Initial commit: axum OIDC hello application

2026-05-01 09:20:22 +00:00
commit 8dae38712f
5 changed files with 3546 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,27 @@
 # Base URL of the OIDC provider (e.g. Keycloak realm URL)
 OIDC_PROVIDER_URL=http://localhost:8080
 # OAuth2 client credentials (required)
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
 # Full callback URL — must match the redirect URI configured at the provider
 OIDC_REDIRECT_URI=http://localhost:3000/auth/callback
 # Secret key for encrypting session cookies (at least 32 bytes)
 OIDC_COOKIE_KEY=change-me-to-a-random-64-char-string
 # Maximum session age in minutes
 OIDC_SESSION_MAX_AGE=3600
 # Space-separated OAuth2 scopes to request
 OIDC_SCOPES=openid profile
 # URL to redirect to after logout
 OIDC_POST_LOGOUT_REDIRECT_URI=/
 # Path to the SQLite database file for session storage
 OIDC_SQLITE_PATH=sessions.db
 # Base path for auth routes (default: /auth)
 OIDC_AUTH_BASE_PATH=/auth
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
 /target/
 sessions.db
 .env
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -0,0 +1,13 @@
 [package]
 name = "axum-oidc-hello"
 version = "0.1.0"
 edition = "2021"
 [dependencies]
 axum = "0.8"
 axum-oidc-client = { version = "0.5", features = ["sql-cache-sqlite"] }
 tokio = { version = "1", features = ["full"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 base64 = "0.22"
 anyhow = "1"
--- a/src/main.rs
+++ b/src/main.rs
@@ -0,0 +1,100 @@
 use std::env;
 use std::sync::Arc;
 use axum::{http::StatusCode, routing::get, Json, Router};
 use axum_oidc_client::authentication::AuthenticationLayer;
 use axum_oidc_client::authentication::builder::OAuthConfigurationBuilder;
 use axum_oidc_client::authentication::logout::handle_default_logout::DefaultLogoutHandler;
 use axum_oidc_client::auth_cache::AuthCache;
 use axum_oidc_client::auth_session::AuthSession;
 use axum_oidc_client::cache::{TwoTierAuthCache, config::TwoTierCacheConfig};
 use axum_oidc_client::sql_cache::{SqlAuthCache, SqlCacheConfig};
 use axum_oidc_client::authentication::CodeChallengeMethod;
 use base64::Engine;
 use serde::Serialize;
 #[derive(Serialize)]
 struct HelloResponse {
    preferred_username: String,
 }
 fn env_or(key: &str, default: &str) -> String {
    env::var(key).unwrap_or_else(|_| default.to_string())
 }
 fn env_required(key: &str) -> String {
    env::var(key).unwrap_or_else(|_| panic!("Environment variable {key} is required"))
 }
 async fn hello(session: AuthSession) -> Result<Json<HelloResponse>, StatusCode> {
    let id_token = &session.id_token;
    let payload = id_token.split('.').nth(1).ok_or(StatusCode::UNAUTHORIZED)?;
    let payload_json = base64::engine::general_purpose::URL_SAFE_NO_PAD
        .decode(payload)
        .map_err(|_| StatusCode::UNAUTHORIZED)?;
    let claims: serde_json::Value =
        serde_json::from_slice(&payload_json).map_err(|_| StatusCode::UNAUTHORIZED)?;
    let preferred_username = claims["preferred_username"]
        .as_str()
        .map(String::from)
        .ok_or(StatusCode::UNAUTHORIZED)?;
    Ok(Json(HelloResponse { preferred_username }))
 }
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    let provider_url = env_required("OIDC_PROVIDER_URL");
    let client_id = env_required("OIDC_CLIENT_ID");
    let client_secret = env_required("OIDC_CLIENT_SECRET");
    let redirect_uri = env_or("OIDC_REDIRECT_URI", "http://localhost:3000/auth/callback");
    let cookie_key = env_required("OIDC_COOKIE_KEY");
    let session_max_age: i64 = env_or("OIDC_SESSION_MAX_AGE", "3600").parse().unwrap_or(3600);
    let scopes_default = env_or("OIDC_SCOPES", "openid profile");
    let scopes: Vec<&str> = scopes_default.split_whitespace().collect();
    let post_logout_redirect = env_or("OIDC_POST_LOGOUT_REDIRECT_URI", "/");
    let sqlite_path = env_or("OIDC_SQLITE_PATH", "sessions.db");
    let auth_base_path = env_or("OIDC_AUTH_BASE_PATH", "/auth");
    let config = OAuthConfigurationBuilder::default()
        .with_issuer(&provider_url)
        .await?
        .with_client_id(&client_id)
        .with_client_secret(&client_secret)
        .with_redirect_uri(&redirect_uri)
        .with_private_cookie_key(&cookie_key)
        .with_scopes(scopes)
        .with_code_challenge_method(CodeChallengeMethod::S256)
        .with_session_max_age(session_max_age)
        .with_post_logout_redirect_uri(&post_logout_redirect)
        .with_base_path(&auth_base_path)
        .build()?;
    let sql_cache = SqlAuthCache::new(SqlCacheConfig {
        connection_string: format!("sqlite://{sqlite_path}"),
        ..Default::default()
    })
    .await?;
    sql_cache.init_schema().await?;
    let cache: Arc<dyn AuthCache + Send + Sync> = Arc::new(TwoTierAuthCache::new(
        Some(Arc::new(sql_cache)),
        TwoTierCacheConfig::default(),
    )?);
    let logout_handler = Arc::new(DefaultLogoutHandler);
    let app = Router::new()
        .route("/hello", get(hello))
        .layer(AuthenticationLayer::new(
            Arc::new(config),
            cache,
            logout_handler,
        ));
    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await?;
    println!("Listening on http://0.0.0.0:3000");
    axum::serve(listener, app).await?;
    Ok(())
 }