- New service smart-ide-sso-gateway (port 37148): JWKS verify, /health, /v1/token/verify, /v1/upstreams, /proxy/<key>/...
- CORS on JSON responses when SSO_CORS_ORIGIN is set; optional empty bearer for langextract upstream
- Docs: feature, API, repo index; wire sso-docv-enso and services scope
- Extend config/services.local.env.example with OIDC and gateway vars
31 lines
1.3 KiB
Markdown
# smart-ide-sso-gateway
HTTP gateway that validates **user** access tokens from the docv / Enso OIDC issuer, then proxies requests to internal `smart_ide` micro-services using each service’s **technical** credentials (Bearer or `X-API-Key`).
## Responsibilities

- Verify `Authorization: Bearer <access_token>` with JWKS (`OIDC_ISSUER`, optional `OIDC_AUDIENCE`, optional `OIDC_JWKS_URI`).
- Expose `GET /health` without auth.
- Expose `GET /v1/token/verify` and `GET /v1/upstreams` with user Bearer.
- Proxy `ANY /proxy/<upstream_key>/<path>` to the configured upstream, replacing the user token with the service token and adding `X-OIDC-Sub` / `X-OIDC-Email` when present in the JWT.
## Run

```bash
cd services/smart-ide-sso-gateway
cp .env.example .env   # edit OIDC_ISSUER and service tokens
set -a && source .env && set +a
npm ci
npm run build
npm start
```

Default listen: `http://127.0.0.1:37148`.

Upstream URLs and tokens reuse the same environment variables as the rest of the monorepo (`ORCHESTRATOR_*`, `TOOLS_BRIDGE_*`, `LOCAL_OFFICE_URL` / `LOCAL_OFFICE_API_KEY`, etc.). See `src/upstreams.ts`.
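What the `ANY /proxy/<upstream_key>/<path>` step does to a request before forwarding it, as an added example that is not the gateway's `src/upstreams.ts`. The upstream table, base URLs and secrets are constructed placeholders; the routing regex and the Bearer-vs-`X-API-Key` split follow the README, while the reading of the commit message's "optional empty bearer" as "send no `Authorization` header when that upstream's token is unset" and the dropping of any client-supplied `X-OIDC-*` headers are this example's own assumptions.

```javascript
// Added example (not the gateway's code): request rewriting for the /proxy route.

// Constructed upstream registry. Env-var families mirror the README; values are placeholders.
const UPSTREAMS = {
  orchestrator: {
    baseUrl: "http://127.0.0.1:4010",                   // placeholder for ORCHESTRATOR_URL
    auth: { kind: "bearer", token: "ORCHESTRATOR_TOKEN_PLACEHOLDER" },
  },
  "local-office": {
    baseUrl: "http://127.0.0.1:4020",                   // placeholder for LOCAL_OFFICE_URL
    auth: { kind: "api-key", key: "LOCAL_OFFICE_API_KEY_PLACEHOLDER" },
  },
  // "optional empty bearer" (assumption): this upstream may be configured without a token,
  // in which case no Authorization header is sent at all.
  langextract: { baseUrl: "http://127.0.0.1:4030", auth: { kind: "bearer", token: "", allowEmpty: true } },
};

// /proxy/<upstream_key>/<path>  ->  { key, rest }; anything else is not a proxy route.
function parseProxyPath(path) {
  const m = /^\/proxy\/([^/]+)(\/.*)?$/.exec(path);
  return m ? { key: m[1], rest: m[2] || "/" } : null;
}

// Build the outbound request from the inbound one plus the claims verifyToken() returned.
function buildUpstreamRequest(path, inboundHeaders, claims, registry = UPSTREAMS) {
  const route = parseProxyPath(path);
  if (!route) throw new Error("not a /proxy route");
  // Own-property lookup: a key like "constructor" must not resolve via Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(registry, route.key)) {
    throw new Error(`unknown upstream: ${route.key}`);
  }
  const upstream = registry[route.key];

  // Copy inbound headers, but drop the user's credential and any identity headers the
  // client set itself, so X-OIDC-* downstream only ever carry gateway-verified claims.
  const headers = {};
  for (const [name, value] of Object.entries(inboundHeaders)) {
    const lower = name.toLowerCase();
    if (lower === "authorization" || lower === "x-api-key" || lower.startsWith("x-oidc-")) continue;
    headers[name] = value;
  }

  // Swap in the upstream's technical credential.
  const auth = upstream.auth;
  if (auth.kind === "bearer") {
    if (auth.token) headers["Authorization"] = `Bearer ${auth.token}`;
    else if (!auth.allowEmpty) throw new Error(`no service token configured for ${route.key}`);
  } else if (auth.kind === "api-key") {
    if (!auth.key) throw new Error(`no API key configured for ${route.key}`);
    headers["X-API-Key"] = auth.key;
  } else {
    throw new Error(`unsupported auth kind for ${route.key}`);
  }

  // Propagate identity only from the verified JWT, only when the claim is present.
  if (claims.sub) headers["X-OIDC-Sub"] = claims.sub;
  if (claims.email) headers["X-OIDC-Email"] = claims.email;

  return { url: upstream.baseUrl + route.rest, headers };
}

module.exports = { UPSTREAMS, parseProxyPath, buildUpstreamRequest };
```

The two failure modes worth keeping in mind from the example: a missing service token for a non-`allowEmpty` upstream is a configuration error that should fail the request rather than forward the user's token unchanged, and `X-OIDC-*` headers arriving from the client must never reach an upstream, since upstreams are expected to trust them.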
## Documentation

- Feature: [`docs/features/sso-gateway-service.md`](../../docs/features/sso-gateway-service.md)
- API: [`docs/API/sso-gateway-api.md`](../../docs/API/sso-gateway-api.md)