Releases: lpotthast/axum-keycloak-auth

v0.6.0

12 Sep 17:16

What's Changed

  • oidc-discovery: allow user to specify retry strategy by @dspicher in #12
  • Fix typo in lib.rs -> "puiblic" to "public" by @Tockra in #14
  • Cargo.toml: allow users to specify tls implementation by @dspicher in #13
  • Cargo.toml: update reqwest dependency by @dspicher in #19
  • Allow token validation outside the axum middleware context by @Tockra in #18
  • Changed response codes in error case by @Tockra in #22
  • Allow to configure where the auth token will be passed by @Tockra in #23
  • Prevent keycloak requests by @Tockra in #29

Full Changelog: v0.5.0...v0.6.0

v0.5.0

02 Feb 16:26

Changes

Properties of the KeycloakToken that were in fact optional are now represented through an extra (serde-flattened) generic type (@fMeow #9).

The new ProfileAndEmail type is the default for this generic parameter, which matches the previous behavior of this library.

You can now provide an additional struct into which the remaining token claims are deserialized. The following example shows how to define such a struct and use it by explicitly setting the new generic type parameter of KeycloakToken, both when creating the layer and when handling a request.

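use axum::{
    http::StatusCode,
    response::{IntoResponse, Response},
    routing::get,
    Extension, Router,
};
use axum_keycloak_auth::{decode::KeycloakToken, layer::KeycloakAuthLayer, PassthroughMode};
use serde::Deserialize;

// Additional claims expected in the token; they are deserialized into `token.extra`.
#[derive(Deserialize, Clone)]
struct MyExtra {
    pub email: String,
    pub preferred_username: String,
    pub foo: String,
}

// The handler names the same generic parameters as the layer below.
pub async fn protected(Extension(token): Extension<KeycloakToken<String, MyExtra>>) -> Response {
    (StatusCode::OK, format!("Hello {}", token.extra.foo)).into_response()
}

// `instance` is the KeycloakAuthInstance created beforehand.
let router = Router::new().route("/protected", get(protected)).layer(
    KeycloakAuthLayer::<String, MyExtra>::builder()
        .instance(instance)
        .passthrough_mode(PassthroughMode::Block)
        .persist_raw_claims(false)
        .expected_audiences(vec![])
        .required_roles(vec![])
        .build(),
);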

v0.4.1

30 Jan 08:01

Changes

  • Running OIDC discovery triggered through an undecodable JWT should no longer lead to a deadlock

First contributions

  • @fMeow [fix: decoding keys dead lock when OIDC running discovery] (#8)

v0.4.0

25 Jan 18:47
f5bf7e0

axum-keycloak-auth can now automatically perform OIDC discovery!
This means that DecodingKeys no longer need to be, and can no longer be, supplied manually.
Check the documentation for updated instructions on how to set up a protected router.

If setting up a custom decoding key was a requirement for you, and you want to see the possibility of that preserved as a feature, let me know by opening an issue.

Changes

  • OIDC discovery (automatically retried on JWT-decode failures)
  • Support a list of audiences when parsing the token claims
  • Updated the snafu dependency from 0.7 to 0.8

v0.3.0

27 Dec 10:22

axum-keycloak-auth is now compatible with the 0.7 release of axum!

Changes

  • Updated the axum dependency from 0.6 to 0.7
  • Updated the http dependency from 0.2 to 1.0

v0.2.0

20 Oct 12:07

Changes

  • The KeycloakAuthLayer now requires the new field expected_audiences to be set. JWT claims may include the 'aud' field, and token validation now requires a vec of accepted audience values to be present. Check which values were previously sent in your tokens. For example, if your token claims contained "aud": "account", specify that value to be accepted as in
    KeycloakAuthLayer::builder()
        // [...]
        .expected_audiences(vec![String::from("account")])
        .build()
  • Updated jsonwebtoken dependency from version 8 to 9
  • Updated typed-builder dependency from version 0.14 to 0.18

v0.1.1

27 Feb 16:04

Changes:

  • Remove obsolete dependency

v0.1.0

27 Feb 15:37

Initial release