.
  • cek_envelope - Canonical encrypted-CEK envelope codec for Always Encrypted.
  • cert_auth - Client certificate authentication provider.
  • credentials - Credential types for authentication.
  • encryption - Always Encrypted infrastructure for SQL Server.
  • error - Authentication error types.
  • key_store - Key store providers and CEK caching for Always Encrypted.
  • key_unwrap - RSA-OAEP key unwrapping for Always Encrypted.
  • provider - Authentication provider traits.
  • sql_auth - SQL Server authentication implementation.