Skip to content

Authz #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
farhoud merged 2 commits into from
Dec 18, 2025
Merged

Authz #6

farhoud merged 2 commits into from
Dec 18, 2025

Conversation

@farhoud
Copy link
Owner

@farhoud farhoud commented Dec 18, 2025

Overview

Implements a comprehensive multi-tenant Role-Based Access Control (RBAC) authorization system for the Scouter platform, enabling secure access control across HTTP APIs and tool execution environments.

Key Features

🔐 Core Authorization System

  • IdentityContext: Request-scoped user context with tenant, roles, and permissions
  • Pure RBAC Logic: Framework-agnostic permission checking with wildcard support (*, resource:*)
  • OAuth Integration: Support for external providers (Auth0, Keycloak, Azure AD) with JWT verification
  • Multi-Tenant: Mandatory tenant scoping for all authorization decisions
    🏗️ Architecture & Design
  • Functional Design: Composition-first approach avoiding heavy OOP inheritance
  • Framework Agnostic: Core logic testable without FastAPI/FastMCP dependencies
  • Neo4j Integration: Graph database as source of truth for users, tenants, roles, and permissions
  • Modular Structure: Clean separation between auth logic, database operations, and framework integrations
    🚀 Framework Support
  • FastAPI: Middleware for automatic identity resolution + dependency injection for permission checks
  • FastMCP: Explicit identity building for tool execution environments
  • Unified API: Same RBAC logic works across both HTTP and tool contexts

📊 Database Schema

Implements mandatory Neo4j graph model:
(Tenant) ←:MEMBER_OF-(User)-:HAS_ROLE→(Role)-:ROLE_IN→(Tenant)

:GRANTS

(Permission)

Usage Examples

FastAPI Route Protection

@router.post("/users")
def create_user(
    identity=Depends(require_permission("user:write"))
):
    return {"user": "created"}

### FastMCP Tool Authorization  
def create_user_tool(identity, payload):
    if not has_permission(identity["permissions"], "user:write"):
        raise PermissionDeniedError()
    # Tool implementation

Files Changed

  • src/scouter/auth/ - Complete authorization module (7 new files)
  • src/scouter/db/auth.py - Neo4j authorization queries
  • src/scouter/db/agent_runs.py - Renamed from persistence.py
  • tests/test_auth.py - Comprehensive test suite
  • pyproject.toml - Added PyJWT dependency

Testing

  • Unit tests for RBAC permission logic
  • Mocked Neo4j operations for database queries
  • Framework-agnostic testing approach

Security Considerations

  • OAuth tokens verified using JWKS
  • Tenant isolation enforced at authorization level
  • No sensitive data in permission strings
  • Framework objects excluded from core auth logic
    Breaking Changes
    None - this is a new feature addition with no existing API modifications.
    Related Issues
    Closes #X - Implement authorization system
    This PR description provides a comprehensive overview while remaining concise and actionable. It covers the what, why, and how of the implementation with clear examples and technical details.

@farhoud
feat: add PyJWT dependency for OAuth token verification
5906b81
@farhoud
feat: implement multi-tenant RBAC authorization system
75aa2a1 
- Add IdentityContext for request-scoped user data
- Implement pure RBAC permission checking functions
- Add FastAPI middleware for OAuth token verification
- Add FastAPI dependencies for permission enforcement
- Provide FastMCP integration examples
- Define authorization-specific exceptions
- Add comprehensive unit tests

refactor: reorganize database module structure

- Move authorization queries to dedicated db/auth.py module
- Rename persistence.py to agent_runs.py for clarity
- Update imports to reflect new module organization
- Separate concerns: connections vs business logic vs auth

chore: update test imports and lock file

- Fix test imports to use new db/auth.py module
- Update uv.lock with new PyJWT dependency
@farhoud farhoud merged commit bd42ee8 into main Dec 18, 2025
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@farhoud