vault: add generic authorizer with jwt auth support by prashantkumar1982 · Pull Request #21714 · smartcontractkit/chainlink

prashantkumar1982 · 2026-03-26T03:44:20Z

Summary

This adds the Vault auth abstraction needed for gateway-side JWT support while keeping current behavior unchanged because JWT auth remains disabled.

What changed

add a generic Authorizer used by both the Vault gateway handler and the Vault capability gateway handler
model two first-class auth mechanisms: AllowListBasedAuth and JWTBasedAuth
add a shared AuthResult contract and a shared RequestReplayGuard
implement JWT auth validation plumbing behind JWTBasedAuth, gated internally and failing closed when disabled
rename the old request-authorizer/replay-guard types and files to reflect the new mechanism names

Behavior

runtime behavior is unchanged today because JWT auth is still disabled
allowlist-based auth remains the active mechanism for existing traffic

…th-authorizer # Conflicts: # core/capabilities/vault/gw_handler.go # core/capabilities/vault/gw_handler_test.go # core/services/ocr2/delegate.go

github-actions · 2026-03-26T04:07:50Z

✅ No conflicts with other open PRs targeting develop

github-actions · 2026-03-26T04:07:52Z

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

#added For any new functionality added.
#breaking_change For any functionality that requires manual action for the node to boot.
#bugfix For bug fixes.
#changed For any change to the existing functionality.
#db_update For any feature that introduces updates to database schema.
#deprecation_notice For any upcoming deprecation functionality.
#internal For changesets that need to be excluded from the final changelog.
#nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
#removed For any functionality/config that is removed.
#updated For any functionality that is updated.
#wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

prashantkumar1982 · 2026-03-26T04:09:49Z

core/capabilities/vault/allow_list_based_auth.go

This file is pretty much just a rename of previous request_authorizer.go file

trunk-io · 2026-03-26T04:19:57Z

_{View Full Report ↗︎ ⋅ Docs}

- Cap JWKS response body to 1 MB to prevent resource exhaustion - Make all AuthResult fields unexported with accessor methods - Add iat claim validation to JWT parser - Annotate unreachable return in allowlist retry loop - Fix misleading test name for digest verification delegation Made-with: Cursor

…th-authorizer # Conflicts: # core/capabilities/vault/allow_list_based_auth_test.go # core/capabilities/vault/request_authorizer.go

github-actions · 2026-03-26T16:34:44Z

CORA - Pending Reviewers

Codeowners Entry	Overall	Num Files	Owners
`*`	💬	4	@smartcontractkit/foundations, @smartcontractkit/core
`/core/capabilities/`	💬	13	@smartcontractkit/keystone, @smartcontractkit/capabilities-team
`/core/services/ocr*`	💬	1	@smartcontractkit/foundations, @smartcontractkit/core
`go.mod`	💬	6	@smartcontractkit/core, @smartcontractkit/foundations
`go.sum`	💬	6	@smartcontractkit/core, @smartcontractkit/foundations
`integration-tests/go.mod`	💬	1	@smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations
`integration-tests/go.sum`	💬	1	@smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations

For more details, see the full review summary.

cl-sonarqube-production · 2026-03-26T16:50:42Z

Quality Gate passed

Issues
1 New issue
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

elatoskinas · 2026-03-27T09:42:28Z

core/capabilities/vault/mocks/allow_list_based_auth.go

@@ -0,0 +1,99 @@
+// Code generated by mockery v2.53.0. DO NOT EDIT.


Why not stub it with mockery? Would save quite a bit of code / maintenance

elatoskinas · 2026-03-27T09:45:16Z

core/capabilities/vault/authorizer.go

+	expiresAt     int64
+}
+
+func NewAllowListBasedAuthResult(workflowOwner, digest string, expiresAt int64) *AuthResult {


nit: having a function seems a bit overkill to construct a struct (especially if we support more auth types), we could just inline this.

elatoskinas · 2026-03-27T09:46:25Z

core/capabilities/vault/authorizer.go

+	if a.orgID != "" {
+		return a.orgID
+	}
+	return a.workflowOwner


Aren't we tying all secrets to the org ID? Or is this just for backwards compat and we're planning to remove it?

elatoskinas · 2026-03-27T09:47:26Z

core/capabilities/vault/authorizer.go

+}
+
+// JWTBasedAuth validates Vault requests authenticated with JWTs.
+type JWTBasedAuth interface {


Why do we need a separate interface, if it's the same as type Authorizer interface? The JWTBasedAuth could just implement the Authorizer interface?

elatoskinas · 2026-03-27T09:49:30Z

core/capabilities/vault/authorizer.go

+}
+
+func (a *authorizer) authorizeRequest(ctx context.Context, req jsonrpc.Request[json.RawMessage]) (*AuthResult, error) {
+	if req.Auth == "" {


Could you add a comment on why we pick allowlist based auth here? IIIUC it's for backwards compat since we currently don't populate this field?

elatoskinas · 2026-03-27T10:10:19Z