Feat/auth server integration#1013
Draft
charming-wicket-5502 wants to merge 5 commits into
Draft
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces a new “Cosmian authentication server” integration across the KMS server and ckms client by adding a dedicated server middleware (CosmianAuth) and a client-side ckms login cosmian flow.
Changes:
- Add server-side
CosmianAuthmiddleware that validates Bearer JWTs using JWKS (including a “nokid” verification strategy that tries all keys). - Extend configuration (CLI/TOML + wizard) to enable Cosmian auth and control JWKS fetching (including an “accept invalid certs” option).
- Add client-side login helper (
cosmian_login) and CLI subcommand (ckms login cosmian) to extract the_ea_cookie value and store/forward it as an access token.
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
crate/server/src/start_kms_server.rs |
Wires Cosmian auth into the authenticated scopes and builds a dedicated JWKS manager for it. |
crate/server/src/middlewares/mod.rs |
Exposes the new CosmianAuth middleware. |
crate/server/src/middlewares/jwt/jwks.rs |
Adds JWKS options (accept_invalid_certs) and a find_any() helper for key iteration. |
crate/server/src/middlewares/cosmian_auth/mod.rs |
Introduces the Cosmian auth middleware module. |
crate/server/src/middlewares/cosmian_auth/cosmian_auth_middleware.rs |
Actix middleware wrapper that injects AuthenticatedUser after token validation. |
crate/server/src/middlewares/cosmian_auth/cosmian_auth_token.rs |
Token parsing + validation logic (no-kid behavior, algorithm allowlist, claim mapping). |
crate/server/src/main.rs |
Updates test config construction to include cosmian_auth. |
crate/server/src/config/wizard/mod.rs |
Plumbs wizard output into server config for Cosmian auth. |
crate/server/src/config/wizard/auth_wizard.rs |
Adds interactive wizard support for Cosmian auth server + JWKS options. |
crate/server/src/config/params/server_params.rs |
Adds cosmian_auth_config to computed server params. |
crate/server/src/config/command_line/mod.rs |
Registers the new Cosmian auth config module. |
crate/server/src/config/command_line/cosmian_auth_config.rs |
Defines CosmianAuthConfig and its CLI/env/TOML mapping. |
crate/server/src/config/command_line/clap_config.rs |
Adds cosmian_auth to ClapConfig and debug output. |
crate/clients/client/src/http_client/mod.rs |
Re-exports Cosmian login helpers/config. |
crate/clients/client/src/http_client/login.rs |
Implements CosmianLoginConfig + cosmian_login() extracting _ea_ cookie. |
crate/clients/client/src/http_client/client.rs |
Adds cosmian_conf to client config deserialization. |
crate/clients/clap/src/actions/login.rs |
Changes ckms login into subcommands (oauth / cosmian). |
crate/clients/ckms/src/tests/login_tests.rs |
Updates existing tests to call ckms login oauth. |
CHANGELOG/feat_auth-server-integration.md |
Adds branch changelog entry describing the feature. |
.gitignore |
Ignores .github/agents/. |
Comment on lines
19
to
28
| #[derive(Debug)] | ||
| pub struct JwksManager { | ||
| pub(crate) uris: Vec<String>, | ||
| pub(crate) jwks: RwLock<HashMap<String, JwkSet>>, | ||
| pub(crate) last_update: RwLock<Option<DateTime<Utc>>>, | ||
| pub(crate) proxy_params: Option<ProxyParams>, | ||
| /// When `true`, the JWKS fetch client skips TLS certificate verification. | ||
| /// Only set this for development/test environments (e.g. self-signed certs). | ||
| pub(crate) accept_invalid_certs: bool, | ||
| } |
Comment on lines
+653
to
+658
| let jwks_uri = cosmian_cfg.jwks_uri().ok_or_else(|| { | ||
| KmsError::ServerError( | ||
| "Cosmian auth is enabled but no server URL is configured".to_owned(), | ||
| ) | ||
| })?; | ||
| let proxy_params = kms_server.params.proxy_params.clone(); |
Comment on lines
+649
to
+675
| // Determine if Cosmian Auth Server should be used for authentication. | ||
| let (use_cosmian_auth, cosmian_auth_jwks_manager) = if let Some(ref cosmian_cfg) = | ||
| kms_server.params.cosmian_auth_config | ||
| { | ||
| let jwks_uri = cosmian_cfg.jwks_uri().ok_or_else(|| { | ||
| KmsError::ServerError( | ||
| "Cosmian auth is enabled but no server URL is configured".to_owned(), | ||
| ) | ||
| })?; | ||
| let proxy_params = kms_server.params.proxy_params.clone(); | ||
| let mgr = Arc::new( | ||
| JwksManager::new_with_options( | ||
| vec![jwks_uri], | ||
| proxy_params.as_ref(), | ||
| cosmian_cfg.cosmian_auth_accept_invalid_certs, | ||
| ) | ||
| .await | ||
| .map_err(|e| { | ||
| KmsError::ServerError(format!( | ||
| "Failed to initialise Cosmian auth JWKS manager: {e}" | ||
| )) | ||
| })?, | ||
| ); | ||
| (true, Some(mgr)) | ||
| } else { | ||
| (false, None) | ||
| }; |
Comment on lines
+11
to
+18
| /// ```toml | ||
| /// [cosmian_auth] | ||
| /// server_url = "https://localhost:8443" | ||
| /// accept_invalid_certs = false # set true only for dev/test | ||
| /// ``` | ||
| /// | ||
| /// The JWKS endpoint is derived automatically from `server_url` as | ||
| /// `{server_url}/.well-known/jwks.json` unless overridden via `jwks_uri`. |
Comment on lines
+129
to
+133
| let server_url: String = Input::with_theme(&theme) | ||
| .with_prompt("Cosmian auth server URL (e.g. https://auth.example.com)") | ||
| .interact_text() | ||
| .map_err(|e| KmsError::ServerError(format!("Prompt error: {e}")))?; | ||
| let jwks_uri: String = Input::with_theme(&theme) |
Comment on lines
+390
to
+394
| let url = format!( | ||
| "{}/login?realm={}", | ||
| config.server_url.trim_end_matches('/'), | ||
| config.realm | ||
| ); |
| cmd.env(CKMS_CONF_ENV, &conf_path).arg("login").arg("oauth"); | ||
|
|
||
| let output = recover_cmd_logs(&mut cmd); | ||
| assert!( |
Comment on lines
+124
to
+130
| // Fetch all public keys — Cosmian tokens have no `kid` so we try them all. | ||
| let jwks = jwks_manager.find_any()?; | ||
| if jwks.is_empty() { | ||
| // JWKS cache might be stale; attempt one refresh. | ||
| jwks_manager.refresh().await?; | ||
| } | ||
| let jwks = jwks_manager.find_any()?; |
Manuthor
reviewed
Jun 25, 2026
Manuthor
left a comment
Manuthor
left a comment
Contributor
There was a problem hiding this comment.
Just a few basic suggestions, not much
Great job!
|
|
||
| #[command(flatten)] | ||
| #[clap(flatten)] | ||
| pub cosmian_auth: CosmianAuthConfig, |
Contributor
There was a problem hiding this comment.
CosmianAuth being a little vague. Do you think we can find an alternative at least for this CosmianAuthConfig?
What about CosmianAuthServerConfig or CosmianSessionAuthConfig?
About auth server name, we definitely need to find a proper name for the auth server. Should we stick to Cosmian Authentication server or Cosmian IdP since it tends to be an IdP?
| /// realm = "kms" | ||
| /// ``` | ||
| #[derive(Serialize, Deserialize, Eq, PartialEq, Debug, Clone)] | ||
| pub struct CosmianLoginConfig { |
Contributor
There was a problem hiding this comment.
Suggested change
| pub struct CosmianLoginConfig { | |
| pub struct CosmianAuthServerLoginConfig { |
?
Contributor
There was a problem hiding this comment.
We can rename the filename to be more accurate
Contributor
There was a problem hiding this comment.
Rename to .../cosmian_auth_server/middleware.rs please
Comment on lines
+69
to
+85
| let auth_header = req | ||
| .headers() | ||
| .get(header::AUTHORIZATION) | ||
| .and_then(|h| h.to_str().ok()) | ||
| .unwrap_or(""); | ||
|
|
||
| // Parse "Bearer <token>". | ||
| let mut parts = auth_header.splitn(2, ' '); | ||
| let scheme = parts.next().unwrap_or(""); | ||
| let token = parts.next().unwrap_or("").trim(); | ||
|
|
||
| if !scheme.eq_ignore_ascii_case("Bearer") || token.is_empty() { | ||
| return Err(KmsError::Unauthorized( | ||
| "Cosmian auth: missing or malformed Authorization header (expected Bearer token)" | ||
| .to_owned(), | ||
| )); | ||
| } |
Contributor
There was a problem hiding this comment.
We could mutualize this code with similar token-extraction code from api_token_auth.rs (probably create a shared function)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #879