feat: OIDC provider

.cargo/audit.toml

@@ -0,0 +1,49 @@
+[advisories]
+ignore = [
+    # RUSTSEC-2023-0071: Marvin Attack on the `rsa` crate (medium severity, 5.9)
+    #
+    # This advisory covers a timing side-channel in RSA PKCS#1 v1.5 *decryption*
+    # that could allow an attacker to recover plaintext by observing response
+    # times across many crafted ciphertexts.
+    #
+    # This does not affect us because:
+    #
+    # 1. We only use RSA for *signing* (PKCS#1 v1.5 with SHA-256 via
+    #    `SigningKey::<Sha256>`). The vulnerable code path is in the decryption
+    #    routine, which we never call.
+    #
+    # 2. The private key never processes attacker-controlled input. The proxy
+    #    signs its own JWTs with claims it constructs — no external ciphertext
+    #    is ever decrypted.
+    #
+    # 3. No fixed version exists. The `rsa` crate has not released a patch as
+    #    of 0.9.x. If a fix or alternative crate becomes available upstream in
+    #    `multistore-oidc-provider`, we should adopt it and remove this ignore.
+    #
+    # Revisit when: the `rsa` crate ships a fix, or `multistore-oidc-provider`
+    # migrates to a different RSA/signing implementation (e.g. ES256).
+    "RUSTSEC-2023-0071",
+
+    # RUSTSEC-2026-0097: `rand` is unsound with a custom logger using `rand::rng()`
+    #
+    # This is a soundness warning (not a vulnerability) affecting `rand` 0.8.5
+    # and 0.9.2. The unsoundness is only triggerable when a custom `log`
+    # implementation calls back into `rand::rng()` from within its `log()` method,
+    # creating reentrant access to thread-local RNG state.
+    #
+    # This does not affect us because:
+    #
+    # 1. We pull `rand` in only via transitive dependencies (`rsa`,
+    #    `num-bigint-dig`, `quinn-proto`, `object_store`) — we do not call
+    #    `rand::rng()` directly, and our logging setup does not invoke the RNG
+    #    from inside log handlers.
+    #
+    # 2. No fixed version exists in the 0.8.x or 0.9.x series. The advisory
+    #    lists no Solution; upstream has not released a patch on a compatible
+    #    semver line, and our transitive deps pin these majors.
+    #
+    # Revisit when: `rand` ships a patched 0.8.x/0.9.x release, or our
+    # transitive deps (`rsa`, `quinn-proto`, `object_store`) upgrade to
+    # `rand` 0.10+.
+    "RUSTSEC-2026-0097",
+]

.github/workflows/ci.yml

@@ -65,35 +65,52 @@ jobs:
         run: cargo install worker-build@0.7.5
       - name: Build WASM worker
         run: worker-build --release
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: worker-build
+          path: build/
+          retention-days: 1
 
   integration:
     name: Integration Tests
     runs-on: ubuntu-latest
     needs: [build]
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/download-artifact@v4
         with:
-          targets: wasm32-unknown-unknown
-      - uses: Swatinem/rust-cache@v2
+          name: worker-build
+          path: build/
       - uses: actions/setup-node@v4
         with:
           node-version: "22"
       - uses: astral-sh/setup-uv@v5
       - name: Install wrangler
         run: npm install -g wrangler@3
-      - name: Install worker-build
-        run: cargo install worker-build@0.7.5
+      - name: Generate test secrets
+        # Required by `load_config` in src/config.rs. The actual key material
+        # doesn't matter for these read-only public-data tests — we just need
+        # values that parse, since `JwtSigner::from_pem` and `TokenKey::from_base64`
+        # validate at startup.
+        run: |
+          openssl genpkey -algorithm RSA -out /tmp/oidc.pem -pkeyopt rsa_keygen_bits:2048
+          {
+            printf 'OIDC_PROVIDER_KEY="'
+            cat /tmp/oidc.pem
+            printf '"\n'
+            echo "SESSION_TOKEN_KEY=$(openssl rand -base64 32)"
+            echo "AUTH_ISSUER=https://auth.test.example.com"
+          } > .dev.vars
       - name: Start wrangler dev
         run: |
+          # Skip the build command (the artifact is prebuilt). Scope the
+          # rewrite to the [build] section so other `command =` lines that
+          # may appear later in the config are untouched.
+          sed -i '/^\[build\]/,/^\[/ s/^command = .*/command = "echo skip"/' wrangler.toml
           wrangler dev --port 8787 &
-          for i in $(seq 1 60); do
-            if curl -s --max-time 2 http://localhost:8787/ > /dev/null 2>&1; then
-              echo "Server ready after ${i}s"
-              break
-            fi
-            sleep 1
-          done
+          curl --retry 120 --retry-delay 1 --retry-connrefused --silent --fail http://localhost:8787/ > /dev/null
+          echo "Server ready"
       - name: Run integration tests
         run: uvx --with requests pytest tests/ -v
 

.github/workflows/deploy.yml

@@ -41,6 +41,12 @@ on:
         required: true
       CLOUDFLARE_ACCOUNT_ID:
         required: true
+      OIDC_PROVIDER_KEY:
+        required: true
+      SESSION_TOKEN_KEY:
+        required: true
+      OIDC_PROVIDER_KEY_PREVIOUS:
+        required: false
 
 jobs:
   deploy:
@@ -88,9 +94,57 @@ jobs:
           done
           npx wrangler@3 deploy --config ${{ inputs.wrangler_config }} $EXTRA_ARGS
 
+      - name: Upload worker secrets
+        # GitHub environment secrets are the source of truth — anything set
+        # here is re-uploaded on every deploy, overwriting values set manually
+        # via `wrangler secret put`. OIDC_PROVIDER_KEY_PREVIOUS is included
+        # only while a rotation is in progress (i.e. the GitHub secret exists).
+        env:
+          OIDC_PROVIDER_KEY: ${{ secrets.OIDC_PROVIDER_KEY }}
+          SESSION_TOKEN_KEY: ${{ secrets.SESSION_TOKEN_KEY }}
+          OIDC_PROVIDER_KEY_PREVIOUS: ${{ secrets.OIDC_PROVIDER_KEY_PREVIOUS }}
+        run: |
+          # Fail loudly if a required secret is missing/empty in this GitHub
+          # environment. Without this, jq emits an empty value, `secret bulk`
+          # succeeds, the job goes green — and every request to the worker
+          # panics in load_config (the worker cannot boot without these).
+          [ -n "$OIDC_PROVIDER_KEY" ] || { echo "::error::OIDC_PROVIDER_KEY is not set in the '${{ inputs.environment }}' environment"; exit 1; }
+          [ -n "$SESSION_TOKEN_KEY" ] || { echo "::error::SESSION_TOKEN_KEY is not set in the '${{ inputs.environment }}' environment"; exit 1; }
+          WORKER_ARGS=""
+          if [ -n "${{ inputs.wrangler_env }}" ]; then
+            WORKER_ARGS="--env ${{ inputs.wrangler_env }}"
+          fi
+          if [ -n "${{ inputs.worker_name }}" ]; then
+            WORKER_ARGS="--name ${{ inputs.worker_name }}"
+          fi
+          jq -n '{OIDC_PROVIDER_KEY: env.OIDC_PROVIDER_KEY, SESSION_TOKEN_KEY: env.SESSION_TOKEN_KEY}
+                 + (if (env.OIDC_PROVIDER_KEY_PREVIOUS // "") != "" then {OIDC_PROVIDER_KEY_PREVIOUS: env.OIDC_PROVIDER_KEY_PREVIOUS} else {} end)' \
+            | npx wrangler@3 secret bulk $WORKER_ARGS
+
       - name: Get deploy URL
         id: url
         run: |
           WORKER="${{ inputs.worker_name || 'source-data-proxy' }}"
           URL="https://${WORKER}.${{ vars.CLOUDFLARE_WORKERS_SUBDOMAIN }}.workers.dev"
           echo "deploy_url=$URL" >> "$GITHUB_OUTPUT"
+
+      - name: Smoke test
+        # Confirm the worker actually booted. A missing/malformed secret makes
+        # load_config panic on the first request (Cloudflare 1101 → HTTP 5xx),
+        # so this turns a silently-broken deploy into a red job.
+        run: |
+          URL="${{ steps.url.outputs.deploy_url }}"
+          echo "Smoke-testing $URL"
+          for path in "/" "/.well-known/jwks.json"; do
+            ok=""
+            for attempt in 1 2 3 4 5; do
+              if code=$(curl -fsS -o /dev/null -w '%{http_code}' "$URL$path"); then
+                echo "ok: $path -> $code"
+                ok=1
+                break
+              fi
+              echo "attempt $attempt: $path not ready, retrying in 3s…"
+              sleep 3
+            done
+            [ -n "$ok" ] || { echo "::error::smoke test failed for $URL$path"; exit 1; }
+          done

.github/workflows/preview.yml

@@ -17,12 +17,21 @@ jobs:
     with:
       worker_name: source-data-proxy-pr-${{ github.event.pull_request.number }}
       wrangler_config: wrangler.preview.toml
-      var_overrides: "LOG_LEVEL:DEBUG SOURCE_API_URL:https://staging.source.coop"
-      service_overrides: "PUBLIC_LOG_STREAM:public-log-stream-pr-${{ github.event.pull_request.number }}"
+      var_overrides: >-
+        LOG_LEVEL:DEBUG
+        SOURCE_API_URL:https://staging.source.coop
+        OIDC_PROVIDER_ISSUER:https://source-data-proxy-pr-${{ github.event.pull_request.number }}.source-coop.workers.dev
+        OIDC_PROVIDER_KID:source-proxy-1
+        AUTH_ISSUER:https://auth.staging.source.coop
+      service_overrides: >-
+        PUBLIC_LOG_STREAM:public-log-stream-pr-${{ github.event.pull_request.number }}
       environment: preview
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      OIDC_PROVIDER_KEY: ${{ secrets.OIDC_PROVIDER_KEY }}
+      SESSION_TOKEN_KEY: ${{ secrets.SESSION_TOKEN_KEY }}
+      OIDC_PROVIDER_KEY_PREVIOUS: ${{ secrets.OIDC_PROVIDER_KEY_PREVIOUS }}
 
   deploy-public-log-stream:
     name: Deploy Public Log Stream

.github/workflows/production.yml

@@ -19,6 +19,9 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      OIDC_PROVIDER_KEY: ${{ secrets.OIDC_PROVIDER_KEY }}
+      SESSION_TOKEN_KEY: ${{ secrets.SESSION_TOKEN_KEY }}
+      OIDC_PROVIDER_KEY_PREVIOUS: ${{ secrets.OIDC_PROVIDER_KEY_PREVIOUS }}
 
   deploy-public-log-stream:
     name: Deploy Public Log Stream

.github/workflows/staging.yml

@@ -19,6 +19,9 @@ jobs:
     secrets:
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
       CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      OIDC_PROVIDER_KEY: ${{ secrets.OIDC_PROVIDER_KEY }}
+      SESSION_TOKEN_KEY: ${{ secrets.SESSION_TOKEN_KEY }}
+      OIDC_PROVIDER_KEY_PREVIOUS: ${{ secrets.OIDC_PROVIDER_KEY_PREVIOUS }}
 
   deploy-public-log-stream:
     name: Deploy Public Log Stream

.gitignore

@@ -5,3 +5,4 @@
 node_modules
 docs/plans
 .worktrees
+.dev.vars

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "rust-analyzer.cargo.target": "wasm32-unknown-unknown"
+}