Authkestra is a modular, framework-agnostic authentication orchestration system designed to be idiomatic to Rust, emphasizing explicit control flow, strong typing, and composability over dynamic middleware strategies common in other ecosystems.
The easiest way to use Authkestra is via the `authkestra` facade crate. It re-exports all sub-crates behind feature flags, allowing you to manage your authentication stack from a single dependency.
Add this to your `Cargo.toml`:

```toml
[dependencies]
# Use the facade with the features you need
authkestra = { version = "0.1.1", features = ["axum", "github"] }
```

For advanced users, individual crates are still available and can be used independently if preferred.
- Modular Design: Concerns are strictly separated into crates: `authkestra-engine`, `authkestra-resource`, `authkestra-session`, and framework adapters like `authkestra-axum` and `authkestra-actix`.
- Explicit Flow Control: Dependencies and authentication context are injected explicitly via Extractors (Axum/Actix) or constructor arguments, eliminating "magic" middleware.
- Flexible Chaining: Use the `AuthEngineGuard` to chain multiple authentication strategies (Token, Session, Basic, Custom) in any order.
- Provider Agnostic: Easily integrate new OAuth providers by implementing the `OAuthProvider` trait.
- Session Management: Flexible session storage via the `SessionStore` trait, with built-in support for in-memory, Redis, and SQL via `sqlx`.
- Stateless Tokens: Comprehensive JWT support and offline validation.

| Crate | Responsibility |
|---|---|
| `authkestra` | Primary Facade: Re-exports all other crates behind features. |
| `authkestra-engine` | Foundational types, traits and the `AuthEngine` orchestrator. |
| `authkestra-resource` | Resource server enforcement and validation (JWT, etc). |
| `authkestra-session` | Session persistence layer abstraction. |
| `authkestra-token` | JWT signing and token abstraction. |
| `authkestra-providers-github` | Concrete implementation for GitHub OAuth. |
| `authkestra-providers-google` | Concrete implementation for Google OAuth. |
| `authkestra-providers-discord` | Concrete implementation for Discord OAuth. |
| `authkestra-axum` | Axum-specific integration, including `AuthSession` extractors. |
| `authkestra-actix` | Actix-specific integration. |
| `authkestra-oidc` | OpenID Connect discovery and provider support. |

To see Authkestra in action, check out the examples directory:
- Axum Basic Setup: `cargo run --example axum_basic_setup`
- Actix Basic Setup: `cargo run --example actix_basic_setup`
- Axum with GitHub OAuth: `cargo run --example axum_oauth2_github`
- Axum with Google OIDC: `cargo run --example axum_oidc_google`
- Axum with Redis Session: `cargo run --example axum_session_redis`
- Client Credentials Flow: `cargo run --example axum_client_credentials`
- Device Flow: `cargo run --example axum_device_flow`
- Axum Resource Server: `cargo run --example axum_resource_server`
The architecture favors compile-time guarantees over runtime flexibility:
- Trait-Based Extension: Customization is achieved by implementing traits, not by configuring dynamic strategies.
- Explicit Injection: Authentication context is never implicitly available; users must explicitly request it via extractors (e.g., `AuthSession(session): AuthSession`).
- Framework Agnostic Core: `authkestra-engine` is pure Rust logic, completely independent of any web framework.
- Typestate Builder Pattern: The `AuthEngine` is built using typestates to enforce compile-time safety (e.g., session methods are only available if a session store is configured).
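
The typestate idea from the last point, sketched as an added example that is not Authkestra's code or API: every name below (`Engine`, `NoStore`, `WithStore`, `Store`, `MemoryStore`) is hypothetical and only shows how session methods can be made uncallable until a store has been configured.

```rust
// Added illustration of the typestate idea; NOT Authkestra's API.
// All names here (Engine, NoStore, WithStore, Store, MemoryStore) are hypothetical.
use std::collections::HashMap;

/// Typestate marker: no session store configured.
pub struct NoStore;
/// Typestate marker: a session store is configured and owned by the engine.
pub struct WithStore<S>(S);

/// Minimal storage trait standing in for a session backend.
pub trait Store {
    fn put(&mut self, id: &str, user: &str);
    fn get(&self, id: &str) -> Option<String>;
}

#[derive(Default)]
pub struct MemoryStore(HashMap<String, String>);

impl Store for MemoryStore {
    fn put(&mut self, id: &str, user: &str) { self.0.insert(id.to_owned(), user.to_owned()); }
    fn get(&self, id: &str) -> Option<String> { self.0.get(id).cloned() }
}

/// The engine carries its configuration state in the type parameter.
pub struct Engine<State> { state: State }

impl Engine<NoStore> {
    pub fn new() -> Self { Engine { state: NoStore } }
    /// Consumes the store-less engine and returns one in the `WithStore` state.
    pub fn with_store<S: Store>(self, store: S) -> Engine<WithStore<S>> {
        Engine { state: WithStore(store) }
    }
}

// Session methods exist only in the `WithStore` state.
impl<S: Store> Engine<WithStore<S>> {
    pub fn login(&mut self, session_id: &str, user: &str) { self.state.0.put(session_id, user) }
    pub fn current_user(&self, session_id: &str) -> Option<String> { self.state.0.get(session_id) }
}

fn main() {
    // "sid-constructed" and "alice" are constructed sample values.
    let mut engine = Engine::new().with_store(MemoryStore::default());
    engine.login("sid-constructed", "alice");
    assert_eq!(engine.current_user("sid-constructed").as_deref(), Some("alice"));
    // Engine::new().login("sid", "bob"); // rejected by the compiler: no `login` on Engine<NoStore>
}
```

Forgetting to configure a store becomes a build error in this sketch rather than a runtime failure on the first session lookup.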
This project is dual-licensed under either:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.