The state of Rust: Authorization/authentication libraries

This article was originally published here

Rust is a low-level language with high-level ergonomics. It is fast and reliable, and with asynchronous I/O now available in stable Rust it has become a first choice for performance-focused network and web applications. Most web applications need some form of authentication and authorization, and Rust has a number of high-quality, production-ready crates covering the common mechanisms.

Stable Production Ready Libraries

I classified libraries based on

  • Popularity
  • Completeness
  • Maintenance
  • Support for stable rust

Cookie

  • Website: https://docs.rs/cookie/0.14.1
  • Productions Ready: Yes
  • Async Support: No

The cookie crate creates and parses HTTP cookies. It is used for managing sessions and for signing and encrypting cookies (signed and private cookie jars), and it records which cookies in a jar were added or removed so the changes can be written back as Set-Cookie headers. It is production ready with thousands of downloads and serves as the foundation for building session-based authentication. It is web-framework agnostic: actix-web and Rocket both build on it, and it can be used with any other framework.

Jsonwebtoken

  • Website: https://docs.rs/jsonwebtoken/7.2.0/jsonwebtoken

  • Production Ready: Yes

  • Async Support: No

JSON Web Tokens are very popular for authorization, and many OAuth providers issue JWTs. Jsonwebtoken creates and verifies JWTs. A few of its features:

  • Support for the standard JWS signing algorithms, both symmetric (HMAC) and asymmetric (RSA, ECDSA). These are signing algorithms, not encryption: a JWT's payload is only base64url-encoded, so it must not carry secrets.

  • Built-in validation of the registered claims (exp, nbf, iss, aud, sub), with configurable leeway for clock skew.

  • Strongly typed and highly configurable APIs; the set of accepted algorithms is an explicit allowlist, so "alg": "none" and algorithm-confusion tokens are rejected.

  • Full implementation of RFC 7519.

Jsonwebtoken is a stable and widely used library with thousands of downloads. It has an active team of maintainers and strong community support.
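The claim checks a verifier has to perform are easy to get subtly wrong (missing exp, no leeway, accepting any audience), so here is an added, dependency-free example of that validation step in Rust. It is illustrative code written for this article, not jsonwebtoken's own implementation, and it assumes the header and claims have already been parsed out of the token and that the signature has already been verified with a key chosen for the header's alg; the Policy, Claims and ValidationError types and the sample values are constructed for the example.

```rust
use std::collections::HashSet;

/// Decoded JWT header (the JSON from the first segment; parsing is assumed done).
pub struct Header {
    pub alg: String,
}

/// Registered claims (RFC 7519 section 4.1) relevant to verification. Times are Unix seconds.
pub struct Claims {
    pub iss: Option<String>,
    pub aud: Vec<String>,
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    pub iat: Option<u64>,
}

/// What this relying party is willing to accept (hypothetical policy type for the example).
pub struct Policy {
    pub allowed_algs: HashSet<String>, // explicit allowlist: "none" must never be in it
    pub issuer: Option<String>,
    pub audience: Option<String>,
    pub leeway_secs: u64, // clock-skew tolerance applied to exp, nbf and iat
}

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    AlgorithmNotAllowed(String),
    MissingExpiry,
    Expired,
    NotYetValid,
    IssuedInFuture,
    WrongIssuer,
    WrongAudience,
}

/// Validate header and registered claims against `policy` at time `now`.
/// Precondition: the signature was verified first; claim checks on an
/// unverified token prove nothing.
pub fn validate(header: &Header, claims: &Claims, policy: &Policy, now: u64) -> Result<(), ValidationError> {
    if !policy.allowed_algs.contains(&header.alg) {
        return Err(ValidationError::AlgorithmNotAllowed(header.alg.clone()));
    }
    // A token without an expiry is valid forever; refuse it rather than guess.
    match claims.exp {
        None => return Err(ValidationError::MissingExpiry),
        Some(exp) if now > exp.saturating_add(policy.leeway_secs) => return Err(ValidationError::Expired),
        _ => {}
    }
    if let Some(nbf) = claims.nbf {
        if now.saturating_add(policy.leeway_secs) < nbf {
            return Err(ValidationError::NotYetValid);
        }
    }
    if let Some(iat) = claims.iat {
        if iat > now.saturating_add(policy.leeway_secs) {
            return Err(ValidationError::IssuedInFuture);
        }
    }
    if let Some(want) = &policy.issuer {
        if claims.iss.as_ref() != Some(want) {
            return Err(ValidationError::WrongIssuer);
        }
    }
    // aud may be a list; the token is acceptable only if our identifier is among its entries.
    if let Some(want) = &policy.audience {
        if !claims.aud.iter().any(|a| a == want) {
            return Err(ValidationError::WrongAudience);
        }
    }
    Ok(())
}

/// Sample policy and claims, constructed for the example.
pub fn sample() -> (Header, Claims, Policy) {
    let header = Header { alg: "RS256".to_string() };
    let claims = Claims {
        iss: Some("https://issuer.example".to_string()),
        aud: vec!["api".to_string(), "web".to_string()],
        exp: Some(1_000),
        nbf: Some(900),
        iat: Some(900),
    };
    let policy = Policy {
        allowed_algs: vec!["RS256".to_string(), "ES256".to_string()].into_iter().collect(),
        issuer: Some("https://issuer.example".to_string()),
        audience: Some("api".to_string()),
        leeway_secs: 60,
    };
    (header, claims, policy)
}

fn main() {
    let (h, c, p) = sample();
    println!("at t=950:  {:?}", validate(&h, &c, &p, 950));
    println!("at t=1100: {:?}", validate(&h, &c, &p, 1_100));
}
```

Leeway is applied symmetrically and kept small (a minute here); a large leeway silently extends every token's lifetime.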

Oauth2

  • Website: https://docs.rs/oauth2/4.0.0-alpha.1/oauth2/index.html

  • Production Ready: Yes

  • Async Support: Yes

Oauth2 is a client-side implementation of the OAuth 2 protocol with both async and sync I/O. It obtains access tokens, validates the state parameter returned on the redirect, and obtains refresh tokens. A few features of the oauth2 crate:

  • Full implementation of RFC 6749 (the client role).

  • Strongly typed implementation: authorization URLs, CSRF tokens, scopes and PKCE values are distinct types rather than bare strings.

  • Support for generating and checking the state (CsrfToken) parameter that binds the callback to the session that started the flow.

  • PKCE (RFC 7636) code challenges are supported.

  • Pluggable HTTP client, with reqwest and curl clients baked in.

  • Examples for different OAuth providers are available.

  • Framework agnostic: it works with any web framework.

  • The resource owner password credentials grant (sending username and password directly) is also supported.

Oauth2 is easy to use and provides a complete OAuth 2 client solution covering refresh tokens, scopes and the standard grant types. Note that it hands back the access token as an opaque value: checking a JWT access token's signature and claims is left to a JWT library.

Otpauth

  • Website: https://messense.github.io/otpauth-rs
  • Production Ready: Yes
  • Async Support: No

Otpauth implements both the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms for generating and verifying one-time passwords. Time-based codes can be generated with a configurable period and verified against a given timestamp. The APIs are small and intuitive. It does not generate the shared secret for you; that has to come from a cryptographically secure random source.

Yup-oauth2

  • Website: https://crates.io/crates/yup-oauth2
  • Production Ready: Yes
  • Async Support: Yes

Yup-oauth2 implements the OAuth 2.0 flows used for server-to-server access and is the authentication layer behind client libraries such as google-api-rs. It supports service accounts, installed applications, and device flow for devices with limited input capabilities, and works with any service that implements OAuth 2.0 server-to-server authentication. Service-account flow is what you use for Google Cloud Platform, Firebase and other Google services; installed-application flow covers applications that cannot store a client secret securely. Obtained tokens can be cached.

Asap

  • Website: https://crates.io/crates/asap
  • Production Ready: Yes
  • Async Support: No

ASAP (Atlassian Service Authentication Protocol) is an authentication mechanism by Atlassian: a JWT profile with additional non-standard claims. The asap crate is maintained by Atlassian, is built on the jsonwebtoken crate, fully supports the ASAP specification, and is very fast at both token generation and validation.

Jwks-client

  • Website: https://github.com/jfbilodeau/jwks-client
  • Production Ready: Yes
  • Async Support: Yes

Jwks-client validates JSON Web Tokens against a JWKS (JSON Web Key Set): asymmetric signature verification of JWTs using keys published by the issuer is the primary function of the crate. It is mostly used with Google and Firebase, but works with any provider that publishes a JWKS endpoint. You give it the JWKS URL; it fetches the key set, selects the key matching the token's kid header, verifies the signature, and caches the keys so that every request does not cost a network round trip.

Openssl

  • Website: https://docs.rs/openssl/0.10.30
  • Production Ready: Yes
  • Async Support: No

The openssl crate is the Rust binding for the OpenSSL library. It covers signing tokens, hashing passwords, generating random tokens and salts, and encrypting data. Several authentication crates delegate signing and hashing to it (frank_jwt, for example); jsonwebtoken, by contrast, uses ring rather than OpenSSL. The crate supports both static and dynamic linking and can either link against the OpenSSL already installed on the system or build its own copy with the vendored feature.

Pgen

Pgen is a passphrase generator based on the EFF word list (see the summary table below for its status).

Upcoming Libraries

These libraries are not stable yet but have promising features. As Rust grows, more and more standards are being supported.

Boringauth

  • Website: https://docs.rs/boringauth/0.9.0
  • Production Ready: No
  • Async Support: No

Boringauth aims to be a one-stop solution for authentication needs in any application: passphrase authentication plus HOTP and TOTP. The OTP side lets you customize the period, hashing algorithm, output length and initial timestamp (T0). It is usable from CLI and desktop applications as well as web services. HOTP and TOTP support is not complete yet, and Universal 2nd Factor (U2F) support is planned.

Oxide-auth

  • Website: https://docs.rs/oxide-auth/0.4.5
  • Production Ready: No
  • Async Support: No

Oxide-auth is the server side of OAuth: it implements the authorization server and resource server roles so you can issue and check tokens from your own service, including for custom token formats. Integration crates exist for actix, iron, rocket and rouille. It is a very good library, but its API is not stable yet and the framework integration crates are still work in progress.

Frank-jwt

  • Website: https://github.com/GildedHonour/frank_jwt
  • Production Ready: No
  • Async Support: No

Frank-jwt generates and verifies JWTs and can read signing keys directly from a file path. It is not production ready because it does not validate iss, sub and the other registered claims; a caller has to implement those checks, which is exactly where mistakes happen.

Summary

Name | Production Ready | Type | Async support | Usage | Cons | Remark | Maintenance
--- | --- | --- | --- | --- | --- | --- | ---
cookie | Yes | Helper library for authentication | No | Custom session- and cookie-based auth; saving JWTs in encrypted cookies; tracking users | Only a helper library | Lots of users; parses and creates cookies | Actively maintained
oauth2 | Yes | OAuth client | Yes | Obtaining tokens via OAuth; multiple HTTP clients (reqwest, curl, custom); any provider that supports OAuth 2 | No support for verifying the obtained token | Full implementation of OAuth 2 | Actively maintained
oauth-client | No (state validation is missing) | OAuth client | No | OAuth client support | No support for verifying the obtained token; not actively maintained | | Unmaintained
oauth-client-async | No (state validation is missing) | OAuth client | Yes | Async version of oauth-client | Not actively maintained; few users; no support for verifying the obtained token | | Unmaintained
oxide-auth | No (frequently changing API) | OAuth server library | Yes | Building an OAuth server; framework integrations oxide-auth-actix, oxide-auth-iron, oxide-auth-rocket, oxide-auth-rouille | No stable API | | Actively maintained
inth-oauth2 | No (no longer maintained) | OAuth client library | Yes | OAuth client with google, github and imgur providers out of the box; pluggable interface with community providers for slack and others | Not maintained | | Unmaintained
yup-oauth2 | Yes | OAuth helper library | Yes | OAuth for Google services (gmail, gcp, etc.); token caching | No out-of-the-box provider support | Installed-application and service-account flows; used by google-api-rs | Actively maintained
frank_jwt | No (some important validation missing) | JWT helper library | No | JWT creation and validation; symmetric and asymmetric algorithms | No support for fetching keys from a JWKS | Supports a lot of algorithms | Actively maintained
jsonwebtoken | Yes | JWT helper library | No | JWT creation and validation; symmetric and asymmetric algorithms | No support for fetching keys from a JWKS | Great community support; used by thousands of projects and crates | Actively maintained
otpauth | Yes | OTP auth library | No | OTP creation and validation | No support for secret generation | Supports both TOTP and HOTP | Passively maintained
boringauth | No | OTP auth library | No | OTP creation and validation | | Highly configurable; password support; supports both TOTP and HOTP | Maintained
asap | Yes | ASAP auth library | Yes | ASAP tokens (JWT with custom claims) | No support for JWKS | Very fast; backed by Atlassian | Actively maintained
jwks-client | Yes | JWT auth middleware | Yes | JWT validation using a JWKS | Works only with the Rocket web framework | Uses JWKS | Actively maintained
openssl | Yes | Cryptography library | No | Hashing passwords; generating salts | | Binding for the OpenSSL library | Actively maintained
pgen | Yes | Passphrase generator | No | Generating passphrases | | Based on the EFF word list | Actively maintained