Skip to main content

Crate rvoip_auth_core

Crate rvoip_auth_core 

Source
Expand description

§Auth-Core - Authentication and Authorization Primitives for RVoIP

rvoip-auth-core provides cryptographic and token-validation primitives used across the RVoIP workspace. It does not own SIP dialog state, SIP request retry orchestration, or WWW-Authenticate / Authorization header routing. The SIP application layer in rvoip-sip owns those protocol workflows and calls into this crate for the underlying algorithms.

§SIP Digest Primitives

DigestAuthenticator generates Digest challenges and validates Digest responses. DigestClient computes UAC responses for challenges. They are used by rvoip-sip for SIP Digest over 401 WWW-Authenticate / Authorization and 407 Proxy-Authenticate / Proxy-Authorization.

Supported Digest algorithms are MD5, MD5-sess, SHA-256, SHA-256-sess, SHA-512-256, and SHA-512-256-sess. An omitted Digest algorithm defaults to MD5 for legacy SIP/PBX compatibility; unknown algorithms fail instead of silently downgrading.

§Bearer and Token Validators

BearerValidator is the common async validation trait for Bearer tokens. JwtValidator, JwksJwtValidator, OAuth2IntrospectionValidator, and AAuthValidator are concrete validator families that can be plugged into rvoip-sip’s SipAuthService for UAS-side SIP Bearer validation. JWT and JWKS validators can optionally call TokenRevocationChecker with token jti context after signature, issuer, audience, and expiry checks.

§Provider Contracts

Protocol crates and applications use provider traits to integrate with users-core, Keycloak/OIDC, LDAP/AD, Redis, IMS infrastructure, or custom services without coupling protocol code to a database. These contracts include PasswordVerifier, DigestSecretProvider, ApiKeyVerifier, TokenRevocationChecker, DigestReplayStore, AuthAuditSink, and AuthRateLimiter.

§Other Auth Building Blocks

The crate also includes DPoP validation (DpopValidator) and HTTP Message Signatures style envelope verification (Sig9421Verifier). These are standalone primitives; protocol-specific negotiation and retry behavior belongs in the crate that owns that protocol surface.

Re-exports§

pub use aauth::AAuthValidator;
pub use aauth::ActorClaims;
pub use aauth::ActorTokenValidator;
pub use bearer::bearer_stub;
pub use bearer::BearerAuthError;
pub use bearer::BearerValidator;
pub use dpop::jwk_thumbprint;
pub use dpop::DpopError;
pub use dpop::DpopProof;
pub use dpop::DpopValidator;
pub use dpop::ValidatedDpop;
pub use dpop::DEFAULT_IAT_LEEWAY;
pub use dpop::DEFAULT_JTI_CACHE_CAPACITY;
pub use error::AuthError;
pub use error::Result;
pub use introspection::OAuth2IntrospectionValidator;
pub use jwks::JwksJwtValidator;
pub use jwks::DEFAULT_JWKS_CACHE_TTL;
pub use jwt::JwtValidator;
pub use providers::ApiKeyVerifier;
pub use providers::AuthAuditEvent;
pub use providers::AuthAuditOutcome;
pub use providers::AuthAuditScheme;
pub use providers::AuthAuditSink;
pub use providers::AuthFailureReason;
pub use providers::AuthRateLimitKey;
pub use providers::AuthRateLimitKind;
pub use providers::AuthRateLimitVerdict;
pub use providers::AuthRateLimiter;
pub use providers::CredentialAuthError;
pub use providers::DigestNonceStatus;
pub use providers::DigestReplayStore;
pub use providers::DigestSecret;
pub use providers::DigestSecretProvider;
pub use providers::PasswordVerifier;
pub use providers::TokenRevocationChecker;
pub use providers::TokenRevocationContext;
pub use providers::TokenRevocationStatus;
pub use sig9421::EnvelopeSignature;
pub use sig9421::KeyResolver;
pub use sig9421::Sig9421Error;
pub use sig9421::Sig9421Verifier;
pub use sig9421::StaticKeyResolver;
pub use sig9421::DEFAULT_REPLAY_CACHE_CAPACITY;
pub use sig9421::DEFAULT_SIG_REPLAY_TTL;
pub use sip_digest::DigestAlgorithm;
pub use sip_digest::DigestAuthenticator;
pub use sip_digest::DigestChallenge;
pub use sip_digest::DigestChallengeDetails;
pub use sip_digest::DigestClient;
pub use sip_digest::DigestComputed;
pub use sip_digest::DigestResponse;

Modules§

aauth
AAuth — IETF actor-authentication ([draft-ietf-aauth-*]).
bearer
Bearer-token validation surface.
dpop
DPoP-Proof JWT validation per RFC 9449.
error
Error types for authentication operations
introspection
OAuth2 token introspection Bearer validator.
jwks
JWKS-fetching BearerValidator for OIDC-style deployments.
jwt
JWT-based BearerValidator for production deployments.
providers
Auth provider contracts for RVoIP services.
sig9421
RFC 9421 HTTP Message Signatures — UCTP inline envelope variant.
sip_digest
SIP Digest Authentication per RFC 2617, RFC 7616, and RFC 8760.
types
Core types for authentication