Technology
A modular Rust workspace with purpose-built crates for authentication, distributed state, and system-native cryptography.
Server Architecture
A modern async Rust server built on Axum, Tokio, and SQLx with native TLS.
Axum 0.8 + Tokio
Fully asynchronous HTTP server built on Axum with Tower middleware for compression, tracing, and rate limiting. HTTP/1.1 and HTTP/2 via Hyper.
Multi-Database Backends
SQLx 0.8 with runtime-dispatch support for SQLite (zero-config), PostgreSQL, and MariaDB. Compile-time checked queries with per-engine migration sets.
Rustls + System OpenSSL
TLS via Rustls 0.23 backed by native-ossl — no vendored cryptography. Leverages your distribution's OpenSSL security updates and FIPS-validated modules.
Stateless Token Architecture
Self-contained JWTs with no per-token server-side storage. Authorization codes and refresh tokens are AES-256-GCM encrypted with AEAD.
Systemd Socket Activation
Listenfd support for systemd socket activation. Zero-downtime restarts and privilege separation out of the box.
TOML Configuration
Comprehensive, well-documented configuration file with sensible defaults covering server, database, TLS, auth, gossip, SPIFFE, and HBAC.
Authentication Stack
Multiple authentication backends — Kerberos SSO, passkeys, federation, LDAP, and PAM.
Kerberos / SPNEGO
Server-side GSSAPI accept context via MIT Kerberos FFI. gssproxy delegation, S4U2Self support, and per-thread ccache management for concurrent requests.
WebAuthn / Passkeys
W3C WebAuthn Level 2 with COSE key types EC2/P-256, OKP/Ed25519, and RSA. Credentials merged from FreeIPA LDAP ipapasskey attributes and the local database.
Upstream IdP Federation
OIDC Discovery and static endpoint overrides for plain OAuth2 providers. SSRF protection, assertion validation, and encrypted upstream token storage in CRDT state.
FreeIPA LDAP
Async LDAP client (ahdapa-ldap) wrapping the OpenLDAP C library via Tokio spawn_blocking. Simple bind and GSSAPI SASL authentication with zeroize-on-drop.
PAM & systemd UserDB
Optional PAM authentication backend (ahdapa-pam) and systemd io.systemd.UserDatabase Varlink client (ahdapa-varlink) for local identity sources.
DPoP & Mutual-TLS
RFC 9449 proof-of-possession with JWS signature verification and RFC 8705 certificate-bound access tokens. Both cnf.jkt and cnf.x5t#S256 in the same token.
CRDT Gossip Replication
Built-in distributed state management with no external coordinator — every node is equal.
OR-Map & LWW-Register
Signing keys and client registry use Observed-Remove Maps with tombstone-based deletion. Active signing key and wrapping key tracked by Last-Write-Wins Registers.
Op-Based HBAC CRDT
The hbac-crdt crate implements FreeIPA-compatible access control rules as an op-based CRDT with vector clock causality and operation tagging.
CMS Gossip Encryption
Inter-node gossip wrapped in CMS SignedData(EnvelopedData) — ECDSA P-256 sender authentication with ML-KEM-768 per-recipient encryption and AES-256-GCM content encryption.
Delta Sync
Nodes track each other's generation counters for sparse delta synchronization. Full-state fallback for new or divergent nodes.
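The two mechanisms above, an Observed-Remove Map with tombstones plus a Last-Write-Wins register for the active key, and generation-counter delta sync with full-state fallback, fit together as follows. This is an added illustration written for this page, not code from the Ahdapa crates: it uses std only, a plain `u64` timestamp instead of a real clock, a per-peer `seen` map in place of the project's gossip protocol, and a `compact()` step (assumed, to show when a delta is no longer available) that forces a lagging peer onto the full-state path.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Unique tag for one add: (originating node, per-node counter).
pub type Tag = (String, u64);

/// Last-Write-Wins register: the higher (timestamp, node id) pair wins on merge;
/// the node id is only a deterministic tie-breaker.
#[derive(Clone, Debug, PartialEq)]
pub struct LwwRegister { pub value: String, pub ts: u64, pub node: String }

impl LwwRegister {
    pub fn merge(&mut self, other: &LwwRegister) {
        if (other.ts, &other.node) > (self.ts, &self.node) { *self = other.clone(); }
    }
}

/// Replicated operations. A Remove carries the tags it observed, so an add the
/// remover never saw survives the merge (add-wins semantics).
#[derive(Clone, Debug, PartialEq)]
pub enum Op {
    Add { key: String, tag: Tag, value: String },
    Remove { key: String, tags: Vec<Tag> },
    SetActive(LwwRegister),
}

/// One node's replicated state: OR-Map entries, tombstones, and the LWW register.
#[derive(Clone, Debug, Default, PartialEq)]
pub struct State {
    entries: BTreeMap<String, BTreeMap<Tag, String>>,
    tombstones: BTreeSet<Tag>,
    pub active: Option<LwwRegister>,
}

impl State {
    /// Ops are idempotent, so replaying a delta twice is harmless.
    pub fn apply(&mut self, op: &Op) {
        match op {
            Op::Add { key, tag, value } if !self.tombstones.contains(tag) => {
                self.entries.entry(key.clone()).or_default().insert(tag.clone(), value.clone());
            }
            Op::Add { .. } => {} // already tombstoned: the remove was causally later
            Op::Remove { key, tags } => {
                self.tombstones.extend(tags.iter().cloned());
                self.prune(key);
            }
            Op::SetActive(reg) => match self.active.take() {
                Some(mut cur) => { cur.merge(reg); self.active = Some(cur); }
                None => self.active = Some(reg.clone()),
            },
        }
    }
    /// State-based merge, used for the full-state fallback.
    pub fn merge(&mut self, other: &State) {
        self.tombstones.extend(other.tombstones.iter().cloned());
        for (k, vals) in &other.entries {
            self.entries.entry(k.clone()).or_default().extend(vals.clone());
        }
        let keys: Vec<String> = self.entries.keys().cloned().collect();
        for k in keys { self.prune(&k); }
        if let Some(reg) = &other.active { self.apply(&Op::SetActive(reg.clone())); }
    }
    fn prune(&mut self, key: &str) {
        let dead = &self.tombstones;
        let empty = match self.entries.get_mut(key) {
            Some(vals) => { vals.retain(|t, _| !dead.contains(t)); vals.is_empty() }
            None => false,
        };
        if empty { self.entries.remove(key); }
    }
    pub fn get(&self, key: &str) -> Vec<String> {
        self.entries.get(key).map(|v| v.values().cloned().collect()).unwrap_or_default()
    }
}

/// A cluster node: state, a generation-numbered op log for sparse deltas, and
/// the generation last seen from each peer.
pub struct Node {
    pub id: String,
    counter: u64,
    pub generation: u64,
    oldest_retained: u64,
    log: BTreeMap<u64, Op>,
    pub state: State,
    pub seen: BTreeMap<String, u64>,
}

impl Node {
    pub fn new(id: &str) -> Node {
        Node { id: id.into(), counter: 0, generation: 0, oldest_retained: 1,
               log: BTreeMap::new(), state: State::default(), seen: BTreeMap::new() }
    }
    fn record(&mut self, op: Op) {
        self.generation += 1;
        self.state.apply(&op);
        self.log.insert(self.generation, op);
    }
    pub fn add(&mut self, key: &str, value: &str) {
        self.counter += 1;
        let tag = (self.id.clone(), self.counter);
        self.record(Op::Add { key: key.into(), tag, value: value.into() });
    }
    pub fn remove(&mut self, key: &str) {
        let tags: Vec<Tag> = self.state.entries.get(key)
            .map(|v| v.keys().cloned().collect()).unwrap_or_default();
        self.record(Op::Remove { key: key.into(), tags });
    }
    pub fn set_active(&mut self, kid: &str, ts: u64) {
        self.record(Op::SetActive(LwwRegister { value: kid.into(), ts, node: self.id.clone() }));
    }
    /// Assumed helper: drop log entries up to and including `through`.
    pub fn compact(&mut self, through: u64) {
        self.log = self.log.split_off(&(through + 1));
        self.oldest_retained = through + 1;
    }
    /// Sparse delta for a peer that has seen `seen`; None once the gap is compacted away.
    pub fn delta_since(&self, seen: u64) -> Option<Vec<Op>> {
        if seen + 1 < self.oldest_retained { return None; }
        Some(self.log.range(seen + 1..).map(|(_, op)| op.clone()).collect())
    }
    /// Pull from `peer`; returns true when the delta path was used.
    pub fn sync_from(&mut self, peer: &Node) -> bool {
        let seen = self.seen.get(&peer.id).copied().unwrap_or(0);
        let used_delta = match peer.delta_since(seen) {
            Some(ops) => { for op in &ops { self.state.apply(op); } true }
            None => { self.state.merge(&peer.state); false }
        };
        self.seen.insert(peer.id.clone(), peer.generation);
        used_delta
    }
}
```

The add-wins behaviour is what makes the concurrent "node A revokes client X while node B re-registers it" case converge without coordination: A's remove tombstones only the tag it observed, so B's fresh tag survives on both sides. A new or divergent node whose `seen` generation predates the retained log gets the whole `State` merged instead of a delta, which is the fallback the page describes.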
Distributed Revocation
JTI blocklist and session revocations propagated to all cluster nodes via gossip. Dashmap concurrent hash maps for JTI replay prevention.
Cluster State
Signing keys, client registry, scope definitions, HBAC rules, SPIFFE bundles, upstream tokens, and revocation lists — all converge automatically across nodes.
JOSE / JWT Engine
Post-quantum ready token signing with automatic key rotation and JWKS publishing.
Classical Algorithms
RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, and EdDSA for token signing and client authentication.
Post-Quantum Signing
ML-DSA-44, ML-DSA-65, and ML-DSA-87 (FIPS 204) via native-ossl. Key generation and signing use the system OpenSSL's ML-DSA provider.
Automatic Key Rotation
Changing the signing algorithm triggers key rotation on next startup. Old public keys retained in JWKS for backward verification of in-flight tokens.
ACME Authority Tokens
RFC 9118 EnhancedJWTClaimConstraints DER encoding for ACME tkauth-01 challenge tokens. Kerberos principal binding with mustInclude and permittedValues.
SPIFFE Integration
Trust domain authority with Workload API, X.509-SVIDs, JWT-SVIDs, and federation.
Workload API (gRPC)
Tonic-based Unix domain socket gRPC server. Issues X.509-SVIDs and JWT-SVIDs to local workloads authenticated via SO_PEERCRED and /proc/<pid>/exe.
Trust Domain Authority
ECDSA P-256 CA keypair for SVID issuance. Trust bundle published at /.well-known/spiffe-bundle and replicated across nodes via gossip.
SPIFFE-to-OAuth2 Bridge
Workloads presenting X.509-SVIDs via mTLS are recognized as OAuth2 clients, bridging service mesh identity to the token ecosystem.
Federation
SPIFFE federation relationships with periodic foreign trust bundle fetching. Cached bundles gossiped so any node can validate federated SVIDs.
Admin WebUI
Modern enterprise admin panel built with React 19, PatternFly 6, and TypeScript 5.
React 19 + TypeScript 5
Latest React with full type safety. Client-side routing via React Router 7 for seamless single-page navigation.
PatternFly 6
Red Hat's open source enterprise UI component library. Consistent, accessible design patterns for forms, tables, navigation, and modals.
Vite 6 Build
Lightning-fast development server and optimized production builds with PostCSS and PurgeCSS for minimal CSS output.
Self-Service Profile
Authenticated users can view and edit their IPA attributes — name, contact, SSH keys, certificates, and password — with runtime editability from IPA attributelevelrights.
Workspace Crates
A modular Rust workspace where each crate has a clear responsibility.
| Crate | Purpose |
|---|---|
| ahdapa | Main OAuth2/OIDC server — Axum routes, token issuance, challenge validation |
| ahdapa-jose | JWK/JWS/JWT primitives with ML-DSA post-quantum support |
| ahdapa-gssapi | Kerberos/SPNEGO FFI bindings for server-side accept context |
| ahdapa-ldap | Async LDAP client wrapping OpenLDAP for FreeIPA user and group lookup |
| ahdapa-cms | CMS SignedData/EnvelopedData for ML-KEM-768 gossip encryption |
| ahdapa-spiffe | SPIFFE/SPIRE identity — SVIDs, trust bundles, Workload API |
| ahdapa-spiffe-proxy | SPIFFE Workload API proxy for non-Ahdapa hosts |
| ahdapa-common | Shared utilities — SecretBuffer, certificate helpers, TLS config |
| ahdapa-pam | Optional PAM authentication backend via libpam FFI |
| ahdapa-varlink | Optional systemd io.systemd.UserDatabase Varlink client |
| hbac-crdt | Op-based CRDT for FreeIPA-compatible HBAC access control rules |
| ahdapactl | Admin CLI for cluster management, client registration, and HBAC |
Shared Libraries
Ahdapa builds on two purpose-built libraries shared with the Akāmu ACME server.
Synta
High-performance ASN.1 codec, X.509 certificate parsing and building, RFC 5280 path validation, and post-quantum ML-DSA signature formats. Used by Ahdapa for mTLS certificate validation, SPIFFE SVID issuance, and CMS gossip encryption.
synta on Codeberg →
native-ossl
Safe, idiomatic Rust access to system-installed OpenSSL. Provides JWT signing, AEAD encryption, KEM operations, and TLS — no vendored code. Leverages your distribution's FIPS-validated modules and security updates.
native-ossl on Codeberg →