Matteo Steinbach
A "secure" Rust implementation of Google OAuth 2.0 authentication using Warp web framework and JWT validation.
## Features

- OAuth 2.0 authentication flow with PKCE
- JWT validation with Google's public keys
- Session state management
- HTML templating with Askama
- Environment configuration
- Error handling with proper rejection
## Prerequisites

- Rust 1.65+
- Cargo
- Google Cloud Platform account
- Registered OAuth client credentials

## Installation

1. Clone the repository

   ```bash
   git clone https://github.com/yourusername/google-oauth-rs.git
   cd google-oauth-rs
   ```

2. Install dependencies

   ```bash
   cargo build
   ```

3. Create a `.env` file

   ```
   CLIENT_ID=your_google_client_id
   CLIENT_SECRET=your_google_client_secret
   ```

4. Google Cloud Setup

   - Create OAuth credentials at Google Cloud Console
   - Add `http://localhost:8080/callback` to authorized redirect URIs
   - Enable "OpenID Connect" in the consent screen

## Running

```bash
cargo run
```

Server will start at: http://localhost:8080
## Project Structure

```
.
├── src/
│   ├── main.rs          # Application entry point and route configuration
│   ├── handlers.rs      # Request handlers and business logic
│   ├── jwks.rs          # JWKS fetching and key management
│   └── templates/       # Askama HTML templates
│       └── callback.html  # Post-auth user display template
├── static/              # Static files (CSS, images)
│   ├── logo.png         # Application logo
│   └── style.css        # CSS styles
├── target/              # Compiled output
├── .env                 # Environment configuration
└── Cargo.toml           # Dependency management
```
### `src/main.rs`

- Configures Warp web server and routes
- Sets up shared application state
- Combines routes:
  - `/` - Initiate OAuth flow
  - `/callback` - OAuth redirect handler
  - Static file serving
- Manages dependency injection

### `src/handlers.rs`

Contains core authentication logic:

- `login_handler`:
  - Generates PKCE challenges
  - Creates authorization URL
  - Manages CSRF states
- `callback_handler`:
  - Validates state parameter
  - Exchanges authorization code for tokens
  - Validates JWT using JWKS
  - Renders user information

### `src/jwks.rs`

- `fetch_jwks`: Retrieves JSON Web Key Set from Google
- Key caching and management
- JWT header validation

### `src/templates/callback.html`

Askama template displaying:

- User's name
- User's email
- Authentication status

### `static/`

- `logo.png`: Application logo
- `style.css`: CSS styles for the application
## Environment Variables

| Variable | Description | Example Value |
|---|---|---|
| `CLIENT_ID` | Google OAuth client ID | `1234567890-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com` |
| `CLIENT_SECRET` | Google OAuth client secret | `ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcd` |
| `JWKS_URI` | Google's JWKS endpoint | `https://www.googleapis.com/oauth2/v3/certs` |
## Authentication Flow

1. User visits `/`
2. Application:
   - Generates PKCE verifier/challenge
   - Creates state token
   - Redirects to Google's authorization endpoint
3. User authenticates with Google
4. Google redirects to `/callback` with code and state
5. Application:
   - Validates state parameter
   - Exchanges code for tokens
   - Validates JWT signature
   - Verifies token claims
   - Displays user information
## Security Features

- PKCE (Proof Key for Code Exchange)
- CSRF protection with state parameter
- JWT signature verification
- Token expiration validation
- Audience validation
- Secure secret management
- HTTPS-only cookie handling
## Dependencies

| Crate | Purpose |
|---|---|
| `warp` | Web server framework |
| `oauth2` | OAuth client implementation |
| `jsonwebtoken` | JWT validation |
| `askama` | HTML templating |
| `dotenv` | Environment variable management |
| `serde` | Serialization/deserialization |
| `reqwest` | HTTP client for JWKS fetching |
## Troubleshooting

Common Issues:

- Missing `.env` file: Copy `.env.example` to `.env`
- Invalid credentials: Verify Google OAuth client config
- Port conflicts: Ensure port 8080 is available
- Certificate issues: Use latest root certificates
- Dependency issues: Run `cargo update`

## License

MIT License - See LICENSE for details
Note: The implementation is not properly tested for vulnerabilities; only use at your own risk, as in with edges, but it should probably be fine. It's also made by a mid Rust programmer, which is me, so I hope it's fine. I will make it public on my GitHub once the deadline has passed.