Conversation
There was a problem hiding this comment.
Pull request overview
Adds optional, configurable OIDC-based authentication/authorization middleware to SchemaBot’s HTTP API. When enabled, requests must present a valid JWT (via OIDC discovery/JWKS), and write operations require membership in a configured admin group; when disabled, behavior remains fully open as today.
Changes:
- Introduces
pkg/authwith anAuthorizerinterface plusNoneAuthorizer(default) andOIDCAuthorizerimplementations. - Wires the authorizer middleware into the HTTP server startup and adds
authconfiguration + validation inpkg/api/config.go. - Adds unit tests covering OIDC validation, group-based authorization, excluded paths, and context helpers.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/cmd/commands/serve.go | Builds the configured authorizer and wraps the HTTP mux with auth middleware before OTel instrumentation. |
| pkg/auth/auth.go | Defines the Authorizer interface for HTTP middleware-based auth. |
| pkg/auth/context.go | Adds User + context helpers (WithUser, UserFromContext) for downstream handlers. |
| pkg/auth/none.go | Implements a no-op authorizer that injects an anonymous user. |
| pkg/auth/oidc.go | Implements OIDC discovery/JWT verification + admin-group enforcement for write endpoints; skips auth for infra/webhook paths. |
| pkg/auth/context_test.go | Tests user context set/get helpers. |
| pkg/auth/none_test.go | Tests no-op authorizer behavior. |
| pkg/auth/oidc_test.go | Tests token validation, expiry, admin-group enforcement, excluded paths, and custom groups claim. |
| pkg/auth/config_test.go | Tests validation behavior for api.AuthConfig. |
| pkg/api/config.go | Adds Auth config block and validation for supported auth types and required fields. |
| go.mod / go.sum | Adds OIDC + JOSE dependencies (coreos/go-oidc/v3, go-jose/go-jose/v4). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Set up authentication middleware based on config. | ||
| // The auth middleware wraps the mux so it runs before any handler. | ||
| // Webhook/health/metrics endpoints are excluded within the middleware itself. | ||
| authz, err := buildAuthorizer(ctx, serverConfig.Auth, logger) |
| raw, ok := claims[a.groupsClaim] | ||
| if !ok { | ||
| // Groups claim not present — the user has no group memberships. | ||
| return nil, nil |
| func writeAuthError(w http.ResponseWriter, status int, message string) { | ||
| w.Header().Set("Content-Type", "application/json") | ||
| w.WriteHeader(status) | ||
| resp := map[string]string{"error": message} |
Comment on lines
+214
to
+216
| if err := json.NewEncoder(w).Encode(resp); err != nil { | ||
| slog.Error("failed to write auth error response", "error", err) | ||
| } |
| } | ||
| return nil | ||
| default: | ||
| return fmt.Errorf("unknown auth type %q (supported: oidc)", a.Type) |
Add optional OIDC authentication for SchemaBot's API endpoints. When configured, requires valid JWT tokens for API access and restricts write operations to members of a configured admin group. Server-side auth (pkg/auth/): - Authorizer interface with NoneAuthorizer (default) and OIDCAuthorizer - JWT validation via JWKS discovery (coreos/go-oidc/v3) - Read endpoints require any valid token, write endpoints require admin group - Webhook and health endpoints bypass auth - Fully backwards compatible — disabled by default Local testing with Dex: - Dex OIDC provider in docker-compose (--profile oidc) - Two test users: admin (write access) and viewer (read-only) - Token helper script for browser-based auth flow - Separate schemabot-oidc service on port 13380 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add optional OIDC authentication middleware for SchemaBot's API endpoints, with a local Dex OIDC provider for testing.
Server-side auth (
pkg/auth/):Authorizerinterface withNoneAuthorizer(default) andOIDCAuthorizercoreos/go-oidc/v3) — works with any OIDC providerauthconfig is not setLocal testing with Dex:
docker compose --profile oidc upstarts Dex + auth-enabled SchemaBotadmin@example.com(write access) andviewer@example.com(read-only)./scripts/get-oidc-token.sh🤖 Generated with Claude Code