feat(spp_oauth): prepare spp_oauth for stable status with RS256 bridge module

[gonzalesedwin1123]

Summary

Prepares spp_oauth for Production/Stable status and ships a new auto-installing bridge module spp_api_v2_oauth that enables RS256 JWT authentication for API V2, including from external Identity Providers (e.g. Keycloak) via configurable trusted-issuer records.

Changes

spp_oauth — stabilization (now 19.0.2.1.0, Production/Stable)

• Naming: Rename abbreviated config parameters (oauth_priv_key → oauth_private_key, oauth_pub_key → oauth_public_key) and model class (RegistryConfig → OAuthConfig) across models, config params, views, data, tests, and docs.
• Placeholder defaults: Empty the default values so get_private_key() / get_public_key() raise a clear OpenSPPOAuthJWTException when keys are not configured, instead of failing later with a cryptic PyJWT error on the placeholder strings.
• Security: Restrict ACL to base.group_system with perm_create=1.
• API surface: Export get_private_key and get_public_key from spp_oauth.tools.
• Error handling: Remove unconditional ERROR logging from OpenSPPOAuthJWTException's constructor — callers decide log level.
• Tests: Add wrong-key verification test, settings-model coverage, exception-logging coverage; improve assertions; remove numbered prefixes.
• Docs: Add DESCRIPTION.md, USAGE.md (QA testing guide), HISTORY.md entry for 19.0.2.1.0.

spp_api_v2_oauth — new bridge module (now 19.0.2.0.0, Beta)

Auto-installs when both spp_api_v2 and spp_oauth are present. Accepts both HS256 (unchanged) and RS256 JWTs, with RS256 dispatched per-issuer so external Identity Providers can be trusted without modifying core code.

• Auth middleware: Overrides get_authenticated_client via FastAPI dependency_overrides. Routes by JWT header alg:
  • HS256 → delegated to original spp_api_v2 verification (unchanged).
  • RS256 → routed by the iss claim:
    • iss == "openspp-api-v2" → verified with the spp_oauth public key (existing behavior).
    • iss matches an active spp.oauth.issuer record → verified via that record's JWKS endpoint or static PEM, with the record's configured client_claim mapped to spp.api.client.client_id.
    • Otherwise → 401.
  • Other algorithms → 401 (explicit allowlist).
• Token endpoint: POST /oauth/token/rs256 with the same client-auth flow, rate limiting, and payload structure as the HS256 endpoint.
• New model: spp.oauth.issuer (admin-only) — name, issuer, audience, key_source (JWKS URI or static PEM), jwks_uri, public_key, algorithms (whitelist), client_claim, jwks_cache_ttl_seconds, http_timeout_seconds, active. Constraints reject HMAC algorithms, none, plain HTTP for non-loopback URLs, and invalid/private-key PEMs.
• JWKS cache: Process-local PyJWKClient cache keyed by issuer record id; invalidated on record write/unlink.
• Security:
  • All claim checks (signature, exp, nbf, iat, aud, iss) are explicitly disabled on the iss-routing decode so the verifying jwt.decode() is the single source of truth for both verification and error messages.
  • Explicit algorithm allowlist per issuer; HS* and none are blocked.
  • JWKS URIs must be https:// (or loopback for dev IdPs).
  • Public keys validated via cryptography.hazmat.primitives.serialization.load_pem_public_key at write time.
  • No DB IDs in tokens.
• Admin UI: New menu under Settings → API V2 → Trusted OAuth Issuers (admin-only).
• Docs: readme/USAGE.md includes a worked Keycloak example.
• Tests: 74 tests covering: existing RS256 + HS256 paths (regression), token generation, issuer-model constraints, external static-PEM verification, external JWKS verification (with mocked PyJWKClient), iss dispatch, inactive/unknown-issuer rejection, client_claim mapping, and isolation of the internal path from external issuers.

Merge from 19.0

• Picked up 19.0.2.0.0 baseline for spp_oauth (Production/Stable, category OpenSPP).
• Re-bumped to 19.0.2.1.0 for the post-19.0.2.0.0 work on this branch (rename + new exports + placeholder fix + ACL tightening).

Test plan

• ./scripts/test_single_module.sh spp_oauth — green
• ./scripts/test_single_module.sh spp_api_v2_oauth — 74/74 passing
• pre-commit run --all-files — all hooks green (ruff, semgrep, bandit, pylint, OpenSPP custom checks)
• Settings UI: Settings → General Settings → SPP OAuth Settings renders and persists new RSA keys.
• Trusted Issuers UI: Settings → API V2 → Trusted OAuth Issuers lists/creates/edits records; constraints reject bad input (HTTP non-loopback, HS*, malformed PEM).
• Existing HS256 API clients continue working unchanged after bridge install.
• POST /oauth/token/rs256 returns a valid RS256 token when keys are configured.
• An RS256 token issued by a registered external spp.oauth.issuer (JWKS or static PEM) authenticates against an api_v2 endpoint; an expired one returns "Token expired"; an unknown iss returns "Untrusted issuer".

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the OpenSPP API's authentication capabilities by introducing support for RS256 JSON Web Tokens (JWTs) through a new bridge module. It also refines the existing OAuth module, improving its maintainability, security, and user experience. The changes aim to provide more robust and flexible authentication options, particularly beneficial for distributed and zero-trust architectures, while ensuring backward compatibility for existing HS256 clients.

Highlights

• New RS256 JWT Authentication Bridge: Introduced a new module, spp_api_v2_oauth, which enables RS256 (asymmetric RSA) JWT authentication for the OpenSPP API V2. This module automatically installs when both spp_api_v2 and spp_oauth are present, providing a dedicated /oauth/token/rs256 endpoint and routing incoming tokens based on their algorithm.
• Enhanced spp_oauth Module Stability: The spp_oauth module has been prepared for stable status with several improvements, including fixing config defaults, enhancing test coverage, and addressing staff engineer review findings related to naming conventions, security, and test quality.
• Improved Naming and Security in spp_oauth: Renamed abbreviated field/parameter names (e.g., oauth_priv_key to oauth_private_key) across models, config, views, data, tests, and documentation. Access Control Lists (ACL) for OAuth settings were restricted from base.group_user to base.group_system with create permissions, enhancing security.
• Comprehensive Testing and Documentation: Extensive test coverage was added for both modules, including wrong-key verification, improved assertions, and tests for RS256 authentication, HS256 regression, token generation, and endpoint logic. New DESCRIPTION.md and USAGE.md files were added to spp_oauth and spp_api_v2_oauth for clearer documentation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant enhancements by adding RS256 JWT authentication support through a new spp_api_v2_oauth bridge module, while also improving the existing spp_oauth module. The changes are well-structured, with comprehensive test coverage for both new functionality and regression testing for existing HS256 authentication. Key improvements include stricter access controls on OAuth key configuration, clearer naming conventions, and better error handling. The documentation has also been thoroughly updated. My review focuses on a couple of opportunities to reduce code duplication to further enhance long-term maintainability. Overall, this is an excellent contribution that strengthens the platform's authentication capabilities.

I am having trouble creating individual review comments. Click here to see my feedback.

spp_api_v2_oauth/constants.py (7-8)

The constants JWT_AUDIENCE and JWT_ISSUER are also used in the spp_api_v2 module, where they are currently hardcoded. While defining them as constants here is an improvement, it introduces duplication between modules. To maintain a single source of truth, consider defining these constants in a shared location, perhaps within the spp_api_v2 module itself (since spp_api_v2_oauth depends on it), and importing them here. This would make future updates to these values safer and more maintainable.

spp_api_v2_oauth/routers/oauth_rs256.py (73-81)

The logic to retrieve and parse the token_lifetime_hours configuration parameter, including the try-except block and default value handling, is duplicated from the original HS256 token endpoint in spp_api_v2. To improve maintainability and avoid potential inconsistencies, this logic could be extracted into a shared utility function that both token endpoints can call.

spp_oauth/tools/oauth_exception.py (1-9)

Removing the automatic error logging from the exception's constructor is a good design choice. It correctly places the responsibility of logging on the caller, allowing for more context-specific log levels and messages. However, the exception message itself could be more informative for the developer who needs to debug it. Consider including the original error message when wrapping other exceptions.

class OpenSPPOAuthJWTException(Exception):
    """Raised when an OAuth JWT operation fails (missing keys, invalid tokens, etc.)."""
    pass

spp_oauth/tools/rsa_encode_decode.py (48-49)

The variable name privkey is an abbreviation. For consistency with the other changes in this PR (e.g., oauth_private_key), it would be clearer to use the full name private_key.

    private_key = get_private_key(env)
    return jwt.encode(headers=header, payload=payload, key=private_key, algorithm=JWT_ALGORITHM)

spp_oauth/tools/rsa_encode_decode.py (61-63)

The variable name pubkey is an abbreviation. For consistency with other variable names and to improve clarity, it's better to use the full name public_key.

    public_key = get_public_key(env)
    try:
        return jwt.decode(access_token, key=public_key, algorithms=[JWT_ALGORITHM])

[codecov]

Codecov Report

❌ Patch coverage is 93.18182% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.81%. Comparing base (f121006) to head (5e34973).

Files with missing lines	Patch %	Lines
spp_api_v2_oauth/models/oauth_issuer.py	91.39%	8 Missing ⚠️
spp_api_v2_oauth/routers/oauth_rs256.py	87.23%	6 Missing ⚠️
spp_api_v2_oauth/middleware/auth_rs256.py	94.68%	5 Missing ⚠️
spp_api_v2_oauth/__manifest__.py	0.00%	1 Missing ⚠️
spp_api_v2_oauth/tools/jwks_cache.py	96.15%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             19.0     #114      +/-   ##
==========================================
+ Coverage   71.70%   71.81%   +0.10%     
==========================================
  Files         942      953      +11     
  Lines       55563    55852     +289     
==========================================
+ Hits        39844    40112     +268     
- Misses      15719    15740      +21     

Flag	Coverage Δ
spp_api_v2_oauth	92.80% <92.80%> (?)
spp_base_common	90.26% <ø> (ø)
spp_oauth	97.22% <100.00%> (-0.22%)	⬇️
spp_programs	64.87% <ø> (ø)
spp_security	66.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
spp_api_v2_oauth/__init__.py	100.00% <100.00%> (ø)
spp_api_v2_oauth/constants.py	100.00% <100.00%> (ø)
spp_api_v2_oauth/models/__init__.py	100.00% <100.00%> (ø)
spp_api_v2_oauth/models/api_client.py	100.00% <100.00%> (ø)
spp_api_v2_oauth/models/fastapi_endpoint.py	100.00% <100.00%> (ø)
spp_api_v2_oauth/tools/__init__.py	100.00% <100.00%> (ø)
spp_oauth/__manifest__.py	0.00% <ø> (ø)
spp_oauth/models/res_config_settings.py	100.00% <100.00%> (ø)
spp_oauth/tools/__init__.py	100.00% <100.00%> (ø)
spp_oauth/tools/oauth_exception.py	100.00% <ø> (ø)
... and 6 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gonzalesedwin1123]

Response to Gemini Code Review

Thanks for the review. Here's the status of each finding:

✅ Already Fixed

Finding #4 (privkey abbreviation) and #5 (pubkey abbreviation) — Both were renamed to private_key and public_key in commit de347d3. The review was based on an earlier diff.

ℹ️ No Action Needed

Finding #3 (exception class pass) — A class with only a docstring is valid Python; the docstring serves as the body. Adding pass is redundant and would be flagged by linters.

📋 Valid But Out of Scope

Finding #1 (duplicated JWT_AUDIENCE/JWT_ISSUER constants) and Finding #2 (duplicated token_lifetime_hours parsing) — Both are valid observations. The values "openspp" and "openspp-api-v2" are hardcoded as string literals in 4 places across spp_api_v2 (auth.py:208-209, oauth.py:219/221). They are not exported as named constants.

Fixing this properly requires modifying spp_api_v2 to extract shared constants/utilities — which is intentionally out of scope for this PR. The bridge module's design principle is zero changes to existing modules. Our constants.py centralizes them within the bridge, and a comment documents that they must match spp_api_v2.

These would be good follow-up items for a spp_api_v2 refactor PR.

[kneckinator]

Updating PR description to reflect changes introduced in 05670eb