Crates.io | azure_jwt |
lib.rs | azure_jwt |
version | 0.2.3 |
source | src |
created_at | 2019-04-21 18:05:22.029455 |
updated_at | 2024-06-01 22:28:06.026326 |
description | A simple JWT validator for Microsoft Azure Id tokens. |
homepage | |
repository | https://github.com/cfsamson/azure-jwt |
max_upload_size | |
id | 129320 |
size | 57,210 |
This library will fetch public keys from Microsoft and use those keys to validate the authenticity of a token you provide. It defaults to validating and mapping Azure Id tokens for you out of the box.
We fetch Azures public keys by sending request for them through the open-connect api. The default is to expire the stored keys after
24 hours and fetch new ones since that correspond with the normal key rotation scheme. There is also a default retry fallback
where a kid
that doesn't match any of our current public keys wil trigger one refresh of the keys (limited to once an hour),
just in case the set default is badly synced with the rotation of the public keys or Microsoft decides to rotate the keys
immediately for some reason. Both of these settings can be configured.
use azure_auth_rs::*;
let client_id = "my client id from Azure";
let mut az_auth = AzureAuth::new(client_id).unwrap();
let decoded = az_auth.validate_token(TEST_TOKEN)?;
When you create a new AzureAuth
instance in its default configuration it will trigger two calls
to Microsoft endpoints (one to get the open connect metadata to get the current jwks_uri and one to
fetch the jwk sets). You should create these objects with care and prefer using a reference to one
instance. If you're using it on a webserver you should avoid creating a new instance on every connection
and rather instantiate one on server start and use a mutex or channels to do validation. Once the keys
are loaded the operations should be very fast. More benchmarks are however needed to confirm this, but
the current benchmark indicates around 34 us to perform a validation on my 2020 Ryzen 3900X
processor, once the public keys are retrieved (which should only occur every 24h
if set up correctly).
This library validates six things:
The validation will Error
on a failed validation providing more granularity for library users to find out why the token
was rejected.
You'll need:
You will need a private client_id created by Azure for your application to be able to verify that the token is created for your application (and not anyone with a valid Azure token can log in). This is the ID this library needs from you to authenticate that the token vas issued for your application.
You get a verified token parsed for you in return.
You still must take care of:
custom_validation
method.For more information, see this article: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens