Module access_token_substrate

Expand description

Shared access-token substrate — cross-mode runtime infrastructure.

This module owns capabilities that depend only on a verified access token and X-SecurityDept-Propagation, regardless of which OIDC mode originally produced the token.

§Capability axes

token_propagation — disabled vs enabled (downstream bearer propagation substrate)

§Submodules

Submodule	Description
`capabilities`	Substrate capability axes (`TokenPropagation`)
`config`	`AccessTokenSubstrateConfig`
`runtime`	`AccessTokenSubstrateRuntime` — single authority for substrate runtime objects
[`propagation`]	Destination-policy gated bearer propagation
[`forwarder`]	Propagation forwarder traits (`PropagationForwarderConfigSource`, `PropagationForwarder`, `PropagationForwarderError`) + axum reverse-proxy forwarder (feature-gated)

§Resource-server types

Key resource-server types from securitydept-oauth-resource-server are re-exported here so adopters do not need a direct dependency:

Re-exports§

pub use capabilities::TokenPropagation;
pub use capabilities::TokenPropagationKind;
pub use config::AccessTokenSubstrateConfig;
pub use config::AccessTokenSubstrateConfigSource;
pub use config::ResolvedAccessTokenSubstrateConfig;
pub use runtime::AccessTokenSubstrateRuntime;
pub use runtime::AccessTokenSubstrateRuntimeError;

Modules§

capabilities
config
runtime

Structs§

AccessTokenSubstrateResourceService: Cross-mode resource service for verifying bearer tokens and forwarding propagation requests.
OAuthResourceServerVerifier
PropagatedBearer: Runtime bearer material and access-token facts used during propagation.
PropagatedTokenValidationConfig: Additional token constraints evaluated before a bearer token may be forwarded.
PropagationDestinationPolicy: Allowlist and safety guards for downstream targets.
PropagationDirective: Parsed value of x-securitydept-propagation.
PropagationRequestTarget: Normalized downstream target context used during bearer propagation.
ResourceTokenPrincipal
TokenPropagator
TokenPropagatorConfig: Server-side token propagation configuration.
VerificationPolicy
VerifiedAccessToken

Enums§

AccessTokenSubstrateResourceServiceError: Errors produced by AccessTokenSubstrateResourceService.
AllowedPropagationTarget: A single downstream target allowlist rule.
BearerPropagationPolicy: Controls how a validated upstream bearer token may be propagated downstream.
PropagationForwarderError: Error type for propagation forwarders.
PropagationScheme: Normalized scheme used for downstream propagation rules.
TokenPropagatorError
VerifiedToken

Constants§

DEFAULT_PROPAGATION_HEADER_NAME

Traits§

PropagationForwarder: Runtime trait for a propagation forwarder.
PropagationForwarderConfigSource: Config-source trait for a propagation forwarder.
PropagationNodeTargetResolver

Type Aliases§

PropagationForwarderResult
TokenPropagatorResult

Module access_token_substrate

Module access_token_substrate Copy item path

§Capability axes

§Submodules

§Resource-server types

Re-exports§

Modules§

Structs§

Enums§

Constants§

Traits§

Type Aliases§

Module access_token_substrate