Proxy should only work with claims #40

New issue

Closed

opened 2026-04-29 20:43:33 +00:00 by mik-tf · 1 comment

mik-tf commented

2026-04-29 20:43:33 +00:00

Owner

Today the proxy carries two parallel authorization vocabularies:

Per-route auth machinery: auth_mode (none/bearer/oauth/signature), oauth_provider, allowed_pubkeys, plus per-provider allowed_emails.
Claims: resolved via users → groups → roles → claims, injected as X-Hero-Claims. Per home#191, no backend currently enforces on it.

Direction: the proxy should only work with claims. Authentication is whatever produces claims; routes declare what claims they require; backends consume X-Hero-Claims. The first vocabulary collapses into the second.

@lee Kristof suggested you could have a look at this.

Today the proxy carries two parallel authorization vocabularies: - Per-route auth machinery: `auth_mode` (none/bearer/oauth/signature), `oauth_provider`, `allowed_pubkeys`, plus per-provider `allowed_emails`. - Claims: resolved via users → groups → roles → claims, injected as `X-Hero-Claims`. Per [home#191](https://forge.ourworld.tf/lhumina_code/home/issues/191), no backend currently enforces on it. Direction: the proxy should only work with claims. Authentication is whatever produces claims; routes declare what claims they require; backends consume `X-Hero-Claims`. The first vocabulary collapses into the second. @lee Kristof suggested you could have a look at this.