Fix OIDC auth fallback when primary authenticator errors

[evanphx]

Summary

• Fix CompositeAuthenticator to try the OIDC authenticator even when the primary authenticator returns an error
• The primary (cloud JWT validator) was failing on GitHub Actions OIDC tokens because the token's key ID doesn't exist in miren.cloud's JWKS, and this error prevented the OIDC authenticator from ever being tried
• If OIDC succeeds after a primary error, the OIDC identity is returned; if both fail, the primary error is returned

Test plan

• Existing composite authenticator tests updated and passing
• New test for primary-error-then-OIDC-fallback scenario
• Deploy from GitHub Actions with OIDC binding and verify auth succeeds

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 93be3ec and 8ab143d.

📒 Files selected for processing (2)

• pkg/oidcauth/composite.go
• pkg/oidcauth/composite_test.go

---

📝 Walkthrough

Walkthrough

CompositeAuthenticator was updated: its oidc field type changed from *OIDCAuthenticator to rpc.Authenticator. Authenticate now collects both primary and OIDC results, only attempting OIDC when the primary returns no identity, and returns the primary error if present otherwise the OIDC error. Tests were adjusted and expanded: a renamed test verifies primary-error-with-nil-OIDC propagation, and a new test covers the case where primary returns an error but OIDC succeeds.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/oidcauth/composite_test.go`:
- Around line 72-109: The test
TestCompositeAuthenticator_PrimaryErrorOIDCSucceeds is misnamed and currently
asserts the error path; update it to actually verify OIDC fallback by injecting
a stub OIDC authenticator that implements Authenticate and returns a successful
rpc.Identity (e.g., Subject "repo:acme/app:ref:refs/heads/main" and Method
rpc.AuthMethodOIDC) so that when primary (mockAuthenticator with err "key with
ID xyz not found") fails, CompositeAuthenticator returns the OIDC identity and
no error; replace the noisy comments and the unused oidcMock with this stub,
construct comp with the stub as the oidc field (use CompositeAuthenticator or
NewCompositeAuthenticator as appropriate), call comp.Authenticate and assert
err==nil and the returned identity matches OIDC values.

In `@pkg/oidcauth/composite.go`:
- Around line 68-78: Guard access to c.oidc before calling its Authenticate
method: in the block where oidcIdentity, oidcErr := c.oidc.Authenticate(ctx, r)
is invoked, first check if c.oidc != nil and only call c.oidc.Authenticate when
non-nil; if c.oidc is nil set oidcIdentity = nil and oidcErr = nil (or a clear
sentinel like ErrNoOIDCConfigured if you prefer) so the existing return logic
that prefers the primary err still works and no panic occurs; reference c.oidc,
Authenticate, oidcIdentity, and oidcErr to locate the change.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between dc1f671 and 93be3ec.

📒 Files selected for processing (2)

• pkg/oidcauth/composite.go
• pkg/oidcauth/composite_test.go