Merge pull request #13 from mauriciozanettisalomao/fear/lfxv2-498-499-user-data-consumption-req-reply-authelia-auth0

[LFXV2-498, LFXV2-499] User data consumption req/reply - Authelia and Auth0

Author: mauriciozanettisalomao

README.md

@@ -162,43 +162,14 @@ To retrieve user metadata, send a NATS request to the following subject:
 **Subject:** `lfx.auth-service.user_metadata.read`  
 **Pattern:** Request/Reply
 
-The service supports two lookup strategies based on the input format, providing both authoritative identification and convenient username-based searches.
-
-##### Input Format and Strategy Selection
-
-The service automatically determines the lookup strategy based on the input format:
-
-- **Canonical Lookup** (contains `|`): `<connection>|<provider_user_id>` - Subject identifier
-- **Search Lookup** (no `|`): `<username>` - Convenience lookup
-
-##### Canonical Lookup Strategy (Recommended)
-
-**Format:** `<connection>|<provider_user_id>`
-
-The canonical lookup is the **authoritative, standard way to identify a user**, regardless of which provider they come from.
-
-**Examples:** `auth0|123456789`, `google-oauth2|987654321`, `samlp|my-connection|user123`
-
-##### Search Lookup Strategy (Convenience)
-
-**Format:** `<username>`
-
-Username lookups are **convenience only** and help avoid connection collisions within the Username-Password-Authentication connection.
-
-**Examples:** `john.doe`, `jane.smith`, `developer123`
+The service takes a token and validates/retrieves user data from the target identity provider based on the `USER_REPOSITORY_TYPE` environment variable configuration.
 
 ##### Request Payload
 
-The request payload should be a plain text identifier (no JSON wrapping required):
+The request payload should be a token (no JSON wrapping required):
 
-**Canonical Lookup:**
 ```
-auth0|123456789
-```
-
-**Search Lookup:**
-```
-john.doe
+eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
 ```
 
 ##### Reply
@@ -236,35 +207,26 @@ The service returns a structured reply with user metadata:
 }
 ```
 
-**Error Reply (Invalid Input):**
+**Error Reply (Invalid Token):**
 ```json
 {
   "success": false,
-  "error": "input is required"
+  "error": "invalid token"
 }
 ```
 
-##### Examples using NATS CLI
+##### Example using NATS CLI
 
 ```bash
-# Canonical lookup (subject identifier)
-# Note: Use quotes to escape the pipe character in shell commands
-nats request lfx.auth-service.user_metadata.read "auth0|123456789"
-
-# Search lookup (convenience username lookup)
-nats request lfx.auth-service.user_metadata.read john.doe
-
+# Retrieve user metadata using token
+nats request lfx.auth-service.user_metadata.read "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
 ```
 
 **Important Notes:**
-- **Canonical lookups** are the preferred method for system-to-system communication
-- **Search lookups** are provided for convenience and user-facing interfaces
-- The pipe character (`|`) in canonical identifiers must be escaped with quotes in shell commands
-- Both strategies return the same metadata format on success
-- The service supports **Auth0**, **Authelia**, and **mock** repositories based on configuration
-- When using mock or authelia mode, the service simulates Auth0 behavior for development and testing
-- For detailed Auth0-specific behavior and limitations, see the [Auth0 Integration Documentation](internal/infrastructure/auth0/README.md)
-- For detailed Authelia-specific behavior and SUB management, see the [Authelia Integration Documentation](internal/infrastructure/authelia/README.md)
+- The service validates the token and extracts user information from the target identity provider
+- The target identity provider is determined by the `USER_REPOSITORY_TYPE` environment variable
+- For detailed Auth0-specific behavior and limitations, see: [`internal/infrastructure/auth0/README.md`](internal/infrastructure/auth0/README.md)
+- For detailed Authelia-specific behavior and SUB management, see: [`internal/infrastructure/authelia/README.md`](internal/infrastructure/authelia/README.md)
 
 ---
 

internal/domain/port/user.go

@@ -19,7 +19,7 @@ type UserReaderWriter interface {
 type UserReader interface {
 	GetUser(ctx context.Context, user *model.User) (*model.User, error)
 	SearchUser(ctx context.Context, user *model.User, criteria string) (*model.User, error)
-	MetadataLookup(ctx context.Context, input string, user *model.User) bool
+	MetadataLookup(ctx context.Context, input string) (*model.User, error)
 }
 
 // UserWriter defines the behavior of the user writer

internal/infrastructure/auth0/README.md

@@ -4,51 +4,51 @@ This package provides Auth0 integration for the LFX v2 Auth Service, implementin
 
 ## Overview
 
-The Auth0 integration supports two primary lookup strategies for user metadata retrieval, providing both authoritative identification and convenient username-based searches.
+The Auth0 integration takes a JWT token and validates/retrieves user data from the Auth0 identity provider. The system parses the JWT token to extract user identification information and performs lookups through the Auth0 Management API.
 
-## User Identification Strategies
+## Token Support
 
-### Canonical Lookup Strategy (Recommended)
+The Auth0 integration supports JWT (JSON Web Token) parsing to extract user identification information. When a JWT token is provided as input, the system automatically extracts the `sub` (subject) claim and uses it for user lookups.
 
-**Format:** `<connection>|<provider_user_id>`
+### JWT Token Processing
 
-The canonical lookup is the **authoritative, standard way to identify a user**, regardless of which provider they come from. The sub (subject) identifier is the authoritative identifier that uniquely identifies a user across the entire Auth0 tenant.
+**Token Format:** JWT tokens issued by Auth0
 
-**Examples:**
-* `auth0|123456789` — Auth0 Database connection user
-* `google-oauth2|987654321` — Google OAuth2 user
-* `github|456789123` — GitHub OAuth2 user
-* `samlp|enterprise|user123` — SAML Enterprise connection user
-* `linkedin|789123456` — LinkedIn OAuth2 user
-
-**Auth0 Management API Call:**
-```http
-GET /api/v2/users/{sub}
+**Token Structure:**
+```json
+{
+  "iss": "https://{{tenant}}.auth0.com/",
+  "sub": "auth0|user123",
+  "aud": "https://{{tenant}}.auth0.com/api/v2/",
+  "iat": 1759751739,
+  "exp": 1759755339,
+  "scope": "read:current_user",
+  "azp": "O8sQ4Jbr3At8buVR3IkrTRlejPZFWenI"
+}
 ```
 
-**Benefits:**
-- **Authoritative**: Guaranteed unique identifier across all connections
-- **Fast**: Direct lookup by primary key
-- **Reliable**: No ambiguity about which user is being referenced
-- **Cross-provider**: Works regardless of authentication provider
-
-### Search Lookup Strategy (Convenience)
+### Token Processing Flow
 
-**Format:** `<username>`
+1. **Token Validation**: Validates the JWT token signature and expiration
+2. **Sub Extraction**: Extracts the `sub` claim from the token payload
+3. **User Lookup**: Uses the extracted `sub` value for direct user lookup via Auth0 Management API
+4. **Auth0 API Call**: Performs direct user lookup using the `sub` identifier
+5. **User Data Retrieval**: Returns user metadata from Auth0
 
-Username lookups are **convenience only** and help avoid connection collisions. This strategy searches for users by their username within the Username-Password-Authentication connection.
+### Auth0 Management API Integration
 
-**Examples:**
-- `john.doe`
-- `jane.smith`
-- `developer123`
+**Canonical Lookup (Recommended):**
+```http
+GET /api/v2/users/{sub}
+```
 
-**Auth0 Management API Call:**
+**Search Lookup (Convenience):**
 ```http
 GET /api/v2/users?q=identities.user_id:{username} AND identities.connection:Username-Password-Authentication
 ```
 
-**Limitations:**
-- **Connection-specific**: Only works within Username-Password-Authentication connection
-- **Slower**: Requires search query instead of direct lookup
-- **Limited scope**: Cannot find users from social or enterprise connections
+### Important Notes
+
+- **JWT Signature Validation**: Full JWT signature validation is performed using Auth0's public keys
+- **Token Expiration**: JWT tokens are validated for expiration and freshness
+- **Auth0 Management API**: Uses Auth0's Management API for user data retrieval

internal/infrastructure/auth0/models.go

@@ -3,7 +3,12 @@
 
 package auth0
 
-import "github.com/linuxfoundation/lfx-v2-auth-service/internal/domain/model"
+import (
+	"encoding/json"
+	"log/slog"
+
+	"github.com/linuxfoundation/lfx-v2-auth-service/internal/domain/model"
+)
 
 // Auth0User represents a user in Auth0
 type Auth0User struct {
@@ -74,3 +79,29 @@ func (u *Auth0User) ToUser() *model.User {
 		UserMetadata: meta,
 	}
 }
+
+// ErrorResponse represents an error response from Auth0
+type ErrorResponse struct {
+	StatusCode int    `json:"statusCode"`
+	Error      string `json:"error"`
+	Message    string `json:"message"`
+	Attributes struct {
+		Error string `json:"error"`
+	} `json:"attributes"`
+}
+
+// Message returns the error message from the attributes
+func (e *ErrorResponse) ErrorMessage(errorMessage string) string {
+	// parse the error message from the attributes
+	err := json.Unmarshal([]byte(errorMessage), e)
+	if err != nil {
+		slog.Error("failed to parse error message from attributes", "error", err)
+		return errorMessage
+	}
+	return e.Message
+}
+
+// NewErrorResponse creates a new ErrorResponse
+func NewErrorResponse() *ErrorResponse {
+	return &ErrorResponse{}
+}