fix: allow platform paths (ListTenants) without tenant claim in JWT (#1400)

Platform paths like /v1/tenants are bootstrap endpoints where the caller
discovers available tenants. Requiring a tenant claim to list tenants is
circular — the user needs to know which tenants exist before they can
scope requests to one.

Export IsPlatformPath from shared/platform/gateway and use it in
TenantAuthorizationMiddleware to bypass tenant authorization for
authenticated users hitting platform endpoints. The endpoint itself
handles access control based on the caller's identity.

Fixes the demo login flow where Dex OIDC tokens (which lack custom
tenant claims) could not call ListTenants to populate the tenant picker.

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

services/api-gateway/auth/combined_middleware.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	platformauth "github.com/meridianhub/meridian/shared/platform/auth"
+	"github.com/meridianhub/meridian/shared/platform/gateway"
 	"github.com/meridianhub/meridian/shared/platform/tenant"
 )
 
@@ -245,35 +246,13 @@ func (m *TenantAuthorizationMiddleware) Handler(next http.Handler) http.Handler
 			return
 		}
 
-		// When JWT has no tenant claim (e.g. standard OIDC tokens from Dex):
-		// 1. Platform-admin/super-admin: allow access to any tenant
-		// 2. Regular user with resolved tenant (subdomain/slug): scope to that tenant
-		// 3. Otherwise: deny
+		// When JWT has no tenant claim (e.g. standard OIDC tokens from Dex),
+		// delegate to authorizeWithoutTenantClaim which checks platform-admin
+		// role, resolved tenant from subdomain, and platform paths.
 		if jwtTenantID == "" {
-			claims, hasClaims := GetClaimsFromContext(ctx)
-			if hasClaims && hasPlatformAdminRole(claims) {
-				m.logger.Debug("platform admin access",
-					slog.String("user_id", claims.UserID),
-					slog.String("path", r.URL.Path),
-				)
+			if m.authorizeWithoutTenantClaim(w, r) {
 				next.ServeHTTP(w, r)
-				return
-			}
-
-			// Allow if tenant was resolved from subdomain/slug — user inherits
-			// tenant scope from the request routing rather than from JWT claims.
-			// This supports OIDC providers (like Dex) that issue identity-only
-			// tokens without custom tenant claims.
-			if resolvedTenant, ok := tenant.FromContext(ctx); ok && !resolvedTenant.IsEmpty() {
-				m.logger.Debug("tenant resolved from request context (no JWT tenant claim)",
-					slog.String("tenant", resolvedTenant.String()),
-					slog.String("path", r.URL.Path),
-				)
-				next.ServeHTTP(w, r)
-				return
 			}
-
-			writeForbidden(w, "missing tenant claim in token")
 			return
 		}
 
@@ -307,6 +286,51 @@ func (m *TenantAuthorizationMiddleware) Handler(next http.Handler) http.Handler
 	})
 }
 
+// authorizeWithoutTenantClaim handles authorization for JWTs that lack a tenant
+// claim (e.g. standard OIDC tokens from Dex). Returns true if the request is
+// allowed, false if a 403 was written.
+//
+// Authorization paths (checked in order):
+//  1. Platform-admin/super-admin: allow access to any tenant
+//  2. Resolved tenant from subdomain/slug: scope user to that tenant
+//  3. Platform path (e.g., ListTenants): allow — bootstrap endpoint
+//  4. Otherwise: deny with 403
+func (m *TenantAuthorizationMiddleware) authorizeWithoutTenantClaim(w http.ResponseWriter, r *http.Request) bool {
+	ctx := r.Context()
+
+	claims, hasClaims := GetClaimsFromContext(ctx)
+	if hasClaims && hasPlatformAdminRole(claims) {
+		m.logger.Debug("platform admin access",
+			slog.String("user_id", claims.UserID),
+			slog.String("path", r.URL.Path),
+		)
+		return true
+	}
+
+	// Allow if tenant was resolved from subdomain/slug — user inherits
+	// tenant scope from the request routing rather than from JWT claims.
+	if resolvedTenant, ok := tenant.FromContext(ctx); ok && !resolvedTenant.IsEmpty() {
+		m.logger.Debug("tenant resolved from request context (no JWT tenant claim)",
+			slog.String("tenant", resolvedTenant.String()),
+			slog.String("path", r.URL.Path),
+		)
+		return true
+	}
+
+	// Allow platform paths (e.g., ListTenants) for any authenticated user.
+	// These are bootstrap endpoints where the caller discovers available
+	// tenants — requiring a tenant claim would be circular.
+	if gateway.IsPlatformPath(r.URL.Path) {
+		m.logger.Debug("platform path access (no tenant claim required)",
+			slog.String("path", r.URL.Path),
+		)
+		return true
+	}
+
+	writeForbidden(w, "missing tenant claim in token")
+	return false
+}
+
 // hasPlatformAdminRole returns true if claims contain platform-admin or super-admin role.
 func hasPlatformAdminRole(claims *platformauth.Claims) bool {
 	if claims == nil {

services/api-gateway/auth/combined_middleware_test.go

@@ -410,6 +410,57 @@ func TestTenantAuthorizationMiddleware(t *testing.T) {
 		assert.Contains(t, rr.Body.String(), "missing tenant claim")
 	})
 
+	t.Run("platform path allowed without tenant claim for authenticated user", func(t *testing.T) {
+		middleware := NewTenantAuthorizationMiddleware(logger)
+
+		var nextCalled bool
+		nextHandler := http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
+			nextCalled = true
+		})
+
+		handler := middleware.Handler(nextHandler)
+
+		// OIDC token with no tenant claim, no resolved tenant, but platform path
+		claims := &platformauth.Claims{
+			UserID: "oidc-user",
+		}
+		ctx := injectClaimsToContext(context.Background(), claims)
+
+		req := httptest.NewRequest(http.MethodGet, "/v1/tenants", nil)
+		req = req.WithContext(ctx)
+		rr := httptest.NewRecorder()
+
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.True(t, nextCalled, "platform path should be accessible without tenant claim")
+	})
+
+	t.Run("platform path allowed for Connect/gRPC path", func(t *testing.T) {
+		middleware := NewTenantAuthorizationMiddleware(logger)
+
+		var nextCalled bool
+		nextHandler := http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
+			nextCalled = true
+		})
+
+		handler := middleware.Handler(nextHandler)
+
+		claims := &platformauth.Claims{
+			UserID: "oidc-user",
+		}
+		ctx := injectClaimsToContext(context.Background(), claims)
+
+		req := httptest.NewRequest(http.MethodPost, "/meridian.tenant.v1.TenantService/ListTenants", nil)
+		req = req.WithContext(ctx)
+		rr := httptest.NewRecorder()
+
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.True(t, nextCalled)
+	})
+
 	t.Run("403 when no resolved tenant in context", func(t *testing.T) {
 		middleware := NewTenantAuthorizationMiddleware(logger)
 

shared/platform/gateway/tenant_resolver.go

@@ -76,9 +76,12 @@ var platformPaths = []string{
 	"/meridian.tenant.v1.TenantService/", // Connect/gRPC path
 }
 
-// isPlatformPath returns true if the request path is a platform-level endpoint
-// that should bypass tenant resolution.
-func isPlatformPath(path string) bool {
+// IsPlatformPath returns true if the request path is a platform-level endpoint
+// that should bypass tenant resolution and tenant authorization.
+// Platform paths (e.g., ListTenants) are bootstrap endpoints that only require
+// authentication — the endpoint itself handles access control based on the
+// caller's identity.
+func IsPlatformPath(path string) bool {
 	for _, prefix := range platformPaths {
 		if strings.HasPrefix(path, prefix) {
 			return true
@@ -188,7 +191,7 @@ func (m *TenantResolverMiddleware) extractSlugFromRequest(w http.ResponseWriter,
 func (m *TenantResolverMiddleware) Handler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Skip tenant resolution for platform-level endpoints
-		if isPlatformPath(r.URL.Path) {
+		if IsPlatformPath(r.URL.Path) {
 			next.ServeHTTP(w, r)
 			return
 		}

shared/platform/gateway/tenant_resolver_test.go

@@ -930,19 +930,19 @@ func TestServeHTTP(t *testing.T) {
 
 func TestIsPlatformPath(t *testing.T) {
 	// REST transcoding paths
-	assert.True(t, isPlatformPath("/v1/tenants"))
-	assert.True(t, isPlatformPath("/v1/tenants/acme_corp"))
+	assert.True(t, IsPlatformPath("/v1/tenants"))
+	assert.True(t, IsPlatformPath("/v1/tenants/acme_corp"))
 
 	// Connect/gRPC paths
-	assert.True(t, isPlatformPath("/meridian.tenant.v1.TenantService/ListTenants"))
-	assert.True(t, isPlatformPath("/meridian.tenant.v1.TenantService/CreateTenant"))
-	assert.True(t, isPlatformPath("/meridian.tenant.v1.TenantService/GetTenant"))
+	assert.True(t, IsPlatformPath("/meridian.tenant.v1.TenantService/ListTenants"))
+	assert.True(t, IsPlatformPath("/meridian.tenant.v1.TenantService/CreateTenant"))
+	assert.True(t, IsPlatformPath("/meridian.tenant.v1.TenantService/GetTenant"))
 
 	// Non-platform paths
-	assert.False(t, isPlatformPath("/v1/accounts"))
-	assert.False(t, isPlatformPath("/v1/parties"))
-	assert.False(t, isPlatformPath("/health"))
-	assert.False(t, isPlatformPath("/meridian.party.v1.PartyService/ListParties"))
+	assert.False(t, IsPlatformPath("/v1/accounts"))
+	assert.False(t, IsPlatformPath("/v1/parties"))
+	assert.False(t, IsPlatformPath("/health"))
+	assert.False(t, IsPlatformPath("/meridian.party.v1.PartyService/ListParties"))
 }
 
 func TestPlatformPathBypassesTenantResolution(t *testing.T) {