feat(dir): multiprovider OIDC-based external authorization module#1034

Status: Open
tkircsi wants to merge 8 commits into main from feat/oidc-auth

Conversation

@tkircsi tkircsi commented Mar 10, 2026

Summary

Adds an OIDC-based ext-authz service with Casbin RBAC and an Envoy integration test setup.

Features

  • OIDC ext-authz: gRPC service that validates JWT payloads, applies Casbin policies, and enforces deny lists
  • Multiple issuers: Zitadel and GitHub OIDC via Envoy jwt_authn
  • Header handling: Strip x-jwt-payload on JWT routes, strip Authorization before backend
  • Dev path: /api/test accepts x-jwt-payload for testing without real JWTs

Changes

  • New auth/authzserver/ module (config, rbac, payload, oidc_server)
  • Integration test setup: docker-compose, mock-directory, Envoy config
  • Envoy config fixes for v1.31 compatibility
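The decision path the PR description sketches (read the x-jwt-payload header that Envoy's jwt_authn forwards, reject untrusted issuers and deny-listed subjects, then consult role-based policy and strip the credential headers before the backend sees them) is condensed below into a single stdlib-only Go function. This is an added illustration, not code from the PR or the auth/authzserver module; the Policy and Rule types stand in for the Casbin model, the issuer URLs, subjects and roles are constructed sample data, and the gRPC ext-authz wrapping is omitted so the logic runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is the subset of the JWT payload the check inspects.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
}

// Rule grants one HTTP method on one path prefix.
type Rule struct{ Method, PathPrefix string }

// Policy stands in for the Casbin RBAC model plus the deny list (constructed for this example).
type Policy struct {
	TrustedIssuers map[string]bool     // issuers Envoy jwt_authn validates signatures for
	Roles          map[string][]string // subject -> roles
	Grants         map[string][]Rule   // role -> allowed rules
	DenyList       map[string]bool     // subjects rejected before any role lookup
}

// Decision is what a Check RPC would map onto an OK or Denied response.
type Decision struct {
	Allowed      bool
	Reason       string
	StripHeaders []string // headers removed before the request reaches the backend
}

// decodePayload reads the x-jwt-payload header. jwt_authn's forward_payload_header
// emits the claims base64url-encoded without padding; the dev route may carry raw JSON,
// which is why the fallback exists. The dev route is only safe because no signature was
// ever expected there; on JWT routes Envoy must strip any client-supplied copy first.
func decodePayload(v string) (Claims, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(v, "="))
	if err != nil {
		raw = []byte(v)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, fmt.Errorf("x-jwt-payload is neither base64url nor JSON: %w", err)
	}
	if c.Issuer == "" || c.Subject == "" {
		return Claims{}, fmt.Errorf("payload lacks iss or sub")
	}
	return c, nil
}

// Check is the authorization decision for one request. Header names are lower-cased,
// as Envoy presents them.
func (p Policy) Check(method, path string, headers map[string]string) Decision {
	v, ok := headers["x-jwt-payload"]
	if !ok || v == "" {
		return Decision{Reason: "missing x-jwt-payload"}
	}
	c, err := decodePayload(v)
	if err != nil {
		return Decision{Reason: err.Error()}
	}
	if !p.TrustedIssuers[c.Issuer] {
		return Decision{Reason: "untrusted issuer " + c.Issuer}
	}
	// The deny list wins over any role: a blocked subject never reaches RBAC.
	if p.DenyList[c.Subject] {
		return Decision{Reason: "subject " + c.Subject + " is deny-listed"}
	}
	for _, role := range p.Roles[c.Subject] {
		for _, r := range p.Grants[role] {
			if r.Method == method && strings.HasPrefix(path, r.PathPrefix) {
				return Decision{
					Allowed:      true,
					Reason:       "role " + role + " grants " + method + " " + r.PathPrefix,
					StripHeaders: []string{"authorization", "x-jwt-payload"},
				}
			}
		}
	}
	return Decision{Reason: "no role of " + c.Subject + " grants " + method + " " + path}
}

// examplePolicy is constructed sample data, not the project's configuration.
func examplePolicy() Policy {
	return Policy{
		TrustedIssuers: map[string]bool{"https://issuer-a.example": true, "https://issuer-b.example": true},
		Roles:          map[string][]string{"alice": {"reader"}, "mallory": {"reader"}, "ci": {"publisher"}},
		Grants: map[string][]Rule{
			"reader":    {{"GET", "/api/"}},
			"publisher": {{"GET", "/api/"}, {"POST", "/api/records"}},
		},
		DenyList: map[string]bool{"mallory": true},
	}
}

func main() {
	p := examplePolicy()
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://issuer-a.example","sub":"alice"}`))
	d := p.Check("GET", "/api/records", map[string]string{"x-jwt-payload": payload, "authorization": "Bearer <jwt>"})
	fmt.Printf("allowed=%v reason=%q strip=%v\n", d.Allowed, d.Reason, d.StripHeaders)
}
```

The ordering matters: issuer and deny-list checks run before any role lookup, so a deny-listed subject is refused even when a role would otherwise grant the request, and StripHeaders is only populated on the allow path because a denied request never reaches the backend.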

@github-actions github-actions bot added the size/XL Denotes a PR that changes 2000+ lines label Mar 10, 2026
github-actions bot commented Mar 10, 2026

The latest Buf updates on your PR. Results from workflow Buf CI / verify-proto (pull_request).

Build      Format      Lint        Breaking   Updated (UTC)
✅ passed  ⏩ skipped  ⏩ skipped  ✅ passed  Mar 20, 2026, 5:20 PM

codecov bot commented Mar 11, 2026

@tkircsi tkircsi marked this pull request as ready for review March 11, 2026 17:39
@tkircsi tkircsi requested a review from a team as a code owner March 11, 2026 17:39
@ramizpolic (Member) left a comment

LGTM w/ nits

@tkircsi tkircsi force-pushed the feat/oidc-auth branch 2 times, most recently from d283e0d to 17a51d8 Compare March 19, 2026 13:53
tkircsi added 2 commits March 19, 2026 15:41
Signed-off-by: Tibor Kircsi <tkircsi@cisco.com>
Signed-off-by: Tibor Kircsi <tkircsi@cisco.com>