feat: OIDC provider

[alukach]

What I'm changing

Turns the data proxy into an OIDC provider so it can authenticate to the Source Cooperative API on behalf of each user, and adds an STS token-exchange endpoint so clients can trade an OIDC token for temporary S3-style credentials.

Highlights

• OIDC provider — the proxy now mints and signs RSA JWTs and publishes them at GET /.well-known/openid-configuration and GET /.well-known/jwks.json, so the Source API (and other relying parties) can verify them. Supports zero-downtime key rotation by serving both the active and previous key in the JWKS.
• Per-user API auth — replaces the single static api_secret with a flexible ApiAuth that signs a short-lived JWT scoped to the calling principal. Upstream API calls are now made as that user instead of with a shared secret.
• STS token exchange — new /.sts endpoint with a _default role that trusts the auth provider, letting an authenticated user obtain temporary credentials.

Also included

• New config module parses keys/secrets once per isolate (RSA PEM parsed a single time).
• Object writes now return an S3 405 MethodNotAllowed instead of a misleading 404 (the proxy is read-only).
• Upstream auth failures (401/403) now surface as S3 403 AccessDenied rather than a 500.
• Cache keys are identity-scoped and URL-safe (hex-encoded subject).
• Bumps multistore to 0.4.0, refreshes dependencies / cargo audit allowlist, and updates CI + deploy workflows to forward the new secrets.

Warning

this adds required env vars/secrets — OIDC_PROVIDER_KEY, OIDC_PROVIDER_KID, OIDC_PROVIDER_ISSUER, SESSION_TOKEN_KEY, AUTH_ISSUER. The worker will not boot without them. See the README → OIDC Provider for setup and the key-rotation procedure.

How to test it

1. Access the accompanying frontend PR (feat: OIDC auth source.coop#283) preview: https://source-cooperative-git-feat-oidc-auth-radiantearth.vercel.app/

2. Authenticate & access Restricted product (e.g. https://source-cooperative-git-feat-oidc-auth-radiantearth.vercel.app/alukach/alukach-experimentation). Verify ****

3. Set the env vars/secrets above (the README has a one-liner to generate an RSA key).

4. Discovery: curl https://<host>/.well-known/openid-configuration and /.well-known/jwks.json return the issuer and the active (+ previous, during rotation) keys.

5. Token exchange: exchange an OIDC token at /.sts and confirm temporary credentials are returned.

6. Behavior: a signed object download still streams; a PUT/POST/DELETE returns 405; a request the API rejects returns 403 AccessDenied (not 500).

PR Checklist

• This PR has no breaking changes.
• I have updated or added new tests to cover the changes in this PR.
• This PR affects the Source Cooperative Frontend & API,
  and I have opened issue/PR #XXX to track the change.

Related Issues

• [Proposed Feature] Support auth from data proxy via OIDC tokens source.coop#237

[github-actions]

🚀 Latest commit deployed to https://source-data-proxy-pr-132.source-coop.workers.dev

• Date: 2026-06-10T21:05:54Z
• Commit: 7c1ef84

[tylere]

Comments generated by Cursor / Fable 5 analysis:

I reviewed PR #132 "feat: OIDC provider" (alukach, +1,263/−1,085 across 20 files, all 13 checks green, no reviews yet). It's the proxy half of the pair with source.coop#283: the worker becomes its own OIDC issuer (discovery + JWKS, RSA-signed JWTs), replaces the shared SOURCE_API_SECRET with per-user short-lived JWTs, and adds a /.sts token-exchange endpoint.

Overall

The architecture is sound and well-documented, and the code quality is high — identity-scoped cache keys, proper S3 error mapping, key rotation with dual JWKS, and unusually thorough justifications in audit.toml. I'd want the items below addressed or answered before merge, though — #1 and #2 in particular.

Security findings

1. The _default STS role doesn't restrict token audience (high).

In src/sts.rs:

trusted_oidc_issuers: vec![oidc_issuer],
required_audience: None,
subject_conditions: vec![],
allowed_scopes: vec![], // unlimited
Any ID token issued by AUTH_ISSUER — for any OAuth client registered with Ory, not just the source.coop server flow — can be exchanged at /.sts for credentials acting as that subject. If a third-party app ever gets registered as an Ory client, an ID token a user grants to that app becomes exchangeable for the user's data-proxy credentials (classic audience-confusion). Recommend setting required_audience to the client_id used by the paired source.coop flow, or explicitly documenting why it's deferred.

2. Key-rotation runbook conflicts with the deploy workflow (medium).

deploy.yml now re-uploads OIDC_PROVIDER_KEY and SESSION_TOKEN_KEY from GitHub secrets via wrangler secret bulk on every deploy. The README rotation procedure says to rotate with wrangler secret put — if someone follows it without also updating the GitHub secret, the next deploy silently reverts to the old key. Also inconsistent: OIDC_PROVIDER_KEY_PREVIOUS is not in the bulk upload, so the previous key is managed out-of-band while the active key is CI-managed. The README should make GitHub secrets the source of truth.

3. CORS now advertises write methods to all origins.

access-control-allow-methods grew PUT, POST, DELETE with allow-origin: * and allow-headers: *. The proxy is read-only (writes 405), so presumably this is for POST to /.sts — but it's applied globally. Worth narrowing, or noting why.

4. SESSION_TOKEN_KEY rotation isn't documented.

Rotating it invalidates all outstanding sealed STS credentials (the frontend's sc_proxy_creds cookies). Fine operationally, but the README rotation section only covers the OIDC key.

Correctness / design

7. Restricted reads still hit the backend anonymously.

registry.rs keeps skip_signature = "true" for all requests (the TODO acknowledges it). So "restricted" is enforced only at the API-metadata layer; the backing bucket must still be anonymously readable by the proxy. That seems to be the intended interim state (follow-up exists in PR #147 / draft #332), but it's worth stating in the PR description since "restricted product support" is the headline of the paired PR.

8. /.sts path match is exact.

parts.path == "/.sts" — /.sts/ or /.sts? variants fall through to bucket mapping and would 404/405 confusingly. Minor; consider normalizing.

9. Analytics pollution from special paths.

Location broadcast skips parts.path.starts_with("/."), but log_analytics doesn't — .well-known and .sts requests get logged with account = ".well-known". Minor data-quality issue.

10. cache_key_with_subject appends ?subject= — breaks if api_url ever carries a query string.

True today that none do; a debug assert or comment would prevent a future foot-gun. The hex-encoding rationale itself is good.

11. 60s JWT TTL is tight.

JwtSigner::from_pem(&pem, kid, 60) — if there's clock skew between the Cloudflare edge and the source.coop API and the verifier enforces iat/nbf strictly, requests will intermittently 403. Worth confirming the API verifier allows leeway.

14. load_config panics on missing env.

Every expect turns a misconfigured worker into per-request panics/500s rather than a failed boot. The deploy-and-smoke-test workflow mitigates this, and the PR warns about it, so this is acceptable — just be aware preview/staging/prod all need the secrets before this merges (deploy will fail otherwise).

CI nits

• sed -i 's/^command = .*/command = "echo skip"/' wrangler.toml rewrites all command = lines; there's only one today, but it's fragile.
• The SECRETS='{"OIDC_PROVIDER_KEY": ${{ toJSON(...) }}...' single-quoted shell interpolation breaks if a secret ever contains a single quote. PEM/base64 values won't, but printf from a file or a heredoc would be more robust.
• Nice improvement: reusing the build artifact for integration tests and replacing the poll loop with curl --retry --retry-connrefused.

What I'd merge as-is

The error-mapping change (401/403 → S3 AccessDenied instead of 500, writes → 405 instead of 404), the OnceLock config/JWKS caching (RSA PEM parsed once per isolate), the removal of the spawn_local+oneshot bridge in registry.rs, and the DataMode → Visibility rename are all clean improvements independent of the headline feature.