
fix(api-server): handle Keycloak service-account- prefix in OIDC username matching #1471

Closed
markturansky wants to merge 2 commits into main from
fix/keycloak-service-account-prefix

Conversation

@markturansky
Contributor

Summary

  • Keycloak prefixes service account usernames with service-account- in JWT claims, causing the gRPC middleware to fail matching the configured GRPC_SERVICE_ACCOUNT username and not assigning CallerTypeService.
  • Extracts an isServiceAccount() helper that accepts both the exact configured name and the Keycloak-prefixed variant (service-account-<name>), used in both the unary and stream gRPC interceptors.
  • Adds table-driven tests covering exact match, prefixed match, no match, empty inputs, and partial prefix cases.

Test plan

  • TestIsServiceAccount passes with all 6 cases
  • Existing TestBearerTokenAuth and gRPC interceptor tests continue to pass
  • Deploy to staging and verify service account gRPC calls are correctly identified as CallerTypeService with Keycloak-issued tokens

🤖 Generated with Claude Code

…name matching

Keycloak client credentials tokens have preferred_username set to
"service-account-<clientId>" rather than the raw client ID. The
GRPC_SERVICE_ACCOUNT env var is populated from the clientId secret key
(e.g. "ocm-ams-service"), but the JWT username is
"service-account-ocm-ams-service". The direct comparison always failed,
so CallerTypeService was never set and WatchSessionMessages returned
PERMISSION_DENIED.

Add isServiceAccount() helper that matches both the raw client ID and
the Keycloak-prefixed form.

Evidence: decoded the OIDC token from Red Hat SSO client credentials
grant — preferred_username="service-account-ocm-ams-service".

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@markturansky markturansky added the ambient-code:self-reviewed Self-reviewed by Ambient agent label Apr 27, 2026
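The matching rule described in the summary and the commit message above (accept the configured name verbatim or in Keycloak's `service-account-<clientId>` form, reject everything else) as an added, self-contained example; this is not the project's code. `CallerType`, `classifyCaller` and `stripServiceAccountPrefix` are names constructed here for illustration, and the configured value mirrors the `ocm-ams-service` example from the commit message.

```go
package main

import (
	"fmt"
	"strings"
)

// keycloakServiceAccountPrefix is what Keycloak puts in front of the client ID
// in the preferred_username claim of a client-credentials token.
const keycloakServiceAccountPrefix = "service-account-"

// CallerType stands in for the caller classification the interceptors assign
// (a constructed type for this example, not the project's own definition).
type CallerType int

const (
	CallerTypeUser CallerType = iota
	CallerTypeService
)

// isServiceAccount reports whether the token username matches the configured
// service-account name, either verbatim or in the Keycloak-prefixed form.
// Both checks are exact string equality: a bare strings.HasPrefix test would
// accept any Keycloak service account, not only the one that was configured.
func isServiceAccount(username, configured string) bool {
	if username == "" || configured == "" {
		return false
	}
	if username == configured {
		return true
	}
	return username == keycloakServiceAccountPrefix+configured
}

// classifyCaller is the decision a unary or stream interceptor would take
// after isServiceAccount: service callers get CallerTypeService, all others
// are treated as ordinary users.
func classifyCaller(username, configured string) CallerType {
	if isServiceAccount(username, configured) {
		return CallerTypeService
	}
	return CallerTypeUser
}

// stripServiceAccountPrefix returns the raw client ID from a Keycloak
// service-account username, or the input unchanged when it has no prefix.
// Useful when logging which client authenticated.
func stripServiceAccountPrefix(username string) string {
	return strings.TrimPrefix(username, keycloakServiceAccountPrefix)
}

func main() {
	// Constructed sample: the value GRPC_SERVICE_ACCOUNT would hold.
	const configured = "ocm-ams-service"

	cases := []struct{ label, username string }{
		{"exact match", "ocm-ams-service"},
		{"keycloak-prefixed", "service-account-ocm-ams-service"},
		{"other service account", "service-account-other-client"},
		{"partial prefix", "service-account-ocm"},
		{"trailing garbage", "service-account-ocm-ams-service-x"},
		{"regular user", "alice"},
		{"empty username", ""},
	}
	for _, c := range cases {
		fmt.Printf("%-22s %-38q service=%-5v caller=%d\n",
			c.label, c.username, isServiceAccount(c.username, configured),
			classifyCaller(c.username, configured))
	}
}
```

The two empty-input guards matter: with `configured == ""` the prefixed check would otherwise accept a literal `service-account-` username, so an unset `GRPC_SERVICE_ACCOUNT` fails closed instead of granting `CallerTypeService`.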
@netlify

netlify Bot commented Apr 27, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Latest commit: 12e63d1
Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ef943380f9fd0008f48a69

@coderabbitai
Contributor

coderabbitai Bot commented Apr 27, 2026

Caution

Review failed

The head commit changed during the review from 70440c4 to 12e63d1.


@markturansky
Contributor Author

Closing — this fix was already merged to main via #1465.
