
spec(security): SSO/JWT authentication migration#1569

Draft
jsell-rh wants to merge 2 commits into main from jsell/spec/sso-authentication


Conversation

@jsell-rh (Contributor)

Summary

  • Defines desired state for migrating from OpenShift OAuth proxy to direct SSO/JWT authentication
  • BFF pattern: Next.js acts as OIDC confidential client, browser gets httpOnly session cookie
  • K8s impersonation: backend SA + Impersonate-User/Group preserves all existing RBAC enforcement without cluster OIDC federation
  • Dual-path auth: JWT validation first, K8s TokenReview fallback for API keys
  • Feature-flagged migration for incremental rollout across environments
  • Supersedes ADR-0002 (raw token passthrough → impersonation)

Files

File | Purpose
--- | ---
specs/security/sso-authentication.spec.md | Behavioral spec: 12 requirements, 30 scenarios
workflows/security/sso-migration.workflow.md | Implementation guide: consumer map, RBAC manifests, backend flow

Critic pass findings addressed

  • SSAR cache key includes impersonated identity (prevents cross-user authz leak)
  • serviceaccounts added to impersonate RBAC (required for API key flows)
  • API Key Authentication requirement added (dual-path: JWT → TokenReview)
  • E2E test auth requirement added (server-side injection, no browser-exposed tokens)
  • Implementation details moved from spec to workflow doc

Test plan

  • Review spec requirements against existing security spec (specs/security/security.spec.md)
  • Verify impersonation RBAC rules are sufficient for all backend handler patterns
  • Confirm SSAR cache key change doesn't regress performance
  • Validate claim mapping against actual Red Hat SSO token claims

🤖 Generated with Claude Code
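As an added illustration of the design described above (not code from this PR or the project): a stdlib-only Go sketch of the JWT-then-TokenReview order, the Impersonate-User/Impersonate-Group headers the backend SA attaches, and an SSAR cache key that includes the impersonated identity. The two verifiers are injected stubs named here for illustration; a deployment would wire an OIDC validator and the Kubernetes TokenReview API in their place.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"sort"
	"strings"
)

// Identity is what the authenticator resolves from a caller's credential.
type Identity struct {
	User   string
	Groups []string
}

// SSARKey identifies one SelfSubjectAccessReview question.
type SSARKey struct{ Namespace, Verb, Resource string }

// Authenticate is the PR's dual path: JWT validation first, then a Kubernetes
// TokenReview fallback for API keys. Both verifiers are injected stubs so this
// runs offline; a deployment would wire an OIDC validator and TokenReview here.
func Authenticate(token string, verifyJWT, tokenReview func(string) (Identity, bool)) (Identity, bool) {
	if id, ok := verifyJWT(token); ok {
		return id, true
	}
	return tokenReview(token)
}

// ImpersonationHeaders builds the headers the backend's service account adds to
// its API-server request so RBAC is evaluated as the caller, not as the SA.
func ImpersonationHeaders(id Identity) http.Header {
	h := http.Header{}
	h.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
	return h
}

// CacheKey binds an SSAR result to the impersonated identity; a key built only
// from namespace/verb/resource would serve one user's decision to another.
func CacheKey(id Identity, k SSARKey) string {
	groups := append([]string(nil), id.Groups...)
	sort.Strings(groups) // order-insensitive: reordered groups hit the same entry
	raw := strings.Join([]string{id.User, strings.Join(groups, ","), k.Namespace, k.Verb, k.Resource}, "\x00")
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}
```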

Define desired state for migrating from OpenShift OAuth proxy to direct
SSO/JWT authentication. Key decisions:

- BFF pattern: Next.js as OIDC confidential client, browser gets session cookie
- K8s impersonation: backend SA + Impersonate-User/Group preserves RBAC
- Dual-path auth: JWT first, TokenReview fallback for API keys
- Feature-flagged migration for incremental rollout
- Supersedes ADR-0002 (raw token passthrough → impersonation)

Includes migration workflow with consumer impact map and implementation notes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

netlify Bot commented May 12, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Name | Link
--- | ---
🔨 Latest commit | 86ac6f9
🔍 Latest deploy log | https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a037a00160dda0008ebccc3


coderabbitai Bot commented May 12, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 51092387-8f8d-4c5b-aabd-38ff79ed12e4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Reference the IAM consolidation proposal (PR #1466) as the long-term
direction. This spec is Phase 1; future phases cover API keys → SSO
service accounts, runner → OIDC token exchange, DB RBAC reconciler,
and credential consolidation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>