#keycloak #auth #jwt #oidc #axum


Protect axum routes with a JWT emitted by Keycloak

3 releases

0.1.2 Mar 16, 2023
0.1.1 Feb 27, 2023
0.1.0 Feb 27, 2023

#147 in Authentication

Download history 21/week @ 2023-02-21 22/week @ 2023-02-28 41/week @ 2023-03-07 22/week @ 2023-03-14 3/week @ 2023-03-21

109 downloads per month


536 lines


Protect axum routes with a JWT emitted by Keycloak.

Note: This is still in an early stage and not security-audited.


  • Tower layer / service that can be attached to axum routers.
  • Forwarding only requests providing a verifiable and non-expired JWT.
  • Ability to allow forwarding a failed authentication attempt to possibly handle the authentication using another middleware.
  • Ability to access the extracted JWT data (including roles, the KC uuid, ...) in route handler function.
  • Tests to check that one or more required or forbidden Keycloak realm or client roles were included in the JWT.
  • Ability to access the JWT's raw claims in a handler, allowing to extract custom attributes.
  • An error type implementing IntoResponse providing exact information about why authentication failed in an error response.
  • Ability to define a custom role type from your application to which all roles are automatically parsed.


  • Ability to provide a custom type into which the token is parsed, with which non-standard JWT claims can be extracted without overhead.
  • Allowing fine-grained control over how an AuthError is converted into a response. Giving the user control and the ability to add context, roll their own.


This library provides KeycloakAuthLayer, a tower layer/service implementation that parses and validates a JWT.

Note that this is an extremely abbreviated example.

See the Documentation for detailed instructions.

enum Role {

pub fn protected_router(decoding_key: Arc<DecodingKey>) -> Router {
        .route("/protected", get(protected))

pub async fn protected(Extension(token): Extension<KeycloakToken<Role>>) -> Response {
    expect_role!(&token, Role::Administrator);

    info!("Token payload is {token:#?}");
            "Hello {name} ({subject}). Your token is valid for another {valid_for} seconds.",
            name = token.full_name,
            subject = token.subject,
            valid_for = (token.expires_at - time::OffsetDateTime::now_utc()).whole_seconds()


~392K SLoC