
//! Authentication providers for Micromegas
//!
//! This crate provides authentication and authorization for Micromegas services.
//! It supports multiple authentication methods:
//!
//! - **API Keys**: Simple bearer token authentication, checked against a configured key ring
//! - **OIDC**: OpenID Connect authentication with automatic JWKS caching
//!
//! # Example: API Key Authentication
//!
//! ```rust
//! use micromegas_auth::api_key::{ApiKeyAuthProvider, parse_key_ring};
//! use micromegas_auth::types::{AuthProvider, HttpRequestParts, RequestParts};
//!
//! # async fn example() -> anyhow::Result<()> {
//! let json = r#"[{"name": "user1", "key": "secret-key-123"}]"#;
//! let keyring = parse_key_ring(json)?;
//! let provider = ApiKeyAuthProvider::new(keyring);
//!
//! // Create request parts with Bearer token
//! let mut headers = http::HeaderMap::new();
//! headers.insert(
//!     http::header::AUTHORIZATION,
//!     "Bearer secret-key-123".parse().unwrap(),
//! );
//! let parts = HttpRequestParts {
//!     headers,
//!     method: http::Method::GET,
//!     uri: "/api/endpoint".parse().unwrap(),
//! };
//!
//! let auth_ctx = provider.validate_request(&parts as &dyn RequestParts).await?;
//! println!("Authenticated: {}", auth_ctx.subject);
//! # Ok(())
//! # }
//! ```
//!
//! # Example: OIDC Authentication
//!
//! ```rust,no_run
//! use micromegas_auth::oidc::{OidcAuthProvider, OidcConfig, OidcIssuer};
//! use micromegas_auth::types::{AuthProvider, HttpRequestParts, RequestParts};
//!
//! # async fn example() -> anyhow::Result<()> {
//! let config = OidcConfig {
//!     issuers: vec![OidcIssuer {
//!         issuer: "https://accounts.google.com".to_string(),
//!         audience: "your-client-id.apps.googleusercontent.com".to_string(),
//!     }],
//!     jwks_refresh_interval_secs: 3600,
//!     token_cache_size: 1000,
//!     token_cache_ttl_secs: 300,
//! };
//!
//! let provider = OidcAuthProvider::new(config).await?;
//!
//! // Create request parts with ID token
//! let mut headers = http::HeaderMap::new();
//! headers.insert(
//!     http::header::AUTHORIZATION,
//!     "Bearer id_token_here".parse().unwrap(),
//! );
//! let parts = HttpRequestParts {
//!     headers,
//!     method: http::Method::GET,
//!     uri: "/api/endpoint".parse().unwrap(),
//! };
//!
//! let auth_ctx = provider.validate_request(&parts as &dyn RequestParts).await?;
//! println!("Authenticated: {}", auth_ctx.subject);
//! # Ok(())
//! # }
//! ```

// ── Core abstractions ─────────────────────────────────────────────────────────

/// Core authentication types and traits shared by every provider
/// (`AuthProvider`, `RequestParts`, `HttpRequestParts`, ...).
pub mod types;

// ── Authentication providers ──────────────────────────────────────────────────

/// Bearer-token authentication backed by a parsed key ring.
pub mod api_key;

/// OpenID Connect authentication with cached JWKS.
pub mod oidc;

/// Composite provider combining API key and OIDC authentication.
pub mod multi;

/// Construction of the default authentication provider.
pub mod default_provider;

// ── Framework integration ─────────────────────────────────────────────────────

/// Tower service layer for authenticating tonic/gRPC services.
pub mod tower;

/// Axum middleware for authenticating HTTP requests.
pub mod axum;

// ── OAuth flow helpers ────────────────────────────────────────────────────────

/// Validation of URLs used in authentication flows.
pub mod url_validation;

/// Signing and verification of the OAuth `state` parameter.
pub mod oauth_state;

/// Validation of user attribution, guarding against impersonation.
pub mod user_attribution;