Auth and Session

Implemented:

  • AuthProvider seam with dev-token and OIDC implementations.
  • AuthContext with actor, role, tenant, allowed tenants, session/token IDs, provider, and expiry metadata.
  • OIDC JWT verification with issuer, audience, expiration, signature, and JWKS cache checks.
  • OIDC accepts only configured asymmetric RS*/PS* algorithms.
  • Role claim mapping must resolve to exactly one OneProtect role.
  • Centralized role helpers for read/write enforcement.
  • /api/v1/session for frontend-visible actor/role/tenant context. For auditors with an active OP-057 access window, the response also includes redaction-safe active_auditor_session metadata used by OP-066n countdown UX; JWT expires_at remains token expiry, not auditor access expiry.
  • Optional local Keycloak profile with realm oneprotect-dev, client oneprotect-console, and tenant/role/actor claim mappers.
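As an added illustration (not the project's own code) of the verification order the bullets above describe: the algorithm allowlist is enforced before any key lookup, then signature, then issuer/audience/expiry, and the role claim must map onto exactly one role. The `tenant_id`, `role` and `preferred_username` claim names come from the local Keycloak mapping on this page; `ALLOWED_ALGS`, `ROLE_MAP`, the issuer/audience strings and the `verify_signature` callback (standing in for the JWKS-backed check) are assumptions for the example.

```python
import base64
import json
import time

# Assumed configuration values (the page names the policy, not the constants).
ALLOWED_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}
ROLE_MAP = {"tenant-admin": "tenant-admin", "operator": "operator", "auditor": "auditor"}

class AuthError(Exception): pass

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, payload: dict, signature: bytes = b"sig") -> str:
    """Build a constructed sample JWT; the signature is a dummy, used only to exercise the checks."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(payload).encode()), enc(signature)])

def resolve_role(claim_roles) -> str:
    """Map upstream role claim values onto exactly one OneProtect role, else reject."""
    if isinstance(claim_roles, str):
        claim_roles = [claim_roles]
    mapped = {ROLE_MAP[r] for r in claim_roles if r in ROLE_MAP}
    if len(mapped) != 1:
        raise AuthError(f"role claim must resolve to exactly one role, got {sorted(mapped)}")
    return mapped.pop()

def verify_oidc_token(token: str, issuer: str, audience: str, verify_signature, now=None) -> dict:
    """verify_signature(kid, alg, signing_input, signature) -> bool stands in for the JWKS-backed check (assumed)."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:
        raise AuthError("malformed token")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # reject HS*, "none" and unconfigured algs before any key lookup
        raise AuthError(f"algorithm not allowed: {alg}")
    if not verify_signature(header.get("kid"), alg, f"{h_b64}.{p_b64}".encode(), _b64url_decode(s_b64)):
        raise AuthError("signature verification failed")
    if payload.get("iss") != issuer:
        raise AuthError("issuer mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("audience mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise AuthError("token expired or missing exp")
    return {"actor": payload.get("preferred_username"), "role": resolve_role(payload.get("role", [])),
            "tenant": payload.get("tenant_id"), "expires_at": payload["exp"]}
```

The returned dict is the AuthContext subset that `/api/v1/session` would expose; `expires_at` is the JWT expiry, matching the note above that it is not the auditor access-window expiry.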

Local/dev:

  • ONEPROTECT_AUTH_MODE=dev-token is allowed only in local/dev/test unless explicitly overridden.
  • Raw header auth is disabled by default and exists only as local/dev compatibility.
  • docker compose --profile auth up -d keycloak imports deploy/keycloak/realm-oneprotect-dev.json.
  • Local Keycloak users are tenant-admin@example.test, operator@example.test, and auditor@example.test; all use placeholder password local-only-password.
  • Local Keycloak tokens map tenant_id, role, and preferred_username into AuthContext.

Planned:

  • Service-account token conventions for automation.
  • Production Keycloak/managed OIDC realm lifecycle and secret handling.
  • OPA-backed ABAC/policy decisions.

Source architecture note: docs/architecture/auth-session-seam.md.