Crate systemprompt_oauth


systemprompt-oauth

OAuth 2.0 / OIDC, WebAuthn, and JWT authentication primitives for the systemprompt.io AI governance platform. The crate provides:

  • OAuth 2.0 / OIDC — PKCE authorization code flow, dynamic client registration, refresh-token rotation, and audience/issuer validation.
  • WebAuthn — passkey registration and authentication backed by webauthn-rs.
  • JWT — admin and anonymous-session token generation, signing and validation utilities.
  • CIMD — Client-Initiated Metadata Discovery validation for federated OAuth clients.
  • Repositories — sqlx-backed Postgres persistence for clients, authorisation codes, refresh tokens, setup tokens and WebAuthn credentials.

Feature flags

| Feature | Default | Effect |
| --- | --- | --- |
| none | n/a | The crate currently exposes a single feature surface; all OAuth, WebAuthn, JWT and CIMD modules are always compiled. |

No optional feature flags are defined at present. The [package.metadata.docs.rs] all-features = true setting is retained so future feature additions automatically appear in published docs.

Layering

systemprompt-oauth is a domain crate. It depends only on shared and infra crates and is consumed by app and entry layers (HTTP handlers, CLI commands).

Errors

Public APIs return OauthResult / OauthError. Variants enumerate the security-meaningful failure modes (invalid grant, expired code, PKCE mismatch, client not found, etc.) so HTTP handlers can map them to RFC 6749 / RFC 8628 / WebAuthn error codes without string parsing.

Re-exports

pub use error::OauthError;
pub use error::OauthResult;
pub use repository::OAuthRepository;
pub use services::providers::JwtValidationProviderImpl;
pub use services::validation::jwt::validate_jwt_token;
pub use services::AnonymousSessionInfo;
pub use services::CreateAnonymousSessionInput;
pub use services::SessionCreationError;
pub use services::SessionCreationService;
pub use services::TemplateEngine;
pub use services::TokenValidator;
pub use services::extract_bearer_token;
pub use services::is_browser_request;
pub use models::*;

Modules

constants
OAuth domain compile-time constants.
error
Typed error taxonomy for the systemprompt-oauth domain.
models
Domain models for OAuth clients, codes, tokens, and CIMD metadata.
repository
Persistence repositories backing the OAuth domain (clients, codes, tokens, WebAuthn credentials).
services
OAuth domain services: token generation, JWT, session, WebAuthn, CIMD, validation, templating.

Structs

AuthenticatedUser
OAuthState
OauthExtension

Enums

AuthError

Constants

BEARER_PREFIX