Implementing OAuth2 with Rust for Secure Web App Authentication

rust oauth2 web-server

A concise guide on implementing OAuth2 with Rust for beginners, covering setup, code examples, and security essentials for secure web app authentication.

Introduction

OAuth2 has become the industry standard for authorization. It allows users to grant third-party applications limited access to their resources without sharing credentials. Here, we'll walk through implementing OAuth2 in Rust using the actix-web framework for our web server.

Step 1: Understanding OAuth2 Basics

OAuth2 involves several roles:

  • Resource Owner: Typically the user.
  • Client: Your web application.
  • Authorization Server: The service providing OAuth (e.g., Google, GitHub).
  • Resource Server: Where the user’s data resides.

Step 2: Setup Your Rust Project

First, create a new Rust project:

cargo new rust_oauth2_example
cd rust_oauth2_example

Add necessary dependencies in Cargo.toml:

[dependencies]
actix-web = "4"
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
dotenv = "0.15.0"
reqwest = { version = "0.11", features = ["json"] }

Step 3: Configure Environment Variables

Create a .env file for your OAuth2 client details:

CLIENT_ID=your_client_id_here
CLIENT_SECRET=your_client_secret_here
REDIRECT_URI=http://localhost:8080/callback

Step 4: Implement OAuth2 Flow

Authorization Code Flow:

  1. Redirect User for Authorization
use actix_web::{web, App, HttpServer, HttpResponse, Responder};
use dotenv::dotenv;
use std::env;
 
#[get("/login")]
async fn login() -> impl Responder {
    dotenv().ok();
    let client_id = env::var("CLIENT_ID").expect("CLIENT_ID must be set");
    let redirect_uri = env::var("REDIRECT_URI").expect("REDIRECT_URI must be set");
 
    let auth_url = format!(
        "https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id={}&redirect_uri={}&scope=email%20profile",
        client_id, redirect_uri
    );
    
    HttpResponse::Found()
        .append_header(("Location", auth_url))
        .finish()
}
  1. Handle Callback and Exchange Code for Tokens
#[get("/callback")]
async fn callback(query: web::Query<HashMap<String, String>>) -> impl Responder {
    if let Some(code) = query.get("code") {
        let client_secret = env::var("CLIENT_SECRET").expect("CLIENT_SECRET must be set");
        let client_id = env::var("CLIENT_ID").expect("CLIENT_ID must be set");
 
        let client = reqwest::Client::new();
        let params = [
            ("code", code),
            ("client_id", &client_id),
            ("client_secret", &client_secret),
            ("redirect_uri", "http://localhost:8080/callback"),
            ("grant_type", "authorization_code"),
        ];
 
        match client.post("https://oauth2.googleapis.com/token")
            .form(&params)
            .send()
            .await {
            Ok(response) => {
                if let Ok(tokens) = response.json::<HashMap<String, String>>().await {
                    if let Some(access_token) = tokens.get("access_token") {
                        // Here you might want to store this token or use it directly
                        return format!("Access Token: {}", access_token);
                    }
                }
            },
            Err(_) => return "Failed to exchange code for token".to_string(),
        }
    }
    "Authorization code not found or token exchange failed".to_string()
}
  1. Server Setup
#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .service(login)
            .service(callback)
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

Step 5: Understanding the Flow

  • User Clicks Login: They are redirected to the authorization server (e.g., Google).
  • User Grants Access: Google redirects back to your app with an authorization code.
  • Code Exchange: Your app exchanges this code for an access token.
  • Access Protected Resources: Use this token to access user data or perform actions on behalf of the user.

Security Considerations:

  • Use HTTPS: Always use HTTPS to prevent man-in-the-middle attacks.
  • Validate Redirect URI: Ensure the redirect URI matches exactly what's registered with the OAuth provider.
  • Keep Secrets Secret: Never expose CLIENT_SECRET in client-side code or version control.
  • State Parameter: Use a state parameter to prevent CSRF attacks (not shown here for simplicity but crucial in production).

Step 6: Run Your Application

cargo run

Navigate to http://localhost:8080/login in your browser, which should redirect you to the OAuth provider's login page.

This guide provides a basic implementation of OAuth2 with Rust. For a production environment, consider:

  • Adding error handling and user feedback.
  • Implementing refresh tokens for long-lived access.
  • Using libraries like openidconnect-rs for more standardized OAuth2/OpenID Connect interactions.
  • Securing your endpoints with the obtained access tokens.

Remember, OAuth2 can be complex with various flows (like the implicit grant, client credentials, etc.), but this example focuses on the authorization code flow, which is common for web applications.