Herald: Implement OIDC Authentication #13

@jorisvilardell

Priority: High
Dependencies: Issue 1 (Control Plane HTTP Client)

Description:
Implement OIDC Client Credentials flow for authenticating Herald with the control plane using Ferriskey/Keycloak.

Acceptance Criteria:

  • Create OidcAuthenticator in infrastructure/auth/ module
  • Implement token acquisition using client credentials flow
  • Support token caching and automatic refresh
  • Inject Bearer token into HTTP requests to control plane
  • Handle token expiration gracefully
  • Add configuration for client_id, client_secret, token_endpoint
  • Unit tests with mocked token endpoint

Technical Notes:

  • Use reqwest for token requests
  • Store token with expiry time and refresh proactively
  • Consider using oauth2 crate for OIDC flow
  • Ensure thread-safe token storage (use Arc<RwLock<Token>>)
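
An added sketch of the caching and proactive-refresh behaviour listed above; it is not code from the Herald repository. `TokenCache`, `Token`, `bearer`, the `skew` margin and the `fetch` closure (a stand-in for the `reqwest` call to `token_endpoint`) are hypothetical names, and the slot is an `Option` so that "no token yet" needs no dummy value.

```rust
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

pub struct Token {
    pub access_token: String,
    pub expires_at: Instant,
}

/// Hypothetical cache (not Herald's code): hands out a bearer token and
/// fetches a new one once the cached token is within `skew` of expiry.
pub struct TokenCache<F> {
    slot: Arc<RwLock<Option<Token>>>,
    fetch: F, // stands in for the reqwest POST to token_endpoint
    skew: Duration,
}

impl<F: Fn() -> Result<(String, Duration), String>> TokenCache<F> {
    pub fn new(fetch: F, skew: Duration) -> Self {
        Self { slot: Arc::new(RwLock::new(None)), fetch, skew }
    }
    fn fresh(&self, t: &Token, now: Instant) -> bool {
        now + self.skew < t.expires_at
    }

    /// Value for the `Authorization` header; `now` is passed in for testability.
    pub fn bearer(&self, now: Instant) -> Result<String, String> {
        // Fast path: shared read lock, no network call.
        if let Some(t) = self.slot.read().unwrap().as_ref() {
            if self.fresh(t, now) {
                return Ok(format!("Bearer {}", t.access_token));
            }
        }
        // Slow path: re-check under the write lock; queued callers reuse the refresh.
        let mut guard = self.slot.write().unwrap();
        if let Some(t) = guard.as_ref() {
            if self.fresh(t, now) {
                return Ok(format!("Bearer {}", t.access_token));
            }
        }
        let (access_token, ttl) = (self.fetch)()?; // on error the old entry stays
        *guard = Some(Token { access_token: access_token.clone(), expires_at: now + ttl });
        Ok(format!("Bearer {access_token}"))
    }
}

fn main() {
    // Constructed token value and lifetime, for illustration only.
    let cache = TokenCache::new(|| Ok(("constructed-token".to_string(), Duration::from_secs(300))), Duration::from_secs(30));
    println!("{}", cache.bearer(Instant::now()).unwrap());
}
```

The write lock is held while `fetch` runs, so readers wait during a refresh; an async implementation would need an async-aware lock to hold the guard across the request.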
