docs: auth use-case matrix + cross-service asymmetric auth design (closes #41) #43
Merged
…(no bespoke IDP) Determination: #41 already supported by engine auth.m2m (ES256+JWKS+trusted-keys) + workflow-plugin-sso (step.sso_validate_token/refresh/exchange) + the AuthProviderDescriptor provider pattern. Deliver a workflow-scenarios demo (App A issues ES256 / App B verifies cross-service; external-IDP OIDC leg) + a use-case->combination matrix doc, then close #41. Zero bespoke auth code. Cites ADR-0002. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cycle-1 wrongly claimed auth.m2m trustedKeys+step.auth_validate verifies cross-service (Authenticate uses only own key; sso.oidc needs discovery). Real gap = jwksUri-only verify mode in sso.oidc (NewRemoteKeySet) → App B verifies App A's ES256 token from App A's /oauth/jwks. Fixes client_credentials-secret terminology, refresh scope, aud validation, drops scenario-84 false precedent. ADR-0003 records the sso-jwksUri choice over auth.m2m-multikey / bespoke IDP. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
adversarial-design-review --phase=design: PASS (0C/0I; 3 mechanical Minors folded:
App-A client claims:{aud:app-b}; issuer string exact-match; wrong-issuer assertion).
PR1 sso.oidc jwksUri verify mode (+test+v0.1.7); PR2 workflow-scenarios scenario 102 (App A auth.m2m ES256 issuer + App B sso jwksUri verifier; cross-service accept + wrong-key/aud/issuer/expired reject; verification-console + Playwright + playwright-cli QA); PR3 workflow-plugin-auth use-case->combination matrix + close #41. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
F2 App-A mounts auth.m2m via workflows.http.routes handler: appissuer (scenario-20 pattern; M2MAuthModule is HTTPHandler not http.Handler — no step.delegate); grounded auth.m2m config keys (algorithm/issuer/clients[].claims.aud). F1 unit test proves jwksUri mechanism via existing RS256 mock (alg-agnostic); ES256 proven in scenario 102. F3 deterministic negative tokens via test/mint-token Go helper. F5 App-B /proxy/token pipeline for same-origin browser fetch. F4 registry notify check. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…+ F5 token path F1 (runtime trap): go-oidc NewVerifier defaults to RS256-ONLY when SupportedSigningAlgs unset (verify.go:317) → would reject auth.m2m ES256 tokens while RS256 unit test passes. Fix: ProviderConfig.SigningAlgorithms + SupportedSigningAlgs default [ES256,RS256] in jwksUri branch; app-b provider signingAlgorithms:[ES256]. F5: /proxy/token form-encoding caveat + fallback to out-of-band token fill for the verification console. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…reuse) Documents which combination covers each auth use case: same-app HS256 session; first-run admin bootstrap; passkey/passwordless; app-to-app M2M asymmetric ES256 (auth.m2m issuer + sso.oidc jwksUri verifier, no shared secret — #41); external-IDP human OIDC login; enterprise SSO/SCIM (provider pattern); credential mgmt. T-AUTH-16 marks #41 closed-by-reuse (no bespoke IDP). Refs ADR-0002/0003. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Adds documentation and decision records showing how to satisfy auth#41 (cross-service asymmetric ES256 JWT verification) by composing existing engine + provider components, and documents the covered auth use-case combinations for this plugin.
Changes:
- Documented an “Auth Use Cases & Combinations” matrix in the README and referenced it from SPEC task tracking.
- Added an implementation plan + design doc for cross-service asymmetric auth via `auth.m2m` (issuer/JWKS) + `sso.oidc` `jwksUri` verification mode.
- Added ADR/decision 0003 formalizing the “verify via sso jwksUri” approach.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| SPEC.md | Adds T-AUTH-16 closure-by-reuse entry and reference links for the new docs/design/ADR. |
| README.md | Adds a use-case → step/module composition matrix and a note on cross-service asymmetric verification. |
| docs/plans/2026-06-02-cross-service-asymmetric-auth.md.scope-lock | Adds scope-lock hash for the new plan document. |
| docs/plans/2026-06-02-cross-service-asymmetric-auth.md | New implementation plan describing the cross-service asymmetric auth path across repos. |
| docs/plans/2026-06-02-cross-service-asymmetric-auth-design.md | New design doc capturing the reuse-based approach and the identified gap. |
| decisions/0003-cross-service-verify-via-sso-jwks-uri.md | New ADR recording the decision to add jwksUri verify-only mode to sso.oidc. |
| .claude/autodev-state/in-progress.jsonl | Updates autodev run-state log entries. |
Closes #41 (Phase II IDP) by reuse + documentation, not a bespoke IDP.
Determination
Cross-service asymmetric (ES256) JWT auth, refresh, validation, external IDPs, and the provider pattern are already supported by composing existing components:
- `auth.m2m` = ES256 issuer + `/oauth/jwks` + trusted-keys
- `workflow-plugin-sso` = `step.sso_validate_token` / `_refresh_token` / `_token_exchange`; v0.1.8 adds a `jwksUri` verify-only mode (the one genuine gap: verify a token from a published JWKS with no shared secret / no OIDC discovery; ADR-0003)
- `AuthProviderDescriptor` + okta/auth0/entra/ory-*/scalekit plugins
This PR
- `docs/plans/2026-06-02-cross-service-asymmetric-auth-design.md` (rev 2, 2 adversarial cycles) + ADR-0003 (verify-via-sso-jwksUri over auth.m2m-multikey / bespoke IDP).
Demonstrated
- workflow-scenarios scenario 102 (PR #68): App A `auth.m2m` ES256 issuer ↔ App B `sso.oidc` `jwksUri` verifier across two processes — curl smoke 12/12 (accept + wrong-key/aud/issuer/expired reject) + Playwright 8/8 + playwright-cli QA.
PR 3 of 3 (auth#41). No bespoke IDP; no new auth runtime in this plugin.
🤖 Generated with Claude Code