Skip to content

Add OIDC SSO authentication bridge#26

Merged
sciabarracom merged 2 commits into
apache:mainfrom
miki3421:poc/keycloak-oidc-bridge
Jul 9, 2026
Merged

Add OIDC SSO authentication bridge#26
sciabarracom merged 2 commits into
apache:mainfrom
miki3421:poc/keycloak-oidc-bridge

Conversation

@miki3421

@miki3421 miki3421 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR adds an OIDC-based authentication bridge to openserverless-admin-api, enabling Keycloak or another OIDC provider to authenticate users and map them to OpenServerless namespaces.

Changes

  • Add OIDC JWT validation through JWKS.
  • Add deterministic SSO username to namespace mapping.
  • Add OIDC login endpoint compatible with the existing OpenServerless login response shape.
  • Add backend-managed OIDC device-flow endpoints.
  • Support optional namespace auto-provisioning through WhiskUser.
  • Preserve existing username/password authentication behavior.
  • Add unit tests for token validation, namespace mapping, OIDC login, and device flow.

Validation

  • uv run python -m unittest discover tests
  • Result: 20 tests passed.

Notes

This keeps OpenWhisk technical authentication based on uuid:key unchanged. OIDC is introduced at the Admin API boundary as a bridge between external identity and existing OpenServerless namespace credentials.

@sciabarracom sciabarracom merged commit 6585307 into apache:main Jul 9, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants