Skip to content

RS256 / JWKS SSO for the cloud control plane (closes #2)#6

Merged
abhay-codes07 merged 1 commit into
mainfrom
feat/rs256-jwks-sso
Jul 12, 2026
Merged

RS256 / JWKS SSO for the cloud control plane (closes #2)#6
abhay-codes07 merged 1 commit into
mainfrom
feat/rs256-jwks-sso

Conversation

@abhay-codes07

Copy link
Copy Markdown
Owner

Closes #2.

Adds asymmetric RS256 JWT verification to the cloud plane's SSO (M30), alongside the existing HS256 path.

Why

M30's SSO verifies HS256 (symmetric shared secret). Most identity providers — Auth0, Okta, Cognito, Clerk in RS mode — issue RS256 tokens and publish their public keys as a JWKS. To integrate with a real IdP we need asymmetric verification.

What

  • verify_rs256_jwt builds an RSA public key from an RFC 7517 JWK (n, e), selects the key by the token's kid, verifies the PKCS1v15 / SHA-256 signature, and checks exp/iss/aud.
  • jwt_principal now dispatches on the token's own alg header: HS256VOLO_JWT_SECRET; RS256VOLO_JWT_JWKS (a JSON JWKS document). Both can be configured at once and coexist. Neither set → the anonymous local-dev path, unchanged.
  • Shared exp/iss/aud checks factored into _validate_claims (used by both algorithms).
  • generate_rsa_jwks / mint_rs256_jwt for local issuance + tests. cryptography added as a cloud dependency.

Tests

7 new: RS256 roundtrip against a JWKS, wrong-key / tamper / wrong-issuer / expired rejection, jwt_principal RS256 dispatch, HS256+RS256 coexistence, no-config anonymous, and RS256 enforced end-to-end over the API (401 without a token, team created with one). Cloud suite 29 passed; full suite 535 passed, mypy clean, ruff clean.

Refs ADR-0035.

Adds asymmetric RS256 JWT verification alongside the existing HS256 path, so the
cloud plane integrates with real identity providers (Auth0, Okta, Cognito,
Clerk in RS mode) that sign with a private key and publish their public keys as
a JWKS. verify_rs256_jwt builds an RSA public key from an RFC 7517 JWK (n, e),
selects the key by the token's kid, verifies the PKCS1v15/SHA256 signature, and
checks exp/iss/aud. jwt_principal now dispatches on the token's own alg header:
HS256 uses VOLO_JWT_SECRET, RS256 uses VOLO_JWT_JWKS; both can be configured at
once and coexist. With neither set the anonymous local-dev path is unchanged.

Shared claim validation is factored into _validate_claims (used by both algs).
generate_rsa_jwks / mint_rs256_jwt support local issuance and tests. Adds
cryptography as a cloud dependency. 7 tests. Closes #2.
Copilot AI review requested due to automatic review settings July 12, 2026 15:24

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions

Copy link
Copy Markdown

🛫 Volo reliability — ❌ NO-SHIP

Replayed 7 adversarial scenarios against the agent (threshold ≥ 0.90).

Metric Score
Trajectory determinism 1.000
Decision determinism 1.000
Faithfulness 0.000
Consistency under repetition 1.000

Cost — replayed deterministically at $0 (no live API calls).

baseline 1783869908864-f8bdb0c4-949d-463e-a27f-71bb2f7e9b89 • generated by Volo

@abhay-codes07 abhay-codes07 merged commit 25a3842 into main Jul 12, 2026
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RS256 / JWKS SSO for the cloud control plane

2 participants