Security
Producers use Authorization: Bearer <idToken> validated against the Identity service. The service calls POST {identityServiceUrl}/v1/accounts/lookup?key={identityServiceApiKey} with the id token. A non-200 response or empty user list returns 401.
Workers use JWTs validated against `workerJwksUrl`. Required claims:

- `iss`: issuer identifier
- `aud`: includes `codeq-worker`
- `sub`: worker identifier
- `exp`, `iat`, `jti`
- `eventTypes`: list of allowed event types
- `scope`: space-delimited permissions
Required scopes:
- `codeq:claim` for `/tasks/claim`
- `codeq:heartbeat` for `/tasks/:id/heartbeat`
- `codeq:abandon` for `/tasks/:id/abandon`
- `codeq:nack` for `/tasks/:id/nack`
- `codeq:result` for `/tasks/:id/result`
- `codeq:subscribe` for `/workers/subscriptions`
The worker ID is derived from sub. Request bodies do not provide workerId.
When allowProducerAsWorker=true, codeQ accepts a producer token for worker endpoints and maps it to a synthetic worker identity with wildcard eventTypes and full worker scopes. This is intended for local/dev environments only.
sub is the ownership identity stored in task records and leases. Two supported patterns:
- Instance identity (recommended): each worker instance uses a unique `sub`. This prevents cross-instance interference and yields strict ownership.
- Pool identity: a worker pool shares a `sub`. Any instance may heartbeat or complete tasks claimed by another instance. This is acceptable when the pool is homogeneous.
Optional claim:
- `workerGroup`: used only for webhook grouping and routing. It does not grant access on its own.
When workerGroup is present, webhook subscriptions must use the same group id.
- Claim: requested `commands` must be a subset of token `eventTypes`.
- Heartbeat/abandon/nack/result: token `sub` must match `task.workerId`.
- Missing required scope returns 403.
- Admin: require `role=ADMIN` or a separate admin issuer.
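The following is an added example (not codeQ's own code) modelling the scope, `eventTypes` and ownership rules above for an already-verified worker token, including the synthetic identity used when `allowProducerAsWorker=true`. The route table, the `Task` type, the `"*"` wildcard representation and the reason strings are assumptions made for the example.

```python
"""Model of codeQ worker authorization rules (example code, not the project's own).

Assumes the JWT signature, exp/iat/jti, iss and aud were already verified
against workerJwksUrl; only scope, eventTypes and ownership are checked here.
"""
from dataclasses import dataclass

# Route -> required scope, as listed in the Security section.
REQUIRED_SCOPE = {
    "/tasks/claim": "codeq:claim",
    "/tasks/:id/heartbeat": "codeq:heartbeat",
    "/tasks/:id/abandon": "codeq:abandon",
    "/tasks/:id/nack": "codeq:nack",
    "/tasks/:id/result": "codeq:result",
    "/workers/subscriptions": "codeq:subscribe",
}
# Routes that act on a claimed task: token sub must equal task.workerId.
OWNER_ROUTES = {r for r in REQUIRED_SCOPE if "/:id/" in r}
WILDCARD = "*"  # assumed encoding of "wildcard eventTypes"


@dataclass
class Task:  # minimal stand-in for a task record
    id: str
    workerId: str


def producer_as_worker(sub):
    """Synthetic worker identity mapped from a producer token (dev only)."""
    return {"sub": sub, "eventTypes": [WILDCARD],
            "scope": " ".join(REQUIRED_SCOPE.values())}


def authorize(claims, route, task=None, commands=()):
    """Return None when the request is allowed, else the denial reason.

    Scope is checked first (the page specifies 403 for a missing scope);
    the claim-time eventTypes check and ownership check follow.
    """
    if REQUIRED_SCOPE[route] not in set(claims.get("scope", "").split()):
        return "missing_scope"
    if route == "/tasks/claim":
        allowed = set(claims.get("eventTypes", []))
        if WILDCARD not in allowed and not set(commands) <= allowed:
            return "event_type_not_allowed"
    if route in OWNER_ROUTES and (task is None or claims["sub"] != task.workerId):
        return "not_owner"
    return None
```

A pool identity is simply two instances presenting the same `sub`, so a heartbeat from either instance passes the ownership check.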
Webhook registration requires a worker token. codeQ signs webhook notifications with an HMAC derived from the worker token or a configured shared secret. Workers must validate the signature and timestamp.