Module remote_verifier

Fetch, cache, refresh, and use a remote JWKS document to verify JWTs.

RemoteJwksVerifier fetches, caches, and refreshes a remote JWKS document and exposes a RemoteJwksVerifier::verify_token method that both Axum and Tonic integrations can depend on without duplicating fetch/cache/refresh logic.

§Behavior

  • Startup: attempts a live JWKS fetch; falls back to a persistent cache if the fetch fails; fails closed (returns an error) when neither source provides valid ES384 keys.
  • Background refresh: call RemoteJwksVerifier::start_background_refresh once after bootstrap to keep keys current.
  • Unknown-kid recovery: on a first verification failure caused by an unknown kid, the verifier performs one bounded refresh before retrying.
  • Request-path verification: all JWT validation is local; no per-request network I/O is performed.
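
The startup fallback and unknown-kid recovery described above, modelled with the standard library only. This is an added example, not code from webgates_codecs: `KidCache`, `VerifyError`, `usable`, `jwks` and the closure standing in for the remote fetch are hypothetical names, and it assumes a successful refresh replaces the whole key set while a failed one leaves the cached keys in place.

```rust
use std::collections::HashMap;

// Hypothetical model, not the webgates_codecs API. Maps kid -> key (constructed placeholder).
type Jwks = HashMap<String, String>;

#[derive(Debug, PartialEq)]
enum VerifyError { NoKeys, UnknownKid }

fn usable(j: &Jwks) -> bool { !j.is_empty() }

struct KidCache<F: FnMut() -> Option<Jwks>> {
    keys: Jwks,
    fetch: F,       // stands in for the remote JWKS fetch; None means the fetch failed
    fetches: usize, // number of fetch attempts so far
}

impl<F: FnMut() -> Option<Jwks>> KidCache<F> {
    // Startup: live fetch, else persisted cache, else fail closed.
    fn bootstrap(mut fetch: F, persisted: Option<Jwks>) -> Result<Self, VerifyError> {
        let keys = fetch().filter(usable)
            .or_else(|| persisted.filter(usable))
            .ok_or(VerifyError::NoKeys)?;
        Ok(Self { keys, fetch, fetches: 1 })
    }

    // Request path: local lookup only; an unknown kid costs at most one refresh.
    fn key_for(&mut self, kid: &str) -> Result<String, VerifyError> {
        if let Some(k) = self.keys.get(kid) { return Ok(k.clone()); }
        self.fetches += 1;
        if let Some(fresh) = (self.fetch)().filter(usable) {
            self.keys = fresh; // assumption: a refresh replaces the whole key set
        }
        self.keys.get(kid).cloned().ok_or(VerifyError::UnknownKid)
    }
}

fn jwks(kids: &[&str]) -> Jwks {
    kids.iter().map(|k| (k.to_string(), format!("key-for-{}", k))).collect()
}

fn main() {
    // Constructed scenario: the issuer rotates from kid "k1" to "k2", then goes offline.
    let mut responses = vec![Some(jwks(&["k2"])), Some(jwks(&["k1"]))];
    let mut cache = KidCache::bootstrap(move || responses.pop().flatten(), None).unwrap();
    for kid in ["k1", "k2", "bogus"] {
        let result = cache.key_for(kid);
        println!("{}: {:?} (fetches so far: {})", kid, result, cache.fetches);
    }
}
```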

§Example

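use webgates_codecs::jwt::remote_verifier::{RemoteJwksVerifier, RemoteJwksVerifierConfig};
use webgates_codecs::jwt::JwtClaims;

// The calls below use `.await?`, so they run inside an async function that returns a Result.
let config = RemoteJwksVerifierConfig::from_jwks_url(
    "https://auth.example.com/.well-known/jwks.json",
);
// Bootstrap tries a live fetch, then the persistent cache, and returns an error
// when neither source provides valid ES384 keys.
let verifier = RemoteJwksVerifier::<JwtClaims<()>>::bootstrap(config).await?;
// Call once after bootstrap to keep keys current.
let _refresh_handle = verifier.start_background_refresh();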

Structs§

RemoteJwksVerifier
Transport-agnostic remote JWKS verifier.
RemoteJwksVerifierConfig
Configuration for a RemoteJwksVerifier.

Enums§

RemoteJwksVerifierError
Errors produced by RemoteJwksVerifier.