Authorization Service

Responsibilities

Load provider configuration (AD / Firebase / OKTA etc...) for identity token parsing
Load Jeen Server configuration for parsing access / refresh tokens
Delegate login configuration to frontend clients – see /public/providers/get-config
Manage endpoints:
- Public – Open to all
- System – Verified with secret header
- All other endpoints should be verified with access and refresh tokens
Proxy requests to targets. Auth service can proxy to a service according to the request path (currently only playground as target)
Reject unverified requests

When proxying requests to services, auth service will add:

x-jeen-trace-id header with UUID
X-Forwarded-Host header
x-jeen-auth-service header – this is a secret verified by playground API to ensure request was proxied from auth service

Auth service provides 2 health endpoints:

/public/health - for service status & version
/system/health - for service status, version & provider status (requires secret header)

At least 1 identity provider
Jeen configuration for public keys: /api/v1/iam/system/public-key-data on playground API
See REQUIRED_CONFIGURATIONS in config.ts

Auth service currently supports:

Important notes:

Auth is a gateway to the backend services. ALL requests to jeen services should go through the auth service
Auth should not connect to any services aside from identity providers and Jeen API
No DB connections
No Storage connections
No LLM, etc.
API connectivity is required; if API is not available on boot, auth service will not start because no public keys are available from API
Playground clients do a request to /get-config and expect a valid login configuration

After the request is validated by Auth, send it to a reverse proxy instead of the current proxy login
Hot reload Identity provider config / Jeen config
Scaling horizontally
IP Blacklist – For malicious clients
Management API – to configure while service is running