khaledez commented Oct 16, 2025

Zero-Trust Authentication Module for Pingoo

This PR introduces OAuth/OIDC authentication with zero-trust principles for the Pingoo edge server.

Security Features

  • Zero-Trust Architecture: Every request validated, no implicit trust
  • Cryptographic Security:
    • AES-256-GCM for session encryption
    • HMAC-SHA256 for cookie signatures
    • Constant-time comparisons for all secrets
    • Memory zeroization for sensitive data
  • JWT Validation: RS256 signature verification with JWKS caching
  • Secure Cookies: HttpOnly, Secure
  • Session Management: In-memory store with expiration and renewal

Architecture

┌─────────────────┐
│  HTTP Request   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Auth Middleware │  ← Zero-trust validation
└────────┬────────┘
         │
    ┌────┴────┐
    │         │
    ▼         ▼
┌────────┐ ┌────────────┐
│Session │ │OAuth Flow  │
│Manager │ │(if needed) │
└────┬───┘ └──────┬─────┘
     │            │
     ▼            ▼
┌──────────────────────┐
│  Backend Services    │
│ (with user headers)  │
└──────────────────────┘

Components

1. JWKS Provider (jwks.rs)

Fetches and caches public keys from OAuth providers.

use std::sync::Arc;

use auth::{JwksProvider, ProviderConfig};

let providers = vec![
    ProviderConfig::google(),
    ProviderConfig::microsoft(Some("tenant-id")),
    ProviderConfig::auth0("your-domain.auth0.com"),
];

let jwks_provider = Arc::new(JwksProvider::new(providers));

2. JWT Validator (jwt_validator.rs)

Validates ID tokens with signature and claims verification.

use std::time::Duration;

use auth::{JwtValidator, ValidationConfig};

let config = ValidationConfig {
    allowed_issuers: vec!["https://accounts.google.com".to_string()],
    allowed_audiences: vec!["your-client-id".to_string()],
    clock_skew: Duration::from_secs(300),
    require_exp: true,
    require_nbf: false,
};

let validator = Arc::new(JwtValidator::new(jwks_provider, config));

3. Session Manager (session/manager.rs)

Manages encrypted session cookies.

use auth::session::{SessionConfig, SessionManager};

let (encrypt_key, sign_key) = SessionCrypto::generate_keys()?;

let session_config = SessionConfig {
    encrypt_key,
    sign_key,
    domain: Some("example.com".to_string()),
    secure: true,
    duration: Duration::from_secs(86400), // 24 hours
};

let session_manager = Arc::new(SessionManager::new(session_config)?);

4. OAuth Manager (oauth.rs)

Handles OAuth2/OIDC authentication flows.

use auth::{OAuthConfig, OAuthManager, OAuthProvider};

let oauth_config = OAuthConfig {
    provider: OAuthProvider::Google,
    client_id: "your-client-id".to_string(),
    client_secret: "your-client-secret".to_string(),
    redirect_url: "https://example.com/auth/callback".to_string(),
    scopes: vec!["openid".to_string(), "email".to_string(), "profile".to_string()],
};

let oauth_manager = Arc::new(OAuthManager::new(
    oauth_config,
    session_manager.clone(),
    Some(validator),
));

5. Auth Middleware (middleware.rs)

HTTP middleware for request authentication.

use auth::{AuthMiddleware, AuthMiddlewareConfig};

let auth_config = AuthMiddlewareConfig {
    required: true,
    public_paths: vec![
        "/health".to_string(),
        "/auth/login".to_string(),
        "/auth/callback".to_string(),
        "/auth/logout".to_string(),
    ],
};

let auth_middleware = Arc::new(AuthMiddleware::new(
    session_manager,
    Some(oauth_manager.clone()),
    auth_config,
));
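
The claim checks that the `ValidationConfig` fields in the description imply, written as an added example and not code from this PR or from Pingoo. `Claims`, `ClaimError` and `validate_claims` are hypothetical names, the handling of `clock_skew`, `require_exp` and `require_nbf` is an assumption about their meaning, and signature verification is assumed to have already happened.

```rust
use std::time::Duration;

// Field names mirror the PR description's ValidationConfig; the semantics are assumed.
pub struct ValidationConfig {
    pub allowed_issuers: Vec<String>,
    pub allowed_audiences: Vec<String>,
    pub clock_skew: Duration,
    pub require_exp: bool,
    pub require_nbf: bool,
}

// Hypothetical decoded claim set; the token signature is verified elsewhere.
pub struct Claims {
    pub iss: String,
    pub aud: Vec<String>,
    pub exp: Option<u64>, // seconds since the Unix epoch
    pub nbf: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError { Issuer, Audience, MissingExp, Expired, MissingNbf, NotYetValid }

// Hypothetical helper: `now` is a parameter so the check is deterministic and testable.
pub fn validate_claims(c: &Claims, cfg: &ValidationConfig, now: u64) -> Result<(), ClaimError> {
    let skew = cfg.clock_skew.as_secs();
    // Exact string match only: no prefix, trailing-slash or case-insensitive comparison.
    if !cfg.allowed_issuers.iter().any(|i| i == &c.iss) {
        return Err(ClaimError::Issuer);
    }
    // At least one audience in the token must be one we accept.
    if !c.aud.iter().any(|a| cfg.allowed_audiences.contains(a)) {
        return Err(ClaimError::Audience);
    }
    match c.exp {
        None if cfg.require_exp => return Err(ClaimError::MissingExp),
        // Skew extends the lifetime: reject once now >= exp + skew.
        Some(exp) if now >= exp.saturating_add(skew) => return Err(ClaimError::Expired),
        _ => {}
    }
    match c.nbf {
        None if cfg.require_nbf => return Err(ClaimError::MissingNbf),
        // Skew lets a token be accepted slightly before its nbf.
        Some(nbf) if now.saturating_add(skew) < nbf => return Err(ClaimError::NotYetValid),
        _ => {}
    }
    Ok(())
}
```

With the 300-second skew from the description, a token stays acceptable for up to five minutes past its `exp`, which is the window to weigh when choosing that value.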

notABot101010 (Member) commented Oct 17, 2025

Interesting, thank you!

Auth is definitely on the roadmap.

As mentioned in the README, you first need to open an issue so we can discuss implementation details before submitting a PR.

For example, it's highly unlikely that we will ever merge RSA support.

khaledez (Author)

> Interesting, thank you!
>
> Auth is definitely on the roadmap.
>
> As mentioned in the README, you first need to open an issue so we can discuss implementation details before submitting a PR.
>
> For example, it's highly unlikely that we will ever merge RSA support.

Sure, I will create an issue. Thank you for taking a look
