Add verified issuer token and JWKS boundary#107
Conversation
…verified-issuer-token # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/WORK_QUEUE.md
…verified-issuer-token # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/WORK_QUEUE.md
…verified-issuer-token # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/REVIEW_LOG.md # .agent-loop/WORK_QUEUE.md # .agent-loop/initiatives/WS-AUTH-001-workstream-authorization-service/STATUS.md # backend/pyproject.toml # backend/tests/test_config.py
…verified-issuer-token # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/WORK_QUEUE.md
…verified-issuer-token # Conflicts: # .agent-loop/LOOP_STATE.md # .agent-loop/WORK_QUEUE.md
|
Warning Review limit reached
Next review available in: 58 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (27)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
PR Trust Bundle: WS-AUTH-001-02
Chunk
WS-AUTH-001-02- Verified Issuer Token And JWKS BoundaryGoal
Authenticate externally issued Flow tokens through a pinned, bounded,
fail-closed JWT/JWKS/introspection boundary without granting Workstream product
authority from issuer role claims.
Human-Approved Intent
The user explicitly started AUTH-02, approved D12's exact production
dependencies, and later explicitly resumed this work in its separate worktree.
This AUTH branch activates only AUTH-02; it does not activate later AUTH,
policy, coverage, review, or contribution chunks. Separately authorized
coverage work remains independently owned in its own worktree.
What Changed And Why
This establishes trustworthy authentication before Workstream-owned actor,
grant, permission, and resource-guard chunks begin.
Design Chosen
One application-retained verifier receives trusted issuer/audience/algorithm
configuration. It parses bounded token segments, resolves only eligible keys
from a bounded JWKS response, verifies all mandatory claims, enforces
subject-kind-specific coarse scope, optionally requires exact-identity
introspection, and returns one immutable result. JWKS and introspection use
distinct injectable per-operation clients and never share bearer credentials.
Alternatives Rejected
response bounds, cache, and transport injection.
outside Workstream grants and revocation.
Scope Control
The diff is limited to approved AUTH-02 runtime/config/schema/test/runbook/API
drill files and durable loop memory. Contract amendments explicitly allow the
production app-factory boundary, three null identity-metadata expectations, and
the canonical auth-spec correction. No migration, grant, permission service,
product authorization cutover, review, contribution, payment, or frontend work
is included.
Product Behavior
routes.
VerifiedIssuerTokenor become product authority./api/v1/auth/meno longer copies issuer email ordisplay name; those response fields remain null.
Acceptance Criteria Proof
Tests cover malformed/oversized tokens, pinned algorithms, remote-key header
rejection, mandatory claims, temporal skew, subject kinds/scopes, JWKS key
eligibility/rotation/outage/cooldowns/single-flight/negative cache,
introspection success/mismatch/missing fields/redirect/timeout/oversize,
credential redaction, client separation/closure, bounded metrics, production
startup, dev-fixture exclusion, compatibility allowlists, and API behavior.
Tests And Checks
three additional changed actor/task test nodes.
pip checkpassed.docstring coverage, and
git diff --checkpassed.Test Delta
No tests were removed, skipped, xfailed, or weakened. Null identity-metadata
expectations changed across five test functions: two are in the complete
auth/config run and three are the additional actor/task nodes. The exact
changed-test delta passes independently. New tests exercise previously
uncovered security branches rather than mirroring implementation internals.
CI Integrity
No workflow, threshold, runner, ignore, or failure-bypass change is included.
The only dependency change matches human-approved D12 and installs cleanly.
Reviewer Results
All required tracks pass on reviewed code SHA
47dd5a77c588d1b2b4e7f00489faf4c633f26aa2: senior engineering, QA/test,security/auth, product/ops, architecture, docs, CI integrity, reuse/dedup, and
test delta. First-cycle findings were repaired and independently re-reviewed.
External Review
Not yet published. GitHub checks, CodeRabbit, and human review begin after this
evidence-bound branch is pushed and the ready PR is opened.
Remaining Risks
and later live-proof inputs.
from production app-bound issuer pinning.
Follow-Up Work
AUTH-03 and all later AUTH chunks remain inactive until this PR is externally
reviewed, explicitly merged by the user, and post-merge memory is completed.
Human Review Focus
Inspect algorithm/issuer pinning, JWKS outage and rotation behavior,
introspection credential isolation, application verifier ownership, subject
kind/scope handling, absence of token-role authority, and the approved
dependency move.
Human Merge Ownership
Only the user may approve and merge this PR. Publication is not merge approval.