
Module auth


Pluggable auth for Solo’s HTTP transport (v0.8.0 P3).

Two modes (configured via [auth] block in solo.config.toml):

  • Bearer — single shared token; one tenant per daemon. Identical wire behavior to v0.7.x bearer auth, re-implemented here so the middleware that emits AuthenticatedPrincipal covers both modes.
  • OIDC — standard OpenID Connect; any provider via its discovery URL. JWKS keys are cached; the cache TTL honors Cache-Control: max-age= from the discovery document and falls back to 1 hour when no usable max-age is present. A cache miss on an unknown kid triggers an immediate refetch, which handles IdP key rotation without operator intervention.
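The JWKS caching rule above (honor max-age, fall back to one hour, refetch once on an unknown kid), worked through as an added, std-only example. This is not the crate's oidc module: the Jwk and JwksResponse shapes, the injected fetch closure standing in for the HTTP request to the JWKS URL, and the fetch_count counter are all assumptions made so the behavior can be exercised offline. The page says the honored Cache-Control value is the discovery document's; here the fetch closure simply reports whichever value the caller wants honored.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// One JWKS entry, trimmed to what the cache needs (hypothetical shape; the
/// page does not show the real oidc module's key type).
#[derive(Clone, Debug, PartialEq)]
pub struct Jwk {
    pub kid: String,
    pub key_material: Vec<u8>,
}

/// What one fetch yields: the keys plus the Cache-Control value the cache
/// is told to honor (per the page, the discovery document's).
pub struct JwksResponse {
    pub keys: Vec<Jwk>,
    pub cache_control: Option<String>,
}

/// Fallback TTL when no usable max-age is supplied.
pub const DEFAULT_TTL: Duration = Duration::from_secs(3600);

/// Pull `max-age=<secs>` out of a Cache-Control value; None if absent or
/// malformed, so the caller falls back to DEFAULT_TTL rather than caching
/// forever or never.
pub fn parse_max_age(cache_control: &str) -> Option<Duration> {
    cache_control.split(',').map(str::trim).find_map(|directive| {
        let (name, value) = directive.split_once('=')?;
        if !name.trim().eq_ignore_ascii_case("max-age") {
            return None;
        }
        value.trim().trim_matches('"').parse::<u64>().ok().map(Duration::from_secs)
    })
}

/// Key cache parameterised over the fetch, so a fake IdP can be injected.
pub struct JwksCache<F: FnMut() -> Result<JwksResponse, String>> {
    fetch: F,
    keys: HashMap<String, Jwk>,
    fetched_at: Option<Instant>,
    ttl: Duration,
    /// How many times the IdP was contacted (assumed field, for observability).
    pub fetch_count: usize,
}

impl<F: FnMut() -> Result<JwksResponse, String>> JwksCache<F> {
    pub fn new(fetch: F) -> Self {
        JwksCache { fetch, keys: HashMap::new(), fetched_at: None, ttl: DEFAULT_TTL, fetch_count: 0 }
    }

    fn refresh(&mut self, now: Instant) -> Result<(), String> {
        let resp = (self.fetch)()?;
        self.fetch_count += 1;
        self.keys = resp.keys.into_iter().map(|k| (k.kid.clone(), k)).collect();
        self.ttl = resp.cache_control.as_deref().and_then(parse_max_age).unwrap_or(DEFAULT_TTL);
        self.fetched_at = Some(now);
        Ok(())
    }

    fn expired(&self, now: Instant) -> bool {
        match self.fetched_at {
            None => true,
            Some(at) => now.saturating_duration_since(at) >= self.ttl,
        }
    }

    /// Resolve `kid`. Refreshes when the TTL has lapsed, and refreshes once
    /// more on an unknown kid (key rotation); a kid still unknown after that
    /// is Ok(None) so the caller rejects the token. A failed fetch is Err:
    /// an upstream-IdP failure, not a bad credential.
    pub fn key_for(&mut self, kid: &str, now: Instant) -> Result<Option<Jwk>, String> {
        if self.expired(now) {
            self.refresh(now)?;
        }
        if let Some(k) = self.keys.get(kid) {
            return Ok(Some(k.clone()));
        }
        // At most one rotation refetch per lookup: a flood of bogus kids must
        // not turn into a flood of requests to the IdP.
        self.refresh(now)?;
        Ok(self.keys.get(kid).cloned())
    }
}

fn main() {
    // Constructed stand-in for the HTTP fetch of the JWKS URL.
    let mut cache = JwksCache::new(|| {
        Ok(JwksResponse {
            keys: vec![Jwk { kid: "2024-01".into(), key_material: vec![0xAB] }],
            cache_control: Some("public, max-age=300".into()),
        })
    });
    let now = Instant::now();
    println!("{:?}", cache.key_for("2024-01", now));
    println!("{:?}", cache.key_for("unknown", now));
    println!("fetches so far: {}", cache.fetch_count);
}
```

Two caveats a production cache needs beyond what the page states: a floor on the TTL (max-age=0 would otherwise make every lookup a fetch), and a rate limit on unknown-kid refetches across lookups, since the per-lookup bound here only stops one request from fanning out, not many requests each carrying a bogus kid.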

MCP uses bearer-only at v0.8.0 — the MCP spec has no story for OIDC. CLI is implicitly trusted (no auth — admin tier).

Wire shape:

  1. Axum middleware (auth_middleware) runs ahead of the TenantExtractor. It validates the Authorization header and inserts an AuthenticatedPrincipal into the request extensions.
  2. TenantExtractor then prefers principal.tenant_claim (set in OIDC mode from the configured JWT claim) over the X-Solo-Tenant header. Bearer-mode principals carry the daemon’s default tenant.
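The two steps above, with the status mapping the AuthError section lists (401 for credential failures, 403 for tenant-claim issues, 500 for upstream IdP failures), written out as an added example. It is not the crate's middleware or TenantExtractor: the Axum request is replaced by a plain header map with lowercased names, OIDC signature and claim verification is replaced by an injected ClaimVerifier closure that returns already-verified claims, bearer principals get a fixed "bearer" subject, and the bearer mode is assumed to put the daemon's default tenant into the same tenant_claim field, which is one reading of "Bearer-mode principals carry the daemon's default tenant" and means the header is never consulted in that mode.

```rust
use std::collections::HashMap;

/// Attached to the request on success (stand-in for the crate's struct).
#[derive(Clone, Debug, PartialEq)]
pub struct AuthenticatedPrincipal {
    pub subject: String,
    /// Tenant the credential is bound to: the configured JWT claim in OIDC
    /// mode, the daemon's default tenant in bearer mode (assumption).
    pub tenant_claim: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingCredentials,
    InvalidCredentials,
    TenantClaim(String),
    Upstream(String),
}

impl AuthError {
    /// 401 for credential problems, 403 for tenant-claim problems, 500 when
    /// the IdP (discovery/JWKS) failed rather than the client.
    pub fn status(&self) -> u16 {
        match self {
            AuthError::MissingCredentials | AuthError::InvalidCredentials => 401,
            AuthError::TenantClaim(_) => 403,
            AuthError::Upstream(_) => 500,
        }
    }
}

/// Constant-time comparison so the bearer check does not leak how many
/// leading bytes of the shared token a guess got right (length still leaks).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Stand-in for OIDC signature/iss/aud/exp verification against the cached
/// JWKS: given the raw token, return its verified claims or the failure.
pub type ClaimVerifier = Box<dyn Fn(&str) -> Result<HashMap<String, String>, AuthError>>;

pub enum AuthValidator {
    Bearer { token: String, default_tenant: String },
    Oidc { tenant_claim: String, verify: ClaimVerifier },
}

impl AuthValidator {
    pub fn validate(&self, presented: &str) -> Result<AuthenticatedPrincipal, AuthError> {
        match self {
            AuthValidator::Bearer { token, default_tenant } => {
                if !ct_eq(token.as_bytes(), presented.as_bytes()) {
                    return Err(AuthError::InvalidCredentials);
                }
                // A shared token identifies no person; fixed subject (assumption).
                Ok(AuthenticatedPrincipal {
                    subject: "bearer".to_string(),
                    tenant_claim: Some(default_tenant.clone()),
                })
            }
            AuthValidator::Oidc { tenant_claim, verify } => {
                let claims = verify(presented)?;
                let subject = claims.get("sub").cloned().ok_or(AuthError::InvalidCredentials)?;
                // A verified token without the configured tenant claim is a
                // tenant problem (403), not a credential problem (401).
                let tenant = claims.get(tenant_claim).cloned().ok_or_else(|| {
                    AuthError::TenantClaim(format!("claim {} missing", tenant_claim))
                })?;
                Ok(AuthenticatedPrincipal { subject, tenant_claim: Some(tenant) })
            }
        }
    }
}

/// Step 1, the middleware: parse Authorization, dispatch to the validator,
/// and hand back either the principal (to insert into extensions) or the
/// status to short-circuit with.
pub fn auth_middleware(
    validator: &AuthValidator,
    headers: &HashMap<String, String>,
) -> Result<AuthenticatedPrincipal, u16> {
    let authz = headers.get("authorization").ok_or_else(|| AuthError::MissingCredentials.status())?;
    let token = authz.strip_prefix("Bearer ").ok_or_else(|| AuthError::InvalidCredentials.status())?;
    validator.validate(token.trim()).map_err(|e| e.status())
}

/// Step 2, the tenant extractor: the principal's tenant wins over
/// X-Solo-Tenant, which is consulted only if auth bound no tenant.
pub fn resolve_tenant(principal: &AuthenticatedPrincipal, headers: &HashMap<String, String>) -> Option<String> {
    principal.tenant_claim.clone().or_else(|| headers.get("x-solo-tenant").cloned())
}

fn headers(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let bearer = AuthValidator::Bearer { token: "s3cret".into(), default_tenant: "default".into() };
    // Constructed request: valid token, but the client also sends a tenant header.
    let req = headers(&[("authorization", "Bearer s3cret"), ("x-solo-tenant", "other")]);
    match auth_middleware(&bearer, &req) {
        Ok(p) => println!("principal {} -> tenant {:?}", p.subject, resolve_tenant(&p, &req)),
        Err(status) => println!("rejected with {}", status),
    }
}
```

The ordering matters for the isolation property ADR-0004 is about: because the principal is produced before the tenant is resolved, a client in OIDC mode cannot pick a tenant with X-Solo-Tenant that its token does not carry, and in bearer mode the daemon's single tenant is fixed regardless of the header.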

See docs/dev-log/0090-v0.8.0-implementation-plan.md Section 2 P3 for the spec. ADR-0004 (added in P7) documents how auth ties into per-tenant writer-actor isolation.

Modules

bearer
Bearer-token validation. Forward port of v0.7.x’s ValidateRequestHeaderLayer::custom(BearerToken::new(token)) flow, re-shaped to emit an AuthenticatedPrincipal so downstream layers (audit log, tenant extractor) can treat bearer + OIDC identically.
middleware
Axum middleware: dispatch to the configured AuthValidator, insert the resulting AuthenticatedPrincipal into request extensions, or short-circuit with the appropriate HTTP status.
oidc
OIDC validation: discovery URL → JWKS → signature + claim checks.

Structs

AuthenticatedPrincipal
Result of a successful auth check, attached to the request as an axum::Extension. The TenantExtractor in http.rs reads this to resolve the request’s target tenant ahead of the X-Solo-Tenant header. P4 (audit log) reads principal.subject for the audit-log “who” field.

Enums

AuthConfig
Configuration for one auth mode. Stored in solo_storage::SoloConfig under the [auth] block.
AuthError
Failure modes for both bearer and OIDC validation. The middleware maps these to HTTP status codes (401 for client-supplied-credential failures, 403 for tenant-claim issues, 500 for upstream IdP issues).