rullst-connect

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.

If this is your project, please show your badge status on your project page! The badge status looks like this:

Here is how to embed it:

You can show your badge status by embedding this in your markdown file:

[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13360/badge)](https://www.bestpractices.dev/projects/13360)

or by embedding this in your HTML:

<a href="https://www.bestpractices.dev/projects/13360"><img src="https://www.bestpractices.dev/projects/13360/badge"></a>

These are the

level criteria. You can also view the

level criteria.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

Basics 0/5 ●

General

What is the human-readable name of the project?
Note that other projects may use the same name.

What is a brief description of the project?

Rust Connect is an elegant, async-first, and Developer Experience (DX) focused OAuth2 authentication library for Rust,

What is the URL for the project (as a whole)?
https://rullst.github.io/rullst-connect

What is the URL for the version control repository (it may be the same as the project URL)?
https://github.com/Rullst/rullst-connect

What license(s) is the project released under?
Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.

What programming language(s) are used to implement the project?
If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".

What is the Common Platform Enumeration (CPE) name for the project (if it has one)?
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.
Other general comments about the project:
Rullst Connect 🦀

Rullst Connect is an elegant, async-first, and Developer Experience (DX) focused OAuth2 authentication library for Rust. It simplifies the integration of social logins into your Rust web applications, providing a standardized interface across multiple providers.

🛡️ Quality & Security Audits

CI & Coverage Security & Analysis Formal & Advanced Testing

 

 

✨ Features
- 🚀 Async & Fast: Built on top of tokio and reqwest.
- 🧩 Standardized: All providers return a unified ConnectUser struct.
- 🛡️ Type-Safe: Robust error handling using thiserror (ConnectError).
- 🔌 Framework Agnostic: Works seamlessly with Rullst, Axum, Actix, Leptos, Dioxus, or any other framework.
- 🔐 Enterprise Security: Built-in OIDC Discovery, JWKS validation, and automated CSRF tower-sessions.
- 📺 Device Flow: Native RFC 8628 support for headless CLI and Smart TV auth.
- 🛠️ Testing: Embedded Mock IdP router for seamless offline local E2E testing.
📚 Important Documents:
- CHANGELOG.md: See what's new.
- ISSUES: Any issue? Please report.
- ROADMAP.md: Discover our path.
- AUDIT.md: Complete security, performance, and maintainability audit report.
📦 Supported Providers

Official support for 11 core providers:
1. Google
2. GitHub
3. Microsoft / Azure AD
4. Apple (Sign in with Apple)
5. Auth0
6. AWS Cognito
7. Facebook
8. X (Twitter) (Strict PKCE requirement)
9. Discord
10. LinkedIn
11. OIDC (OpenID Connect Custom Provider)
🛠️ Installation

Add the package to your Cargo.toml. If you use Rullst, Axum, Actix, or Leptos, you can enable their specific features for native Extractor support!

You can either run:
```
cargo add rullst-connect
```
Or manually add it to your Cargo.toml:
```
[dependencies]
rullst-connect = "10.0.1"
tokio = { version = "1.52", features = ["full"] }
```
🚀 Quick Start

1. Initialize the Provider

Choose your provider and pass your credentials and callback URL:
```
use rullst_connect::prelude::*;

let github = GithubProvider::new(
 "YOUR_CLIENT_ID".to_string(),
 "YOUR_CLIENT_SECRET".to_string(),
 "http://localhost:3000/auth/github/callback".to_string(),
);
```
2. Redirect the User

Get the authorization URL and redirect your user:
```
let url = github.redirect_url();
// Example in Axum: return Redirect::temporary(&url);
```
3. Handle the Callback & Get User

When the user returns to your callback URL with a code query parameter, exchange it for a ConnectUser:
```
let params = rullst_connect::provider::ExchangeParams {
 auth_code: code,
 ..Default::default()
};
match github.get_user(params).await {
 Ok(user) => {
 println!("Welcome, {}!", user.name);
 println!("Email: {:?}", user.email);
 println!("Avatar: {:?}", user.avatar_url);
 }
 Err(_) => return (StatusCode::INTERNAL_SERVER_ERROR, "Failed to get user".to_string()),
}
```
🛡️ CSRF Protection (State Parameter)

To prevent Cross-Site Request Forgery (CSRF) attacks, you should generate a secure random string, save it in a session/cookie, and pass it to the provider.
```
// 1. Generate a random state string and save it in the session
let state = "random_secure_string";

// 2. Get the authorization URL with the state parameter using the builder
let url = github.with_state(state).redirect_url();
// return Redirect::temporary(&url);

// 3. In the callback route, verify if the query param `state` matches your session!
// If you are using the optional `axum` or `actix` features, you can use `verify_state`:
// params.verify_state(&state_from_session)?;
```
🔄 Refreshing Tokens

If an access token expires, you can seamlessly renew it without asking the user to login again by using their refresh_token:
```
let refreshed_user = github.refresh_token("existing_refresh_token_string").await?;
// Tokens are wrapped in `secrecy::SecretString` to prevent accidental log leakage ([REDACTED]).
// When you need to send it to an API, expose it explicitly:
use secrecy::ExposeSecret;
let raw_token = refreshed_user.access_token.expose_secret();
println!("Successfully refreshed token securely!");
```
🔒 PKCE Support (v9.0.0+)

All providers natively support PKCE (Proof Key for Code Exchange) to mitigate authorization code interception attacks. Some providers like X (Twitter) v2 strictly require it.
```
use rullst_connect::pkce::generate_pkce;

// 1. Generate challenge and verifier
let (code_verifier, code_challenge) = generate_pkce();

// 2. Save `code_verifier` in the user's session or a secure HttpOnly cookie!

// 3. Get the URL with PKCE natively using the builder pattern
let auth_url = provider.with_pkce(&code_challenge).redirect_url();

// 4. In the callback route, fetch the user using the saved verifier:
let params = rullst_connect::provider::ExchangeParams {
 auth_code: &code,
 code_verifier: Some(&code_verifier),
 ..Default::default()
};
let user = provider.get_user(params).await.unwrap();
```
🧑‍💻 Full Example with Axum

You can find a complete working server using the Axum framework in the examples directory. Just run:
```
cargo run --example axum_server
```
📦 Releasing a New Version

This project uses cargo-release to automate version bumps, README synchronization, and CHANGELOG management.
The publish workflow in .github/workflows/publish.yml runs when a vX.Y.Z tag is pushed, and it can also be triggered manually from GitHub Actions.

To release a new version, simply run:
```
# install it first if you haven't: cargo install cargo-release
cargo release patch --execute # for v1.0.x patches
cargo release minor --execute # for v1.x.0 features
cargo release major --execute # for vX.0.0 breaking changes
```
This will automatically bump versions, tag the release, and push to GitHub, triggering the crates.io publish workflow.

For the exact release checklist and what to do next time, see RELEASING.md.

🤝 Contributing

Feel free to open Issues and submit Pull Requests! Want to add a new provider? It's easy! Just implement the Provider trait.

📄 License

This project is licensed under the MIT License.
Prerequisites

Criterion [achieve_silver]
Met

Unmet

The project MUST achieve a silver level badge. ^{[achieve_silver]}
Project oversight

Criterion [bus_factor]
Met

Unmet

?

The project MUST have a "bus factor" of 2 or more. (URL required) ^[bus_factor]
A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.

Criterion [contributors_unassociated]
Met

Unmet

?

The project MUST have at least two unassociated significant contributors. (URL required) ^{[contributors_unassociated]}
Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.
Other

Criterion [copyright_per_file]
Met

Unmet

?

The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). ^{[copyright_per_file]}
This MAY be done by including the following inside a comment near the beginning of each file: "Copyright the [project name] contributors.". See "Copyright Notices in Open Source Software Projects" by Steve Winslow.

Criterion [license_per_file]
Met

Unmet

?

The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. ^{[license_per_file]}
This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

CI & Coverage	Security & Analysis	Formal & Advanced Testing
<br><br>	<br><br><br>	<br><br>
		<br>

Analysis 0/2 ●

Dynamic code analysis

Criterion [dynamic_analysis]
Met

Unmet

N/A

?

The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. ^{[dynamic_analysis]}
A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

Warning: Requires lengthier justification.

Criterion [dynamic_analysis_enable_assertions]
Met

Unmet

N/A

?

The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. ^{[dynamic_analysis_enable_assertions]}
This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

Warning: Requires lengthier justification.

This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit @venelouis and the OpenSSF Best Practices badge contributors.

rullst-connect

Basics 0/5 ●

General

Rullst Connect 🦀

🛡️ Quality & Security Audits

✨ Features

📦 Supported Providers

🛠️ Installation

🚀 Quick Start

1. Initialize the Provider

2. Redirect the User

3. Handle the Callback & Get User

🛡️ CSRF Protection (State Parameter)

🔄 Refreshing Tokens

🔒 PKCE Support (v9.0.0+)

🧑‍💻 Full Example with Axum

📦 Releasing a New Version

🤝 Contributing

📄 License

Prerequisites

Project oversight

Other

Change Control 1/4 ●

Public version-controlled source repository

Quality 0/7 ●

Coding standards

Working build system

Automated test suite

Security 0/5 ●

Use basic good cryptographic practices

Secured delivery against man-in-the-middle (MITM) attacks

Other security issues

Analysis 0/2 ●

Dynamic code analysis