Frontmatter
id: 10727
title: Deployment-target OAuth2.1 / X-PREFERRED-USERNAME integration
state: Closed
labels: enhancement, ai, architecture
assignees: neo-gemini-3-1-pro
createdAt: May 5, 2026, 12:13 AM
updatedAt: May 15, 2026, 2:46 PM
githubUrl: https://github.com/neomjs/neo/issues/10727
author: neo-gemini-3-1-pro
commentsCount: 0
parentIssue: 10721
subIssues: []
subIssuesCompleted: 0
subIssuesTotal: 0
blockedBy: []
blocking: []
closedAt: May 5, 2026, 8:40 PM

Deployment-target OAuth2.1 / X-PREFERRED-USERNAME integration

Closed · enhancement · ai · architecture
neo-gemini-3-1-pro commented on May 5, 2026, 12:13 AM

Context

The Shared Deployment MVP (#10721) targets a team environment where identity is paramount. While v12.1 OIDC ships in the repo, specific integration for the deployment-target's OAuth2.1 provider (e.g., GitLab) is needed.

The Problem

A shared Memory Core/Knowledge Base must associate sessions and requests with authenticated identities. Without deployment-target-specific OAuth integration and identity resolution (such as via the X-PREFERRED-USERNAME header), the MVP lacks the required auth guarantees for a multi-tenant or shared-team environment.

The Architectural Reality

The existing authentication surface needs to accommodate the specific OAuth2.1 flow or header-based identity assertion (X-PREFERRED-USERNAME) expected by the target infrastructure.

The Fix

Implement and document the OAuth2.1 integration flow or X-PREFERRED-USERNAME header extraction logic. This sub-issue carries a unique condition per the Epic: it must either ship a working flow under this sub-epic, or be formally retired with a pointer to a sibling auth-track epic.

Contract Ledger Matrix

Target Surface: Auth Integration
Source of Authority: Identity / Auth Layer
Proposed Behavior: Extract identity via OAuth2.1 or X-PREFERRED-USERNAME and associate with request context.
Fallback: Return 401/403 if identity is missing or invalid.
Docs: Update learn/agentos/SharedDeployment.md
Evidence: L3 (Live OIDC flow validation or test coverage of header extraction)

Acceptance Criteria

  • Evaluate the integration path for OAuth2.1 / X-PREFERRED-USERNAME.
  • EITHER: Implement the integration, successfully resolving identity per request.
  • OR: Formally retire this sub-issue with a documented rationale and a pointer to a sibling auth-track epic.
  • If implemented, ensure identity is passed correctly to the RequestContextService.

Out of Scope

  • Multi-tenant data isolation (this is just identity extraction for a shared team; true tenant isolation is #10011).
  • Provisioning the external OAuth provider itself.

Avoided Traps

  • Rejected: Silently dropping auth as "too complex". Auth is a partner-MVP-blocking concern. It must be addressed here or formally handed off to a dedicated epic so the gap is explicitly tracked.

Related

  • Parent Epic: #10721
  • Future direction: #10011 (Tenant isolation)

Origin Session ID: 79042442-bebc-431d-8968-8a2e7d7a1151
Retrieval Hint: query_raw_memories(query="Deployment-target OAuth2.1 X-PREFERRED-USERNAME integration")
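
The header-based path described above only holds if the application can tell that X-PREFERRED-USERNAME was set by the deployment target's proxy rather than by the client. The following is an added example, not code from the neomjs/neo repository: it shows the shape of the check the ledger calls for (extract the identity, hand it to a request context, answer 401 when it is missing and 403 when it is invalid or untrustworthy). The `trustProxyIdentity` name is taken from the referenced commit; the rest of the config shape (`trustedProxies`, `proxySecret`), the `x-proxy-secret` header, the username allow-list, the `buildRequestContext` helper and the sample requests are assumptions made for illustration.

```javascript
'use strict';

// Assumption: a conservative allow-list for usernames. Tighten or loosen it to
// match the identity provider's actual username format.
const USERNAME_RE = /^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$/;

// Node lowercases incoming header names; tolerate mixed case in constructed input.
function header(headers, lowerName) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === lowerName);
  return key === undefined ? undefined : headers[key];
}

// Constant-time string comparison (dependency-free; crypto.timingSafeEqual is
// the usual choice in a real service). Length is compared first, which leaks
// only the secret's length.
function secretMatches(provided, expected) {
  if (typeof provided !== 'string' || provided.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= provided.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function reject(status, reason) {
  return { status, reason, identity: null };
}

// Resolves a proxy-asserted identity. Returns { status, reason, identity };
// status is 200 only when identity is populated.
//   401: no identity was asserted (feature disabled, or header absent)
//   403: an identity was asserted but cannot be trusted or is malformed
function resolveProxyIdentity(req, config) {
  const headers = req.headers || {};

  // Operator opt-in: when disabled the header is never consulted, even if present.
  if (!config.trustProxyIdentity) return reject(401, 'proxy identity disabled');

  // The header is only meaningful if the TCP peer is the proxy that sets it.
  if (!config.trustedProxies.includes(req.remoteAddress)) {
    return reject(403, 'peer is not a trusted proxy');
  }

  // Optional shared secret (assumed header name) as a second binding to the proxy.
  if (config.proxySecret !== undefined &&
      !secretMatches(header(headers, 'x-proxy-secret'), config.proxySecret)) {
    return reject(403, 'proxy secret mismatch');
  }

  const raw = header(headers, 'x-preferred-username');
  if (typeof raw !== 'string' || raw.trim() === '') {
    return reject(401, 'missing proxy identity');
  }

  const username = raw.trim();
  if (!USERNAME_RE.test(username)) return reject(403, 'malformed proxy identity');

  return { status: 200, reason: 'ok', identity: { username, source: 'X-PREFERRED-USERNAME' } };
}

// Hypothetical request-context shape: the value a RequestContextService-style
// layer would receive once identity resolution has succeeded.
function buildRequestContext(req, config) {
  const result = resolveProxyIdentity(req, config);
  if (result.status !== 200) {
    return { ok: false, status: result.status, reason: result.reason };
  }
  return {
    ok: true,
    status: 200,
    user: result.identity.username,
    identitySource: result.identity.source
  };
}

// Constructed sample config and requests (not captured traffic).
const CONFIG = {
  trustProxyIdentity: true,
  trustedProxies: ['10.0.0.2'],
  proxySecret: 'example-shared-secret'
};

const SAMPLES = {
  // Legitimate: arrives from the proxy, carries the secret and a clean username.
  viaProxy: { remoteAddress: '10.0.0.2',
              headers: { 'X-Preferred-Username': 'alice', 'x-proxy-secret': 'example-shared-secret' } },
  // Spoof attempt: a client sets the header itself, bypassing the proxy.
  spoofed:  { remoteAddress: '203.0.113.9',
              headers: { 'x-preferred-username': 'admin' } },
  // Proxy forwarded an unauthenticated request: no header at all.
  missing:  { remoteAddress: '10.0.0.2',
              headers: { 'x-proxy-secret': 'example-shared-secret' } },
  // Proxy forwarded a value that fails the allow-list.
  junk:     { remoteAddress: '10.0.0.2',
              headers: { 'x-preferred-username': 'alice role=admin', 'x-proxy-secret': 'example-shared-secret' } }
};
```

Two caveats a deployment should pair with this. First, the peer check and secret only work if the proxy also strips any inbound X-PREFERRED-USERNAME from clients before setting its own; the application cannot detect a proxy that forwards client headers untouched. Second, keep the `trustProxyIdentity` default off, so an instance that is accidentally exposed without the proxy treats every request as anonymous rather than trusting whatever the client sends.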

tobiu referenced in commit e24518e - "feat(auth): add proxy identity injection via X-PREFERRED-USERNAME (#10727) (#10768)" on May 5, 2026, 8:40 PM
tobiu closed this issue on May 5, 2026, 8:40 PM
tobiu referenced in commit c084882 - "docs(agentos): document trustProxyIdentity threat model + operator config (#10727) (#10769)" on May 5, 2026, 8:42 PM
tobiu referenced in commit 46c8579 - "feat(auth): enforce 401 rejection for missing proxy identity (#10727) (#10785)" on May 5, 2026, 10:20 PM