Build an API in Rust with JWT Authentication using actix-web

Learn how to implement a simple REST API with JWT Authentication in Rust using the actix web framework and Diesel.

Brought to you by @abhishek.chanda

Read on

Hey everyone! Once the article is here let us know what you think and contribute to the discussion!

Thanks a lot for the article! Amazing timing too, as I literally yesterday felt like I wanted to start writing this hobby project of mine. I had chosen to use Hyper as a “framework” for my API, a lot of what was written here ended up being easily transferrable.

One thing that got me a little stuck was this bit in the code:

    let domain = std::env::var("DOMAIN").expect("DOMAIN must be set");
    let jwks = fetch_jwks(&format!("{}{}", domain.as_str(), ".well-known/jwks.json"))
        .expect("failed to fetch jwks");

From skimming the article, it felt to me like the DOMAIN variable from .env was supposed to match the audience from the token/identifier URL in my API details on the dashboard.

Firstly, the format! given the example would result in Second, I ended up using what would be the authority/domain in my application from the dashboard ( in place of the DOMAIN, which did result in an authentication success.

Given that I’m pretty much entirely green when it comes to JWT and the concepts of implementing this, I might have reached some faulty conclusion however… I wouldn’t know!

The points of interest in my source code can be found here (Sorry, it’s not amazingly pretty).

Just pinged article author about that!

Hi @kent.daleng thanks for pointing that out. You are right that the given example will not work since the URL is wrongly generated. I tested using an actual tenant but forgot the trailing slash while publishing. Here is what we will change in the blog post:

  2. Put a trailing slash in the .env file
  3. Clarify that the trailing slash is required in this case

Thanks a lot for the headsup @abhishek.chanda!

1 Like


Just some nits while reading the blog post:

Thanks for the awesome work!

1 Like

Welcome to our Auth0 Community, Vincent!

Thank you for reading the post and for your feedback :slight_smile: I fixed the 404, the repo was not public yet :pray:

I am rusty in Rust :smile_cat: So, I’ll let @abhishek.chanda drive the other question :sweat_smile:

Thanks for your answer, but the repo is still private :wink:


1 Like

Ah, yes! The one that I opened is different. Let me double-check with the author and I’ll get back to you on that one :slight_smile:

Thanks for reporting that @Bordelons!

I’m sure @abhishek.chanda (the article author) will look at that once he’s online.

Howdy, the repo should be public now :slight_smile:

Btw, we are looking to push an update that uses SQLite instead of PostegreSQL for easier setup. What do you think about this change? :slight_smile:

Hello, Manuel. Thanks for reading and welcome to our Community. Are you providing us insight on your use case or would you like guidance on how to achieve that integration of a frontend Single Page App with a Rust Actix API?

Hi Thank you for the very helpful tutorial !

While playing with the code I encountered to the following problem.

As mentioned in, aud claims can contain array of strings. And Auth0 sometimes returns such JWT but the validation function of alcoholic_jwt does not take into account about that.

Since the gihub repo was moved to the author’s personal server, I could not find a way to raise an issue there.

I am rather newbie and not sure if I could find a workaround by myself. Anyway I am going to look into a fix, or rewrite with jsonwebtoken

Great article, very nice!

I did find 1 nitpick (not 100% sure though). But in the handlers you are mapping the errors like this:

.map_err(|_| HttpResponse::InternalServerError())

But should it not be:

.map_err(|_| ServiceError::InternalServerError)

Both will definitely work but since you took the effort of defining a custom error handler, it might be nice to use it in the handlers as well.

Thanks for writing the article.

Tagging article author for visibility - @abhishek.chanda

If you left out the date_created would you be able to get a post done with only two structs instead of three? (User, NewUser, and InputUser)

Or is there something in diesel that is preventing a struct from being insertable, queryable, derserialize, and serialize?

Thanks for asking the question @twiclo! cc: @abhishek.chanda

Hi @twiclo you are right there. There is no inherent problem for a struct being insertable, queryable, serialize, and deserialize. This is more of a design choice to track the creation date. This often comes up as an auditing requirement, so it makes sense to include it right from the start.

Hi @abhishek.chanda - Thanks for this neat article. One question though - how can i extract the claims from the token in the handler function?