Compile-time authentication system with type-level proofs.
This module provides a zero-cost abstraction for authentication that leverages Rust’s type system to ensure only authenticated clients can access resources. Authentication state is tracked at compile time, preventing runtime security bugs.
§Type-Level Authentication Design
The system uses phantom types and witness types to encode authentication state:
- Unauthenticated State: Raw credentials that haven’t been validated
- Authenticated State: Credentials that have passed validation with type-level proof
- Authorized Context: Request contexts that can only be created with valid authentication
- Linear Credentials: Authentication tokens that can only be consumed once
§Key Principles
- Impossible States: Unauthenticated access is unrepresentable
- Zero Runtime Cost: All validation happens at compile time where possible
- Linear Resources: Credentials are consumed during authentication
- Proof Carrying: Authenticated contexts carry evidence of validation
- Type Safety: Operations require specific authentication levels
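The following is an added, self-contained illustration of the design and principles listed above; it is not scim_server's own code. The names (`Unauthenticated`, `Authenticated`, `Credential`, `AuthenticationWitness`, `AuthenticatedRequestContext`, `list_resources`) mirror the module's vocabulary, but the bodies, the sealed `AuthState` trait and the token allow-list are assumptions made for the sketch:

```rust
// Added sketch of the type-level pattern; NOT scim_server's implementation.
use std::marker::PhantomData;

/// Phantom states: never instantiated, exist only for the compiler.
pub struct Unauthenticated;
pub struct Authenticated;

/// Sealed so that callers cannot invent a third "state" to bypass checks.
pub trait AuthState: private::Sealed {}
impl AuthState for Unauthenticated {}
impl AuthState for Authenticated {}
mod private {
    pub trait Sealed {}
    impl Sealed for super::Unauthenticated {}
    impl Sealed for super::Authenticated {}
}

/// Credential tagged with its state. `PhantomData` is zero-sized, so the
/// tag costs nothing at runtime.
pub struct Credential<S: AuthState> {
    token: String,
    _state: PhantomData<S>,
}

impl Credential<Unauthenticated> {
    pub fn new(token: impl Into<String>) -> Self {
        Credential { token: token.into(), _state: PhantomData }
    }
}

/// Proof of validation. Fields are private and there is no public
/// constructor, so the only way to obtain one is via `authenticate`.
pub struct AuthenticationWitness {
    cred: Credential<Authenticated>,
    subject: String,
}

impl AuthenticationWitness {
    pub fn subject(&self) -> &str { &self.subject }
    pub fn token(&self) -> &str { &self.cred.token }
}

#[derive(Debug, PartialEq)]
pub enum AuthenticationError {
    InvalidToken,
}

/// Validator; the allow-list is constructed sample data standing in for a
/// real credential store.
pub struct AuthenticationValidator {
    known: Vec<(&'static str, &'static str)>, // (token, subject)
}

impl AuthenticationValidator {
    pub fn new() -> Self {
        AuthenticationValidator { known: vec![("api-key-123", "alice")] }
    }

    /// Takes the credential by value: it is consumed (linear), so the raw
    /// token cannot be reused after this call, whether or not it validated.
    pub fn authenticate(
        &self,
        cred: Credential<Unauthenticated>,
    ) -> Result<AuthenticationWitness, AuthenticationError> {
        match self.known.iter().find(|(t, _)| *t == cred.token) {
            Some((_, subject)) => Ok(AuthenticationWitness {
                // Relabel the token at the type level only; no data is copied.
                cred: Credential { token: cred.token, _state: PhantomData },
                subject: subject.to_string(),
            }),
            None => Err(AuthenticationError::InvalidToken),
        }
    }
}

/// Request context that can only be built from a witness.
pub struct AuthenticatedRequestContext {
    subject: String,
}

impl AuthenticatedRequestContext {
    pub fn from_witness(witness: AuthenticationWitness) -> Self {
        AuthenticatedRequestContext { subject: witness.subject }
    }
    pub fn subject(&self) -> &str { &self.subject }
}

/// A resource operation that demands proof: without an
/// `AuthenticatedRequestContext` the call cannot even be written.
pub fn list_resources(ctx: &AuthenticatedRequestContext) -> Vec<String> {
    vec![format!("User:{}", ctx.subject())]
}

/// End-to-end flow: raw credential -> witness -> context -> resources.
pub fn flow(token: &str) -> Result<Vec<String>, AuthenticationError> {
    let raw = Credential::<Unauthenticated>::new(token);
    let validator = AuthenticationValidator::new();
    let witness = validator.authenticate(raw)?;
    // `raw` was moved into `authenticate`; using it here is a compile error.
    let ctx = AuthenticatedRequestContext::from_witness(witness);
    Ok(list_resources(&ctx))
}
```

The security-relevant checks live in the type system rather than in runtime asserts: the witness has no public constructor, the state trait is sealed, and `authenticate` takes ownership, so a reviewer can confirm that no code path reaches `list_resources` without having passed through validation exactly once.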
§Example Usage
```rust
// This snippet runs inside an async function that returns a `Result`,
// which is why `.await?` is valid here.
use scim_server::auth::{
    AuthenticationValidator, AuthenticatedRequestContext,
    LinearCredential, Credential, Unauthenticated
};

// Raw credential (unauthenticated)
let raw_cred = LinearCredential::new("api-key-123");

// Validation consumes the raw credential
let validator = AuthenticationValidator::new();
let witness = validator.authenticate(raw_cred).await?;

// Only validated credentials can create authenticated contexts
let auth_context = AuthenticatedRequestContext::from_witness(witness);

// Only authenticated contexts can access resources
// provider.list_resources(&auth_context).await;
```
Structs§
- Authenticated - Phantom type for authenticated state
- AuthenticatedContext - Simplified authenticated context for common operations
- AuthenticatedRequestContext - Request context that can only be created with authentication proof
- AuthenticationValidator - Compile-time authentication validator
- AuthenticationWitness - Witness type proving successful authentication
- ConsumedCredential - Marker type proving a credential was consumed
- Credential - Credential with compile-time authentication state
- LinearCredential - Linear credential that can only be consumed once
- TenantAuthority - Witness type proving tenant-level authority
- Unauthenticated - Phantom type for unauthenticated state
Enums§
- AuthenticationError - Authentication errors
- AuthenticationResult - Result of authentication that either succeeds with proof or fails
Traits§
- AuthState - Type-level authentication states using phantom types
- AuthenticatedProvider - Type-safe authentication traits for providers