Routes

Auth middleware exposes four HTTP endpoints.

GET /auth — OIDC authentication

Handles the initial authentication when a user accesses a workspace via OIDC.

Flow:

  1. The reverse proxy forwards the request (with OIDC headers set by the IdP integration).

  2. The middleware extracts the OIDC token from the Authorization header.

  3. It verifies the token with the configured OIDC provider.

  4. It extracts the user identity (username, groups, UID) from the OIDC claims.

  5. It calls ConnectionAccessReview on the Extension API to check workspace authorization.

  6. On success, it generates a JWT session cookie scoped to the workspace path.

  7. It returns 200 OK — the proxy forwards the original request to the workspace.

Error responses:

  • 401 — missing or invalid OIDC token

  • 403 — user not authorized for this workspace

GET /bearer-auth — Bearer token authentication

Handles authentication via a pre-signed bearer token URL.

Flow:

  1. A user opens a bearer token URL (generated by the Extension API).

  2. The reverse proxy forwards the request to /bearer-auth.

  3. The middleware extracts the token query parameter from the forwarded URI.

  4. It calls BearerTokenReview on the Extension API to validate the token and get the user identity.

  5. It verifies the token’s path matches the request path.

  6. On success, it generates a long-lived JWT session cookie.

  7. It returns 200 OK.

Error responses:

  • 400 — missing token parameter

  • 401 — token not authenticated

  • 403 — token path mismatch

GET /verify — Session verification

Called by the reverse proxy on every request to a workspace.

Flow:

  1. The middleware extracts the JWT session cookie scoped to the workspace path.

  2. It validates the token signature, expiration, path prefix, and domain.

  3. If the token is within the refresh window, it re-checks authorization via ConnectionAccessReview on the Extension API and issues a refreshed token.

  4. It returns 200 OK — the proxy forwards the request.

Token refresh behavior:

  • If the access review fails transiently, the middleware marks the token as skip-refresh and continues (the user’s session remains valid until expiry).

  • If the access review explicitly denies access, the middleware clears the cookie and returns 403.

Error responses:

  • 401 — no cookie, invalid token, or expired token

  • 403 — path or domain mismatch, or access revoked during refresh
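The following is an added example, not the middleware's own code: a minimal emulation of the /verify decision logic above, including the refresh-window behaviour. It assumes an HS256 session cookie with a symmetric key, claim names (sub, path, dom, exp, skip_refresh), a 300-second refresh window, a 3600-second renewed lifetime, and a ConnectionError standing in for a transient access-review failure; all of these are constructed for illustration and are not taken from the project.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"   # placeholder key for the example only
REFRESH_WINDOW = 300                      # assumed: re-check authorization within 5 min of expiry

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub, path, domain, exp, skip_refresh=False):
    # Mint an HS256 session cookie scoped to one workspace path and domain.
    claims = {"sub": sub, "path": path, "dom": domain, "exp": exp, "skip_refresh": skip_refresh}
    head, body = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def parse(token):
    # Return the claims only if the signature verifies; expiry/scope are checked by verify().
    parts = token.split(".")
    if len(parts) != 3:
        return None
    want = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(parts[2]), want):
            return None
        return json.loads(_unb64(parts[1]))
    except ValueError:                                     # undecodable base64 or JSON
        return None

def under_prefix(req_path, scope):
    # "/ws/alpha" must cover "/ws/alpha/x" but not "/ws/alphabet"
    scope = scope.rstrip("/")
    return req_path == scope or req_path.startswith(scope + "/")

def verify(cookie, req_path, req_domain, now, access_review):
    # Emulate GET /verify: returns (status, cookie_to_set); "" means clear the cookie.
    claims = parse(cookie) if cookie else None
    if claims is None or claims["exp"] <= now:
        return 401, None                                   # no cookie, bad signature, expired
    if claims["dom"] != req_domain or not under_prefix(req_path, claims["path"]):
        return 403, None                                   # path or domain mismatch
    if claims["skip_refresh"] or claims["exp"] - now > REFRESH_WINDOW:
        return 200, None                                   # outside refresh window: just pass
    try:
        allowed = access_review(claims["sub"], claims["path"])  # ConnectionAccessReview stand-in
    except ConnectionError:                                # transient failure: keep session, stop retrying
        return 200, issue(claims["sub"], claims["path"], claims["dom"], claims["exp"], True)
    if not allowed:
        return 403, ""                                     # access revoked: clear cookie
    return 200, issue(claims["sub"], claims["path"], claims["dom"], now + 3600)
```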

GET /health — Health check

Returns 200 OK when the server is running. Used by Kubernetes liveness and readiness probes.