§systemprompt-oauth
OAuth 2.0 / OIDC, WebAuthn, and JWT authentication primitives for the
systemprompt.io AI governance platform. The crate provides:
- OAuth 2.0 / OIDC — PKCE authorization code flow, authenticated dynamic client registration (the resulting `oauth_clients` row carries the caller as `owner_user_id`), refresh-token rotation, and audience/issuer validation. The four canonical grants live on `GrantType`: `AuthorizationCode`, `RefreshToken`, `ClientCredentials`, and `TokenExchange`.
- RFC 8693 token exchange — `/oauth/token` accepts `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`, validates the `subject_token` against `profile.security.trusted_issuers` (or the deployment’s own RS256 signing key for self-issued tokens), intersects the requested `scope` with the subject’s scope, the client’s scope grant, and the client owner’s role set, and mints a delegated token whose `act` claim records the calling client. Pre-existing `act` chains on the subject token are preserved and chained underneath.
- Federated identities — `find_or_create_federated` provisions a user from a trusted-issuer subject token on first appearance.
- WebAuthn — passkey registration and authentication backed by `webauthn-rs`.
- JWT — admin and anonymous-session token generation; tokens are signed RS256 by the in-process `TokenAuthority` and carry a `kid` header resolved against the published JWKS.
- CIMD — Client-Initiated Metadata Discovery validation for federated OAuth clients.
- Repositories — `sqlx`-backed Postgres persistence for clients, authorisation codes, refresh tokens, setup tokens and WebAuthn credentials. Refresh-token ids and authorisation codes are stored as HMAC-SHA-256 digests under the deployment `oauth_at_rest_pepper`; a database read alone does not yield a live credential.
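The scope-narrowing and `act`-chaining rules of the token exchange bullet above, written out as an added, std-only Rust example. This is illustration code, not `systemprompt-oauth`'s own types or functions: `Act`, `SubjectToken`, `ExchangeRequest`, `DelegatedToken` and `exchange` are hypothetical names, and the "client owner's role set" is modelled as a plain set of permitted scope names, which is an assumption about how the crate maps roles to scopes.

```rust
// Added example, not systemprompt-oauth code: RFC 8693 scope narrowing and
// `act` chaining. All names are hypothetical; owner roles are treated as
// permitted scope names (an assumption, not the crate's documented mapping).
use std::collections::BTreeSet;

/// One link of an RFC 8693 `act` chain: the client acting on the subject's
/// behalf, with any earlier actor nested underneath.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Act {
    pub client_id: String,
    pub nested: Option<Box<Act>>,
}

/// The subject token after signature and issuer validation have passed.
pub struct SubjectToken {
    pub sub: String,
    pub scope: BTreeSet<String>,
    pub act: Option<Act>,
}

/// The exchange request plus what the server knows about the calling client.
pub struct ExchangeRequest {
    pub calling_client_id: String,
    /// The `scope` parameter; `None` means "as much of the subject's scope as permitted".
    pub requested_scope: Option<BTreeSet<String>>,
    pub client_scope_grant: BTreeSet<String>,
    pub owner_roles: BTreeSet<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub struct DelegatedToken {
    pub sub: String,
    pub scope: BTreeSet<String>,
    pub act: Act,
}

fn scopes(list: &[&str]) -> BTreeSet<String> {
    list.iter().map(|s| s.to_string()).collect()
}

/// Narrow the scope to the intersection of every party's authority and record
/// the caller in `act`, keeping any pre-existing chain underneath.
pub fn exchange(subject: &SubjectToken, req: &ExchangeRequest) -> Result<DelegatedToken, &'static str> {
    let mut scope = req.requested_scope.clone().unwrap_or_else(|| subject.scope.clone());
    // Each intersection can only remove scopes: delegation never amplifies authority.
    for bound in [&subject.scope, &req.client_scope_grant, &req.owner_roles] {
        scope = scope.intersection(bound).cloned().collect();
    }
    if scope.is_empty() {
        return Err("invalid_scope");
    }
    Ok(DelegatedToken {
        sub: subject.sub.clone(), // the subject is unchanged by delegation
        scope,
        act: Act {
            client_id: req.calling_client_id.clone(),
            nested: subject.act.clone().map(Box::new), // earlier actors stay underneath
        },
    })
}

/// Flatten an `act` chain, most recent actor first, for audit logging.
pub fn act_chain(act: &Act) -> Vec<String> {
    let mut out = vec![act.client_id.clone()];
    let mut cur = act.nested.as_deref();
    while let Some(a) = cur {
        out.push(a.client_id.clone());
        cur = a.nested.as_deref();
    }
    out
}

/// Constructed scenario: a token already delegated once to `svc-a` is
/// exchanged by `svc-b`, which asks for more than anyone may grant.
pub fn demo() -> Result<DelegatedToken, &'static str> {
    let subject = SubjectToken {
        sub: "user-42".into(),
        scope: scopes(&["read", "write", "admin"]),
        act: Some(Act { client_id: "svc-a".into(), nested: None }),
    };
    let req = ExchangeRequest {
        calling_client_id: "svc-b".into(),
        requested_scope: Some(scopes(&["read", "write", "delete"])), // `delete` is not held by the subject
        client_scope_grant: scopes(&["read", "write", "admin"]),
        owner_roles: scopes(&["read", "write"]), // the owner's roles drop `admin`
    };
    exchange(&subject, &req)
}
```

The result of `demo()` carries only `read write`, and its `act` chain reads `svc-b` then `svc-a`: the caller is recorded on top, and the subject's earlier delegation is preserved beneath it. An empty intersection is refused rather than silently minting a token with no scope.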
§Feature flags
| Feature | Default | Effect |
|---|---|---|
| none | n/a | The crate currently exposes a single feature surface; all OAuth, WebAuthn, JWT and CIMD modules are always compiled. |
No optional feature flags are defined at present. The
`[package.metadata.docs.rs] all-features = true` setting is retained so
future feature additions automatically appear in published docs.
§Layering
systemprompt-oauth is a domain crate. It depends only on
shared and infra crates and is consumed by app and entry
layers (HTTP handlers, CLI commands).
§Errors
Public APIs return OauthResult / OauthError. Variants enumerate
the security-meaningful failure modes (invalid grant, expired code,
PKCE mismatch, client not found, etc.) so HTTP handlers can map them
to RFC 6749 / RFC 8628 / WebAuthn error codes without string parsing.
Re-exports§
- `pub use error::OauthError;`
- `pub use error::OauthResult;`
- `pub use repository::OAuthRepository;`
- `pub use services::providers::JwtValidationProviderImpl;`
- `pub use services::validation::jwt::validate_jwt_token;`
- `pub use services::AnonymousSessionInfo;`
- `pub use services::CreateAnonymousSessionInput;`
- `pub use services::SessionCreationError;`
- `pub use services::SessionCreationService;`
- `pub use services::TemplateEngine;`
- `pub use services::TokenValidator;`
- `pub use services::extract_bearer_token;`
- `pub use services::is_browser_request;`
- `pub use models::*;`
Modules§
- `constants`: OAuth domain compile-time constants.
- `error`: Typed error taxonomy for the systemprompt-oauth domain.
- `models`: Domain models for OAuth clients, codes, tokens, and CIMD metadata.
- `repository`: Persistence repositories backing the OAuth domain (clients, codes, tokens, WebAuthn credentials).
- `services`: OAuth domain services for token generation, JWT, session, WebAuthn, CIMD, validation, and templating.