Crate turbomcp_auth


§TurboMCP Auth - Unified Authentication Framework

World-class authentication and authorization for TurboMCP with standards-compliant implementations of OAuth 2.1, JWT, API keys, and DPoP token binding.

§Design Principles

  • Single Source of Truth: ONE canonical AuthContext type used everywhere
  • Feature-Gated Complexity: Simple by default, powerful when needed
  • Zero-Cost Abstractions: No overhead for unused features
  • Standards-Compliant: OAuth 2.1, RFC 7519 (JWT), RFC 9449 (DPoP), RFC 9728

§Key Features

  • Unified AuthContext - Single type for all authentication scenarios
  • OAuth 2.1 - RFC 8707/9728/7591 compliant with PKCE support
  • Multi-Provider - Google, GitHub, Microsoft, GitLab out of the box
  • API Key Auth - Simple and secure API key authentication
  • RBAC Support - Role-based access control with fine-grained permissions
  • Session Management - Flexible token storage and lifecycle management
  • DPoP Support - Optional RFC 9449 proof-of-possession tokens

§Architecture

  • context - Unified AuthContext type (THE canonical auth representation)
  • types - Core types (UserInfo, TokenInfo, provider traits)
  • config - Configuration types for authentication providers
  • providers - Authentication provider implementations
    • api_key - API key authentication
    • oauth2 - OAuth 2.1 provider
  • manager - Authentication manager for provider orchestration
  • oauth2 - OAuth 2.1 client with authorization flows
  • server - Server-side authentication helpers (RFC 9728 Protected Resource)

§Quick Start

```rust
use turbomcp_auth::{AuthContext, UserInfo};
use std::collections::HashMap;

fn main() {
    // Identity details attached to the context; metadata is left empty here
    let user = UserInfo {
        id: "user123".to_string(),
        username: "alice".to_string(),
        email: Some("alice@example.com".to_string()),
        display_name: Some("Alice".to_string()),
        avatar_url: None,
        metadata: HashMap::new(),
    };

    // Create an auth context using the builder; `build()` validates the
    // context and returns an error if required fields are missing
    let auth = AuthContext::builder()
        .subject("user123")
        .user(user)
        .provider("api-key")
        .roles(vec!["admin".to_string(), "user".to_string()])
        .permissions(vec!["write:data".to_string()])
        .build()
        .unwrap();

    // Check authorization: both the role and the specific permission are required
    if auth.has_role("admin") && auth.has_permission("write:data") {
        println!("User {} has write access", auth.sub);
    }
}
```

§Feature Flags

§Default Features

  • api-key - API key authentication
  • oauth2 - OAuth 2.1 flows and providers

§Core Authentication Methods

  • jwt - JWT token validation
  • custom - Custom auth provider support (traits only)

§Advanced Features

  • dpop - RFC 9449 DPoP token binding
  • rbac - Role-based access control helpers

§Token Lifecycle

  • token-refresh - Automatic token refresh
  • token-revocation - Token revocation support

§Observability

  • metrics - Metrics collection (future)
  • tracing-ext - Extended tracing support

§Middleware

  • middleware - Tower middleware support (future)

§Batteries-Included

  • full - All features enabled

§Standards Compliance

  • RFC 7519 - JSON Web Token (JWT)
  • RFC 6749 - OAuth 2.0 Authorization Framework
  • RFC 7636 - Proof Key for Code Exchange (PKCE)
  • RFC 8707 - OAuth 2.0 Resource Indicators
  • RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession (DPoP)
  • RFC 9728 - OAuth 2.0 Protected Resource Metadata

Re-exports§

pub use api_key::ApiKeyProvider;
pub use oauth2::OAuth2Provider;
pub use turbomcp_dpop as dpop;

Modules§

  • api_key - API Key Authentication Provider
  • api_key_validation - Secure API Key Validation with Constant-Time Comparison
  • config - Authentication Configuration Types
  • context - Unified Authentication Context
  • introspection - OAuth 2.0 Token Introspection (RFC 7662)
  • jwt - JWT Infrastructure - Shared JWT validation and signing for TurboMCP
  • manager - Authentication Manager
  • oauth2 - OAuth 2.1 Implementation
  • providers - Authentication Providers
  • server - Server-side authentication and authorization helpers
  • types - Core Authentication Types
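The api_key_validation module is summarized above as "Secure API Key Validation with Constant-Time Comparison". The following is an added, self-contained illustration of that property using only the Rust standard library; it is not the crate's own code, and the key store, the hypothetical `<id>.<secret>` key format, and the sample keys are constructed for the example. The point it shows is that a naive `==` on byte slices stops at the first mismatching byte, so response time varies with how many leading bytes an attacker got right, whereas the comparison below always touches every byte and only combines the result at the end. It also compares against a dummy secret when the key id is unknown, so a lookup miss takes the same path as a wrong secret.

```rust
use std::collections::HashMap;
use std::hint::black_box;

/// Compare two byte strings without exiting early on the first differing byte.
/// Returns true only when lengths and every byte match.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    // Iterate over the longer input so the loop count never depends on
    // where the first mismatch sits; missing bytes are padded with zero.
    let len = a.len().max(b.len());
    // A length mismatch is folded into the accumulator instead of returning early.
    let mut diff: u8 = (a.len() != b.len()) as u8;
    for i in 0..len {
        let x = *a.get(i).unwrap_or(&0);
        let y = *b.get(i).unwrap_or(&0);
        // black_box discourages the optimizer from short-circuiting the OR chain.
        diff |= black_box(x ^ y);
    }
    diff == 0
}

/// Constructed key store: maps a public key id to its secret bytes.
pub struct ApiKeyStore {
    keys: HashMap<String, Vec<u8>>,
    // Secret compared against when the id is unknown, keeping timing uniform.
    dummy: Vec<u8>,
}

impl ApiKeyStore {
    pub fn new(entries: &[(&str, &str)]) -> Self {
        let keys = entries
            .iter()
            .map(|(id, secret)| (id.to_string(), secret.as_bytes().to_vec()))
            .collect();
        ApiKeyStore { keys, dummy: vec![0u8; 32] }
    }

    /// Validate a presented key of the hypothetical form "<id>.<secret>".
    /// Returns the key id on success, None on any failure.
    pub fn validate(&self, presented: &str) -> Option<String> {
        let (id, secret) = presented.split_once('.').unwrap_or(("", ""));
        let known = self.keys.contains_key(id);
        // Always run the comparison, even for unknown ids.
        let stored = self.keys.get(id).unwrap_or(&self.dummy);
        let secret_ok = constant_time_eq(stored, secret.as_bytes());
        if known && secret_ok {
            Some(id.to_string())
        } else {
            None
        }
    }
}

fn main() {
    // Constructed sample keys, not real credentials.
    let store = ApiKeyStore::new(&[("svc-a", "s3cret-alpha"), ("svc-b", "s3cret-beta")]);
    for presented in ["svc-a.s3cret-alpha", "svc-a.s3cret-beta", "svc-z.s3cret-alpha", "garbage"] {
        match store.validate(presented) {
            Some(id) => println!("{presented}: accepted as {id}"),
            None => println!("{presented}: rejected"),
        }
    }
}
```

In production the stored value would normally be a hash of the secret rather than the secret itself, so that a database leak does not expose usable keys; the comparison discipline above applies unchanged to the hashed form.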

Structs§

  • AccessToken - Secure access token with metadata
  • AuthConfig - Authentication configuration
  • AuthContext - Unified authentication context containing user identity, claims, and session metadata
  • AuthContextBuilder - Builder for constructing AuthContext
  • AuthManager - Authentication manager for coordinating multiple authentication providers
  • AuthProviderConfig - Authentication provider configuration
  • AuthorizationConfig - Authorization configuration
  • ClientRegistrationError - Client Registration Error Response (RFC 7591)
  • ClientRegistrationRequest - Dynamic Client Registration Request (RFC 7591)
  • ClientRegistrationResponse - Dynamic Client Registration Response (RFC 7591)
  • DefaultAuthMiddleware - Default authentication middleware
  • DeviceAuthorizationResponse - Device authorization response for CLI/IoT flows
  • DpopConfig - DPoP (Demonstration of Proof-of-Possession) configuration
  • DynamicClientRegistration - Dynamic Client Registration Manager for RFC 7591 compliance
  • McpResourceRegistry - MCP Server Resource Registry for RFC 9728 compliance
  • OAuth2AuthResult - OAuth 2.1 authorization result
  • OAuth2Config - OAuth 2.1 configuration
  • ProtectedResourceMetadata - Protected Resource Metadata (RFC 9728) for server-side discovery
  • ProviderConfig - Provider-specific configuration for handling OAuth quirks
  • TokenInfo - Token information
  • UserInfo - User information
  • ValidationConfig - Validation configuration for AuthContext

Enums§

  • ApplicationType - Application type for OAuth client (RFC 7591)
  • AuthCredentials - Authentication credentials
  • AuthProviderType - Authentication provider types
  • BearerTokenMethod - Bearer token delivery methods (RFC 9728)
  • ClientRegistrationErrorCode - Client Registration Error Codes (RFC 7591)
  • DpopKeyStorageConfig - DPoP key storage configuration
  • OAuth2FlowType - OAuth 2.1 flow types
  • ProviderType - OAuth2 provider types with built-in configurations
  • RefreshBehavior - Token refresh behavior strategies
  • SecurityLevel - Security levels for OAuth 2.1 flows

Traits§

  • AuthMiddleware - Authentication middleware trait
  • AuthProvider - Authentication provider trait
  • TokenStorage - Secure token storage abstraction