Authkestra is a modular, framework-agnostic authentication orchestration system designed to be idiomatic to Rust, emphasizing explicit control flow, strong typing, and composability over dynamic middleware strategies common in other ecosystems.
The easiest way to use Authkestra is via the authkestra facade crate. It re-exports all sub-crates behind feature flags, allowing you to manage your authentication stack from a single dependency.
Add this to your Cargo.toml:
```toml
[dependencies]
# Use the facade with the features you need
authkestra = { version = "0.1.1", features = ["axum", "github"] }
```

For advanced users, individual crates are still available and can be used independently if preferred.
- Modular Design: Concerns are strictly separated into crates: `authkestra-core`, `authkestra-flow`, `authkestra-guard`, `authkestra-session`, `authkestra-token`, and framework adapters like `authkestra-axum` and `authkestra-actix`.
- Explicit Flow Control: Dependencies and authentication context are injected explicitly via Extractors (Axum/Actix) or constructor arguments, eliminating "magic" middleware.
- Flexible Chaining: Use the `AuthkestraGuard` to chain multiple authentication strategies (Token, Session, Basic, Custom) in any order.
- Provider Agnostic: Easily integrate new OAuth providers by implementing the `OAuthProvider` trait.
- Session Management: Flexible session storage via the `SessionStore` trait, with built-in support for in-memory, Redis, and SQL via `sqlx`.
- Stateless Tokens: Comprehensive JWT support and offline validation.
| Crate | Responsibility |
|---|---|
| `authkestra` | Primary Facade: Re-exports all other crates behind features. |
| `authkestra-core` | Foundational types, traits (`Identity`, `OAuthProvider`, `SessionStore`). |
| `authkestra-flow` | Orchestrates OAuth2/OIDC flows (Authorization Code, PKCE). |
| `authkestra-guard` | Authentication guard and strategies (JWT offline validation, etc). |
| `authkestra-session` | Session persistence layer abstraction. |
| `authkestra-token` | JWT signing and token abstraction. |
| `authkestra-providers-github` | Concrete implementation for GitHub OAuth. |
| `authkestra-providers-google` | Concrete implementation for Google OAuth. |
| `authkestra-providers-discord` | Concrete implementation for Discord OAuth. |
| `authkestra-axum` | Axum-specific integration, including `AuthSession` extractors. |
| `authkestra-actix` | Actix-specific integration. |
| `authkestra-oidc` | OpenID Connect discovery and provider support. |
To see Authkestra in action, check out the examples directory:
- Get Started
- Axum Combined Flow (Authkestra + AuthkestraGuard)
- Axum with GitHub OAuth
- Actix with GitHub OAuth
- OIDC Generic Provider
- Device Flow
The architecture favors compile-time guarantees over runtime flexibility:
- Trait-Based Extension: Customization is achieved by implementing traits, not by configuring dynamic strategies.
- Explicit Injection: Authentication context is never implicitly available; users must explicitly request it via extractors (e.g., `AuthSession(session): AuthSession`).
- Framework Agnostic Core: `authkestra-flow` is pure Rust logic, completely independent of any web framework.
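
The sketch below is an added example, not code from Authkestra: a std-only Rust model of trait-based strategy chaining that returns the identity explicitly to the caller. Every name in it (`Strategy`, `Outcome`, `guard`, `BearerToken`, `SessionCookie`) and the rule that an invalid credential stops the chain instead of falling through are assumptions of this sketch; the lookup tables and header values are constructed.

```rust
// Added illustration: every name below is hypothetical, none is Authkestra's API.
use std::collections::HashMap;
type Headers = HashMap<String, String>; // constructed model: lowercase header name -> value

#[derive(Debug, PartialEq)]
pub struct Identity { pub user: String }
pub enum Outcome {
    Authenticated(Identity), // credential present and valid
    Skip,                    // this strategy's credential is absent: try the next one
    Reject(&'static str),    // credential present but invalid: fail closed
}
pub trait Strategy { fn authenticate(&self, headers: &Headers) -> Outcome; }

// Shared lookup: only a missing credential may fall through to the next strategy.
fn check(h: &Headers, name: &str, prefix: &str, table: &HashMap<String, String>) -> Outcome {
    match h.get(name).and_then(|v| v.strip_prefix(prefix)) {
        None => Outcome::Skip,
        Some(key) => match table.get(key) {
            Some(user) => Outcome::Authenticated(Identity { user: user.clone() }),
            None => Outcome::Reject("credential not recognised"),
        },
    }
}

pub struct BearerToken(pub HashMap<String, String>);   // constructed table: token -> user
pub struct SessionCookie(pub HashMap<String, String>); // constructed table: session id -> user
impl Strategy for BearerToken {
    fn authenticate(&self, h: &Headers) -> Outcome { check(h, "authorization", "Bearer ", &self.0) }
}
impl Strategy for SessionCookie {
    fn authenticate(&self, h: &Headers) -> Outcome { check(h, "cookie", "session=", &self.0) }
}

// Runs the chain in order and hands the caller a typed result, never ambient state.
pub fn guard(chain: &[&dyn Strategy], headers: &Headers) -> Result<Identity, &'static str> {
    for strategy in chain {
        match strategy.authenticate(headers) {
            Outcome::Authenticated(id) => return Ok(id),
            Outcome::Reject(why) => return Err(why),
            Outcome::Skip => continue,
        }
    }
    Err("no credentials presented")
}

fn main() {
    let bearer = BearerToken(HashMap::from([("tok-123".to_string(), "alice".to_string())]));
    let headers = HashMap::from([("authorization".to_string(), "Bearer tok-123".to_string())]);
    println!("{:?}", guard(&[&bearer], &headers)); // Ok(Identity { user: "alice" })
}
```

Because `Reject` ends the chain, a request carrying a forged bearer token is refused even when it also carries a valid session cookie, so reordering the strategies cannot turn a bad credential into a silent downgrade.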
This project is dual-licensed under either:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.