Merged
7 changes: 3 additions & 4 deletions README.md
Expand Up @@ -26,13 +26,13 @@ Works with **any** gRPC service via proto descriptor files. No code generation,
- **CORS** with a configurable origin allow-list
- **Rate limiting (Shield)**: per-client endpoint classes + per-identifier limits, in-process by default or Redis-backed (feature `redis`) for multi-instance
- **JWT auth**: validate `Bearer` tokens via an Ed25519 PEM key or JWKS auto-discovery, enforce per-route `require_auth` / `required_roles`, and forward claims as headers
- **OIDC discovery**: serve `/.well-known/openid-configuration` and a JWKS endpoint (Ed25519) built from config, to front an identity provider
- **Zero code changes** between services: same binary, different config

## Roadmap

These have config scaffolding in place but are not yet enforced by the proxy. Tracked for implementation; do not rely on them yet.

- **OIDC discovery**: `/.well-known/openid-configuration` + JWKS endpoint for IdP proxies
- **Forward-auth / external AuthZ / BFF sessions**
- **Context propagation**: W3C trace-context and deadline (`grpc-timeout`) across the REST↔gRPC boundary

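Review bot: the new OIDC discovery feature bullet should say that the JWKS endpoint publishes only a public key, since the config section further down takes `public_key_pem_file` and nothing here suggests the proxy signs tokens; as written, "a JWKS endpoint (Ed25519) built from config" can be read as the proxy acting as a token issuer. Suggest: `- **OIDC discovery**: serve `/.well-known/openid-configuration` and a JWKS endpoint exposing the configured Ed25519 public key, so the proxy can front an identity provider`. Dropping the roadmap bullet is consistent with the Roadmap lead-in, which still correctly describes the remaining items as not enforced.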
Expand Down Expand Up @@ -121,17 +121,16 @@ auth:
require_auth: true
required_roles: ["admin"]

# OIDC discovery [roadmap]: config is parsed but no endpoints are served yet
# OIDC discovery: serves /.well-known/openid-configuration + a JWKS endpoint
oidc_discovery:
enabled: true
issuer: "https://idp.example.com"
jwks_uri: "https://idp.example.com/.well-known/jwks.json" # path is served locally
signing_key:
algorithm: "EdDSA"
public_key_pem_file: "/etc/proxy/oidc-signing.pub.pem"
```

> The `oidc_discovery` section is tagged **[roadmap]**: accepted by the config loader today but not yet wired into the request path. See the [Roadmap](#roadmap) for status.

Generate the descriptor file from your proto:

```bash
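Review bot: the `jwks_uri` line is ambiguous: the value is an absolute URL on `idp.example.com` while the trailing comment says the path is served locally. State explicitly that the proxy serves only the path component of that URL and that the host part must resolve to the proxy as clients see it, otherwise the discovery document advertises a JWKS URL that nothing answers and token validation by relying parties fails. Worth one more sentence that relying parties compare `issuer` against a token's `iss` claim, so it must be the exact external URL (scheme, host, no trailing slash differences). Removing the `[roadmap]` blockquote is correct now that the routes are wired in.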
11 changes: 11 additions & 0 deletions src/lib.rs
Expand Up @@ -12,6 +12,7 @@

pub mod auth;
pub mod config;
pub mod oidc;
pub mod openapi;
pub mod shield;
pub mod transcode;
Expand Down Expand Up @@ -211,6 +212,15 @@ impl ProxyServer {
// OpenAPI + docs routes (if enabled).
let openapi_routes = self.build_openapi_routes(&pool);

// OIDC discovery routes (if enabled). Public, like the health endpoints.
let oidc_routes = match &self.config.oidc_discovery {
Some(cfg) => oidc::Oidc::build(cfg)
.map_err(|e| anyhow::anyhow!("invalid oidc_discovery config: {e}"))?
.map(|o| o.routes())
.unwrap_or_default(),
None => Router::new(),
};

// Rate limiting (Shield), if configured and enabled.
let shield = match &self.config.shield {
Some(cfg) => shield::Shield::build(cfg)
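Review bot: `.unwrap_or_default()` on the `Option` returned by `oidc::Oidc::build` silently yields an empty `Router` (presumably the `enabled: false` case), so an operator cannot tell from startup output whether discovery is actually being served; log at info level in the `Some`-with-routes, `Some`-disabled and `None` cases, as the health and OpenAPI routes presumably do. The `?` on a build error is the right fail-closed choice: a malformed or unreadable key file aborts startup instead of serving an empty or wrong JWKS, and the `invalid oidc_discovery config: {e}` message names the offending section.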
Expand All @@ -229,6 +239,7 @@ impl ProxyServer {
let mut router = Router::new()
.merge(health_routes)
.merge(openapi_routes)
.merge(oidc_routes)
.merge(transcode_routes)
.layer(cors);

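Review bot: merging `oidc_routes` ahead of `transcode_routes` means a proto that maps a REST path under `/.well-known/` collides with the discovery route, and axum's `Router::merge` panics on overlapping paths at startup; document `/.well-known/openid-configuration` and the JWKS path as reserved so this surfaces as a config error rather than a confusing panic. Placing the merge before `.layer(cors)` also puts the discovery document under the configured origin allow-list, which browser-based OIDC clients need; a one-line comment stating that intent would prevent someone later "fixing" it by moving the routes outside the layer.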
Expand Down