Skip to content

feat(proxy): add SPIFFE/SPIRE workload identity auth for upstream routes#1272

Open
SequeI wants to merge 1 commit into
mainfrom
spiffe/spire
Open

feat(proxy): add SPIFFE/SPIRE workload identity auth for upstream routes#1272
SequeI wants to merge 1 commit into
mainfrom
spiffe/spire

Conversation

@SequeI

@SequeI SequeI commented Jun 26, 2026

Copy link
Copy Markdown
Member

Linked Issue

Closes #1095

Summary

Adds two SPIFFE-based auth flows to the reverse proxy, all configured
under a single spiffe route field:

  • JWT-SVID injection: fetches a JWT-SVID from the SPIRE Workload API
    and injects it as a bearer token (or any header) into upstream requests.
    Tokens are cached and refreshed before expiry.

  • OAuth2 client assertion (RFC 7523): uses the JWT-SVID as a
    client_assertion in an OAuth2 client_credentials grant, exchanging
    it for an access token at a configured IdP.

All flows are fail-closed: if the SPIRE socket is unreachable at
startup, or credential acquisition fails at request time, the proxy returns
503 rather than forwarding unauthenticated.

Test Plan

Checklist

  • An issue exists and is linked above
  • All commits are signed-off, using DCO
  • All new code follows the project's coding standards (CLAUDE.md) and is covered by tests
  • Public-facing changes are paired with documentation updates
  • Release note has been added to CHANGELOG.md if needed

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

PR Review Summary

Size

Metric Value
Lines added +4312
Lines removed -545
Total changed 4857
Classification Large (> 300 lines)

Affected crates

  • crates/nono (core library) — careful review required. This is the security-critical sandbox primitive. A bug here bypasses OS-level isolation for every downstream user.
  • crates/nono-proxydownstream consumers depend on this crate. API or behaviour changes will affect external callers; treat any breaking change with extra scrutiny.
  • crates/nono-cli — CLI changes. Verify argument parsing, flag documentation, and UX behaviour across supported platforms.

Blast radius — Broad

This PR touches: source code,CI / build tooling,configuration / policy files


Updated automatically on each push to this PR.

@SequeI SequeI marked this pull request as draft June 26, 2026 11:34
@lukehinds lukehinds self-requested a review June 29, 2026 08:44
@SequeI SequeI marked this pull request as ready for review June 29, 2026 11:37
claude[bot]

This comment was marked as off-topic.

nogent-nolabs-ai[bot]

This comment was marked as outdated.

Comment thread crates/nono-proxy/src/tls_intercept/handle.rs Outdated
Adds two SPIFFE-based auth flows to the reverse proxy, all configured
under a single `spiffe` route field:

- **JWT-SVID injection**: fetches a JWT-SVID from the SPIRE Workload API
  and injects it as a bearer token (or any header) into upstream requests.
  Tokens are cached and refreshed before expiry.

- **OAuth2 client assertion** (RFC 7523): uses the JWT-SVID as a
  `client_assertion` in an OAuth2 `client_credentials` grant, exchanging
  it for an access token at a configured IdP.

All flows are fail-closed: if the SPIRE socket is unreachable at
startup, or credential acquisition fails at request time, the proxy returns
503 rather than forwarding unauthenticated.

Signed-off-by: Aleksy Siek <aleksy@alwaysfurther.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SPIFFE and SPIRE Integration for nono

2 participants