§oauth2-passkey-axum
Axum web framework integration for the oauth2-passkey authentication library.
This crate provides ready-to-use Axum handlers, middleware, and UI components for OAuth2 and passkey authentication in your Axum web applications.
§Quick Start
For a complete working example, see the demo-both application which demonstrates both OAuth2 and passkey authentication in a single application.
§Features
- Drop-in Axum Integration: Pre-built routers and middleware
- Admin UI: Optional admin interface for user management
- User UI: Authentication pages and flows
- Route Protection: Middleware for protecting routes
- CSRF Protection: Built-in CSRF token handling
- Static Assets: CSS and JavaScript for authentication UI
§Basic Usage
```rust
use axum::{Router, response::Html};
use oauth2_passkey_axum::{oauth2_passkey_router, init, O2P_ROUTE_PREFIX};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize authentication (reads configuration from environment variables)
    init().await?;

    // Create your application router
    let app: Router = Router::new()
        .route("/", axum::routing::get(|| async { Html("Hello World!") }))
        // Add authentication routes (default: /o2p, configurable via O2P_ROUTE_PREFIX env var)
        .nest(O2P_ROUTE_PREFIX.as_str(), oauth2_passkey_router());
        // .merge(other_routes) // Add your other routes here

    // Start server
    let listener = tokio::net::TcpListener::bind("127.0.0.1:3000").await?;
    axum::serve(listener, app).await?;
    Ok(())
}
```

See the repository documentation and examples for more details.
Structs§
- AuthUser - Authenticated user information, available as an Axum extractor
- CredentialId - Type-safe wrapper for credential identifiers.
- CsrfHeaderVerified - Indicates whether the CSRF token was verified via an HTTP header.
- CsrfToken - CSRF (Cross-Site Request Forgery) token for request validation.
- DbUser - Represents a core user identity in the system
- LoginHistoryEntry - A single login history entry
- OAuth2Account - Represents an OAuth2 account linked to a user
- PasskeyCredential - Stored credential information for a WebAuthn/Passkey.
- ProviderInfo - Public information about a single enabled OAuth2 provider.
- ProviderUserId - Type-safe wrapper for provider-specific user identifiers.
- ProviderView - Human-readable presentation data for an OAuth2 provider.
- SessionId - Type-safe wrapper for session identifiers.
- UserId - Type-safe wrapper for user identifiers.
Enums§
- LoginHistoryError - Errors that can occur during login history operations
Statics§
- O2P_ACCOUNT_URL - URL of the user account management page. Default: “/o2p/user/account”
- O2P_ADMIN_URL - URL of the admin index page. Default: “/o2p/admin/index”
- O2P_CUSTOM_CSS_URL - Optional URL for custom CSS to override default styles. Example: `O2P_CUSTOM_CSS_URL=/static/my-theme.css`. Users can override CSS Custom Properties in their custom CSS file.
- O2P_DEFAULT_REDIRECT - Default redirect URL for authenticated-user flows. Used when: authenticated users visit login page, logout redirect target in templates. Default: “/”
- O2P_LOGIN_URL - URL of the login page, used by middleware and AuthUser extractor to redirect unauthenticated users
- O2P_ROUTE_PREFIX - Route prefix for all oauth2_passkey endpoints
Functions§
- cleanup_old_login_history - Delete login history entries older than `O2P_LOGIN_HISTORY_RETENTION_DAYS`.
- custom_css_vars_block - Build the inline `:root { ... }` CSS block injecting `--o2p-custom{N}` / `--o2p-custom{N}-hover` variables for every enabled generic OIDC slot.
- delete_oauth2_account_admin - Deletes an OAuth2 account as an administrator.
- delete_passkey_credential_admin - Deletes a passkey credential as an administrator.
- delete_user_account_admin - Completely deletes a user account as an administrator.
- enabled_provider_views - Returns `ProviderView` for every currently enabled OAuth2 provider, in stable display order (Google first, then optional providers).
- enabled_providers - Returns UI info for every currently enabled OAuth2 provider, in stable display order (Google first, then enabled generic OIDC slots Custom1..Custom8 in order).
- get_all_users - Retrieves a list of all users in the system.
- get_user - Retrieves a specific user by their ID.
- init - Initialize the authentication system
- is_authenticated_401 - Authentication middleware that returns HTTP 401 for unauthenticated requests
- is_authenticated_redirect - Authentication middleware that redirects unauthenticated requests to login page
- is_authenticated_user_401 - Authentication middleware that provides user data and returns HTTP 401 for unauthenticated requests
- is_authenticated_user_redirect - Authentication middleware that provides user data and redirects unauthenticated requests
- is_provider_enabled - Returns true if the named OAuth2 provider is configured and enabled.
- list_accounts_core - Lists all OAuth2 accounts associated with a user.
- list_credentials_core - Core function that handles the business logic of listing passkey credentials
- oauth2_passkey_full_router - Creates a complete router with all authentication endpoints
- oauth2_passkey_router - Create a combined router for all authentication endpoints
- passkey_well_known_router - Creates a router for the WebAuthn /.well-known endpoints
- spawn_login_history_cleanup - Spawn a background task that runs `cleanup_old_login_history` every 24 hours.
- update_user_admin_status - Updates a user’s administrative status.