A high-performance authentication and authorization gateway built in Rust. AuthGuard acts as a reverse proxy that validates JWT tokens from Keycloak and enforces access control based on user groups, now integrated with Nginx for production-ready routing.
- 🔐 JWT Validation: Validates tokens from Keycloak using JWKS via Axum/Hyper.
- 🛡️ Group-Based Auth: Restricts access based on Keycloak hierarchy (e.g.,
/TI/Infraestrutura). - ⚡ High Performance: Built with Rust, Axum, and Redis for low-latency checks.
- 📊 Rate Limiting: Per-IP rate limiting handled by Nginx (100 req/s for API, 30 req/s for validation).
- 📈 Observability: Prometheus metrics endpoint for monitoring.
- 🔄 Google IDP: Out-of-the-box support for Google Login with
kc_idp_hint.
git clone git@github.com:Steph7478/AuthGuard.git
cd authguarddocker-compose --profile (dev/prod/local) up -d./test_auth.shAuthGuard provides clean, user-friendly login endpoints:
| Endpoint | Description |
|---|---|
/login |
Standard Keycloak login |
/login/google |
Direct login with Google (skips Keycloak selection screen) |
Note: Ensure
http://localhost/callbackis added to Valid Redirect URIs in your Keycloak Client settings.
| Endpoint | Method | Security Policy |
|---|---|---|
/auth/* |
ANY | Handled by Nginx -> Proxy to Keycloak |
/admin |
ANY | Requires /TI/Infraestrutura group |
/metrics |
GET | Public (Prometheus Format) |
/* |
ANY | Valid JWT required -> Proxy to Target Service |
AuthGuard sits behind an Nginx instance. When a request hits http://localhost:
- Nginx routes
/auth/*directly to Keycloak. - Nginx routes all other calls to AuthGuard (Rust).
- AuthGuard validates the
Authorizationheader using Keycloak's JWKS. - If the token is valid and the group is authorized (extracted from the
groupsclaim), the request proceeds to the Target Service.
| Location | Purpose |
|---|---|
/login |
Redirects to Keycloak login page |
/login/google |
Redirects to Keycloak with Google IDP hint |
/callback |
OAuth2 callback handled by AuthGuard |
/validate |
Token validation endpoint |
/metrics |
Prometheus metrics endpoint |
/health |
Health check endpoint |
/auth/* |
Proxies directly to Keycloak |
/_validate |
Internal auth request endpoint with rate limiting |
/api/* |
Protected API endpoints with auth validation and rate limiting |
- API endpoints: 100 requests/second with burst of 20
- Validate endpoint: 30 requests/second with burst of 10
All rate limits are applied per IP address using Nginx's limit_req module.