Originator: FuzeKeys auth integration (FuzeKeys must delegate authN to the shared Authentik, not roll its own).
Context / why: FuzeFront's auth is a BFF — backend/src/services/oidc.ts exchanges the Authentik code server-side and backend/src/routes/auth.ts mints a private HS256 JWT (jwt.sign({userId}, JWT_SECRET)), verified in backend/src/middleware/auth.ts. There is no JWKS, no aud/iss, no introspection, and no shared validator a sibling service can use without sharing JWT_SECRET.
Asks:
- Document the canonical federation model: are sibling apps (FuzeKeys) independent OIDC clients of the same Authentik (validate Authentik RS256 via JWKS), or meant to consume FuzeFront's minted token? State it authoritatively.
- If independent-client: publish a versioned token-validation contract (issuer, expected aud per app, JWKS URL, sub→user mapping) + a reference validator (a @fuzefront/authn TS helper and a documented FastAPI/Python equivalent).
- If consume-FuzeFront-token: expose POST /api/auth/introspect (or RS256 + JWKS) so siblings never need JWT_SECRET.
Acceptance criteria:
- A documented, versioned AuthN integration contract a FastAPI service can implement.
- Either a published validator package or a JWKS/introspection endpoint (no JWT_SECRET sharing).
- Worked example: FuzeKeys validates a family token end-to-end.
Notifications requested: please @-mention me when the contract is frozen and again when it is deployed to the cluster.
STATE: blocks FuzeKeys flipping AUTH_MODE=authentik. Asserted against live izzywdev/FuzeFront master (the FuzeKeys-vendored submodule is pinned older and lacks this surface).