
@claude Add machine/service-account (agent) identities + client-credentials to the family auth model (Authentik + Permit) #113

Description

@izzywdev

Originator: FuzeKeys MCP Secrets-Broker.

Context / why: FuzeKeys' identity-vault MCP broker needs LLM agents to authenticate as machine identities acting on behalf of a user, under policy. FuzeFront's model (services/oidc.ts, utils/permit/*) only knows human users synced from Authentik — no service-account/client-credentials path, no "agent acts_on_behalf_of user" concept.

Asks:

  1. Bless Authentik service accounts + OAuth2 client-credentials as the family-standard machine-identity primitive; document registration + rotation.
  2. Provide guidance/helpers to sync a machine identity into Permit as a distinct principal (not a human user).
  3. Define the Agent —delegate_of→ User ReBAC relationship in the shared Permit environment (resource types + relationship) so an agent's reach derives from the user it represents.

Acceptance criteria:

  • Documented way to register an agent service account in Authentik + obtain a client-credentials token.
  • A Permit delegate_of relationship/role model in the shared env, with a worked permit.check(agent, action, resource) that denies cross-user/cross-tenant.
  • No bespoke bearer-token scheme required of consumers.

Notifications requested: @-mention me on contract-freeze of the agent-identity model and on deployment.

STATE: blocks FuzeKeys broker agent-auth (interim: a hashed-token fallback). Cross-links the federated-AuthN issue.
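The following is an added illustration of the acceptance criterion above (a worked check that denies cross-user and cross-tenant access), not code from FuzeFront, FuzeKeys or the Permit SDK. It is an in-memory model of the proposed "Agent delegate_of User" semantics: the agent key is assumed to be the OAuth2 client_id of its Authentik service account, and the names registerAgent, check, delegateOf and the sample tenants, users and resources are all assumptions constructed for the example.

```typescript
// Added example (not FuzeFront or Permit SDK code): an in-memory model of the
// proposed "Agent delegate_of User" relationship. It shows how an agent's reach
// is derived from the user it represents and why cross-user and cross-tenant
// requests are denied. Names below (registerAgent, check, delegateOf) are assumed.

type Action = "read" | "write" | "rotate";

interface UserPrincipal { kind: "user"; key: string; tenant: string }

// A machine identity: key is assumed to be the OAuth2 client_id of the Authentik
// service account, and delegateOf names the user it acts on behalf of.
interface AgentPrincipal { kind: "agent"; key: string; tenant: string; delegateOf: string }

type Principal = UserPrincipal | AgentPrincipal;

interface Resource { type: string; key: string; tenant: string; owner: string }

interface Decision { allow: boolean; reason: string; effectiveUser?: string }

// Actions an owner may perform per resource type (constructed sample policy).
const typeActions: Record<string, readonly Action[]> = {
  secret: ["read", "write", "rotate"],
  audit_log: ["read"],
};

const users = new Map<string, UserPrincipal>();
const agents = new Map<string, AgentPrincipal>();

function registerUser(u: UserPrincipal): void { users.set(u.key, u); }

// Registration is where delegate_of is pinned inside one tenant: an agent can
// never be bound to a user of another tenant, so the relationship itself cannot
// become a cross-tenant bridge.
function registerAgent(a: AgentPrincipal): void {
  const target = users.get(a.delegateOf);
  if (!target) throw new Error(`delegate_of target ${a.delegateOf} is not a registered user`);
  if (target.tenant !== a.tenant) throw new Error("agent and delegate_of user must share a tenant");
  agents.set(a.key, a);
}

// Resolve the effective user: agents collapse to the user they delegate for.
function resolveUser(p: Principal): { user?: UserPrincipal; reason?: string } {
  if (p.kind === "user") {
    const u = users.get(p.key);
    return u ? { user: u } : { reason: "unknown user" };
  }
  const a = agents.get(p.key);
  if (!a) return { reason: "unknown agent (no delegate_of relationship)" };
  const u = users.get(a.delegateOf);
  if (!u) return { reason: "dangling delegate_of" };
  if (u.tenant !== a.tenant) return { reason: "cross-tenant delegation" };
  return { user: u };
}

// The worked check: allow only when the effective user owns the resource in its
// own tenant and the action is defined for that resource type. The reason string
// is what an audit log or detection rule would key on.
function check(p: Principal, action: Action, r: Resource): Decision {
  const { user, reason } = resolveUser(p);
  if (!user) return { allow: false, reason: reason ?? "unresolved principal" };
  if (r.tenant !== user.tenant) return { allow: false, reason: "cross-tenant resource", effectiveUser: user.key };
  if (r.owner !== user.key) return { allow: false, reason: "cross-user resource", effectiveUser: user.key };
  if (!(typeActions[r.type] ?? []).includes(action)) {
    return { allow: false, reason: `action ${action} not defined for ${r.type}`, effectiveUser: user.key };
  }
  return { allow: true, reason: `${p.kind} ${p.key} acts as ${user.key}`, effectiveUser: user.key };
}

// Constructed sample data: two users in tenant "acme", one in "globex", and one
// broker agent bound to alice.
const brokerAgent: AgentPrincipal = { kind: "agent", key: "fuzekeys-broker-for-alice", tenant: "acme", delegateOf: "alice" };
const aliceSecret: Resource = { type: "secret", key: "db-password", tenant: "acme", owner: "alice" };
const bobSecret: Resource = { type: "secret", key: "api-key", tenant: "acme", owner: "bob" };
const carolSecret: Resource = { type: "secret", key: "signing-key", tenant: "globex", owner: "carol" };
const aliceAudit: Resource = { type: "audit_log", key: "2024-q1", tenant: "acme", owner: "alice" };

registerUser({ kind: "user", key: "alice", tenant: "acme" });
registerUser({ kind: "user", key: "bob", tenant: "acme" });
registerUser({ kind: "user", key: "carol", tenant: "globex" });
registerAgent(brokerAgent);

// Four decisions: own secret (allow), another user's secret (deny),
// another tenant's secret (deny), undefined action on an audit log (deny).
function demo(): Decision[] {
  return [
    check(brokerAgent, "read", aliceSecret),
    check(brokerAgent, "read", bobSecret),
    check(brokerAgent, "read", carolSecret),
    check(brokerAgent, "write", aliceAudit),
  ];
}
```

In a real deployment the same shape maps onto Permit's ReBAC: the agent is a distinct principal, delegate_of is a relationship instance between the agent and a user, and the allow branch is a role derivation rather than the owner comparison used here; the two deny branches and the tenant check at registration are the invariants the shared environment should preserve regardless of how the derivation is expressed.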
