
@claude Expose a federated AuthN contract for sibling apps (FuzeKeys): shared Authentik issuer/JWKS + published token-validator #112

Description

@izzywdev

Originator: FuzeKeys auth integration (FuzeKeys must delegate authN to the shared Authentik, not roll its own).

Context / why: FuzeFront's auth is a BFF — backend/src/services/oidc.ts exchanges the Authentik code server-side and backend/src/routes/auth.ts mints a private HS256 JWT (jwt.sign({userId}, JWT_SECRET)), verified in backend/src/middleware/auth.ts. There is no JWKS, no aud/iss, no introspection, and no shared validator a sibling service can use without sharing JWT_SECRET.

Asks:

  1. Document the canonical federation model: are sibling apps (FuzeKeys) independent OIDC clients of the same Authentik (validate Authentik RS256 via JWKS), or meant to consume FuzeFront's minted token? State it authoritatively.
  2. If independent-client: publish a versioned token-validation contract (issuer, expected aud per app, JWKS URL, sub→user mapping) + a reference validator (a @fuzefront/authn TS helper and a documented FastAPI/Python equivalent).
  3. If consume-FuzeFront-token: expose POST /api/auth/introspect (or RS256 + JWKS) so siblings never need JWT_SECRET.

Acceptance criteria:

  • A documented, versioned AuthN integration contract a FastAPI service can implement.
  • Either a published validator package or a JWKS/introspection endpoint (no JWT_SECRET sharing).
  • Worked example: FuzeKeys validates a family token end-to-end.

Notifications requested: please @-mention me when the contract is frozen and again when it is deployed to the cluster.

STATE: blocks FuzeKeys flipping AUTH_MODE=authentik. Asserted against live izzywdev/FuzeFront master (the FuzeKeys-vendored submodule is pinned older and lacks this surface).
