fix: pass OIDC default env vars to meridian container (#1259)

bjcoombs · web-flow · commit 2f095b2430c7 · 2026-02-26T22:25:21.000Z
* feat: enable Dex OIDC authentication for demo environment

Replace fake JWT workarounds with real Dex OIDC authentication.
The backend now gracefully handles standard OIDC tokens by falling
back to the sub claim for user ID and applying configurable defaults
for tenant ID and roles when custom Meridian claims are absent.

Backend:
- Add Email/Name OIDC fields and EffectiveUserID() to Claims
- Add DEFAULT_TENANT_ID and DEFAULT_ROLES env vars to gateway config
- JWT middleware injects configured defaults for missing claims
- Wire defaults through CombinedAuthMiddleware to JWTMiddleware

Frontend:
- parseJWT accepts standard OIDC tokens (sub fallback, array aud)
- Login page with email/password form using Dex password grant
- Dev-only fake JWT buttons preserved for local development
- Demo mode defaults to platform lens for DevTenantAutoSelector

Dex config:
- Real bcrypt hashes for admin@volterra.energy and operator@volterra.energy
- Password: demo2026

* fix: store effective claims object in context for platform-admin bypass

TenantAuthorizationMiddleware checks claims.HasRole() on the Claims
object stored in context. The previous approach stored default roles
only as context values, making them invisible to the authorization
check. Fix by creating a shallow copy of claims with effective values
(UserID, TenantID, Roles) applied, then storing the copy in context.

This ensures platform-admin default role is visible when
DEFAULT_ROLES=platform-admin is configured with empty
DEFAULT_TENANT_ID, enabling cross-tenant access for demo users.

* fix: pass DEFAULT_TENANT_ID and DEFAULT_ROLES to meridian container

These env vars were defined in .env but not listed in the
docker-compose.yml environment section, so they were never
passed to the container. Also update .env.demo.example to
document the new vars and enable AUTH_ENABLED=true by default.

* fix: trim whitespace from DEFAULT_TENANT_ID env var

---------

Co-authored-by: Ben Coombs &lt;bjcoombs@users.noreply.github.com&gt;
diff --git a/deploy/demo/.env.demo.example b/deploy/demo/.env.demo.example
@@ -68,9 +68,8 @@ HTTP_PORT=8090
 # ---------------------------------------------------------------------------
 
 # [OPTIONAL] Enable JWT authentication on the gateway.
-# Set to "false" for demo mode (API open, frontend uses local JWT for UI routing).
-# Set to "true" when Dex OIDC is fully configured with real credentials.
-AUTH_ENABLED=false
+# Set to "true" to require Dex OIDC tokens for API access.
+AUTH_ENABLED=true
 
 # [OPTIONAL] JWKS endpoint for JWT validation.
 # Default points to the bundled Dex container.
@@ -92,14 +91,17 @@ JWKS_URL=http://dex:5556/dex/keys
 # Example: "sk_demo_abc123:demo-client,sk_test_def456:test-runner"
 #API_KEYS=
 
+# [OPTIONAL] Default tenant ID injected into context when OIDC token lacks x-tenant-id.
+# Leave empty for platform-admin cross-tenant access (recommended for demo).
+#DEFAULT_TENANT_ID=
+
+# [OPTIONAL] Comma-separated default roles injected when OIDC token lacks roles claim.
+# Set to "platform-admin" so demo Dex users get cross-tenant access.
+DEFAULT_ROLES=platform-admin
+
 # [OPTIONAL] Gateway base domain for subdomain-based tenant resolution.
 BASE_DOMAIN=demo.meridianhub.cloud
 
-# [OPTIONAL] Enable X-Tenant-Slug header for tenant resolution (dev/demo only).
-# When true, tenants can be identified via the X-Tenant-Slug HTTP header instead
-# of subdomain extraction. Must not be enabled in production namespaces.
-LOCAL_DEV_MODE=true
-
 # ---------------------------------------------------------------------------
 # Billing
 # ---------------------------------------------------------------------------
diff --git a/deploy/demo/docker-compose.yml b/deploy/demo/docker-compose.yml
@@ -87,6 +87,8 @@ services:
       JWT_ISSUER: ${JWT_ISSUER:-}
       JWT_AUDIENCE: ${JWT_AUDIENCE:-}
       API_KEYS: ${API_KEYS:-}
+      DEFAULT_TENANT_ID: ${DEFAULT_TENANT_ID:-}
+      DEFAULT_ROLES: ${DEFAULT_ROLES:-}
       BASE_DOMAIN: ${BASE_DOMAIN:-demo.meridianhub.cloud}
       LOCAL_DEV_MODE: ${LOCAL_DEV_MODE:-false}
 
diff --git a/services/gateway/config.go b/services/gateway/config.go
@@ -266,7 +266,7 @@ func LoadAuthConfig() AuthConfig {
 	}
 
 	// Parse OIDC fallback defaults
-	config.DefaultTenantID = os.Getenv("DEFAULT_TENANT_ID")
+	config.DefaultTenantID = strings.TrimSpace(os.Getenv("DEFAULT_TENANT_ID"))
 	config.DefaultRoles = env.GetEnvAsSlice("DEFAULT_ROLES", nil)
 
 	return config

Original file line number	Diff line number	Diff line change
`@@ -266,7 +266,7 @@ func LoadAuthConfig() AuthConfig {`
`266`	`266`	`}`
`267`	`267`
`268`	`268`	`// Parse OIDC fallback defaults`
`269`		`- config.DefaultTenantID = os.Getenv("DEFAULT_TENANT_ID")`
	`269`	`+ config.DefaultTenantID = strings.TrimSpace(os.Getenv("DEFAULT_TENANT_ID"))`
`270`	`270`	`config.DefaultRoles = env.GetEnvAsSlice("DEFAULT_ROLES", nil)`
`271`	`271`
`272`	`272`	`return config`