feat(DATAGO-116403): add sam_access_token validation to middleware #738
- Validate sam_access_token before falling back to IdP token
- Extract roles from token, resolve scopes via authorization_service
- Feature flag controlled via trust_manager.config.access_token_enabled
- Fully backwards compatible with existing IdP token flow

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This PR adds support for validating sam_access_token in the authentication middleware as an alternative to IdP tokens. The implementation attempts sam_access_token validation first (local JWT verification) before falling back to the existing IdP token flow, ensuring full backwards compatibility. The feature is controlled by the trust_manager.config.access_token_enabled flag.
Key Changes:
- Added sam_access_token validation path in middleware using trust_manager
- Extracts roles from token claims and resolves scopes via authorization_service
- Maintains backwards compatibility through fallback mechanism
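As an added example (not code from this PR or the project), a hardened version of the flow described in the overview above: a local JWT check that separates "not a sam_access_token at all" (fall through to the IdP path) from "a sam_access_token that fails verification" (reject), then extracts roles from the claims and resolves scopes through a stand-in for authorization_service. Assumed for the demo: sam tokens are HS256 JWTs whose `iss` claim is `"sam"`; `KEY`, `ROLE_SCOPES`, `mint`, `demo_resolve_scopes` and the two exception classes are constructed here and are not the project's names.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # stand-in for the trust_manager's signing key
ROLE_SCOPES = {"admin": ["read", "write"], "viewer": ["read"]}  # constructed map

class NotSamToken(Exception): pass      # not our format: fall through to IdP
class InvalidSamToken(Exception): pass  # our format but failed checks: reject

def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, key=KEY, alg="HS256"):
    """Constructed helper that produces demo tokens (not part of the PR)."""
    h = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64e(sig)}"

def verify_sam_token(token, key=KEY, now=None):
    """Local JWT check that separates 'not ours' from 'ours but invalid'."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64d(h)), json.loads(_b64d(p)), _b64d(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise NotSamToken("not a JWT")
    if not isinstance(claims, dict) or claims.get("iss") != "sam":
        raise NotSamToken("issuer is not sam")  # assumed marker for sam tokens
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidSamToken(f"unexpected header {header!r}")  # no alg confusion
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidSamToken("bad signature")
    if "sub" not in claims or claims.get("exp", 0) <= (now or time.time()):
        raise InvalidSamToken("missing sub claim or expired")
    return claims

def authenticate(token, resolve_scopes=None, idp_validate=lambda t: None, now=None):
    """Middleware flow: sam_access_token first; IdP fallback only when the
    token is not a sam token at all. InvalidSamToken propagates (reject)."""
    try:
        claims = verify_sam_token(token, now=now)
    except NotSamToken:
        return idp_validate(token)  # existing IdP path, unchanged
    roles = list(claims.get("roles", []))
    scopes = resolve_scopes(roles) if resolve_scopes else []  # no service -> no scopes
    return {"user_identity": claims["sub"], "gateway_context": {},
            "roles": roles, "scopes": scopes}

def demo_resolve_scopes(roles):  # stand-in for authorization_service
    return sorted({s for r in roles for s in ROLE_SCOPES.get(r, [])})
```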
| except Exception as e: | ||
| # Not a sam_access_token or verification failed | ||
| # Fall through to IdP token validation below | ||
| log.debug(f"AuthMiddleware: Token is not a sam_access_token: {e}") |
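Review bot: the bare `except Exception` opening this hunk makes every failure of the local verification fall through to the IdP path, including a token that is recognisably a sam_access_token but carries a bad signature or has expired; only "not a sam_access_token at all" should fall through, while a signature or expiry failure on a token that is ours should be rejected, so catch the specific exceptions the verifier raises and handle the two cases separately. Logging the failure only at debug level also keeps signature failures out of production logs; consider warning level for those.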
Copilot
AI
Jan 5, 2026
The error message in the log statement is misleading. The exception could indicate either an invalid sam_access_token or a valid sam_access_token with verification problems (expired, wrong signature, etc.). Consider making the message more accurate, such as 'sam_access_token validation failed' or including the exception type to distinguish between different failure modes.
| log.debug(f"AuthMiddleware: Token is not a sam_access_token: {e}") | |
| log.debug( | |
| f"AuthMiddleware: sam_access_token validation failed " | |
| f"({type(e).__name__}): {e}" | |
| ) |
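Review bot: the replacement `log.debug(f"AuthMiddleware: sam_access_token validation failed " f"({type(e).__name__}): {e}")` builds the message with an f-string, while the other log call suggested in this review passes `'%s'` arguments lazily; use one style for both new debug statements, preferably the lazy `%s` form so the message is only formatted when debug logging is enabled.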
| user_identity=claims["sub"], | ||
| gateway_context={}, | ||
| roles=roles, | ||
| ) |
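Review bot: `user_identity=claims["sub"]` on the first line of this hunk assumes the `sub` claim is present. If this runs inside the try whose `except Exception` handler appears above, a token without `sub` becomes a silent fall-through to the IdP path instead of an explicit rejection; otherwise it is a KeyError surfacing as a server error. Check the required claims (`sub` and the roles claim the middleware reads) explicitly before constructing the identity.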
Copilot
AI
Jan 5, 2026
If authorization_service is None, scopes remains an empty list without any logging or indication. Consider adding a debug log when authorization_service is unavailable to make the behavior explicit and aid in troubleshooting, similar to how trust_manager availability is handled.
| ) | |
| ) | |
| else: | |
| log.debug( | |
| "AuthMiddleware: authorization_service not available; " | |
| "proceeding with empty scopes for sam_access_token user '%s'", | |
| claims["sub"], | |
| ) |
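Review bot: the suggested `else:` branch logs at debug level, but an unavailable authorization_service is a deployment or configuration condition rather than a per-request event, so warning level is more appropriate than a debug line per request; also confirm that downstream authorization treats an empty scopes list as deny rather than as "no restrictions", since that is what makes "proceeding with empty scopes" safe.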