Anshul Goyal I love to code and use new technologies.

9 Rust authentication libraries that are ready for production

Rust is a low-level language with high-level ergonomics. It’s fast and reliable, and asynchronous I/O has now arrived in stable Rust. As such, Rust is quickly becoming the premier choice for performance-focused network and web applications.

Virtually all web apps require some form of authentication, especially in an age of ever-increasing awareness around data privacy. Rust has a wide and growing range of high-quality, production-ready crates available for authentication and authorization.

In this guide, we’ll evaluate nine stable, production-ready authentication libraries based on the following criteria:

  • Popularity
  • Completeness
  • Maintenance
  • Support for stable Rust

We’ll also preview some crates that aren’t yet production-ready but should be on your radar.

Let’s dive in!

1. cookie

  • Production-ready: Yes
  • Async support: No

cookie is a crate for creating and parsing HTTP cookies. It’s used for managing sessions, encrypting, and signing cookies.

cookie is a production-ready crate with thousands of downloads. It serves as a foundation for building session-based authentication strategies. The crate supports saving and recording changes in cookies. It’s web framework-agnostic and supports actix, rocket, and all other frameworks.

2. jsonwebtoken

  • Production-ready: Yes
  • Async support: No

JSON Web Tokens are very popular for authorization; many OAuth providers issue JWTs. jsonwebtoken provides support for creating and verifying JWTs.

The crate supports all standard signing algorithms as well as both symmetric and asymmetric encryption algorithms. It comes with built-in validation of standard claims and strongly typed and highly configurable APIs. It also features full implementation of RFC 7519.

jsonwebtoken is a highly stable and widely used library with thousands of downloads. Best of all, it has an active team of maintainers with huge community support.
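The "built-in validation of standard claims" mentioned above is the part of a JWT library that separates a cryptographically valid token from a token you should actually accept. The following is an added example, written here with std only and not code from the jsonwebtoken crate, showing the checks a verifier performs after the signature has been validated: algorithm allow-listing (the token's own `alg` header is never trusted on its own), `exp`/`nbf`/`iat` with clock-skew leeway, and exact `iss`/`aud` matching. The `Header`, `Claims`, `Validation` and `ClaimError` types are hypothetical names chosen for this example; sample claim values are constructed.

```rust
// Added example: standard JWT claim validation (RFC 7519 section 4.1) with
// algorithm pinning, std only. Not code from the jsonwebtoken crate.

/// Decoded JOSE header; only the field relevant to these checks.
#[derive(Debug)]
pub struct Header {
    pub alg: String,
}

/// Registered claims as the application holds them after decoding the payload.
/// Every registered claim is optional in the spec, hence the Options.
#[derive(Debug, Default)]
pub struct Claims {
    pub iss: Option<String>,
    pub sub: Option<String>,
    pub aud: Option<Vec<String>>,
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    pub iat: Option<u64>,
}

/// What this verifier requires of a token (hypothetical type for the example).
pub struct Validation<'a> {
    pub allowed_algs: &'a [&'a str],
    pub expected_iss: Option<&'a str>,
    pub expected_aud: Option<&'a str>,
    pub leeway_secs: u64,
    pub require_exp: bool,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    AlgNotAllowed,
    Expired,
    NotYetValid,
    IssuedInFuture,
    MissingExp,
    WrongIssuer,
    WrongAudience,
}

/// Pin the algorithm to what the verification key was provisioned for.
/// "none" is rejected unconditionally, even if someone puts it in the allow-list.
pub fn validate_header(h: &Header, v: &Validation) -> Result<(), ClaimError> {
    if h.alg.eq_ignore_ascii_case("none") || !v.allowed_algs.contains(&h.alg.as_str()) {
        return Err(ClaimError::AlgNotAllowed);
    }
    Ok(())
}

/// `now` is Unix seconds; all time checks tolerate `leeway_secs` of clock skew.
pub fn validate_claims(c: &Claims, v: &Validation, now: u64) -> Result<(), ClaimError> {
    // exp: RFC 7519 says the current time MUST be before exp.
    match c.exp {
        Some(exp) if now >= exp.saturating_add(v.leeway_secs) => return Err(ClaimError::Expired),
        None if v.require_exp => return Err(ClaimError::MissingExp),
        _ => {}
    }
    // nbf: the token MUST NOT be accepted before nbf (minus leeway).
    if let Some(nbf) = c.nbf {
        if now.saturating_add(v.leeway_secs) < nbf {
            return Err(ClaimError::NotYetValid);
        }
    }
    // iat: a token that claims to have been issued in the future is suspect.
    if let Some(iat) = c.iat {
        if iat > now.saturating_add(v.leeway_secs) {
            return Err(ClaimError::IssuedInFuture);
        }
    }
    // iss: exact match against the configured issuer, not a prefix or substring.
    if let Some(want) = v.expected_iss {
        if c.iss.as_deref() != Some(want) {
            return Err(ClaimError::WrongIssuer);
        }
    }
    // aud: our own identifier must be in the audience list, otherwise a token
    // minted for another service would be accepted here despite a valid signature.
    if let Some(want) = v.expected_aud {
        let ok = c.aud.as_ref().map_or(false, |list| list.iter().any(|a| a.as_str() == want));
        if !ok {
            return Err(ClaimError::WrongAudience);
        }
    }
    Ok(())
}

fn main() {
    let policy = Validation { allowed_algs: &["RS256"], expected_iss: Some("https://issuer.example"),
        expected_aud: Some("api.example"), leeway_secs: 60, require_exp: true };
    // Constructed sample header and claims, as they would look after decoding a token.
    let header = Header { alg: "RS256".to_string() };
    let claims = Claims { iss: Some("https://issuer.example".to_string()), sub: Some("user-42".to_string()),
        aud: Some(vec!["api.example".to_string()]), exp: Some(1_700_000_600),
        nbf: Some(1_699_999_900), iat: Some(1_699_999_900) };
    let now = 1_700_000_000;
    let result = validate_header(&header, &policy).and_then(|_| validate_claims(&claims, &policy, now));
    println!("{:?}", result);
}
```

The order matters in practice: check the header and signature first, then the claims, and return a generic error to the client so that the distinction between "expired" and "wrong audience" is only visible in your own logs.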

3. oauth2

  • Production-ready: Yes
  • Async support: Yes

oauth2 provides a complete implementation of the OAuth 2 protocol. It supports async and sync I/O, obtaining access tokens, verifying state, and obtaining refresh tokens.

Features include a full implementation of RFC 6749 and a strongly typed API. The crate supports state (CSRF token) validation as well as PKCE challenges. Furthermore, a custom HTTP client can be plugged in, with default support for reqwest and curl baked into the crate.

Finally, oauth2 is framework-agnostic and supports using a password and username directly.

Examples of other OAuth providers include:

oauth2 is easy to use and provides a complete OAuth 2 client solution, including refresh tokens, managing claims, scopes, and grants.

4. otpauth

  • Production-ready: Yes
  • Async support: No

otpauth supports both the HOTP and TOTP algorithms and is used to generate one-time passwords (OTPs). It can generate time-based OTPs with support for changing the validation time.

otpauth’s APIs are easy to use and intuitive, and it features a full implementation of HOTP and TOTP.
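HOTP and TOTP are short enough to show end to end, which also makes the "validation time" knob above concrete: a server does not compare against a single code but against every code in a window of time steps around its own clock. The following is an added example written with std only (its own SHA-1 and HMAC so it runs without dependencies) and is not code from the otpauth crate. It implements HOTP per RFC 4226 (HMAC-SHA1, dynamic truncation) and TOTP per RFC 6238, and checks itself against the reference vectors in those RFCs; the function names are chosen for this example.

```rust
// Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with a verification window,
// std only. Not code from the otpauth crate.

/// Single-shot SHA-1. HOTP/TOTP default to HMAC-SHA1; it is fine as a MAC here,
/// but do not use SHA-1 for anything that needs collision resistance.
fn sha1(msg: &[u8]) -> [u8; 20] {
    let mut h: [u32; 5] = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0];
    // Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    let mut data = msg.to_vec();
    data.push(0x80);
    while data.len() % 64 != 56 {
        data.push(0);
    }
    data.extend_from_slice(&((msg.len() as u64) * 8).to_be_bytes());
    for block in data.chunks_exact(64) {
        let mut w = [0u32; 80];
        for (i, word) in block.chunks_exact(4).enumerate() {
            w[i] = u32::from_be_bytes([word[0], word[1], word[2], word[3]]);
        }
        for i in 16..80 {
            w[i] = (w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]).rotate_left(1);
        }
        let (mut a, mut b, mut c, mut d, mut e) = (h[0], h[1], h[2], h[3], h[4]);
        for (i, &wi) in w.iter().enumerate() {
            let (f, k): (u32, u32) = match i {
                0..=19 => ((b & c) | (!b & d), 0x5A827999),
                20..=39 => (b ^ c ^ d, 0x6ED9EBA1),
                40..=59 => ((b & c) | (b & d) | (c & d), 0x8F1BBCDC),
                _ => (b ^ c ^ d, 0xCA62C1D6),
            };
            let t = a.rotate_left(5).wrapping_add(f).wrapping_add(e).wrapping_add(k).wrapping_add(wi);
            e = d;
            d = c;
            c = b.rotate_left(30);
            b = a;
            a = t;
        }
        h[0] = h[0].wrapping_add(a);
        h[1] = h[1].wrapping_add(b);
        h[2] = h[2].wrapping_add(c);
        h[3] = h[3].wrapping_add(d);
        h[4] = h[4].wrapping_add(e);
    }
    let mut out = [0u8; 20];
    for (i, v) in h.iter().enumerate() {
        out[4 * i..4 * i + 4].copy_from_slice(&v.to_be_bytes());
    }
    out
}

/// HMAC-SHA1 (RFC 2104) with SHA-1's 64-byte block size.
fn hmac_sha1(key: &[u8], msg: &[u8]) -> [u8; 20] {
    let mut k = [0u8; 64];
    if key.len() > 64 {
        k[..20].copy_from_slice(&sha1(key));
    } else {
        k[..key.len()].copy_from_slice(key);
    }
    let mut inner: Vec<u8> = k.iter().map(|b| b ^ 0x36).collect();
    inner.extend_from_slice(msg);
    let mut outer: Vec<u8> = k.iter().map(|b| b ^ 0x5c).collect();
    outer.extend_from_slice(&sha1(&inner));
    sha1(&outer)
}

/// HOTP: dynamic truncation of HMAC-SHA1(secret, counter) to `digits` decimal digits.
pub fn hotp(secret: &[u8], counter: u64, digits: u32) -> u32 {
    let mac = hmac_sha1(secret, &counter.to_be_bytes());
    let offset = (mac[19] & 0x0f) as usize;
    let code = ((mac[offset] & 0x7f) as u32) << 24
        | (mac[offset + 1] as u32) << 16
        | (mac[offset + 2] as u32) << 8
        | (mac[offset + 3] as u32);
    code % 10u32.pow(digits)
}

/// TOTP: HOTP whose counter is the number of `period`-second steps since the Unix epoch.
pub fn totp(secret: &[u8], unix_time: u64, period: u64, digits: u32) -> u32 {
    hotp(secret, unix_time / period, digits)
}

/// Server-side check tolerating `window` steps of drift either way (window 1 with a
/// 30 s period accepts codes from the previous, current and next step).
pub fn verify_totp(secret: &[u8], candidate: u32, unix_time: u64, period: u64, digits: u32, window: u64) -> bool {
    let step = unix_time / period;
    (step.saturating_sub(window)..=step + window).any(|s| hotp(secret, s, digits) == candidate)
}

/// Zero-padded presentation, since a code such as 7081804 must be shown as "07081804".
pub fn format_otp(code: u32, digits: u32) -> String {
    format!("{:0width$}", code, width = digits as usize)
}

fn main() {
    let secret = b"12345678901234567890"; // reference secret from RFC 4226 / RFC 6238
    for counter in 0..3 {
        println!("HOTP({}) = {}", counter, format_otp(hotp(secret, counter, 6), 6));
    }
    println!("TOTP(t=59, 8 digits) = {}", format_otp(totp(secret, 59, 30, 8), 8));
    println!("one step late, window 1: {}", verify_totp(secret, 287082, 89, 30, 6, 1));
}
```

A window makes a code valid for more than one step, so a real server must also record the last step it accepted for each user and refuse anything at or below it, and rate-limit attempts: six digits is only a million possibilities and the window multiplies an attacker's odds per guess.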

5. yup-oauth2

  • Production-ready: Yes
  • Async support: Yes

yup-oauth2 provides an implementation of OAuth 2.0 for server-to-server applications. It’s used to implement client libraries for different services, such as google-api-rs.

The crate supports both service accounts and installed applications and works with any service that implements OAuth 2.0 for server-to-server authentication. yup-oauth2 is typically used for authentication on devices with limited input capabilities, using the device flow. It’s used with services such as Google Cloud Platform, Firebase, and other Google services, using the service account flow. It also supports applications where the authentication token cannot be saved securely, using the installed application flow.

6. ASAP

  • Production-ready: Yes
  • Async support: No

ASAP is an authentication mechanism created and maintained by Atlassian. It supports nonstandard claims and performs validation and token generation at lightning-fast speed.

ASAP is based on the jsonwebtoken crate. It fully supports ASAP specifications.

7. JWKS-Client

  • Production-ready: Yes
  • Async support: Yes

JWKS-Client provides support for validating JSON Web Tokens using a JWKS (JSON Web Key Set). The primary function of the crate is symmetric signature validation for JWTs using a JWKS.

The crate is primarily used for Google and Firebase OAuth but can easily be used with any other provider. It takes the URL of the key set as an argument and verifies the token. It also supports key caching.

8. openssl

  • Production-ready: Yes
  • Async support: No

The openssl crate is a Rust binding for the OpenSSL library. It provides full support for signing tokens, hashing passwords, generating random auth tokens, and encrypting data.

Many authentication libraries use OpenSSL for signing and hashing data. jsonwebtoken uses OpenSSL for signing tokens.

The openssl crate supports both static and dynamic linking. It can use the version of OpenSSL already available on the system or download the required version.

9. pgen

  • Production-ready: Yes
  • Async support: No

pgen generates passphrases using the EFF’s wordlists for random passphrases.

3 Rust authentication libraries to keep on your radar

The following libraries are not yet stable but have promising features and should be on your radar. As Rust grows, it will support more and more standards.

1. boringauth

  • Production-ready: No
  • Async support: No

boringauth is a one-stop solution for any app’s authentication-related needs. It supports passphrase authentication and both HOTP- and TOTP-based authentication. It also features a customizable period, hashing algorithm, output length, and initial timestamp.

boringauth can be used in CLI and desktop apps. It doesn’t have full support for HOTP and TOTP just yet. Support for universal two-factor authentication is also forthcoming.

2. oxide-auth

  • Production-ready: No
  • Async support: No

The oxide-auth crate provides an implementation of OAuth for the server side. It has support for many web frameworks, including Actix, Iron, Rocket, and Rouille.

Put simply, oxide-auth makes managing OAuth tokens on the server easy. It also supports handling tokens for custom servers.

Though its APIs aren’t stable yet, oxide-auth is a solid library. Support crates for web frameworks are still works in progress.

3. Frank JWT

  • Production-ready: No
  • Async support: No

Frank JWT is used for verifying and generating JWTs. It can read keys automatically from a path.

This crate is not yet production-ready since it doesn’t support validation of iss, sub, and many other claims.

Summary

To summarize, below is a comprehensive table to help you compare the features, capabilities, and pros and cons of the Rust authentication libraries discussed in this guide.

Each entry lists: production-ready?, type, async support?, primary use(s), drawbacks, benefits, and whether the crate is maintained.

cookie
  • Production-ready: Yes
  • Type: Helper
  • Async support: No
  • Primary use(s): Creating a custom session- and cookie-based auth; saving JWTs in encrypted cookies; tracking users
  • Drawbacks: Only a helper library
  • Benefits: Wide user base; support for parsing and creating cookies
  • Maintained: Yes

oauth2
  • Production-ready: Yes
  • Type: OAuth support
  • Async support: Yes
  • Primary use(s): Obtaining OAuth tokens; supports multiple HTTPS request clients (reqwest, curl, custom); supports any provider that implements OAuth 2
  • Drawbacks: No support for verifying obtained tokens
  • Benefits: Full implementation of OAuth 2
  • Maintained: Yes

oauth-client
  • Production-ready: No
  • Type: OAuth support
  • Async support: No
  • Primary use(s): OAuth support
  • Drawbacks: No support for verifying obtained tokens; not actively maintained
  • Maintained: No

oauth-client-async
  • Production-ready: No
  • Type: OAuth support
  • Async support: Yes
  • Primary use(s): Async version of oauth-client
  • Drawbacks: Not actively maintained; relatively few users; no support for verifying obtained tokens
  • Maintained: No

oxide-auth
  • Production-ready: No
  • Type: OAuth server
  • Async support: Yes
  • Primary use(s): Building servers based on OAuth; support for various frameworks (oxide-auth-actix, oxide-auth-iron, oxide-auth-rocket, oxide-auth-rouille)
  • Drawbacks: No stable API
  • Maintained: Yes

inth-oauth2
  • Production-ready: No
  • Type: OAuth server
  • Async support: Yes
  • Primary use(s): OAuth client server; supports Google, GitHub, and Imgur out of the box; pluggable interface with community support for Slack and other providers
  • Drawbacks: Not maintained
  • Maintained: No

yup-oauth2
  • Production-ready: Yes
  • Type: OAuth server
  • Async support: Yes
  • Primary use(s): OAuth for Google services; token caching
  • Drawbacks: No out-of-the-box auth provider support
  • Benefits: Support for installed applications; service accounts; used by google-api-rs
  • Maintained: Yes

Frank JWT
  • Production-ready: No
  • Type: JWT helper
  • Async support: No
  • Primary use(s): JWT creation and validation; symmetric and asymmetric algorithms
  • Drawbacks: No support for fetching keys from JWKS
  • Benefits: Support for numerous algorithms
  • Maintained: Yes

jsonwebtoken
  • Production-ready: Yes
  • Type: JWT helper
  • Async support: No
  • Primary use(s): JWT creation and validation; symmetric and asymmetric algorithms
  • Drawbacks: No support for fetching keys from JWKS
  • Benefits: Great community support; wide use
  • Maintained: Yes

otpauth
  • Production-ready: Yes
  • Type: OTP auth
  • Async support: No
  • Primary use(s): OTP creation and validation
  • Drawbacks: No support for secret generation
  • Benefits: Supports both TOTP and HOTP
  • Maintained: Yes

boringauth
  • Production-ready: No
  • Type: OTP auth
  • Async support: No
  • Primary use(s): OTP creation and validation
  • Benefits: Highly configurable; support for passwords; supports both TOTP and HOTP
  • Maintained: Yes

ASAP
  • Production-ready: Yes
  • Type: ASAP auth
  • Async support: Yes
  • Primary use(s): ASAP tokens (JWT with custom claims)
  • Drawbacks: No support for JWKS
  • Benefits: Super-fast; supported by Atlassian
  • Maintained: Yes

JWKS-Client
  • Production-ready: Yes
  • Type: JWT auth middleware
  • Async support: Yes
  • Primary use(s): JWT validation using JWKS
  • Drawbacks: Works only for Rocket
  • Benefits: Uses JWKS
  • Maintained: Yes

openssl
  • Production-ready: Yes
  • Type: Cryptography
  • Async support: No
  • Primary use(s): Hashing passwords; generating salts
  • Benefits: Binding for the OpenSSL library
  • Maintained: Yes

pgen
  • Production-ready: Yes
  • Type: Passphrase generator
  • Async support: No
  • Primary use(s): Passphrase generation
  • Benefits: Based on the EFF list
  • Maintained: Yes
