feat(auth): add JWT Bearer token authentication support #74
Codecov Report: ✅ All modified and coverable lines are covered by tests.
31d1397 to 7d84586
```python
if jwt_user:
    set_sentry_user(jwt_user, role_claim=auth_settings.role_claim)
    return jwt_user
logger.debug("Bearer token present but JWT validation failed; falling back to cookie")
```
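Review bot: the fallback log on the last line records that validation failed but not why, and the failure reason is the one piece of context available on this path without decoding the user. If the caller has the exception from the JWT check (expired, wrong audience, bad signature, malformed), include it in the message, e.g. `logger.debug("Bearer token rejected (%s); falling back to cookie", reason)`, so that an expired token and a forged one are distinguishable when someone later reviews these events.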
I am unsure about this logging - debug will likely not be visible in production anyway, but we don't have any context for this log - how would this be useful if we cannot associate this situation with a particular user or service? Should we either remove this line, or add some context to it?
Not the best. But here we cannot get much more information, since we cannot decode the user from the token.
I updated some other log entries though, to enrich the logs with additional info.
Information about the service, request etc. can be added by the consumer API services using middleware. I would push back that this is a concern of the auth module in foundry core.
Could we add the trace id automatically perhaps?
Let's include this in a middleware and automatically add it to the routers we use here.
But I think it's out of scope for this change.
@melifaro fyi - since you looked into porting the telemetry package. This could align well with the OTEL instrumentation. And I need to take a step back on how to disentangle this from the existing code and its sentry integration.
8cddf2d to 0b46839
Extends api.auth to accept Auth0 JWT Bearer tokens alongside existing cookie-based sessions. Bearer auth is opt-in via AUTH_JWT_ENABLED and AUTH_JWT_AUDIENCE; each require_* dependency tries Bearer first, then falls back to cookie. Adds JWKS fetching with per-domain TTL cache.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
0b46839 to d55ddd3
Summary

- Extends `api.auth` to accept Auth0 JWT Bearer tokens alongside existing cookie-based sessions
- Bearer auth is opt-in via `AUTH_JWT_ENABLED=true` and `AUTH_JWT_AUDIENCE=<audience>`; each `require_*` dependency tries Bearer first, then falls back to cookie
- Adds JWKS fetching with per-domain TTL cache (`AUTH0_JWKS_CACHE_TTL = 3600s`)
- `AuthSettings` fields: `cookie_enabled` (primary name, replaces deprecated `enabled`), `jwt_enabled`, `jwt_audience`
- `HTTPBearer` security schemes for all four OpenAPI dependency variants
- `PyJWT[cryptography]>=2.10,<3`, `httpx>=0.28,<1`

Test plan

- `mise run lint` passes (ruff + pyright)
- `mise run test_unit` passes (all existing + new `AuthSettings` and `_validate_jwt` unit tests)
- `mise run test_integration` passes
- `AUTH_JWT_ENABLED=false` (default): Bearer tokens are ignored, cookie path unchanged
- `AUTH_JWT_ENABLED=true` with valid Bearer token: JWT validated, cookie path skipped
- `AUTH_JWT_ENABLED=true` with invalid/expired Bearer token: falls back to cookie

🤖 Generated with Claude Code
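The Bearer-first, cookie-fallback flow from the summary and test plan, as an added example that is not the PR's code: `validate_jwt` runs the claim checks (signature, issuer, audience, expiry) and returns a reason on failure, and `authenticate` logs that reason before falling back to the cookie. It assumes an HS256 shared secret and constructed `AUDIENCE`/`ISSUER` values in place of Auth0's RS256 keys fetched over JWKS, so that it runs offline with the standard library only.

```python
import base64, hashlib, hmac, json, logging
# Constructed example: an HS256 shared secret stands in for Auth0's RS256 JWKS keys so it runs offline.
SECRET = b"example-shared-secret"              # constructed, not a real secret
AUDIENCE = "https://api.example.test"          # stands in for AUTH_JWT_AUDIENCE
ISSUER = "https://tenant.example.auth0.test/"  # constructed issuer URL
logger = logging.getLogger("api.auth")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    # Test helper: sign a token the way the issuer would.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_jwt(token: str, now: float):
    """Return (claims, None) on success or (None, reason) on failure; now is unix time."""
    try:
        h64, p64, s64 = token.split(".")
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(p64))
    except ValueError:  # covers base64, JSON and unpack errors
        return None, "malformed token"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims, None

def authenticate(headers: dict, cookies: dict, now: float):
    """Bearer first, then cookie session, mirroring the require_* dependencies."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims, reason = validate_jwt(auth[len("Bearer "):], now)
        if claims:
            return ("jwt", claims["sub"])
        # Log the cause: an expired token and a forged one should not look alike.
        logger.warning("Bearer token rejected (%s); falling back to cookie", reason)
    if "session" in cookies:
        return ("cookie", cookies["session"])
    return None
```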