Summary
Follow-up to #52 which added the entity model, AuthorizationService, and CLI admin commands. This issue covers wiring up actual authentication so the REST API enforces the security model.
Scope
- OIDC integration — add
quarkus-oidc dependency and configure for Keycloak (or compatible provider). Provision h5m User entity on first login.
- Auto-admin bootstrap — if the user table is empty when a new user logs in via OIDC, automatically create them as admin (replaces manual
h5m admin create-user bootstrap).
- API key authentication — implement
HttpAuthenticationMechanism that validates H5M_ prefixed keys against SHA-256 hashes in the api_key table. Wire to SecurityIdentity.
- REST security annotations — protect write endpoints (upload, delete, recalculate) using
AuthorizationService. Read endpoints remain public.
Out of scope
- Per-team roles (viewer/tester/uploader/manager) — h5m uses binary membership
- Row-level security policies
- API key management REST endpoints (can be added later)
References
- Design doc:
docs/design/plan-security-roles.md
- Horreum reference:
ApiKeyAuthenticationMechanism, RolesAugmentor, ApiKeyIdentityProvider
- Entity model already in place:
User, Team, ApiKey, FolderEntity.team
Summary
Follow-up to #52 which added the entity model, AuthorizationService, and CLI admin commands. This issue covers wiring up actual authentication so the REST API enforces the security model.
Scope
quarkus-oidcdependency and configure for Keycloak (or compatible provider). Provision h5mUserentity on first login.h5m admin create-userbootstrap).HttpAuthenticationMechanismthat validatesH5M_prefixed keys against SHA-256 hashes in theapi_keytable. Wire toSecurityIdentity.AuthorizationService. Read endpoints remain public.Out of scope
References
docs/design/plan-security-roles.mdApiKeyAuthenticationMechanism,RolesAugmentor,ApiKeyIdentityProviderUser,Team,ApiKey,FolderEntity.team