One of the missing pieces of the Rust ecosystem is a decent auth system. I'm tired to wait (and considering that my current options mean I need to integrate with big dependencies like keycloak, making my life complicated) I start to work in a WIP design for it.

The crate is called "Forbidden" and is here:

I'm in an "enterprise" space for small businesses, so I have more diverse auth needs, meaning I need a lot of flexibility in what I can do. So:

  • I need to plug any "user/group/etc" definition
  • I need to plug any IDP (Identity Provider) and/or be able to make my own
  • I need auth for all kinds of apps (web, CLI utilities, mobile apps, ...)
  • But also, I wish to be lazy and hopefully use something already done. Most of the above are so simple in practice (like the "users" are in a file with plain-text passwords) that the main thing is how to provide a "safe" facade on top of whatever.

The idea of Forbidden is to build a set of idioms that allow to implement auth systems as "Lego blocks" + create some pre-made solutions to integrate into popular libraries like actix/rocket. Is a stepping stone to get "auth like in Django/AuthBoss/etc".

A few highlights of what I hope to get from this:

  • Have some research links to sketch the design.
  • Separation between "User", "Credential", "Forms", "Tokens" so we can send/return with enough flexibility (all of these are not the same!).
  • Proudly use of unsafe: Wanna create passwords like "123"? Go aheah an do it as: let p = unsafe{ Password::hash_unsafe("123").unwrap() };
  • But wanna assert that password was validated as safe (like is > 8 chars long, enough entropy, etc)? Send a checker.
  • The password is a PHC string and so will never store it as plain-text

Some samples are available at:

I am open to tips that allow building a robust system, and also members that have experience building this kind of stuff.