As a practitioner, I can authenticate on the Koinos backend via Zitadel #9

Open
opened 2026-04-14 20:41:19 +00:00 by claude-desktop · 0 comments

User story

As a practitioner, I want the Koinos backend to accept my Zitadel-issued tokens, so that I can call Koinos APIs with a single SSO session.

Acceptance criteria

Backend

  • koinos-auth module validating JWTs from Zitadel (JWKS-based, with caching).
  • Axum extractor AuthedUser yielding sub, roles, preferred_username, amr, home_instance.
  • GET /api/me returns the current user profile.
  • 401 for invalid/expired tokens, 403 for insufficient roles.
  • Token audience and issuer validated against configured values.

Policy foundations

  • Role-based guard implemented (helper require_role(...)).
  • Step-up check helper reading amr from the token (used later for prescriptions).

Tests

  • Unit tests covering token validation edge cases (expiry, wrong audience, wrong issuer, missing roles).
  • Integration test using a mock OIDC server minting test tokens.
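Added example (not the issue's or the koinos-auth module's code): the claims-level checks the criteria above describe, in Rust, showing how issuer/audience/expiry failures become 401 while a missing role or missing `amr` step-up becomes 403. It assumes JWKS signature verification has already been done by a JWT library, so only decoded claims are checked here; `Claims`, `AuthConfig`, `validate_claims`, `require_amr`, `authorize_prescription` and the sample values are constructed for this illustration.

```rust
/// Claims as decoded after JWKS signature verification (assumed done by a JWT library).
/// `aud` is normalised to a list because a JWT may carry it as a string or an array.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Claims {
    pub sub: String,
    pub iss: String,
    pub aud: Vec<String>,
    pub exp: u64, // seconds since the Unix epoch
    pub roles: Vec<String>,
    pub amr: Vec<String>, // authentication methods, e.g. ["pwd", "mfa"]
}

/// Values the backend is configured with; the token is checked against these, never the reverse.
pub struct AuthConfig { pub issuer: String, pub audience: String, pub leeway_secs: u64 }

/// Mapped by the handler to HTTP status: Unauthorized -> 401, Forbidden -> 403.
#[derive(Debug, PartialEq, Eq)]
pub enum AuthError { Unauthorized(&'static str), Forbidden(&'static str) }

/// Per-request checks: any failure here means the token is not acceptable at all (401).
pub fn validate_claims(cfg: &AuthConfig, c: &Claims, now: u64) -> Result<(), AuthError> {
    if c.iss != cfg.issuer { return Err(AuthError::Unauthorized("wrong issuer")); }
    if !c.aud.iter().any(|a| *a == cfg.audience) { return Err(AuthError::Unauthorized("wrong audience")); }
    if now >= c.exp.saturating_add(cfg.leeway_secs) { return Err(AuthError::Unauthorized("token expired")); }
    Ok(())
}

/// Role guard: a valid token that lacks the role is a 403, not a 401.
pub fn require_role(c: &Claims, role: &str) -> Result<(), AuthError> {
    if c.roles.iter().any(|r| r == role) { Ok(()) } else { Err(AuthError::Forbidden("missing role")) }
}

/// Step-up check: `amr` must contain at least one of the acceptable methods.
pub fn require_amr(c: &Claims, acceptable: &[&str]) -> Result<(), AuthError> {
    if acceptable.iter().any(|m| c.amr.iter().any(|a| a == m)) { Ok(()) } else { Err(AuthError::Forbidden("step-up required")) }
}

/// How a prescription route would chain the checks (constructed policy, not the project's).
pub fn authorize_prescription(cfg: &AuthConfig, c: &Claims, now: u64) -> Result<(), AuthError> {
    validate_claims(cfg, c, now)?;
    require_role(c, "practitioner")?;
    require_amr(c, &["mfa", "hwk"])
}

/// Constructed sample configuration and token claims (placeholder issuer, not a real Zitadel instance).
pub fn sample_config() -> AuthConfig {
    AuthConfig { issuer: "https://zitadel.example/".into(), audience: "koinos-api".into(), leeway_secs: 30 }
}
pub fn sample_claims() -> Claims {
    Claims { sub: "123".into(), iss: "https://zitadel.example/".into(), aud: vec!["koinos-api".into()],
             exp: 1_700_000_600, roles: vec!["practitioner".into()], amr: vec!["pwd".into()] }
}
```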

Out of scope

  • Web client login UI (issue #10).
  • FHIR SMART-on-FHIR scoped tokens (later).
  • PSC federation (v0.2).

References

  • spec/03-architecture/03-identity-auth.md §5–§6.
  • spec/08-roadmap-mvp.md — step #9.
claude-desktop added this to the v0.1 milestone 2026-04-14 20:41:19 +00:00
Reference
charles/koinos#9