Zero-Trust Authentication Module for Pingoo by khaledez · Pull Request #16 · pingooio/pingoo

khaledez · 2025-10-16T13:24:40Z

Zero-Trust Authentication Module for Pingoo

This PR introduces OAuth/OIDC authentication with zero-trust principles for the Pingoo edge server.

Security Features

Zero-Trust Architecture: Every request validated, no implicit trust
Cryptographic Security:
- AES-256-GCM for session encryption
- HMAC-SHA256 for cookie signatures
- Constant-time comparisons for all secrets
- Memory zeroization for sensitive data
JWT Validation: RS256 signature verification with JWKS caching
Secure Cookies: HttpOnly, Secure
Session Management: In-memory store with expiration and renewal

Architecture

┌─────────────────┐
│  HTTP Request   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Auth Middleware │  ← Zero-trust validation
└────────┬────────┘
         │
    ┌────┴────┐
    │         │
    ▼         ▼
┌────────┐ ┌────────────┐
│Session │ │OAuth Flow  │
│Manager │ │(if needed) │
└────┬───┘ └──────┬─────┘
     │            │
     ▼            ▼
┌──────────────────────┐
│  Backend Services    │
│ (with user headers)  │
└──────────────────────┘

Components

1. JWKS Provider (`jwks.rs`)

Fetches and caches public keys from OAuth providers.

use auth::{JwksProvider, ProviderConfig};

let providers = vec![
    ProviderConfig::google(),
    ProviderConfig::microsoft(Some("tenant-id")),
    ProviderConfig::auth0("your-domain.auth0.com"),
];

let jwks_provider = Arc::new(JwksProvider::new(providers));

2. JWT Validator (`jwt_validator.rs`)

Validates ID tokens with signature and claims verification.

use auth::{JwtValidator, ValidationConfig};

let config = ValidationConfig {
    allowed_issuers: vec!["https://accounts.google.com".to_string()],
    allowed_audiences: vec!["your-client-id".to_string()],
    clock_skew: Duration::from_secs(300),
    require_exp: true,
    require_nbf: false,
};

let validator = Arc::new(JwtValidator::new(jwks_provider, config));

3. Session Manager (`session/manager.rs`)

Manages encrypted session cookies.

use auth::session::{SessionConfig, SessionManager};

let (encrypt_key, sign_key) = SessionCrypto::generate_keys()?;

let session_config = SessionConfig {
    encrypt_key,
    sign_key,
    domain: Some("example.com".to_string()),
    secure: true,
    duration: Duration::from_secs(86400), // 24 hours
};

let session_manager = Arc::new(SessionManager::new(session_config)?);

4. OAuth Manager (`oauth.rs`)

Handles OAuth2/OIDC authentication flows.

use auth::{OAuthConfig, OAuthManager, OAuthProvider};

let oauth_config = OAuthConfig {
    provider: OAuthProvider::Google,
    client_id: "your-client-id".to_string(),
    client_secret: "your-client-secret".to_string(),
    redirect_url: "https://example.com/auth/callback".to_string(),
    scopes: vec!["openid".to_string(), "email".to_string(), "profile".to_string()],
};

let oauth_manager = Arc::new(OAuthManager::new(
    oauth_config,
    session_manager.clone(),
    Some(validator),
));

5. Auth Middleware (`middleware.rs`)

HTTP middleware for request authentication.

use auth::{AuthMiddleware, AuthMiddlewareConfig};

let auth_config = AuthMiddlewareConfig {
    required: true,
    public_paths: vec![
        "/health".to_string(),
        "/auth/login".to_string(),
        "/auth/callback".to_string(),
        "/auth/logout".to_string(),
    ],
};

let auth_middleware = Arc::new(AuthMiddleware::new(
    session_manager,
    Some(oauth_manager.clone()),
    auth_config,
));

notABot101010 · 2025-10-17T06:41:52Z

Interesting, thank you!

Auth is definitely on the roadmap.

As mentioned in the README, you first need to open an issue so we can discuss implementation details before submitting a PR.

For example, it's highly unlikely that we will ever merge RSA support.

khaledez · 2025-10-20T12:14:06Z

Interesting, thank you!

Auth is definitely on the roadmap.

As mentioned in the README, you first need to open an issue so we can discuss implementation details before submitting a PR.

For example, it's highly unlikely that we will ever merge RSA support.

Sure, I will create an issue. Thank you for taking a look

introduce OAuth support as a Zero-Trust implementation

42fe2c5

khaledez force-pushed the main branch from 9a9eab0 to 42fe2c5 Compare October 16, 2025 13:25

Merge branch 'main' of github.com:pingooio/pingoo

5c7d77b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Zero-Trust Authentication Module for Pingoo#16

Zero-Trust Authentication Module for Pingoo#16
khaledez wants to merge 2 commits intopingooio:mainfrom
khaledez:main

khaledez commented Oct 16, 2025 •

edited

Loading

Uh oh!

notABot101010 commented Oct 17, 2025 •

edited

Loading

Uh oh!

khaledez commented Oct 20, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

khaledez commented Oct 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Zero-Trust Authentication Module for Pingoo

Security Features

Architecture

Components

1. JWKS Provider (jwks.rs)

2. JWT Validator (jwt_validator.rs)

3. Session Manager (session/manager.rs)

4. OAuth Manager (oauth.rs)

5. Auth Middleware (middleware.rs)

Uh oh!

notABot101010 commented Oct 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

khaledez commented Oct 20, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

khaledez commented Oct 16, 2025 •

edited

Loading

1. JWKS Provider (`jwks.rs`)

2. JWT Validator (`jwt_validator.rs`)

3. Session Manager (`session/manager.rs`)

4. OAuth Manager (`oauth.rs`)

5. Auth Middleware (`middleware.rs`)

notABot101010 commented Oct 17, 2025 •

edited

Loading