
fix(auth): accept Bearer JWT in /api/auth/sync #2

Closed
jezekra1 wants to merge 10 commits into kagenti/generic-oauth from fix/jwt-auth-sync

@jezekra1

Summary

  • The /api/auth/sync endpoint only accepted NextAuth session cookies, but the Humr API server calls it with a Bearer JWT (via Keycloak token exchange). getServerSession() returned null → 401 → user never provisioned in OneCLI.
  • Adds resolveJwtUserInfo() to validate-jwt.ts: verifies JWT and extracts identity claims (sub, email, name) without requiring the user to already exist in the DB.
  • Sync endpoint now tries session auth first, then falls back to JWT auth.

Impact

Without this fix, users authenticated via an external OIDC provider are never created in OneCLI's database, causing all downstream API calls (secrets, MCP connections, Anthropic API key) to fail with 401.

Test plan

  • Verify browser login still works (NextAuth session → sync)
  • Verify API-server token-exchange sync succeeds (Bearer JWT → sync → user created)
  • Verify secrets/MCP connections work after sync
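To make the described flow concrete, here is an added TypeScript example (not code from this PR or the kagenti/generic-oauth project) of a session-first, Bearer-JWT-fallback resolver that verifies the token and returns only identity claims. `ISSUER`, `AUDIENCE`, `mintToken`, `resolveSyncIdentity` and the locally generated RS256 key pair (standing in for the provider's JWKS) are constructed for this example.

```typescript
import * as crypto from "node:crypto";

// Constructed fixtures (assumptions, not the project's values): an issuer,
// the expected audience, and an RS256 key pair standing in for the
// provider's JWKS, which the real code fetches over the network.
export const ISSUER = "https://idp.example.test/realms/demo";
export const AUDIENCE = "onecli-web";
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Mint a compact RS256 JWS so the flow can be exercised offline.
export function mintToken(claims: Record<string, unknown>): string {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

export interface UserInfo { sub: string; email?: string; name?: string }

// Stand-in for resolveJwtUserInfo(): verify signature, issuer, audience and
// expiry, then return identity claims only. No database lookup is involved,
// which is what lets a first-time user be provisioned from the token.
export function resolveJwtUserInfo(token: string, now = Math.floor(Date.now() / 1000)): UserInfo | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const hdr = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  if (hdr.alg !== "RS256") return null; // pin the algorithm; never trust "none"
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, publicKey, Buffer.from(sig, "base64url"))) return null;
  const c = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  const aud: unknown[] = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (c.iss !== ISSUER || !aud.includes(AUDIENCE)) return null;
  if (typeof c.exp !== "number" || c.exp <= now) return null;
  if (typeof c.sub !== "string" || c.sub === "") return null;
  return { sub: c.sub, email: c.email, name: c.name };
}

// The precedence the PR describes for /api/auth/sync: NextAuth session first,
// then fall back to a Bearer JWT from the Authorization header.
export function resolveSyncIdentity(session: UserInfo | null, authorization?: string): UserInfo | null {
  if (session) return session;
  const m = authorization?.match(/^Bearer\s+(\S+)$/i);
  try { return m ? resolveJwtUserInfo(m[1]) : null; } catch { return null; } // malformed token
}
```

A token that passes every check yields `{ sub, email, name }` for provisioning; a wrong audience, wrong issuer, expired `exp` or altered payload yields `null`, which the endpoint would map to 401.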

pilartomas and others added 10 commits April 10, 2026 06:49
Replace the hardcoded Google OAuth provider with a generic OIDC provider
that works with Keycloak, Okta, Auth0, or any OIDC-compliant identity
provider. Google OAuth credentials are preserved for Workspace app
connections (Gmail, Calendar, etc.) which are unaffected.

New env vars: OAUTH_ISSUER, OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET

Make the gateway accept OIDC access tokens (Bearer JWT validated against
the provider's JWKS) in addition to the existing NextAuth session cookies
and API keys. Auth methods are tried in order: oc_ API key, OIDC Bearer
JWT, NextAuth cookie. JWKS is optional — enabled when OAUTH_ISSUER is set.

…te conflict

The custom session-sync endpoint was shadowing NextAuth's built-in
/api/auth/session, preventing SessionProvider from detecting the
logged-in session after OIDC callback — causing the login page to
get stuck instead of redirecting to /overview.

Validates the aud claim against OAUTH_AUDIENCE when verifying
JWT access tokens via JWKS. Required when OAUTH_ISSUER is set.

Infrastructure cannot reach OAUTH_ISSUER for discovery, so allow
fetching JWKS keys directly via an explicit URL for both web and gateway.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add OAUTH_AUTHORIZATION_URL, OAUTH_TOKEN_URL, OAUTH_USERINFO_URL env
vars so all OIDC endpoints can be specified directly, allowing the web
app to skip unreachable OIDC discovery entirely.

API routes now accept OIDC access tokens via Authorization: Bearer header,
matching the gateway's auth flow. Precedence: API key → OAuth JWT → session.

The sync endpoint only accepted NextAuth session cookies. When called
by an external API server via Keycloak token exchange (Bearer JWT),
getServerSession() returned null → 401 → user never provisioned.

- Add resolveJwtUserInfo() to validate-jwt.ts: verifies JWT signature
  and extracts identity claims (sub, email, name) without requiring the
  user to already exist in the database.
- Sync endpoint now tries session auth first, then falls back to JWT,
  so both browser logins and API-to-API sync calls work.

Signed-off-by: Radek Ježek <pc.jezek@gmail.com>
Signed-off-by: Radek Ježek <radek.jezek@ibm.com>
@jezekra1
Author

Already fixed in 157ed12 on kagenti/generic-oauth.

@jezekra1 jezekra1 closed this Apr 16, 2026
@jezekra1 jezekra1 deleted the fix/jwt-auth-sync branch April 16, 2026 13:26