Introducing tower-oauth2-resource-server
Rickard Andersson
TLDR: I’ve built a middleware for handling JWT authorization. It’s written for the Rust ecosystem and supports many popular web frameworks such as axum, salvo and tonic. It’s called tower-oauth2-resource-server and you can find the source code on github. Feel free to use and contribute!
Over the last few months, I’ve delved into the art of writing a REST API using Rust. Specifically, I’ve used the axum crate to do so. Like most projects, mine eventually needed authorization: a way to validate incoming JSON Web Tokens (JWTs) from an external identity provider.
In my daily job (where I work with Java and Spring) my go-to solution for authorization is to use Spring Security OAuth2 Resource Server. That library makes things easy — you simply specify an issuer URL, and it takes care of discovering JSON Web Key Sets (JWKS), handling key rotation, and validating JWTs. However, I couldn’t find an equivalent Rust library that offered the same level of simplicity. So, I decided to build one myself.
My objective was to write a middleware that intercepts incoming requests, validates their JWTs, and either allows or rejects them based on validity. In the Rust ecosystem there is a crate called tower which provides an abstraction for the concept of taking a request and returning a response. It can be used for implementing middleware in both clients and servers, regardless of networking protocol. Many web frameworks (including Axum) use Tower instead of implementing their own middleware systems. With that in mind, I decided to write my middleware for Tower, ensuring it could be used across multiple web frameworks.
So, I hereby introduce tower-oauth2-resource-server! The library is highly inspired by Spring Security OAuth2 Resource Server and some of its features include:
- JWT validation for incoming HTTP requests
- Signature matches public key from JWKS endpoint
- Validity of exp, nbf, iss and aud claims
- Automatic discovery and rotation of JWKS
- Expose JWT claims to downstream services via a Request extension
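As an added illustration of the claim checks listed above (this is example code written for this post, not code from tower-oauth2-resource-server), here is the kind of validation a resource server runs on the exp, nbf, iss and aud claims once the token's signature has been verified against a JWKS key. The Claims struct, the leeway parameter and the decision to reject a token with no exp are this example's own assumptions, not the crate's API.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Registered claims already decoded from the JWT payload
/// (hypothetical struct for this example; the crate's own types differ).
#[derive(Debug, Clone, Default)]
pub struct Claims {
    pub iss: Option<String>,
    /// RFC 7519 allows `aud` to be a single string or an array; normalised to a Vec here.
    pub aud: Vec<String>,
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ClaimError {
    MissingExp,
    Expired,
    NotYetValid,
    IssuerMismatch,
    AudienceMismatch,
}

/// Validates exp, nbf, iss and aud against the resource server's configuration.
/// `now` is Unix seconds; `leeway` tolerates clock skew between issuer and server.
pub fn validate_claims(
    claims: &Claims,
    expected_iss: &str,
    expected_aud: &str,
    now: u64,
    leeway: u64,
) -> Result<(), ClaimError> {
    // exp: a token without an expiry is rejected (assumption of this example),
    // and one past its expiry (plus leeway) is rejected as expired.
    match claims.exp {
        None => return Err(ClaimError::MissingExp),
        Some(exp) if now > exp.saturating_add(leeway) => return Err(ClaimError::Expired),
        _ => {}
    }
    // nbf: the token must not be used before its not-before time (minus leeway).
    if let Some(nbf) = claims.nbf {
        if now.saturating_add(leeway) < nbf {
            return Err(ClaimError::NotYetValid);
        }
    }
    // iss: exact string comparison against the configured issuer URL.
    if claims.iss.as_deref() != Some(expected_iss) {
        return Err(ClaimError::IssuerMismatch);
    }
    // aud: the configured audience must appear in the token's audience set.
    if !claims.aud.iter().any(|a| a == expected_aud) {
        return Err(ClaimError::AudienceMismatch);
    }
    Ok(())
}

/// Current Unix time in seconds, for callers that validate against the real clock.
pub fn unix_now() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}
```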
It should be possible to use the library together with any web framework built on top of tower. However, I’ve only verified that it works together with axum, salvo and tonic.
The library is available on crates.io, and you can find the source code on github. You can find usage examples for different web frameworks in the examples folder of the repository.
Feel free to use and contribute!