feat(jwt): add external JWT validation authentication

Add support for validating JWT tokens issued by external authentication
services (e.g., Authelia, Keycloak, GitHub Actions OIDC, GitLab OIDC).

- Add JWKS fetching with TTL-based caching
- Implement JWT signature and claim validation
- Validate standard claims (iss, aud, exp, nbf)
- Authenticated users get access to all repositories

Assisted-by: GLM 4.7

Author: Tern

go.mod

@@ -1,27 +1,31 @@
 module github.com/dvjn/sorcerer
 
-go 1.24
+go 1.24.0
+
+toolchain go1.24.13
 
 require (
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/knadh/koanf/providers/env v1.1.0
 	github.com/knadh/koanf/providers/structs v1.0.0
 	github.com/knadh/koanf/v2 v2.2.0
 	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20250220192232-583e014d1541
 	github.com/rs/zerolog v1.34.0
 	github.com/tg123/go-htpasswd v1.2.4
-	golang.org/x/crypto v0.37.0
 )
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/knadh/koanf/maps v0.1.2 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 )

go.sum

@@ -1,15 +1,21 @@
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
 github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo=
 github.com/knadh/koanf/maps v0.1.2/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI=
 github.com/knadh/koanf/providers/env v1.1.0 h1:U2VXPY0f+CsNDkvdsG8GcsnK4ah85WwWyJgef9oQMSc=
@@ -41,10 +47,10 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
 github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/auth/auth.go

@@ -1,11 +1,11 @@
 package auth
 
 import (
-	_ "embed"
 	"fmt"
 	"net/http"
 
 	"github.com/dvjn/sorcerer/internal/auth/htpasswd"
+	"github.com/dvjn/sorcerer/internal/auth/jwt"
 	"github.com/dvjn/sorcerer/internal/auth/no_auth"
 	"github.com/dvjn/sorcerer/internal/config"
 	"github.com/go-chi/chi/v5"
@@ -23,6 +23,8 @@ func New(c *config.AuthConfig, logger *zerolog.Logger) (Auth, error) {
 		return no_auth.New(&c.NoAuth), nil
 	case config.AuthModeHtpasswd:
 		return htpasswd.NewHtpasswdAuth(&c.Htpasswd, logger)
+	case config.AuthModeJWT:
+		return jwt.NewJWTAuth(c.JWT.JWKSURL, c.JWT.Issuer, c.JWT.Audience, c.JWT.CacheTTL, logger)
 	default:
 		return nil, fmt.Errorf("unknown auth mode: %s", c.Mode)
 	}

internal/auth/jwt/jwks.go

@@ -0,0 +1,92 @@
+package jwt
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/rs/zerolog"
+)
+
+// JWKSProvider fetches and caches JWKS public keys with TTL-based caching
+type JWKSProvider struct {
+	jwksURL    string
+	cacheTTL   time.Duration
+	provider   *oidc.Provider
+	mu         sync.RWMutex
+	lastFetch time.Time
+	logger    *zerolog.Logger
+}
+
+// NewJWKSProvider creates a new JWKS provider with caching
+func NewJWKSProvider(jwksURL string, cacheTTL time.Duration, logger *zerolog.Logger) (*JWKSProvider, error) {
+	if logger == nil {
+		return nil, fmt.Errorf("logger is required")
+	}
+
+	p := &JWKSProvider{
+		jwksURL:  jwksURL,
+		cacheTTL: cacheTTL,
+		logger:   logger,
+	}
+
+	// Initial fetch
+	if err := p.refreshProvider(context.Background()); err != nil {
+		return nil, fmt.Errorf("failed to initialize JWKS provider: %w", err)
+	}
+
+	p.logger.Info().
+		Str("jwks_url", jwksURL).
+		Str("cache_ttl", cacheTTL.String()).
+		Msg("jwt jwks provider initialized")
+
+	return p, nil
+}
+
+// GetProvider returns the OIDC provider, refreshing cache if needed
+func (p *JWKSProvider) GetProvider(ctx context.Context) (*oidc.Provider, error) {
+	p.mu.RLock()
+	needsRefresh := time.Since(p.lastFetch) > p.cacheTTL
+	p.mu.RUnlock()
+
+	if needsRefresh {
+		if err := p.refreshProvider(ctx); err != nil {
+			// If refresh fails, use cached provider if available
+			p.mu.RLock()
+			defer p.mu.RUnlock()
+			if p.provider == nil {
+				return nil, fmt.Errorf("no cached provider and refresh failed: %w", err)
+			}
+			p.logger.Warn().
+				Err(err).
+				Str("jwks_url", p.jwksURL).
+				Msg("jwks refresh failed, using cached keys")
+		}
+	}
+
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return p.provider, nil
+}
+
+// refreshProvider fetches the JWKS provider from the remote URL
+func (p *JWKSProvider) refreshProvider(ctx context.Context) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	provider, err := oidc.NewProvider(ctx, p.jwksURL)
+	if err != nil {
+		return fmt.Errorf("failed to fetch JWKS from %s: %w", p.jwksURL, err)
+	}
+
+	p.provider = provider
+	p.lastFetch = time.Now()
+
+	p.logger.Debug().
+		Str("jwks_url", p.jwksURL).
+		Msg("jwks provider refreshed")
+
+	return nil
+}

internal/auth/jwt/jwt.go

@@ -0,0 +1,5 @@
+package jwt
+
+// This file is kept for package-level exports. The main implementation
+// is in middleware.go which defines the JWTAuth type and its methods.
+