16 releases

| Version | Released |
|---|---|
| 0.3.0 (new) | Apr 15, 2025 |
| 0.2.3 | Apr 14, 2025 |
| 0.2.2 | Mar 17, 2025 |
| 0.1.10 | Feb 27, 2025 |
| 0.1.4 | Nov 25, 2024 |
tower-oauth2-resource-server
Tower middleware that provides JWT authorization against an OpenID Connect (OIDC) Provider. This is useful when an application has delegated authentication and/or authorization to an external authorization service (e.g. Auth0, Microsoft Entra, etc.).
The main inspiration for this middleware (both in naming and functionality) is Spring Security OAuth 2.0 Resource Server.
The middleware will attempt to process each request as follows:
- Read the JWT from the `Authorization` header (with `Bearer` prefix)
- Validate the JWT's signature against a public key obtained from `jwks_url`
- Validate the `iss`, `exp`, `aud` and possibly `nbf` claims of the JWT
If validation fails, an HTTP 401 is returned. Otherwise the next service in the middleware chain is called. The claims of the JWT are made available as a Request extension. This enables you to write further application logic based on the claims, e.g. rejecting requests that lack a certain scope.
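The header parsing and claim checks from the first and third steps listed above, as an added std-only Rust example; it is not the crate's code, and signature verification against the JWKS is left out. The names `Reject`, `Claims`, `bearer_token` and `validate_claims`, the `leeway` parameter and all sample values are assumptions made for illustration.

```rust
// Added illustration, not the crate's API. Signature verification is out of scope here.
#[derive(Debug, PartialEq)]
pub enum Reject { MissingBearer, WrongIssuer, WrongAudience, Expired, NotYetValid }

/// Claims as they look after the token is decoded and its signature verified.
pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: Vec<&'a str>, // `aud` may be one string or an array (RFC 7519)
    pub exp: u64,          // seconds since the Unix epoch
    pub nbf: Option<u64>,  // optional claim
}

/// Step 1: pull the token out of an `Authorization: Bearer <token>` header value.
pub fn bearer_token(header: Option<&str>) -> Result<&str, Reject> {
    let value = header.ok_or(Reject::MissingBearer)?;
    let (scheme, token) = value.split_once(' ').ok_or(Reject::MissingBearer)?;
    // The auth scheme is case-insensitive (RFC 9110); the token itself is not.
    if scheme.eq_ignore_ascii_case("Bearer") && !token.trim().is_empty() {
        Ok(token.trim())
    } else {
        Err(Reject::MissingBearer)
    }
}

/// Step 3: check `iss`, `aud`, `exp` and, when present, `nbf`.
pub fn validate_claims(
    c: &Claims, issuer: &str, audience: &str, now: u64, leeway: u64,
) -> Result<(), Reject> {
    if c.iss != issuer { return Err(Reject::WrongIssuer); }
    if !c.aud.iter().any(|a| *a == audience) { return Err(Reject::WrongAudience); }
    // Rejected once the current time reaches `exp`; leeway absorbs clock skew.
    if now >= c.exp.saturating_add(leeway) { return Err(Reject::Expired); }
    if let Some(nbf) = c.nbf {
        if now.saturating_add(leeway) < nbf { return Err(Reject::NotYetValid); }
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not taken from any real provider.
    let claims = Claims {
        iss: "https://issuer.example", aud: vec!["orders-api"], exp: 2_000, nbf: Some(1_000),
    };
    println!("{:?}", bearer_token(Some("Bearer abc.def.ghi")));
    println!("{:?}", validate_claims(&claims, "https://issuer.example", "orders-api", 1_500, 30));
}
```

Every `Reject` variant corresponds to the HTTP 401 case described above; only an `Ok` result would let the request continue to the next service.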
Configuration
See docs for OAuth2ResourceServerBuilder.
Example usage
Check the examples.