Module middleware 

Axum middleware: dispatch to the configured AuthValidator, insert the resulting AuthenticatedPrincipal into request extensions, or short-circuit with the appropriate HTTP status.

Status-code mapping:

• MissingAuthHeader, MalformedAuthHeader, InvalidBearer, InvalidOidcToken → 401 (operator/client supplied wrong credentials)
• MissingTenantClaim, InvalidTenantClaim → 403 (credentials valid but the operator-tenant binding is wrong)
• Discovery, Jwks → 500 (upstream IdP is unreachable / misbehaving)

Enums

AuthValidator

Resolves either to a BearerValidator or an OidcValidator depending on the [auth] block in the config. Built once at server start; cloned cheaply on every request.

Functions

auth_middleware

Axum middleware. Reads the Authorization header, dispatches to the configured validator, attaches the principal to the request, or returns the appropriate error response.