#keycloak #axum #loco #web #initializer

loco-keycloak-auth

A plug-and-play Keycloak authentication layer for Loco.rs, powered by axum-keycloak-auth. This crate allows you to easily add secure Keycloak authentication to your Loco web app, with full control over protected routes and clean YAML-based config.

1 unstable release

Uses new Rust 2024

new 0.1.0 Apr 13, 2025

#488 in Authentication

MIT license

40KB
90 lines

πŸ” loco-keycloak-auth

A plug-and-play Keycloak authentication layer for Loco.rs, powered by axum-keycloak-auth.
This crate allows you to easily add secure Keycloak authentication to your Loco web app, with full control over protected routes and clean YAML-based config.


✨ Features

  • ✅ Simple integration with Loco initializers
  • ✅ Based on axum-keycloak-auth
  • ✅ Configurable via config.yaml
  • ✅ Supports Block and Pass passthrough modes
  • ✅ Designed to be flexible: apply middleware only where you want it
  • ✅ Ideal for securing internal APIs or user-facing endpoints

⚙️ Installation

Add to your Cargo.toml:

[dependencies]
loco-keycloak-auth = { git = "https://github.com/GKaszewski/loco-keycloak-auth" }

Note: If you're using a local path for development:

loco-keycloak-auth = { path = "../loco-keycloak-auth" }

🛠 Setup

1. Add Keycloak config to your config/config.yaml

settings:
  keycloak_settings:
    url: "https://keycloak.example.com"
    realm: "myrealm"
    expected_audiences:
      - "account"
    passthrough_mode: "Block" # or "Pass"
    persist_raw_claims: false

2. Add the initializer to your App in app.rs if you want to have all routes protected.

use loco_keycloak_auth::KeycloakAuthInitializer;

#[async_trait]
impl Hooks for App {
    async fn initializers(_ctx: &AppContext) -> Result<Vec<Box<dyn Initializer>>> {
        let keycloak_auth = loco_keycloak_auth::initializer::KeycloakAuthInitializer {};
        Ok(vec![Box::new(keycloak_auth)])
    }
}

🔒 Usage

Protect specific endpoints

use loco_keycloak_auth::Keycloak;

fn routes(ctx: &AppContext) -> Routes {
    let keycloak = Keycloak::from_context(ctx).expect("Failed to create Keycloak layer");

    Routes::new()
        .prefix("secure")
        .add("/profile", get(profile_handler).layer(keycloak.layer))
}

📦 API

Settings struct

pub struct KeycloakSettings {
    pub url: String,
    pub realm: String,
    pub expected_audiences: Vec<String>,
    pub passthrough_mode: PassthroughMode, // "Block" or "Pass"
    pub persist_raw_claims: bool,
}

PassthroughMode lets you decide whether unauthenticated requests should be blocked or passed along.
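
What the two modes mean for a handler, as an added std-only model (not code from loco-keycloak-auth or axum-keycloak-auth). The names Claims, Outcome, decide and profile_handler are hypothetical, token signature verification is assumed to have happened already, and the issuer form `<url>/realms/<realm>` is an assumption about the Keycloak deployment.

```rust
// Added illustration: a std-only model of Block vs Pass, not the crate's implementation.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum PassthroughMode { Block, Pass }
#[derive(Debug, PartialEq)]
pub enum AuthStatus { Success, Failure(&'static str) }
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Rejected,                // the layer answers; the handler never runs
    HandlerRuns(AuthStatus), // the handler runs and receives the auth status
}
/// Claims of a token whose signature is assumed to be verified already.
pub struct Claims<'a> { pub iss: &'a str, pub aud: Vec<&'a str>, pub exp: u64 }
pub struct Settings<'a> {
    pub url: &'a str, pub realm: &'a str,
    pub expected_audiences: Vec<&'a str>, pub passthrough_mode: PassthroughMode,
}

fn check(s: &Settings, claims: Option<&Claims>, now: u64) -> AuthStatus {
    let Some(c) = claims else { return AuthStatus::Failure("missing token") };
    // Assumption: the realm issuer is "<url>/realms/<realm>".
    let issuer = format!("{}/realms/{}", s.url.trim_end_matches('/'), s.realm);
    if c.iss != issuer { return AuthStatus::Failure("wrong issuer"); }
    if c.exp <= now { return AuthStatus::Failure("expired"); }
    // At least one `aud` entry has to be listed in expected_audiences.
    if !c.aud.iter().any(|a| s.expected_audiences.contains(a)) {
        return AuthStatus::Failure("unexpected audience");
    }
    AuthStatus::Success
}

pub fn decide(s: &Settings, claims: Option<&Claims>, now: u64) -> Outcome {
    match (check(s, claims, now), s.passthrough_mode) {
        (AuthStatus::Failure(_), PassthroughMode::Block) => Outcome::Rejected,
        (status, _) => Outcome::HandlerRuns(status),
    }
}

/// Behind a Pass-mode layer the handler makes the access decision itself.
pub fn profile_handler(outcome: &Outcome) -> Result<&'static str, &'static str> {
    match outcome {
        Outcome::HandlerRuns(AuthStatus::Success) => Ok("profile"),
        _ => Err("unauthorized"),
    }
}

fn main() {
    let s = Settings { url: "https://keycloak.example.com", realm: "myrealm",
        expected_audiences: vec!["account"], passthrough_mode: PassthroughMode::Pass };
    println!("{:?}", profile_handler(&decide(&s, None, 0))); // constructed: no token
}
```

With Pass, a handler that never inspects the status it receives serves unauthenticated callers, so Block is the safer setting for routes that must always be authenticated.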


🤝 Contributing

We welcome contributions! Here's how to get started:

1. Clone the repository

git clone https://github.com/GKaszewski/loco-keycloak-auth
cd loco-keycloak-auth

2. Use in your Loco project with a local path

[dependencies]
loco-keycloak-auth = { path = "../loco-keycloak-auth" }

3. Run tests if there are any

cargo test

4. Submit a PR 🚀

Please open an issue or discussion first for larger feature proposals or breaking changes.


📄 License

MIT


🙌 Credits


📫 Contact

Questions? Ideas? Want to contribute together?
Open an issue or reach out on GitHub Discussions.

Dependencies

~38–54MB
~893K SLoC