@jakedoublev jakedoublev commented Sep 23, 2025

  • adds config for a client ID claim in OIDC access tokens (dot-notation capable)
  • utility functions to set and get the client ID from golang context metadata (which is made available across gRPC service boundaries, unlike golang context keys that are not saved to the context metadata)
  • reads config into various interceptors
  • each interceptor propagates the clientID from the parsed token for downstream consumers
  • improvements to logs alongside azp claim
  • unit and integration tests

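As an added illustration (not code from this PR or from its project), the following Go program shows the two pieces the description lists: resolving a configurable, dot-notation claim path against already-verified token claims, and attaching the result to a context in metadata form so a downstream handler can read it back. Every name here (ResolveClaim, ContextWithClientID, GetClientIDFromContext, Authenticate, the "client-id" metadata key, the Metadata type) and the sample claims payload are constructed for the example; Metadata stands in for google.golang.org/grpc/metadata so the program runs with the standard library alone.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names for this example, not the project's API.
const (
	DefaultClientIDClaim = "azp"
	clientIDKey          = "client-id" // metadata key carrying the client ID
)

var (
	ErrClaimMissing   = errors.New("client ID claim not present in token")
	ErrClaimNotString = errors.New("client ID claim is not a non-empty string")
	ErrNoClientID     = errors.New("no client ID in context metadata")
)

// ResolveClaim walks verified JWT claims along a dot-separated path such as
// "azp" or "resource_access.downstream.client_id"; empty path means the default.
func ResolveClaim(claims map[string]any, path string) (string, error) {
	if path == "" {
		path = DefaultClientIDClaim
	}
	var cur any = claims
	for _, seg := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return "", fmt.Errorf("%w: %q is not an object before %q", ErrClaimMissing, path, seg)
		}
		if cur, ok = obj[seg]; !ok {
			return "", fmt.Errorf("%w: %q", ErrClaimMissing, path)
		}
	}
	s, ok := cur.(string)
	if !ok || s == "" {
		return "", fmt.Errorf("%w: %q", ErrClaimNotString, path)
	}
	return s, nil
}

// Metadata mirrors gRPC metadata (lower-case keys, list of values). It stands
// in for google.golang.org/grpc/metadata so the example needs only stdlib.
type Metadata map[string][]string
type mdKey struct{}

// ContextWithClientID copies any metadata already on ctx and sets the client
// ID, replacing (not appending to) any value a caller may have supplied.
func ContextWithClientID(ctx context.Context, clientID string) context.Context {
	old, _ := ctx.Value(mdKey{}).(Metadata)
	md := make(Metadata, len(old)+1)
	for k, v := range old {
		md[k] = append([]string(nil), v...)
	}
	md[clientIDKey] = []string{clientID}
	return context.WithValue(ctx, mdKey{}, md)
}

// GetClientIDFromContext is the downstream read; it rejects absent, empty
// or ambiguous (multi-valued) entries instead of taking the first one.
func GetClientIDFromContext(ctx context.Context) (string, error) {
	md, ok := ctx.Value(mdKey{}).(Metadata)
	if !ok {
		return "", ErrNoClientID
	}
	vals := md[clientIDKey]
	if len(vals) != 1 || vals[0] == "" {
		return "", fmt.Errorf("%w: want exactly one value, got %d", ErrNoClientID, len(vals))
	}
	return vals[0], nil
}

// Authenticate is the interceptor step after signature/issuer checks (omitted).
func Authenticate(ctx context.Context, verified map[string]any, claimPath string) (context.Context, error) {
	id, err := ResolveClaim(verified, claimPath)
	if err != nil {
		return ctx, err
	}
	return ContextWithClientID(ctx, id), nil
}

// sampleClaims is a constructed token payload, not a real token.
const sampleClaims = `{"iss":"https://idp.example.test/realms/demo","sub":"user-123",
"azp":"sdk-client","resource_access":{"downstream":{"client_id":"downstream-client"}}}`

func parseClaims(raw string) (m map[string]any, err error) {
	return m, json.Unmarshal([]byte(raw), &m)
}

func main() {
	claims, err := parseClaims(sampleClaims)
	if err != nil {
		panic(err)
	}
	for _, path := range []string{"", "resource_access.downstream.client_id", "sub.nested"} {
		if ctx, err := Authenticate(context.Background(), claims, path); err != nil {
			fmt.Printf("path %q rejected: %v\n", path, err)
		} else {
			id, _ := GetClientIDFromContext(ctx)
			fmt.Printf("path %q -> client ID %q\n", path, id)
		}
	}
}
```

Two details matter for security rather than convenience. The interceptor-side write replaces whatever a caller may already have placed under the client-ID key, so the identity that reaches downstream services always comes from the verified token and never from a header the client chose. The read side refuses zero or several values instead of silently using the first, which is the failure mode when metadata from an untrusted hop is merged with the interceptor's own entry.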
Summary of Changes

Hello @jakedoublev, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the authentication system by enabling the propagation of the client ID from OIDC access tokens into the shared Go context metadata. This ensures that the client ID, derived from a configurable token claim, is consistently available to downstream services, improving the traceability of requests and facilitating more granular policy enforcement and logging. The changes include new configuration, updated interceptor logic, and dedicated utility functions, all backed by thorough testing.

Highlights

  • Configurable Client ID Claim: Introduced a new configuration option (ClientIDClaim) in PolicyConfig to specify which OIDC token claim should be used as the client ID, defaulting to 'azp'.
  • Client ID Propagation: Implemented mechanisms within HTTP MuxHandler and gRPC ConnectUnaryServerInterceptor to extract the client ID from parsed OIDC tokens and propagate it into the Go context metadata, making it available across service boundaries.
  • Context Metadata Utilities: Added new utility functions (ContextWithAuthnMetadata, GetClientIDFromContext) in service/pkg/auth/context_auth.go to manage client ID within shared context metadata, including error handling for retrieval.
  • Enhanced Logging: Improved warning logs for permission denied errors by including the configured client ID claim name and the extracted client ID, aiding in debugging and traceability.
  • Comprehensive Testing: Added extensive unit and integration tests to validate the correct extraction and propagation of the client ID across different authentication flows (HTTP and gRPC), ensuring robustness.

@gemini-code-assist gemini-code-assist bot left a comment
Code Review

This pull request introduces a mechanism to propagate the client ID from an OIDC token into the gRPC context metadata for use in downstream services. This is achieved by adding a configurable claim for the client ID, utility functions to manage it in the context, and updating the authentication interceptors to perform the extraction and propagation. The logging is also improved to include the client ID, which is great for traceability.

The changes are well-implemented and thoroughly tested with both unit and integration tests. I have a couple of suggestions to improve maintainability by removing some dead code and reducing code duplication. Overall, this is a solid contribution.

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  200.03362ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  104.219408ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           370.897702ms
Throughput           269.62 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           39.48963769s
Average Latency      392.554989ms
Throughput           126.62 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           27.056329643s
Average Latency      269.304097ms
Throughput           184.80 requests/second

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  186.751446ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  97.996624ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           346.632891ms
Throughput           288.49 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           36.642901539s
Average Latency      364.873519ms
Throughput           136.45 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           25.611577504s
Average Latency      255.540754ms
Throughput           195.22 requests/second

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  177.998051ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  89.637676ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           344.861051ms
Throughput           289.97 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           36.073222473s
Average Latency      358.281966ms
Throughput           138.61 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           25.647894046s
Average Latency      255.494007ms
Throughput           194.95 requests/second

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  176.0789ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  102.996595ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           350.856968ms
Throughput           285.02 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           37.897000534s
Average Latency      376.872703ms
Throughput           131.94 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           26.362902924s
Average Latency      262.78534ms
Throughput           189.66 requests/second

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  174.965767ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  96.817729ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           346.584058ms
Throughput           288.53 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           36.643199676s
Average Latency      364.945885ms
Throughput           136.45 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           25.582191544s
Average Latency      254.712412ms
Throughput           195.45 requests/second

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  173.804839ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  97.020712ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           348.422867ms
Throughput           287.01 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           37.210517337s
Average Latency      369.84222ms
Throughput           134.37 requests/second

NANOTDF Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           25.468870366s
Average Latency      253.511399ms
Throughput           196.32 requests/second

@jakedoublev jakedoublev added this pull request to the merge queue Sep 25, 2025
Merged via the queue into main with commit 0f77246 Sep 25, 2025
32 checks passed
@jakedoublev jakedoublev deleted the feat/DSPX-1695 branch September 25, 2025 15:18