[DRAFT] docs(authentication): add authentication layer enhancement proposal#52

Open
chadcrum wants to merge 1 commit into
dcm-project:mainfrom
chadcrum:flpath-4194-idm-iam-enhancement

Conversation

@chadcrum

@chadcrum chadcrum commented May 21, 2026

Note: This enhancement could change depending on the outcome of the architecture change discussion.

Summary

Enhancement proposal for DCM's authentication layer — FLPATH-4194.

  • Gateway auth via oauth2-proxy — Traefik ForwardAuth delegates to oauth2-proxy for JWT validation, JWKS caching, and OIDC lifecycle. No custom auth service needed.
  • Actor middleware — shared Go package replaces NoopAuthenticationFunc in all services. Resolves JWT sub claim → actor DB lookup → request context (with LRU cache).
  • Tenant isolation — TenantScope() query middleware with CI lint enforcement and Phase 3 tenant leak integration tests.
  • Built-in local user store — username/password → DCM-issued JWT for bootstrap and testing, toggleable via DCM_BUILTIN_AUTH.
  • Actor/tenant lifecycle — active, suspended, deactivated states with middleware enforcement.
  • Four-phase migration — schema → permissive → tenant isolation → enforcing, each independently rollbackable.
  • CLI authentication — dcm login via OIDC Device Authorization Grant.
  • Keycloak as V1 identity provider, with Kuadrant/Authorino documented as a deferred alternative.

Jira

FLPATH-4194 (epic: FLPATH-3254)

Test plan

  • Mermaid diagrams render correctly
  • Cross-references to related enhancements are valid
  • cspell passes
  • Team review of open questions (1-5)

🤖 Generated with Claude Code
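The actor middleware and TenantScope() described in the summary above, as an added illustration that is not code from this PR or from the DCM project. It assumes the gateway (oauth2-proxy behind Traefik ForwardAuth) forwards the already-validated JWT subject in an `X-Auth-Request-User` header, assumes a minimal `Actor` row shape, and uses a `sync.Map` in place of the proposal's LRU; the header name, the row shape and `RequestAs` are assumptions for the example, not DCM's API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Lifecycle states from the proposal; only active actors pass the middleware.
type ActorState string

const (
	ActorActive      ActorState = "active"
	ActorSuspended   ActorState = "suspended"
	ActorDeactivated ActorState = "deactivated"
)

// Actor is the DB row keyed by the OIDC sub claim (assumed shape, not DCM's schema).
type Actor struct {
	Subject, TenantID string
	State             ActorState
}

// SubjectHeader is where the gateway is assumed to forward the already-validated sub.
// It is only trustworthy when the service is reachable solely through the gateway.
const SubjectHeader = "X-Auth-Request-User"

type actorKey struct{}

// TenantScope yields the predicate every query must carry; no actor means no query.
func TenantScope(ctx context.Context) (string, []any, error) {
	a, ok := ctx.Value(actorKey{}).(*Actor)
	if !ok {
		return "", nil, errors.New("no actor in context: refusing unscoped query")
	}
	return "tenant_id = $1", []any{a.TenantID}, nil
}

// ActorMiddleware resolves sub -> actor (cache, then lookup), enforces lifecycle
// state, and attaches the actor to the request context for TenantScope. A sync.Map
// stands in for the proposal's LRU; either way the cached entry carries lifecycle
// state, so suspending or deactivating an actor must also cache.Delete(sub).
func ActorMiddleware(lookup func(string) (*Actor, error), cache *sync.Map, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub := r.Header.Get(SubjectHeader)
		if sub == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		var actor *Actor
		if v, ok := cache.Load(sub); ok {
			actor = v.(*Actor)
		} else {
			a, err := lookup(sub)
			if err != nil {
				http.Error(w, "unknown actor", http.StatusForbidden)
				return
			}
			cache.Store(sub, a)
			actor = a
		}
		if actor.State != ActorActive {
			http.Error(w, "actor "+string(actor.State), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), actorKey{}, actor)))
	})
}

// RequestAs sends one request through the middleware against a constructed actor
// table and reports the status plus the tenant predicate the handler obtained.
func RequestAs(store map[string]*Actor, cache *sync.Map, sub string) (int, string) {
	lookup := func(s string) (*Actor, error) {
		if a, ok := store[s]; ok {
			return a, nil
		}
		return nil, errors.New("unknown actor")
	}
	var pred string
	h := ActorMiddleware(lookup, cache, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p, _, err := TenantScope(r.Context()); err == nil {
			pred = p
		}
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/resources", nil)
	req.Header.Set(SubjectHeader, sub) // empty sub simulates a request with no identity
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, pred
}

func main() {
	store := map[string]*Actor{"alice": {Subject: "alice", TenantID: "t-1", State: ActorActive}}
	code, pred := RequestAs(store, &sync.Map{}, "alice")
	fmt.Println(code, pred) // 200 tenant_id = $1
}
```

The point a reviewer would check is the interaction between the cache and the lifecycle states: once an actor is cached, a change of state in the store is invisible to the middleware until the entry is evicted or explicitly invalidated, so the suspend/deactivate path must invalidate the cache entry. TenantScope refuses to produce a predicate when no actor is in context, which is what a CI lint enforcing its use on every query is protecting.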

Introduces the IDM/IAM authentication enhancement for DCM covering:

- oauth2-proxy as ForwardAuth handler (no custom auth service needed)
- Actor middleware for identity resolution (sub → DB lookup → context)
- Tenant isolation via TenantScope() with CI lint enforcement
- Built-in local user store for bootstrap and testing (DCM_BUILTIN_AUTH flag)
- Actor/tenant lifecycle (active, suspended, deactivated)
- Four-phase migration: schema → permissive → tenant isolation → enforcing
- CLI authentication via OIDC Device Authorization Grant
- Keycloak as V1 identity provider

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Chad Crum <chadcrum@users.noreply.github.com>
@chadcrum chadcrum changed the title docs(authentication): add authentication layer enhancement proposal [DRAFT] docs(authentication): add authentication layer enhancement proposal May 21, 2026
