Implement distributed authentication trust via TrustedIssuers#248

Merged
rthellend merged 4 commits into main from trusted-auth
Jan 29, 2026

Conversation

@rthellend
Collaborator

@rthellend rthellend commented Jan 28, 2026

Description

This change allows multiple tlsproxy instances to trust authentication tokens (AUTH tokens) issued by each other. Trust is established at the Identity Provider (IdP) level (OIDC, SAML, Passkey), allowing fine-grained control over which external issuers are trusted for specific backends.

Key changes:

  • Configuration: Added 'trustedIssuers' list to ConfigOIDC, ConfigSAML, and ConfigPasskey. Each entry specifies an 'issuer' URL and a 'jwksUri'.
  • TokenManager:
    • Added support for managing and automatically refreshing JSON Web Key Sets (JWKS) from trusted issuers using background goroutines.
    • Added 'IssuerForKey(kid)' to dynamically identify the issuer associated with a signing key.
    • Updated 'getKey' to support public key lookup from trusted issuers.
  • CookieManager:
    • Updated 'validateAuthToken' to dynamically determine the token's issuer based on its 'kid'.
    • Enforces strict 'jwt.WithIssuer' and 'jwt.WithAudience' validation using the identified issuer (AUD == ISS for Auth tokens).
    • Verifies that the identified issuer is explicitly trusted by the provider associated with the CookieManager.
  • Security: Maintained strict local-only validation for ID tokens and Authorization headers to preserve existing security boundaries.
  • Documentation: Updated README.md with the new configuration options and examples.
  • Testing: Added comprehensive unit tests for the trusted issuer validation logic in CookieManager.

Refactor trusted issuer validation and extraction logic

Extracted duplicated validation logic in Config.Check and extraction logic in Proxy.Reconfigure into helper functions to improve maintainability and readability.

Type of change

  • New feature
  • Feature improvement
  • Bug fix
  • Documentation
  • Cleanup / refactoring
  • Other (please explain)

How is this change tested?

  • Unit tests
  • Manual tests (explain)
  • Tests are not needed

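The validation path the description lays out (kid to issuer, trust check against the provider's trustedIssuers, then strict issuer and audience checks with AUD == ISS), as an added example written for this page and not code from tlsproxy. It keeps the PR's names TokenManager, IssuerForKey, CookieManager and validateAuthToken but everything else is an assumption: Ed25519/EdDSA signatures from the standard library stand in for the project's JWT library, in-memory key sets stand in for fetched JWKS, and the fields, helpers (decodeSeg, signAuthToken, buildScenario), issuer URLs and kids are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenManager indexes every known signing key by kid: local keys plus the ones the PR fetches from each trusted issuer's jwksUri (filled in memory here so the example runs offline).
type TokenManager struct {
	issuerOf map[string]string            // kid -> issuer URL whose JWKS carries it
	keys     map[string]ed25519.PublicKey // kid -> public key
}

// IssuerForKey maps a kid to its issuer and that issuer's key, so a token is only ever verified against its own issuer's key; an unknown kid yields "".
func (tm *TokenManager) IssuerForKey(kid string) (string, ed25519.PublicKey) {
	return tm.issuerOf[kid], tm.keys[kid]
}

// CookieManager is bound to one provider: self is this instance's own issuer URL, trusted is that provider's trustedIssuers list.
type CookieManager struct {
	tm      *TokenManager
	self    string
	trusted map[string]bool
}
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeSeg(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signAuthToken mints a token as an issuing instance would; a genuine AUTH token has aud == iss.
func signAuthToken(priv ed25519.PrivateKey, kid, iss, aud string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: iss, Aud: aud})
	in := b64(hdr) + "." + b64(body)
	return in + "." + b64(ed25519.Sign(priv, []byte(in)))
}

// validateAuthToken follows the PR's order: kid -> issuer, trust check against the provider's list, signature, then iss and aud (aud must equal iss for AUTH tokens). Expiry is left out.
func (cm *CookieManager) validateAuthToken(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSeg(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "EdDSA" { // the verifier, not the token, fixes the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	iss, pub := cm.tm.IssuerForKey(hdr.Kid)
	if iss == "" || (iss != cm.self && !cm.trusted[iss]) {
		return nil, fmt.Errorf("kid %q (issuer %q) is neither local nor trusted here", hdr.Kid, iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	var c claims
	if err := decodeSeg(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != iss || c.Aud != iss {
		return nil, fmt.Errorf("iss %q and aud %q must both equal key issuer %q", c.Iss, c.Aud, iss)
	}
	return &c, nil
}

// buildScenario wires three instances with fresh keys: A (local) trusts B but not C. Issuer URLs and kids are constructed placeholders.
func buildScenario() (*CookieManager, map[string]ed25519.PrivateKey) {
	tm := &TokenManager{issuerOf: map[string]string{}, keys: map[string]ed25519.PublicKey{}}
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"a", "b", "c"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		iss := "https://" + n + ".example.com"
		tm.issuerOf["key-"+n], tm.keys["key-"+n], privs[iss] = iss, pub, priv
	}
	return &CookieManager{tm: tm, self: "https://a.example.com", trusted: map[string]bool{"https://b.example.com": true}}, privs
}

func main() {
	cm, privs := buildScenario()
	c := "https://c.example.com"
	_, err := cm.validateAuthToken(signAuthToken(privs[c], "key-c", c, c))
	fmt.Println("AUTH token from untrusted issuer C:", err)
}
```

The point the PR makes about boundaries shows up in two places: the key is always looked up through the issuer the kid resolves to, so a token can never be verified against some other issuer's key, and the trust decision is taken per provider (the CookieManager's own list) rather than globally, which is what lets one backend trust a peer that another backend does not.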
@gemini-code-assist
Contributor

Summary of Changes

Hello @rthellend, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant new feature enabling distributed authentication trust across multiple tlsproxy instances. It allows proxies to validate authentication tokens issued by other configured and trusted identity providers, enhancing the system's flexibility for deployments requiring cross-instance authentication. The changes involve updates to configuration structures, token management, and cookie validation logic, ensuring secure and dynamic trust establishment.

Highlights

  • Distributed Authentication Trust: Introduced the ability for multiple tlsproxy instances to trust authentication tokens (AUTH tokens) issued by each other, establishing trust at the Identity Provider (IdP) level (OIDC, SAML, Passkey).
  • Configuration Updates: Added a 'trustedIssuers' list to ConfigOIDC, ConfigSAML, and ConfigPasskey configurations, allowing specification of an 'issuer' URL and a 'jwksUri' for each trusted external IdP.
  • TokenManager Enhancements: The TokenManager now supports managing and automatically refreshing JSON Web Key Sets (JWKS) from trusted issuers using background goroutines. It also includes IssuerForKey(kid) to dynamically identify the issuer associated with a signing key and an updated getKey to support public key lookup from trusted issuers.
  • CookieManager Validation Logic: The validateAuthToken function in CookieManager has been updated to dynamically determine a token's issuer based on its 'kid', enforce strict jwt.WithIssuer and jwt.WithAudience validation, and verify that the identified issuer is explicitly trusted by the associated provider.
  • Security Considerations: Existing security boundaries are maintained by preserving strict local-only validation for ID tokens and Authorization headers.
  • Documentation and Testing: The README.md has been updated with new configuration options and examples, and comprehensive unit tests have been added for the trusted issuer validation logic in CookieManager.
  • Code Refactoring: Duplicated validation and extraction logic within the configuration and proxy reconfiguration processes has been extracted into helper functions to improve maintainability and readability.
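The per-issuer JWKS cache with background refresh that the summary attributes to TokenManager, as an added example written for this page and not tlsproxy's own code. It parses an Ed25519 JWKS (RFC 8037 OKP entries) into a kid-keyed map, skips entries the verifier cannot use, keeps the previous key set when a fetch or parse fails, and refreshes on a ticker until its context ends. The HTTP GET of the issuer's jwksUri is replaced by an injected fetch function so the example runs offline; the type and function names (issuerKeys, refreshOnce, refreshLoop, jwksJSON) and the issuer URL are constructed.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// jwkEntry is the RFC 8037 shape of an Ed25519 key inside a JWKS document; other key types are ignored.
type jwkEntry struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
}
type jwksDoc struct {
	Keys []jwkEntry `json:"keys"`
}

// issuerKeys is the per-trusted-issuer cache the PR's TokenManager keeps; fetch stands in for the HTTP GET of jwksUri.
type issuerKeys struct {
	issuer string
	fetch  func(ctx context.Context) ([]byte, error)
	mu     sync.RWMutex
	keys   map[string]ed25519.PublicKey // kid -> key
}

// refreshOnce fetches and parses the JWKS and swaps in the new set; a failed fetch or parse leaves the previous keys in place so a transient outage at the peer does not invalidate live sessions.
func (ik *issuerKeys) refreshOnce(ctx context.Context) error {
	body, err := ik.fetch(ctx)
	if err != nil {
		return fmt.Errorf("%s: %w", ik.issuer, err)
	}
	var doc jwksDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("%s: bad jwks: %w", ik.issuer, err)
	}
	fresh := map[string]ed25519.PublicKey{}
	for _, k := range doc.Keys {
		raw, err := base64.RawURLEncoding.DecodeString(k.X)
		if k.Kty != "OKP" || k.Crv != "Ed25519" || err != nil || len(raw) != ed25519.PublicKeySize {
			continue // skip entries this verifier cannot use instead of failing the whole set
		}
		fresh[k.Kid] = ed25519.PublicKey(raw)
	}
	ik.mu.Lock()
	ik.keys = fresh
	ik.mu.Unlock()
	return nil
}

// Key returns the cached public key for kid, if any; this is what a getKey lookup for a foreign kid would consult.
func (ik *issuerKeys) Key(kid string) (ed25519.PublicKey, bool) {
	ik.mu.RLock()
	defer ik.mu.RUnlock()
	k, ok := ik.keys[kid]
	return k, ok
}

// refreshLoop is the background goroutine: refresh immediately, then on every tick until ctx ends.
func (ik *issuerKeys) refreshLoop(ctx context.Context, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		if err := ik.refreshOnce(ctx); err != nil {
			fmt.Println("jwks refresh failed, keeping cached keys:", err)
		}
		select {
		case <-ctx.Done():
			return
		case <-t.C:
		}
	}
}

// jwksJSON builds a constructed one-key JWKS document, as a peer would publish at its jwksUri.
func jwksJSON(kid string, pub ed25519.PublicKey) []byte {
	b, _ := json.Marshal(jwksDoc{Keys: []jwkEntry{{Kty: "OKP", Crv: "Ed25519", Kid: kid, X: base64.RawURLEncoding.EncodeToString(pub)}}})
	return b
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	published := jwksJSON("k1", pub) // what the peer would serve at its jwksUri
	ik := &issuerKeys{issuer: "https://peer.example.com",
		fetch: func(context.Context) ([]byte, error) { return published, nil }}
	ctx, cancel := context.WithTimeout(context.Background(), 120*time.Millisecond)
	defer cancel()
	ik.refreshLoop(ctx, 50*time.Millisecond) // in a proxy this runs as `go ik.refreshLoop(...)`
	_, ok := ik.Key("k1")
	fmt.Println("k1 cached after background refresh:", ok)
}
```

Two design choices matter here. The cache is replaced wholesale on each successful refresh, so a key the peer has retired disappears on the next tick rather than lingering, while a refresh that fails leaves the last good set untouched. Both are what a verifier wants: rotation at the peer takes effect quickly, and an outage at the peer does not log everyone out.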


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a significant new feature: distributed authentication trust via TrustedIssuers. This allows multiple tlsproxy instances to trust authentication tokens from each other, which is a great addition for distributed setups. The implementation looks solid, with changes spanning configuration, token management, and cookie validation. The addition of background JWKS refreshing is well-handled. I've included a few suggestions to improve error message clarity and add some robustness checks. Overall, this is a well-executed feature with good test coverage.

@rthellend rthellend marked this pull request as ready for review January 29, 2026 02:04
@rthellend rthellend merged commit 0008016 into main Jan 29, 2026
5 checks passed
@rthellend rthellend deleted the trusted-auth branch January 29, 2026 17:28