axum-tower-sessions-edge/README.md

# axum-tower-sessions-edge
[![Rust](https://github.com/seemueller-io/axum-tower-sessions-edge/actions/workflows/test.yaml/badge.svg)](https://github.com/seemueller-io/axum-tower-sessions-edge/actions/workflows/test.yaml)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)

Warning: This API may be unstable.

Validates incoming requests for defined routes and forwards traffic to the service defined as `PROXY_TARGET`.

> Targets `wasm32-unknown-unknown`

## Features
- [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) 
- [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636)
- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)

## Quickstart
   ```bash
git clone https://github.com/seemueller-io/axum-tower-sessions-edge.git
cd axum-tower-sessions-edge
bun install
# Create a `.dev.vars` file in the project root with the following variables:
#CLIENT_ID="your-client-id"
#CLIENT_SECRET="your-client-secret"
#AUTH_SERVER_URL="https://your-zitadel-instance-url"
#ZITADEL_ORG_ID="your-organization-id"
#ZITADEL_PROJECT_ID="your-project-id"
#APP_URL="http://localhost:3000"

# Update the wrangler.jsonc and replace the value of PROXY_TARGET with a worker script name. 

npx wrangler dev 
# Open `http://localhost:3000` in your browser. If everything is configured correctly, you should be taken to a Zitadel login page.
```

### Extras

Run your own Zitadel: `docker compose up -d`
> You will need to configure:
> - Organization 
> - Project 
> - Application - _Choose PKCE (with code)_


### Building
Sometimes the error messages are challenging to surface. Here are some alternative build commands that might help.  
```bash
# Default build
npx wrangler build

# Build command as defined in wrangler.jsonc
cargo clean && cargo install -q worker-build && worker-build --release

# Hacky but effective (targets the common runtime)
cargo build --release --target wasm32-unknown-unknown
```

## Acknowledgements

This project is made possible thanks to:

- **Open Source Community**: For the various dependencies and tools that make this project possible.
- [The Rust ecosystem](https://www.rust-lang.org/ecosystem) and its crates
- [ZITADEL](https://zitadel.com/): For providing the robust identity management platform that powers this authentication
  proxy 
- [Smartive](https://github.com/smartive): For [zitadel-rs](https://github.com/smartive/zitadel-rust)
- [Cloudflare](https://github.com/cloudflare): For their [Workers](https://workers.cloudflare.com/) platform and KV storage
  solution
- [Fermyon/Spin](https://www.fermyon.com/spin): [http-auth-middleware](https://github.com/fermyon/http-auth-middleware) (Reference implementation)
- [The Axum web framework](https://github.com/tokio-rs/axum)
- [The Tower middleware ecosystem](https://github.com/tower-rs)
- Various other open-source projects listed in [Cargo.toml](./Cargo.toml)


## License

MIT License

Copyright (c) 2025 Geoff Seemueller

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.