feat(harmony_secret): SSO auth hardening — silent refresh, renewal, namespacing #302

Merged
johnride merged 1 commits from pr/harmony-secret-auth into master 2026-05-29 15:11:53 +00:00

Summary

Hardens the OpenBao/Zitadel auth path so SSO-authenticated sessions survive
process restarts and overnight gaps without re-triggering the browser device
flow. Internal behavior only — public API is unchanged, so it compiles against
current master.

Changes

  • Silent OIDC refresh: reuse the refresh_token to mint a fresh id_token (and
    OpenBao token) with no device-flow prompt; clearer device-code error surfacing.
  • renew-self on the cached OpenBao token so its lease rolls forward to the
    role's max_ttl instead of expiring at the initial TTL.
  • Best-effort auto-open of the operator's browser at the device-code page
    (falls back to the printed URL on headless/SSH hosts).
  • OIDC session cache keyed by sso_url + client_id (was one shared file that a
    second instance would silently overwrite).
  • LocalFileSecretStore nested per namespace.
  • Validate cached tokens via auth/token/lookup-self (granted by the default
    policy) instead of lookup (needs sudo) — fixes every cached token being
    treated as invalid and forcing a needless re-auth.
  • Remove dead HARMONY_SECRETS_URL var and OidcSession::is_openbao_token_expired.

Context

PR 1 of 4 splitting feat/unified-config-and-secrets. Independent of the other
PRs — merge in any order.

Verification

cargo check --workspace --all-targets --all-features, cargo fmt --check,
cargo test -p harmony_secret (11 passing), clippy clean.

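The cached-session decision the description sketches (probe via `auth/token/lookup-self`, `renew-self` when the lease is short, silent OIDC refresh when the OpenBao token is gone, device flow only as a last resort) and the per-issuer cache naming, as an added Rust example. This is not harmony_secret's code: `TokenInfo`, `AuthStep`, `plan_auth`, the lease arithmetic in `renewed_ttl` and the cache file naming scheme are all assumptions for illustration, and the lookup responses are constructed inline.

```rust
/// Fields of interest from an auth/token/lookup-self response
/// (constructed for this example; the real response carries many more).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TokenInfo {
    /// Seconds until the token expires at its current lease.
    pub ttl_secs: u64,
    /// Whether auth/token/renew-self is permitted for this token.
    pub renewable: bool,
}

/// What the auth path should do next with a cached session.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthStep {
    UseCached,
    RenewSelf,
    SilentOidcRefresh,
    DeviceFlow,
}

/// Endpoint used to validate the cached token. `lookup-self` is granted by
/// the default policy; `auth/token/lookup` needs sudo, so an ordinary SSO
/// user was denied there and every cached token looked invalid.
pub fn validation_endpoint() -> &'static str {
    "auth/token/lookup-self"
}

/// Decide the next step from the lookup-self outcome.
/// `lookup` is Ok(info) on HTTP 200 and Err(status) on an error such as 403.
pub fn plan_auth(
    lookup: Result<TokenInfo, u16>,
    have_refresh_token: bool,
    renew_below_secs: u64,
) -> AuthStep {
    match lookup {
        // Plenty of lease left: reuse without touching the server again.
        Ok(info) if info.ttl_secs > renew_below_secs => AuthStep::UseCached,
        // Near expiry but still alive and renewable: roll the lease forward.
        Ok(info) if info.renewable && info.ttl_secs > 0 => AuthStep::RenewSelf,
        // Expired, non-renewable, or rejected (e.g. 403): mint a new token
        // from the OIDC refresh_token without prompting the operator.
        _ if have_refresh_token => AuthStep::SilentOidcRefresh,
        // Nothing usable cached: browser device-code flow.
        _ => AuthStep::DeviceFlow,
    }
}

/// Simplified model of the lease arithmetic behind renew-self (an
/// assumption for illustration, not OpenBao's implementation): the
/// granted TTL is the requested increment, capped so the token never
/// outlives `max_ttl_secs` counted from its creation.
pub fn renewed_ttl(token_age_secs: u64, increment_secs: u64, max_ttl_secs: u64) -> u64 {
    increment_secs.min(max_ttl_secs.saturating_sub(token_age_secs))
}

/// Keep file names safe: anything outside [A-Za-z0-9.-] becomes '_'.
fn sanitize(s: &str) -> String {
    s.chars()
        .map(|c| if c.is_ascii_alphanumeric() || c == '.' || c == '-' { c } else { '_' })
        .collect()
}

/// Session cache file name scoped by (sso_url, client_id) so that two
/// instances pointed at different issuers or clients never overwrite each
/// other's file. The naming scheme is an assumption for this example.
pub fn session_cache_name(sso_url: &str, client_id: &str) -> String {
    let url = sso_url.trim_end_matches('/').to_ascii_lowercase();
    format!("oidc-session-{}__{}.json", sanitize(&url), sanitize(client_id))
}

fn main() {
    // Constructed scenarios: an overnight gap (OpenBao token gone, refresh_token
    // on hand) and a fresh token probed right after a process restart.
    let overnight = plan_auth(Err(403), true, 600);
    let fresh = plan_auth(Ok(TokenInfo { ttl_secs: 3600, renewable: true }), true, 600);
    println!("{} -> {:?} / {:?}", validation_endpoint(), overnight, fresh);
    println!(
        "renewed ttl after 23.9h of a 24h max_ttl: {}s",
        renewed_ttl(86_000, 3_600, 86_400)
    );
    println!("{}", session_cache_name("https://sso.example.com/", "harmony-cli"));
}
```

The order of the match arms is the point: a 403 from `lookup-self` is treated the same as an expired token, so the refresh_token path is tried before the operator ever sees a device-code prompt, and `renewed_ttl` shows why renewal stops helping once the token's age reaches `max_ttl` (at that point only the OIDC refresh can produce a usable token).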
stremblay added 1 commit 2026-05-28 18:09:56 +00:00
feat(harmony_secret): SSO auth hardening — silent refresh, renewal, namespacing
All checks were successful
Run Check Script / check (pull_request) Successful in 2m48s
9eb6bda257
Net-diff PR (1 of 4) splitting feat/unified-config-and-secrets into
reviewable pieces. harmony_secret changes only; compiles against master.

- Silent OIDC refresh + clearer device-code error surfacing
- renew-self on cached OpenBao token; auto-open device-flow browser
- OIDC session cache scoped by sso_url + client_id (was one shared file)
- LocalFileSecretStore nested per namespace
- validate cached token via lookup-self (default policy), not lookup (sudo)
- drop dead HARMONY_SECRETS_URL var and OidcSession::is_openbao_token_expired

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
johnride approved these changes 2026-05-28 20:06:49 +00:00
johnride left a comment

lgtm, went quickly over it, I'll need to get a better feel once I start using it.
johnride merged commit 7cf65c8bdc into master 2026-05-29 15:11:53 +00:00
johnride deleted branch pr/harmony-secret-auth 2026-05-29 15:11:53 +00:00
Reference: NationTech/harmony#302