[WIP] OIDC Auth provider

iac/modules/job-api/jobs/api.hcl

@@ -151,7 +151,6 @@ job "api" {
         AUTH_DB_READ_REPLICA_CONNECTION_STRING  = "${postgres_read_replica_connection_string}"
         AUTH_DB_MAX_OPEN_CONNECTIONS           = "${auth_db_max_open_connections}"
         AUTH_DB_MIN_IDLE_CONNECTIONS           = "${auth_db_min_idle_connections}"
-        SUPABASE_JWT_SECRETS                    = "${supabase_jwt_secrets}"
 
         LOKI_URL                      = "${loki_url}"
         CLICKHOUSE_CONNECTION_STRING  = "${clickhouse_connection_string}"

iac/modules/job-api/main.tf

@@ -1,6 +1,7 @@
 locals {
   default_job_env_vars = {
-    GIN_MODE : "release"
+    GIN_MODE             = "release"
+    AUTH_PROVIDER_CONFIG = jsonencode(var.auth_provider_config)
   }
 
   job_env_vars = merge(local.default_job_env_vars, var.job_env_vars)
@@ -27,7 +28,6 @@ resource "nomad_job" "api" {
     api_docker_image                        = var.api_docker_image
     postgres_connection_string              = var.postgres_connection_string
     postgres_read_replica_connection_string = var.postgres_read_replica_connection_string
-    supabase_jwt_secrets                    = var.supabase_jwt_secrets
     posthog_api_key                         = var.posthog_api_key
     analytics_collector_host                = var.analytics_collector_host
     analytics_collector_api_token           = var.analytics_collector_api_token

iac/modules/job-api/variables.tf

@@ -67,9 +67,35 @@ variable "postgres_read_replica_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "posthog_api_key" {

iac/modules/job-dashboard-api/main.tf

@@ -8,7 +8,7 @@ locals {
     AUTH_DB_READ_REPLICA_CONNECTION_STRING  = var.auth_db_read_replica_connection_string
     SUPABASE_DB_CONNECTION_STRING           = var.supabase_db_connection_string
     CLICKHOUSE_CONNECTION_STRING            = var.clickhouse_connection_string
-    SUPABASE_JWT_SECRETS                    = var.supabase_jwt_secrets
+    AUTH_PROVIDER_CONFIG                    = jsonencode(var.auth_provider_config)
     REDIS_URL                               = var.redis_url
     REDIS_CLUSTER_URL                       = var.redis_cluster_url
     REDIS_TLS_CA_BASE64                     = var.redis_tls_ca_base64

iac/modules/job-dashboard-api/variables.tf

@@ -50,9 +50,35 @@ variable "clickhouse_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "enable_auth_user_sync_background_worker" {
@@ -64,6 +90,7 @@ variable "enable_billing_http_team_provision_sink" {
   type    = bool
   default = false
 }
+
 variable "otel_collector_grpc_port" {
   type    = number
   default = 4317

iac/provider-aws/main.tf

@@ -182,12 +182,20 @@ module "nomad" {
   clickhouse_node_pool   = local.clickhouse_pool_name
   clickhouse_jobs_prefix = local.clickhouse_jobs_prefix
 
-  api_cluster_size               = var.api_cluster_size
-  api_internal_grpc_port         = var.api_internal_grpc_port
-  api_repository_name            = module.init.api_repository_name
-  db_migrator_repository_name    = module.init.db_migrator_repository_name
-  postgres_connection_string     = module.init.postgres_connection_string
-  supabase_jwt_secrets           = module.init.supabase_jwt_secrets
+  api_cluster_size            = var.api_cluster_size
+  api_internal_grpc_port      = var.api_internal_grpc_port
+  api_repository_name         = module.init.api_repository_name
+  db_migrator_repository_name = module.init.db_migrator_repository_name
+  postgres_connection_string  = module.init.postgres_connection_string
+  auth_provider_config = {
+    bearer = [
+      {
+        hmac = {
+          secrets = split(",", trimspace(module.init.supabase_jwt_secrets))
+        }
+      }
+    ]
+  }
   admin_token                    = module.init.admin_token
   sandbox_access_token_hash_seed = module.init.sandbox_access_token_hash_seed
 

iac/provider-aws/nomad/main.tf

@@ -126,7 +126,7 @@ module "api" {
   environment                    = var.environment
   api_docker_image               = data.aws_ecr_image.api.image_uri
   postgres_connection_string     = var.postgres_connection_string
-  supabase_jwt_secrets           = var.supabase_jwt_secrets
+  auth_provider_config           = var.auth_provider_config
   nomad_acl_token                = var.nomad_acl_token
   admin_token                    = var.admin_token
   redis_url                      = var.redis_url

iac/provider-aws/nomad/variables.tf

@@ -188,9 +188,35 @@ variable "postgres_connection_string" {
   sensitive = true
 }
 
-variable "supabase_jwt_secrets" {
-  type      = string
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
   sensitive = true
+  default   = null
 }
 
 variable "admin_token" {

iac/provider-gcp/nomad/main.tf

@@ -6,6 +6,16 @@ locals {
   enable_billing_http_team_provision_sink = var.enable_billing_http_team_provision_sink
   dashboard_api_billing_server_url        = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_url[0].secret_data) : ""
   dashboard_api_billing_server_api_token  = local.enable_billing_http_team_provision_sink ? trimspace(data.google_secret_manager_secret_version.billing_server_api_token[0].secret_data) : ""
+  default_auth_provider_config = {
+    bearer = [
+      {
+        hmac = {
+          secrets = split(",", trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data))
+        }
+      }
+    ]
+  }
+  auth_provider_config = var.auth_provider_config != null ? var.auth_provider_config : local.default_auth_provider_config
 }
 
 # API
@@ -117,7 +127,7 @@ module "api" {
   api_docker_image                        = data.google_artifact_registry_docker_image.api_image.self_link
   postgres_connection_string              = data.google_secret_manager_secret_version.postgres_connection_string.secret_data
   postgres_read_replica_connection_string = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
-  supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
+  auth_provider_config                    = local.auth_provider_config
   posthog_api_key                         = trimspace(data.google_secret_manager_secret_version.posthog_api_key.secret_data)
   environment                             = var.environment
   analytics_collector_host                = trimspace(data.google_secret_manager_secret_version.analytics_collector_host.secret_data)
@@ -166,7 +176,7 @@ module "dashboard_api" {
   auth_db_read_replica_connection_string  = trimspace(data.google_secret_manager_secret_version.postgres_read_replica_connection_string.secret_data)
   supabase_db_connection_string           = trimspace(data.google_secret_manager_secret_version.supabase_db_connection_string.secret_data)
   clickhouse_connection_string            = local.clickhouse_connection_string
-  supabase_jwt_secrets                    = trimspace(data.google_secret_manager_secret_version.supabase_jwt_secrets.secret_data)
+  auth_provider_config                    = local.auth_provider_config
   redis_url                               = local.redis_url
   redis_cluster_url                       = local.redis_cluster_url
   redis_tls_ca_base64                     = trimspace(data.google_secret_manager_secret_version.redis_tls_ca_base64.secret_data)

iac/provider-gcp/nomad/variables.tf

@@ -473,6 +473,37 @@ variable "supabase_db_connection_string_secret_version" {
   type = any
 }
 
+variable "auth_provider_config" {
+  type = object({
+    jwt = optional(list(object({
+      issuer = object({
+        url                 = string
+        discoveryURL        = optional(string)
+        audiences           = list(string)
+        audienceMatchPolicy = optional(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+      jwksCacheDuration = optional(string)
+    })))
+    bearer = optional(list(object({
+      hmac = object({
+        secrets = list(string)
+      })
+      claimMappings = optional(object({
+        username = object({
+          claim = string
+        })
+      }))
+    })))
+  })
+  sensitive = true
+  default   = null
+}
+
 variable "enable_auth_user_sync_background_worker" {
   type    = bool
   default = false
@@ -482,6 +513,7 @@ variable "enable_billing_http_team_provision_sink" {
   type    = bool
   default = false
 }
+
 variable "volume_token_issuer" {
   type = string
 }

packages/api/Makefile

@@ -35,7 +35,7 @@ build-debug:
 run:
 	make build-debug
 	POSTGRES_CONNECTION_STRING=$(POSTGRES_CONNECTION_STRING) \
-	SUPABASE_JWT_SECRETS=$(SUPABASE_JWT_SECRETS) \
+	AUTH_PROVIDER_CONFIG='{"bearer":[{"hmac":{"secrets":["$(SUPABASE_JWT_SECRETS)"]}}]}' \
 	GOTRACEBACK=crash \
 	GODEBUG=madvdontneed=1 \
 	SANDBOX_ACCESS_TOKEN_HASH_SEED=$(SANDBOX_ACCESS_TOKEN_HASH_SEED) \

packages/api/go.mod

@@ -75,6 +75,8 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/MicahParks/jwkset v0.11.0 // indirect
+	github.com/MicahParks/keyfunc/v3 v3.8.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Workiva/go-datastructures v1.1.6 // indirect
 	github.com/air-verse/air v1.61.7 // indirect