add kas registry authorizer

[c-r33d]

Proposed Changes

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the platform's authorization capabilities by introducing a mechanism for scoped authorization resolvers. It specifically targets the Key Access Server (KAS) Registry service, enabling it to register custom resolvers that evaluate requests against KAS-specific dimensions. Additionally, it improves the authentication layer by allowing OAuth client IDs to be used as subjects in authorization policies, providing more granular control over service-to-service interactions.

Highlights

• KAS Registry Authorization: Implemented a new authorization resolver for the Key Access Server (KAS) Registry service, allowing for fine-grained policy enforcement based on KAS attributes.
• OAuth Client ID Support: Added support for treating OAuth client ID claims as first-class subjects in the Casbin authorizer, enabling direct policy authorization for service clients.
• Infrastructure Changes: Introduced a global authorization resolver registry to the OpenTDF server, facilitating the registration of scoped resolvers across different services.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

The policy rules are now refined, With client IDs and KAS aligned. Authorization flows with grace, Securing every digital space.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f3ae7c4a-9982-4375-b792-257c29dde079

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch key-authz

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces support for treating configured OAuth client ID claims as first-class subjects in Casbin authorization, allowing direct policy authorization for service clients. It also implements authorization resolvers for the Key Access Server (KAS) registry service to resolve resource dimensions (such as KAS ID, name, and URI) for policy evaluation. Feedback is provided regarding a potential nil pointer dereference or database query error in getKeyAccessServerAuthzResolver if both the ID and identifier are missing from the request, suggesting an explicit nil check.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

If both msg.GetId() is empty and msg.GetIdentifier() is nil (which can happen if the request is missing both fields), msg.GetIdentifier() will return nil. Passing nil as the identifier to addResolvedKASDimensions (and subsequently to dbClient.GetKeyAccessServer) can lead to a database query error or a potential nil pointer dereference/panic depending on the database client's implementation.

We should explicitly check if msg.GetIdentifier() is nil and return an error early.

	if msg.GetIdentifier() == nil {
		return resolverCtx, errors.New("no key access server identifier provided")
	}

	if err := s.addResolvedKASDimensions(ctx, res, msg.GetIdentifier()); err != nil {
		return resolverCtx, err
	}

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	180.168208ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	100.907315ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	411.178412ms
Throughput	243.20 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.652933494s
Average Latency	414.503718ms
Throughput	120.04 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	29.341395149s
Average Latency	292.476866ms
Throughput	170.41 requests/second

[github-actions]

X-Test Results

✅ go@main-pull-3566
✅ go@main-v0.9.0
✅ java@main-pull-3566
✅ js@main-pull-3566
✅ java@main-v0.9.0
bats-test-results
✅ js@main-v0.9.0
cukes-report
opentdfplatform9M1CBC.dockerbuild