| 1 | +--- |
| 2 | +title: "Introducing tower-oauth2-resource-server" |
| 3 | +date: 2025-03-07T00:00:00Z |
| 4 | +tags: ["rust", "tower", "OAuth", "jwt", "authorization"] |
| 5 | +featured_image: "/cuddlyferris.png" |
| 6 | +slug: "introducing-tower-oauth2-resource-server" |
| 7 | +author: |
| 8 | + - Rickard Andersson |
| 9 | +--- |
| 10 | + |
| 11 | +**TLDR:** I've built a middleware for handling JWT authorization. |
| 12 | +It's written for the Rust ecosystem and supports many popular web frameworks such as [axum](https://crates.io/crates/axum), [salvo](https://crates.io/crates/salvo/) and [tonic](https://crates.io/crates/tonic). |
| 13 | +It's called **tower-oauth2-resource-server** and you can find the source code on [github](https://github.com/Dunklas/tower-oauth2-resource-server). |
| 14 | +Feel free to use and contribute! |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +Over the last few months, I've delved into the art of writing a REST API using Rust. |
| 19 | +Specifically, I've used the [axum](https://crates.io/crates/axum) crate to do so. |
| 20 | +Like most projects, mine eventually needed authorization. |
| 21 | +A way to validate incoming JSON Web Tokens (JWTs) from an external identity provider. |
| 22 | + |
| 23 | +In my daily job (where I work with Java and Spring) my go-to-solution for authorization is to use [Spring Security OAuth2 Resource Server](https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server). |
| 24 | +That library makes things easy — you simply specify an issuer URL, and it takes care of discovering JSON Web Key Sets (JWKS), handling key rotation, and validating JWTs. |
| 25 | +However, I couldn't find an equivalent Rust library that offered the same level of simplicity. |
| 26 | +So, I decided to build one myself. |
| 27 | + |
| 28 | +My objective was to write a middleware that intercepts incoming requests, validates their JWTs, and either allows or rejects them based on validity. |
| 29 | +In the Rust ecosystem there is a crate called [tower](https://crates.io/crates/tower) which provides an abstraction for the concept of taking a request and returning a response. |
| 30 | +It can be used for implementing middleware in both clients and servers, regardless of networking protocol. |
| 31 | +Many web frameworks (including Axum) use Tower instead of implementing their own middleware systems. |
| 32 | +With that in mind, I decided to write my middleware for Tower, ensuring it could be used across multiple web frameworks. |
| 33 | + |
| 34 | +So, I hereby introduce **tower-oauth2-resource-server**! |
| 35 | +The library is highly inspired by [Spring Security OAuth2 Resource Server](https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server) and some of its features include: |
| 36 | + |
| 37 | + - JWT validation for incoming HTTP requests |
| 38 | + - Signature matches public key from JWKS endpoint |
| 39 | + - Validity of `exp`, `nbf`, `iss` and `aud` claims |
| 40 | + - Automatic discovery and rotation of JWKS |
| 41 | + - Expose JWT claims to downstream services via a [Request extension](https://docs.rs/http/latest/http/struct.Extensions.html) |
| 42 | + |
| 43 | +It should be possible to use the library together with any web framework built on top of [tower](https://crates.io/crates/tower). |
| 44 | +However, I've only verified that it works together with [axum](https://crates.io/crates/axum), [salvo](https://crates.io/crates/salvo/) and [tonic](https://crates.io/crates/tonic). |
| 45 | + |
| 46 | +The library is available on [crates.io](https://crates.io/crates/tower-oauth2-resource-server), and you can find the source code on [github](https://github.com/Dunklas/tower-oauth2-resource-server). |
| 47 | +You can find **usage examples** for different web frameworks in the [examples](https://github.com/Dunklas/tower-oauth2-resource-server/tree/main/examples) folder of the repository. |
| 48 | + |
| 49 | +Feel free to use and contribute! |
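Review bot: the feature list at lines 37-41 says the signature is checked against the JWKS key and that `exp`, `nbf`, `iss` and `aud` are validated, but it does not say which JWS signature algorithms the middleware accepts, whether it rejects `alg: none` or an `alg` that does not match the key type, or what happens when a token's `kid` is not in the cached key set or the JWKS endpoint cannot be reached; since readers will put this in front of an API as their only authentication check, one sentence on each (for example "only asymmetric algorithms from the JWKS are accepted; a token with an unknown `kid` triggers one refresh and is rejected if the key is still missing") would make the security claim concrete. Two smaller points: line 21 ("A way to validate incoming JSON Web Tokens (JWTs) from an external identity provider.") is a sentence fragment and reads better joined to line 20 with a colon or dash, and line 31 capitalises "Axum" and "Tower" while every other line uses the crate names in lowercase.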