Nicolas Cantu
3b3e1e67de
- Add services/claw-harness-api/upstream → chinanpc/claude-code-rust (shallow) - Document claw submodule and MIT Rust harness in service-claw-harness + feature doc - agent-regex-search: map design principles to rg implementation vs indexed search - SSO gateway: no user/project account storage; product DBs own identity context
33 lines
1.4 KiB
Markdown
33 lines
1.4 KiB
Markdown
# smart-ide-sso-gateway
|
||
|
||
HTTP gateway that validates **user** access tokens from the docv / Enso OIDC issuer, then proxies requests to internal `smart_ide` micro-services using each service’s **technical** credentials (Bearer or `X-API-Key`).
|
||
|
||
## Responsibilities
|
||
|
||
- Verify `Authorization: Bearer <access_token>` with JWKS (`OIDC_ISSUER`, optional `OIDC_AUDIENCE`, optional `OIDC_JWKS_URI`).
|
||
- Expose `GET /health` without auth.
|
||
- Expose `GET /v1/token/verify` and `GET /v1/upstreams` with user Bearer.
|
||
- Proxy `ANY /proxy/<upstream_key>/<path>` to the configured upstream, replacing the user token with the service token and adding `X-OIDC-Sub` / `X-OIDC-Email` when present in the JWT.
|
||
|
||
User accounts, project membership, and product databases stay in **each application’s backend** (docv, Enso, etc.); this gateway does not store them.
|
||
|
||
## Run
|
||
|
||
```bash
|
||
cd services/smart-ide-sso-gateway
|
||
cp .env.example .env # edit OIDC_ISSUER and service tokens
|
||
set -a && source .env && set +a
|
||
npm ci
|
||
npm run build
|
||
npm start
|
||
```
|
||
|
||
Default listen: `http://127.0.0.1:37148`.
|
||
|
||
Upstream URLs and tokens reuse the same environment variables as the rest of the monorepo (`ORCHESTRATOR_*`, `TOOLS_BRIDGE_*`, `LOCAL_OFFICE_URL` / `LOCAL_OFFICE_API_KEY`, etc.). See `src/upstreams.ts`.
|
||
|
||
## Documentation
|
||
|
||
- Feature: [`docs/features/sso-gateway-service.md`](../../docs/features/sso-gateway-service.md)
|
||
- API: [`docs/API/sso-gateway-api.md`](../../docs/API/sso-gateway-api.md)
|