adk-auth
| Crates.io | adk-auth |
| lib.rs | adk-auth |
| version | 0.2.1 |
| created_at | 2026-01-03 15:55:53.84152+00 |
| updated_at | 2026-01-22 03:40:23.138928+00 |
| description | Access control and authentication for Rust Agent Development Kit (ADK-Rust) |
| homepage | |
| repository | https://github.com/zavora-ai/adk-rust |
| max_upload_size | |
| id | 2020375 |
| size | 144,780 |
James Karanja Maina (jkmaina)
documentation
https://docs.rs/adk-auth
README
adk-auth
Access control and authentication for Rust Agent Development Kit (ADK-Rust).
Overview
adk-auth provides enterprise-grade access control for AI agents:
- Role-Based Access - Define roles with tool/agent permissions
- Permission Scopes - Fine-grained allow/deny rules (deny precedence)
- Audit Logging - Log all access attempts to JSONL files
- SSO/OAuth - JWT validation with Google, Azure AD, Okta, Auth0 providers
Features
| Feature | Description |
|---|---|
default |
Core RBAC + audit logging |
sso |
JWT/OIDC providers (Google, Azure AD, Okta, Auth0) |
Quick Start
use adk_auth::{Permission, Role, AccessControl, AuthMiddleware};
// Define roles
let admin = Role::new("admin").allow(Permission::AllTools);
let user = Role::new("user")
.allow(Permission::Tool("search".into()))
.deny(Permission::Tool("code_exec".into()));
// Build access control
let ac = AccessControl::builder()
.role(admin)
.role(user)
.assign("alice@example.com", "admin")
.assign("bob@example.com", "user")
.build()?;
// Protect tools
let middleware = AuthMiddleware::new(ac);
let protected_tools = middleware.protect_all(tools);
SSO Integration
Enable with features = ["sso"]:
use adk_auth::sso::{GoogleProvider, ClaimsMapper, SsoAccessControl};
// Create provider
let provider = GoogleProvider::new("your-client-id");
// Map IdP groups to roles
let mapper = ClaimsMapper::builder()
.map_group("AdminGroup", "admin")
.default_role("viewer")
.user_id_from_email()
.build();
// Combined SSO + RBAC
let sso = SsoAccessControl::builder()
.validator(provider)
.mapper(mapper)
.access_control(ac)
.build()?;
// Validate token and check permission
let claims = sso.check_token(token, &Permission::Tool("search".into())).await?;
println!("User: {}", claims.email.unwrap());
Providers
| Provider | Usage |
|---|---|
GoogleProvider::new(client_id) |
|
| Azure AD | AzureADProvider::new(tenant_id, client_id) |
| Okta | OktaProvider::new(domain, client_id) |
| Auth0 | Auth0Provider::new(domain, audience) |
| Generic OIDC | OidcProvider::from_discovery(issuer, client_id).await |
Audit Logging
use adk_auth::FileAuditSink;
let audit = FileAuditSink::new("/var/log/adk/audit.jsonl")?;
let middleware = AuthMiddleware::with_audit(ac, audit);
Output:
{"timestamp":"2025-01-01T10:30:00Z","user":"bob","resource":"search","outcome":"allowed"}
Examples
cargo run --example auth_basic # RBAC basics
cargo run --example auth_audit # Audit logging
cargo run --example auth_sso --features sso # SSO integration
cargo run --example auth_jwt --features sso # JWT validation
cargo run --example auth_oidc --features sso # OIDC discovery
cargo run --example auth_google --features sso # Google Identity
License
Apache-2.0
Part of ADK-Rust
This crate is part of the ADK-Rust framework for building AI agents in Rust.