Skip to content

[Feature] Implement AuthServer for Scoped GitHub Token Issuance #7

Description

@psh9508

Background

To securely fetch source code for our LLM agent, we need a dedicated, decoupled AuthServer. This service will act as the central authority for managing GitHub App credentials (.pem) and issuing short-lived, least-privilege tokens to the LLM Server, preventing the exposure of long-term secrets.

Core Requirements

  1. JWT Generation: Securely sign and generate a JSON Web Token (JWT) using the GitHub App's private key (.pem).
  2. IAT Exchange: Exchange the JWT for an Installation Access Token (IAT) via the GitHub REST API.
  3. Scoped Tokens (Least Privilege): The endpoint must accept target repository names from the LLM server's request and issue an IAT restricted only to those specific repositories (mitigating prompt injection risks).

Tasks

  • Create an API endpoint (e.g., POST /api/auth/github/token).
  • Implement JWT generation logic using the App ID and Private Key.
  • Implement the GitHub API call to fetch a repository-scoped IAT.
  • Setup secure injection for secrets (.pem, App ID, Installation ID) using environment variables or a Secrets Manager.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions