The state of Rust: Authorization/authentication libraries
This article was originally published here.
Rust is a low-level language with high-level ergonomics. It is fast and reliable, and now that asynchronous I/O has arrived in stable Rust it has become a first choice for performance-focused network and web applications. Most web applications require some form of authentication and authorization, and Rust has several high-quality, production-ready crates for the common mechanisms.
Stable Production-Ready Libraries
I classified the libraries based on:
- Popularity
- Completeness
- Maintenance
- Support for stable rust
Cookie
- Website: https://docs.rs/cookie/0.14.1
- Production Ready: Yes
- Async Support: No
The cookie crate creates and parses HTTP cookies. It is used for managing sessions and for encrypting and signing cookies. It is production-ready with thousands of downloads and serves as a foundation for building session-based authentication strategies. Cookie supports saving and recording changes to cookies. It is web-framework agnostic: it works with actix, rocket, and all other frameworks.
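As an added example (not code from the cookie crate or from this article), the following Rust builds a hardened Set-Cookie header for a session cookie and parses an incoming Cookie header. The SessionCookie type and the function names are this example's own, not the crate's API, and the sample header values are constructed.

```rust
// Added example (not the cookie crate's API): a session cookie with the
// attributes a session store wants, and a parser for the Cookie header.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SameSite { Strict, Lax, None }

/// A cookie we intend to send back to the browser.
pub struct SessionCookie {
    pub name: String,
    pub value: String,
    pub max_age_secs: Option<u64>,
    pub path: String,
    pub secure: bool,
    pub http_only: bool,
    pub same_site: SameSite,
}

impl SessionCookie {
    /// Defaults to Secure (TLS only), HttpOnly (no script access) and
    /// SameSite=Lax. Rejects names/values that would break the header.
    pub fn new(name: &str, value: &str) -> Result<Self, &'static str> {
        // RFC 6265 cookie-octet: no CTLs, whitespace, '"', ',', ';' or '\'.
        let bad = |c: char| c.is_control() || c.is_whitespace() || matches!(c, '"' | ',' | ';' | '\\');
        if name.is_empty() || name.contains('=') || name.chars().any(bad) || value.chars().any(bad) {
            return Err("invalid cookie name or value");
        }
        Ok(SessionCookie {
            name: name.to_string(),
            value: value.to_string(),
            max_age_secs: None,
            path: "/".to_string(),
            secure: true,
            http_only: true,
            same_site: SameSite::Lax,
        })
    }

    /// Render the Set-Cookie header value.
    pub fn to_set_cookie(&self) -> String {
        let mut out = format!("{}={}; Path={}", self.name, self.value, self.path);
        if let Some(secs) = self.max_age_secs {
            out.push_str(&format!("; Max-Age={}", secs));
        }
        if self.secure { out.push_str("; Secure"); }
        if self.http_only { out.push_str("; HttpOnly"); }
        let ss = match self.same_site {
            SameSite::Strict => "Strict",
            SameSite::Lax => "Lax",
            SameSite::None => "None",
        };
        out.push_str(&format!("; SameSite={}", ss));
        out
    }
}

/// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
/// Pairs without '=' are skipped; a value may itself contain '=' (base64
/// padding is common), so split only on the first one.
pub fn parse_cookie_header(header: &str) -> HashMap<String, String> {
    header
        .split(';')
        .filter_map(|pair| {
            let (name, value) = pair.trim().split_once('=')?;
            let name = name.trim();
            if name.is_empty() { return None; }
            // Strip the optional surrounding double quotes RFC 6265 allows.
            let value = value.trim().trim_matches('"');
            Some((name.to_string(), value.to_string()))
        })
        .collect()
}

fn main() {
    // Constructed sample values for the demo.
    let mut c = SessionCookie::new("session", "abc123==").expect("valid cookie");
    c.max_age_secs = Some(3600);
    println!("Set-Cookie: {}", c.to_set_cookie());
    let parsed = parse_cookie_header("session=abc123==; theme=dark; bare");
    println!("{:?}", parsed.get("session"));
}
```

The defaults are the point: a session cookie that is not Secure can be sent over plain HTTP, and one that is not HttpOnly is readable by any script that runs on the page. Signing and encrypting the value (the crate's signed and private jars) would sit on top of this, with the MAC checked before the value is trusted.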
Jsonwebtoken
- Production Ready: Yes
- Async Support: No
JSON Web Tokens are very popular for authorization, and many OAuth providers issue JWTs. Jsonwebtoken supports creating and verifying JWTs. A few features of jsonwebtoken:
- Supports all the standard signing algorithms, both symmetric and asymmetric.
- Built-in validation of the standard claims.
- Strongly typed and highly configurable APIs.
- Full implementation of RFC 7519.
Jsonwebtoken is a highly stable and widely used library with thousands of downloads. It has an active team of maintainers and strong community support.
Oauth2
- Website: https://docs.rs/oauth2/4.0.0-alpha.1/oauth2/index.html
- Production Ready: Yes
- Async Support: Yes
Oauth2 provides a complete client-side implementation of the OAuth 2 protocol, with both async and sync I/O. It supports obtaining access tokens, verifying state, and obtaining refresh tokens. A few features of the oauth2 crate:
- Full implementation of RFC 6749.
- Strongly typed implementation.
- Support for state and csrf_state validation; the PKCE challenge is also supported.
- Custom HTTP clients, with default support for reqwest and curl baked into the crate. Examples for different OAuth providers are also available.
- Framework agnostic: it works with all web frameworks.
- Using the username and password directly is also supported.
Oauth2 is easy to use and provides a complete OAuth 2 client solution, including refresh tokens and managing claims, scopes, and grants.
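The state validation the crate performs is the OAuth 2 CSRF defense for the authorization-code grant (RFC 6749 section 10.12), so here is an added, self-contained Rust example (my own code, not the oauth2 crate's API and not from the article) of building the authorization redirect and handling the callback with a constant-time state check. The endpoint, client id, redirect URI and query strings are constructed placeholders. PKCE is left out because the S256 challenge needs SHA-256, which the standard library does not provide.

```rust
// Added example (not the oauth2 crate's API): authorization-code request
// and callback handling with state (CSRF) validation.
use std::collections::HashMap;

/// Percent-encode everything outside the RFC 3986 unreserved set.
fn url_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Decode %XX escapes and '+' in a query component; bad escapes are kept literally.
fn url_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::new();
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'%' if i + 2 < bytes.len() => {
                let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()
                    .and_then(|h| u8::from_str_radix(h, 16).ok());
                match hex {
                    Some(v) => { out.push(v); i += 3; }
                    None => { out.push(b'%'); i += 1; }
                }
            }
            b'+' => { out.push(b' '); i += 1; }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

pub struct AuthRequest {
    pub authorize_endpoint: String,
    pub client_id: String,
    pub redirect_uri: String,
    pub scopes: Vec<String>,
}

impl AuthRequest {
    /// The URL the user agent is sent to. `state` must be unguessable and
    /// saved server-side (in the user's session) before redirecting.
    pub fn authorize_url(&self, state: &str) -> String {
        format!(
            "{}?response_type=code&client_id={}&redirect_uri={}&scope={}&state={}",
            self.authorize_endpoint,
            url_encode(&self.client_id),
            url_encode(&self.redirect_uri),
            url_encode(&self.scopes.join(" ")),
            url_encode(state),
        )
    }
}

#[derive(Debug, PartialEq)]
pub enum CallbackError { MissingState, StateMismatch, ProviderError(String), MissingCode }

/// Parse the query string of the redirect back to `redirect_uri`.
pub fn parse_query(query: &str) -> HashMap<String, String> {
    query.trim_start_matches('?')
        .split('&')
        .filter(|kv| !kv.is_empty())
        .map(|kv| {
            let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
            (url_decode(k), url_decode(v))
        })
        .collect()
}

/// Constant-time comparison so a mismatch does not leak how much matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Check the callback against the state stored in the session and return
/// the authorization code to exchange for tokens. State is checked first:
/// even an `error` response is ignored unless it belongs to our request.
pub fn handle_callback(query: &str, expected_state: &str) -> Result<String, CallbackError> {
    let params = parse_query(query);
    let state = params.get("state").ok_or(CallbackError::MissingState)?;
    if !ct_eq(state.as_bytes(), expected_state.as_bytes()) {
        return Err(CallbackError::StateMismatch);
    }
    if let Some(err) = params.get("error") {
        return Err(CallbackError::ProviderError(err.clone()));
    }
    params.get("code").cloned().ok_or(CallbackError::MissingCode)
}

fn main() {
    // Constructed placeholders, not a real provider.
    let req = AuthRequest {
        authorize_endpoint: "https://provider.example/authorize".into(),
        client_id: "app".into(),
        redirect_uri: "https://app.example/cb".into(),
        scopes: vec!["read".into(), "write".into()],
    };
    println!("{}", req.authorize_url("xyz"));
    println!("{:?}", handle_callback("?code=abc&state=xyz", "xyz"));
}
```

The state value should come from a cryptographically secure random source and be bound to the user's session; the comparison on the way back is what stops an attacker from completing the flow with a code they obtained for their own account.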
Otpauth
- Website: https://messense.github.io/otpauth-rs
- Production Ready: Yes
- Async Support: No
Otpauth supports both the HOTP and TOTP algorithms and is used to generate one-time passwords. It can generate time-based OTPs with support for changing the validation time. The APIs are easy to use and intuitive, and it has a full implementation of HOTP and TOTP.
Yup-oauth2
- Website: https://crates.io/crates/yup-oauth2
- Production Ready: Yes
- Async Support: Yes
Yup-oauth2 provides an implementation of OAuth 2.0 for server-to-server use. It is used to implement client libraries for different services, for example google-api-rs. It supports both service accounts and installed applications, and any service that implements OAuth 2.0 server-to-server authentication. It can authenticate devices with limited input capabilities using the Device Flow; it is used for services such as Google Cloud Platform, Firebase, and other Google services using the Service Account Flow; and it supports applications where the authentication token cannot be stored securely using the Installed Application Flow.
Asap
- Website: https://crates.io/crates/asap
- Production Ready: Yes
- Async Support: No
ASAP is an authentication mechanism from Atlassian. It supports non-standard claims, and token validation and generation are very fast. It is maintained by Atlassian, is based on the jsonwebtoken crate, and fully supports the ASAP specification.
Jwks-client
- Website: https://github.com/jfbilodeau/jwks-client
- Production Ready: Yes
- Async Support: Yes
Jwks-client validates JSON Web Tokens using a JWKS (JSON Web Key Set). Asymmetric signature validation of JWTs against a JWKS is the primary function of the crate. It is primarily used for Google and Firebase OAuth but can easily be used with any other provider. It takes the URL of the key set as an argument and verifies the token. It also supports key caching.
Openssl
- Website: https://docs.rs/openssl/0.10.30
- Production Ready: Yes
- Async Support: No
The openssl crate is the Rust binding for the OpenSSL library. It provides full support for signing tokens, hashing passwords, generating random auth tokens, and encrypting data. Many authentication libraries use OpenSSL for signing and hashing data; Jsonwebtoken uses OpenSSL for signing tokens. The openssl crate supports both static and dynamic linking, and it either uses the installed version of OpenSSL or downloads the required version.
Pgen
- Website: https://github.com/ctsrc/Pgen
- Production Ready: Yes
- Async Support: No
Pgen generates random passphrases using the wordlists created by the EFF.
Upcoming Libraries
These libraries are not stable yet but have promising features. As Rust grows, more and more standards are being supported.
Boringauth
- Website: https://docs.rs/boringauth/0.9.0
- Production Ready: No
- Async Support: No
Boringauth is a one-stop solution for the authentication needs of any application. It supports passphrase authentication and HOTP- and TOTP-based authentication. It supports customizing the period, hashing algorithm, output length and initial timestamp. It can be used in CLI and desktop apps as well as on the web. It doesn't have full support for HOTP and TOTP yet. Support for Universal 2nd Factor (U2F) authentication is also coming.
Oxide-auth
- Website: https://docs.rs/oxide-auth/0.4.5
- Production Ready: No
- Async Support: No
The oxide-auth crate provides a server-side implementation of OAuth. It supports many web frameworks, including actix, iron, rocket, and rouille, and it makes managing OAuth tokens on the server easy. It also supports handling tokens for custom servers. Oxide-auth is a very good library, but its APIs aren't stable yet, and the support crates for the web frameworks are still work in progress.
Frank-jwt
- Website: https://github.com/GildedHonour/frank_jwt
- Production Ready: No
- Async Support: No
Frank-jwt is a crate for verifying and generating JWTs. It can read keys automatically from a path. It is not production ready since it doesn't support validation of iss, sub and many other claims.
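The claim checks that jsonwebtoken performs and frank-jwt lacks are the registered claims of RFC 7519, so here is an added Rust example (my own code, not either crate's API) of that validation step, run on claims that have already been decoded from a signature-verified token. The Claims and Validation types, the error names and the sample timestamps are constructed for the example.

```rust
// Added example (not jsonwebtoken's or frank-jwt's API): validation of the
// RFC 7519 registered claims. This runs only AFTER the signature has been
// verified; claims from an unverified token are attacker-controlled.

/// Registered claims, decoded from a signature-verified token.
/// Constructed inline here; a real library fills this from JSON.
#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: Option<String>,
    pub sub: Option<String>,
    pub aud: Vec<String>, // "aud" may be a string or an array in JSON
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    pub iat: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    MissingExp,
    Expired,
    NotYetValid,
    IssuedInFuture,
    WrongIssuer,
    MissingSubject,
    WrongAudience,
}

/// What this verifier expects; `leeway_secs` absorbs clock skew.
pub struct Validation {
    pub issuer: Option<String>,
    pub audience: Option<String>,
    pub require_sub: bool,
    pub leeway_secs: u64,
}

pub fn validate(claims: &Claims, v: &Validation, now: u64) -> Result<(), ClaimError> {
    // exp is mandatory here: a token that never expires is a standing credential.
    let exp = claims.exp.ok_or(ClaimError::MissingExp)?;
    if now > exp + v.leeway_secs { return Err(ClaimError::Expired); }
    if let Some(nbf) = claims.nbf {
        if now + v.leeway_secs < nbf { return Err(ClaimError::NotYetValid); }
    }
    if let Some(iat) = claims.iat {
        if now + v.leeway_secs < iat { return Err(ClaimError::IssuedInFuture); }
    }
    // The issuer check frank-jwt is missing: a valid signature from the
    // wrong issuer is still the wrong token.
    if let Some(want) = &v.issuer {
        if claims.iss.as_deref() != Some(want.as_str()) { return Err(ClaimError::WrongIssuer); }
    }
    if v.require_sub && claims.sub.as_deref().map_or(true, |s| s.is_empty()) {
        return Err(ClaimError::MissingSubject);
    }
    // RFC 7519 section 4.1.3: reject unless this recipient is named in aud.
    if let Some(want) = &v.audience {
        if !claims.aud.iter().any(|a| a == want) { return Err(ClaimError::WrongAudience); }
    }
    Ok(())
}

fn main() {
    // Constructed sample claims and timestamps.
    let claims = Claims {
        iss: Some("https://issuer.example".into()),
        sub: Some("user-42".into()),
        aud: vec!["my-api".into()],
        exp: Some(1_700_000_600),
        nbf: Some(1_700_000_000),
        iat: Some(1_700_000_000),
    };
    let v = Validation {
        issuer: Some("https://issuer.example".into()),
        audience: Some("my-api".into()),
        require_sub: true,
        leeway_secs: 30,
    };
    println!("{:?}", validate(&claims, &v, 1_700_000_300));
}
```

Keeping the issuer and audience checks mandatory in the verifier's configuration, rather than optional, is what prevents a token minted for one service from being replayed against another.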
Summary
| Name | Production Ready | Type | Async support | Usage | Cons | Remark | Maintenance |
|---|---|---|---|---|---|---|---|
| Cookie | Yes | Helper library for authentication | No | Custom session- and cookie-based auth; saving JWTs in encrypted cookies; tracking users | Only a helper library | Many users; supports parsing and creating cookies | Actively maintained |
| oauth2 | Yes | OAuth support | Yes | Obtaining OAuth tokens; multiple HTTP clients (reqwest, curl, custom); any provider that supports OAuth 2 | No support for verifying the obtained token | Full implementation of OAuth 2 | Actively maintained |
| oauth-client | No (state validation is missing) | OAuth support | No | OAuth support | No support for verifying the obtained token; not actively maintained | | Unmaintained |
| oauth-client-async | No (state validation is missing) | OAuth support | Yes | Async version of oauth-client | Not actively maintained; not many users; no support for verifying the obtained token | | Unmaintained |
| oxide-auth | No (frequently changing API) | OAuth server library | Yes | Library for building an OAuth server; support for various frameworks (oxide-auth-actix, oxide-auth-iron, oxide-auth-rocket, oxide-auth-rouille) | No stable API | | Actively maintained |
| inth-oauth2 | No (no longer maintained) | OAuth server library | Yes | OAuth client/server; Google, GitHub and Imgur supported out of the box; pluggable interface with community support for Slack and other providers | Not maintained | | Unmaintained |
| yup-oauth2 | Yes | OAuth helper library | Yes | OAuth for Google services such as Gmail and GCP; token caching | No out-of-the-box auth provider support | Supports installed-application and service-account flows; used by google-api-rs | Actively maintained |
| frank_jwt | No (some important validation missing) | JWT helper library | No | JWT creation and validation; both symmetric and asymmetric algorithms | No support for fetching keys from a JWKS | Supports a lot of algorithms | Actively maintained |
| jsonwebtoken | Yes | JWT helper library | No | JWT creation and validation; both symmetric and asymmetric algorithms | No support for fetching keys from a JWKS | Great community support; used by thousands of projects and crates | Actively maintained |
| otpauth | Yes | OTP auth library | No | OTP creation and validation | No support for secret generation | Supports both TOTP and HOTP | Passively maintained |
| boringauth | No | OTP auth library | No | OTP creation and validation | | Highly configurable; password support; supports both TOTP and HOTP | Maintained |
| asap | Yes | ASAP auth library | Yes | ASAP tokens (JWT with custom claims) | No support for JWKS | Very fast; backed by Atlassian | Actively maintained |
| jwks-client | Yes | JWT auth middleware | Yes | JWT validation using a JWKS | Works only with the Rocket web framework | Uses JWKS | Actively maintained |
| openssl | Yes | Cryptography library | No | Hashing passwords; generating salts | It is a binding for the OpenSSL library | | Actively maintained |
| pgen | Yes | Passphrase generator | No | Generating passphrases | | Based on the EFF wordlists | Actively maintained |
