axum-keycloak-auth

Protect axum routes with a JWT emitted by Keycloak.

Features

  • Tower layer / service that can be attached to axum routers.
  • Automatic OIDC discovery
  • Forwarding only requests providing a verifiable and non-expired JWT.
  • Optional forwarding of requests that failed authentication, so that another middleware can handle the authentication instead.
  • Ability to access the extracted JWT data (including roles, the KC uuid, ...) in route handler functions.
  • Tests to check that one or more required or forbidden Keycloak realm or client roles were included in the JWT.
  • Ability to access the JWT's raw claims in a handler, so that custom attributes can be extracted.
  • An error type implementing IntoResponse providing exact information about why authentication failed in an error response.
  • Ability to define a custom role type from your application to which all roles are automatically parsed.

Planned

  • Ability to provide a custom type into which the token is parsed, with which non-standard JWT claims can be extracted without overhead.
  • Fine-grained control over how an AuthError is converted into a response, giving the user the ability to add context or roll their own.

Usage

This library provides KeycloakAuthLayer, a tower layer/service implementation that parses and validates a JWT.

See the Documentation for more detailed instructions!

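use axum::{
    http::StatusCode,
    response::{IntoResponse, Response},
    routing::get,
    Extension, Router,
};
use axum_keycloak_auth::{
    decode::KeycloakToken, expect_role, instance::KeycloakAuthInstance,
    layer::KeycloakAuthLayer, PassthroughMode,
};
use tracing::info; // assumption: `info!` comes from the `tracing` crate

// Application role type. The layer parses every role string in the token
// into this type; see the documentation for the trait implementations it
// requires. Roles the application does not know end up in `Unknown`.
enum Role {
    Administrator,
    Unknown(String),
}

pub fn protected_router(instance: KeycloakAuthInstance) -> Router {
    Router::new()
        .route("/protected", get(protected))
        .layer(
            KeycloakAuthLayer::<Role>::builder()
                .instance(instance)
                // Block: requests that fail authentication are not forwarded.
                .passthrough_mode(PassthroughMode::Block)
                .build(),
        )
}

// With PassthroughMode::Block the handler only runs for a validated token.
pub async fn protected(Extension(token): Extension<KeycloakToken<Role>>) -> Response {
    // Rejects the request unless the token carries the Administrator role.
    expect_role!(&token, Role::Administrator);

    // Dumps every claim in the token, including personal data, to the log.
    info!("Token payload is {token:#?}");
    (
        StatusCode::OK,
        format!(
            "Hello {name} ({subject}). Your token is valid for another {valid_for} seconds.",
            name = token.extra.profile.preferred_username,
            subject = token.subject,
            valid_for = (token.expires_at - time::OffsetDateTime::now_utc()).whole_seconds()
        ),
    ).into_response()
}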
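
The Role type above maps every role string from the token into the application's enum, with Unknown as the catch-all. The following std-only sketch is an added example, not code from axum-keycloak-auth; it models how required and forbidden role checks behave over Keycloak's realm and client roles. TokenRoles, Denied, authorize, the Suspended variant and the role strings are hypothetical, and realm and client roles are pooled for brevity.

```rust
// Added illustration, std only; not axum-keycloak-auth's implementation.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Role {
    Administrator,
    Suspended, // hypothetical "deny" role
    Unknown(String),
}

impl From<String> for Role {
    // Exact, case-sensitive match: anything else lands in Unknown and
    // therefore can never satisfy a check for a known role.
    fn from(s: String) -> Self {
        match s.as_str() {
            "administrator" => Role::Administrator,
            "suspended" => Role::Suspended,
            _ => Role::Unknown(s),
        }
    }
}

/// Role strings as Keycloak places them in an access token:
/// `realm_access.roles` and `resource_access.<client>.roles`.
pub struct TokenRoles {
    pub realm: Vec<String>,
    pub clients: BTreeMap<String, Vec<String>>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied {
    Forbidden(Role),
    Missing(Role),
}

/// Forbidden roles are checked first, so a deny always wins over a grant.
pub fn authorize(t: &TokenRoles, required: &[Role], forbidden: &[Role]) -> Result<(), Denied> {
    // Simplification: realm and client roles are pooled into one list.
    let held: Vec<Role> = t.realm.iter()
        .chain(t.clients.values().flatten())
        .cloned()
        .map(Role::from)
        .collect();
    if let Some(r) = forbidden.iter().find(|r| held.contains(r)) {
        return Err(Denied::Forbidden(r.clone()));
    }
    match required.iter().find(|r| !held.contains(r)) {
        Some(r) => Err(Denied::Missing(r.clone())),
        None => Ok(()),
    }
}
```

A role string that differs only in case from a known one parses to Unknown, so the check fails closed instead of granting access.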

Axum compatibility

axum    axum-keycloak-auth
0.6     0.2
0.7     0.3 - 0.4

Contributors

lpotthast, fmeow, eboskma