Add OAuth JWT auth for dashboard API

Dashboard and API auth were tied to Supabase-specific HMAC JWT configuration
(`SUPABASE_JWT_SECRETS`) and Supabase-specific headers. That made it hard to
support other auth providers and forced provider-specific settings to spread
across several environment variables.

This change introduces one generic auth-provider JWT verification path that
supports both OIDC-compliant issuers (asymmetric keys, JWKS auto-discovered)
and non-OIDC HMAC-signed JWTs. It keeps the old Supabase headers as
compatibility aliases, while adding provider-neutral bearer token and team
header schemes.

- Add shared auth-provider JWT verification with OIDC and bearer (HMAC)
  verifier strategies under `packages/auth/pkg/auth/`.
- Replace API/dashboard service-level `SUPABASE_JWT_SECRETS` with one
  structured `AUTH_PROVIDER_CONFIG` JSON value, defaulted (in Terraform) to
  the existing Supabase JWT secret wrapped in a `bearer` entry.
- Support multiple OIDC issuers and multiple bearer-token sources at once,
  useful during migrations and multi-tenant deployments.
- For OIDC entries, fetch the discovery document at startup, cross-check
  `issuer`, and resolve `jwks_uri` from it. JWKS HTTPS is required.
  Lookups/caching/refresh use `github.com/MicahParks/keyfunc/v3`/`jwkset`.
  Fail-fast on discovery errors.
- Per-entry audience matching with `MatchAny` (default) or `MatchAll`.
- Per-entry `claimMappings.username.claim` (default `sub`) resolves directly
  to an internal UUID; no email fallback.
- Wire auth-provider bearer token and `X-Team-Id` team header in both API
  and dashboard API, while keeping Supabase headers as compatibility aliases.

Example with one OIDC issuer and one bearer source (e.g. during migration or
key rotation):

```json
{
  "jwt": [
    {
      "issuer": {
        "url": "https://issuer.example.com",
        "discoveryURL": "https://issuer.example.com/.well-known/openid-configuration",
        "audiences": ["dashboard-api"],
        "audienceMatchPolicy": "MatchAny"
      },
      "claimMappings": { "username": { "claim": "sub" } },
      "jwksCacheDuration": "5m"
    }
  ],
  "bearer": [
    {
      "hmac": { "secrets": ["legacy-secret"] },
      "claimMappings": { "username": { "claim": "sub" } }
    }
  ]
}
```

Co-authored-by: Jakub Dobry <dobrac@users.noreply.github.com>

Author: tvi

iac/modules/job-api/jobs/api.hcl

@@ -151,7 +151,6 @@ job "api" {
         AUTH_DB_READ_REPLICA_CONNECTION_STRING  = "${postgres_read_replica_connection_string}"
         AUTH_DB_MAX_OPEN_CONNECTIONS           = "${auth_db_max_open_connections}"
         AUTH_DB_MIN_IDLE_CONNECTIONS           = "${auth_db_min_idle_connections}"
-        SUPABASE_JWT_SECRETS                    = "${supabase_jwt_secrets}"
 
         LOKI_URL                      = "${loki_url}"
         CLICKHOUSE_CONNECTION_STRING  = "${clickhouse_connection_string}"

iac/modules/job-api/main.tf

@@ -1,6 +1,7 @@
 locals {
   default_job_env_vars = {
-    GIN_MODE : "release"
+    GIN_MODE             = "release"
+    AUTH_PROVIDER_CONFIG = jsonencode(var.auth_provider_config)
   }
 
   job_env_vars = merge(local.default_job_env_vars, var.job_env_vars)
@@ -27,7 +28,6 @@ resource "nomad_job" "api" {
     api_docker_image                        = var.api_docker_image
     postgres_connection_string              = var.postgres_connection_string
     postgres_read_replica_connection_string = var.postgres_read_replica_connection_string
-    supabase_jwt_secrets                    = var.supabase_jwt_secrets
     posthog_api_key                         = var.posthog_api_key
     analytics_collector_host                = var.analytics_collector_host
     analytics_collector_api_token           = var.analytics_collector_api_token

iac/modules/job-api/variables.tf

@@ -67,9 +67,35 @@ variable "postgres_read_replica_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "posthog_api_key" {

iac/modules/job-dashboard-api/main.tf

@@ -8,7 +8,7 @@ locals {
     AUTH_DB_READ_REPLICA_CONNECTION_STRING  = var.auth_db_read_replica_connection_string
     SUPABASE_DB_CONNECTION_STRING           = var.supabase_db_connection_string
     CLICKHOUSE_CONNECTION_STRING            = var.clickhouse_connection_string
-    SUPABASE_JWT_SECRETS                    = var.supabase_jwt_secrets
+    AUTH_PROVIDER_CONFIG                    = jsonencode(var.auth_provider_config)
     REDIS_URL                               = var.redis_url
     REDIS_CLUSTER_URL                       = var.redis_cluster_url
     REDIS_TLS_CA_BASE64                     = var.redis_tls_ca_base64

iac/modules/job-dashboard-api/variables.tf

@@ -50,9 +50,35 @@ variable "clickhouse_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "enable_auth_user_sync_background_worker" {
@@ -64,6 +90,7 @@ variable "enable_billing_http_team_provision_sink" {
   type    = bool
   default = false
 }
+
 variable "otel_collector_grpc_port" {
   type    = number
   default = 4317

iac/provider-aws/main.tf

@@ -182,12 +182,20 @@ module "nomad" {
   clickhouse_node_pool   = local.clickhouse_pool_name
   clickhouse_jobs_prefix = local.clickhouse_jobs_prefix
 
-  api_cluster_size               = var.api_cluster_size
-  api_internal_grpc_port         = var.api_internal_grpc_port
-  api_repository_name            = module.init.api_repository_name
-  db_migrator_repository_name    = module.init.db_migrator_repository_name
-  postgres_connection_string     = module.init.postgres_connection_string
-  supabase_jwt_secrets           = module.init.supabase_jwt_secrets
+  api_cluster_size            = var.api_cluster_size
+  api_internal_grpc_port      = var.api_internal_grpc_port
+  api_repository_name         = module.init.api_repository_name
+  db_migrator_repository_name = module.init.db_migrator_repository_name
+  postgres_connection_string  = module.init.postgres_connection_string
+  auth_provider_config = {
+    bearer = [
+      {
+        hmac = {
+          secrets = split(",", trimspace(module.init.supabase_jwt_secrets))
+        }
+      }
+    ]
+  }
   admin_token                    = module.init.admin_token
   sandbox_access_token_hash_seed = module.init.sandbox_access_token_hash_seed
 

iac/provider-aws/nomad/main.tf

@@ -126,7 +126,7 @@ module "api" {
   environment                    = var.environment
   api_docker_image               = data.aws_ecr_image.api.image_uri
   postgres_connection_string     = var.postgres_connection_string
-  supabase_jwt_secrets           = var.supabase_jwt_secrets
+  auth_provider_config           = var.auth_provider_config
   nomad_acl_token                = var.nomad_acl_token
   admin_token                    = var.admin_token
   redis_url                      = var.redis_url

iac/provider-aws/nomad/variables.tf

@@ -188,9 +188,35 @@ variable "postgres_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "admin_token" {

iac/provider-gcp/nomad/main.tf

@@ -6,6 +6,16 @@ locals {
   enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
   dashboard_api_billing_server_url        = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_url[0].secret_data) : ""
   dashboard_api_billing_server_api_token  = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_api_token[0].secret_data) : ""
+  default_auth_provider_config = {
+    bearer = [
+      {
+        hmac = {
+          secrets = split(",", trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data))
+        }
+      }
+    ]
+  }
+  auth_provider_config = var.auth_provider_config != null ? var.auth_provider_config : local.default_auth_provider_config
 }
 
 # API
@@ -117,7 +127,7 @@ module "api" {
   api_docker_image                        = data.google_artifact_registry_docker_image.api_image.self_link
   postgres_connection_string              = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   postgres_read_replica_connection_string = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
-  supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
+  auth_provider_config                    = local.auth_provider_config
   posthog_api_key                         = trimspace(data.google_secret_manager_secret_version.posthog_api_key.secret_data)
   environment                             = var.environment
   analytics_collector_host                = trimspace(data.google_secret_manager_secret_version.analytics_collector_host.secret_data)
@@ -166,7 +176,7 @@ module "dashboard_api" {
   auth_db_read_replica_connection_string  = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
   supabase_db_connection_string           = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
   clickhouse_connection_string            = local.clickhouse_connection_string
-  supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
+  auth_provider_config                    = local.auth_provider_config
   redis_url                               = local.redis_url
   redis_cluster_url                       = local.redis_cluster_url
   redis_tls_ca_base64                     = trimspace(data.google_secret_manager_secret_version.redis_tls_ca_base64.secret_data)

iac/provider-gcp/nomad/variables.tf

@@ -473,6 +473,37 @@ variable "supabase_db_connection_string_secret_version" {
   type = any
 }
 
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
+  sensitive = true
+  default   = null
+}
+
 variable "enable_auth_user_sync_background_worker" {
   type    = bool
   default = false
@@ -482,6 +513,7 @@ variable "enable_billing_http_team_provision_sink" {
   type    = bool
   default = false
 }
+
 variable "volume_token_issuer" {
   type = string
 }