feat: move auths-oidc-bridge into public workspace

Move the OIDC bridge crate from auths-cloud into the public auths
workspace at Layer 2. Uses static pre-generated RSA keys in tests
to avoid slow runtime key generation (test suite: 99s → 0.4s).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: bordumb

Cargo.lock

@@ -15,6 +15,7 @@ members = [
   "crates/auths-infra-http",
   "crates/auths-storage",
   "crates/auths-keri",
+  "crates/auths-oidc-bridge",
   "crates/xtask",
 ]
 exclude = [
@@ -47,4 +48,5 @@ auths-crypto = { path = "crates/auths-crypto", version = "0.0.1-rc.4", default-f
 auths-sdk = { path = "crates/auths-sdk", version = "0.0.1-rc.4" }
 auths-infra-git = { path = "crates/auths-infra-git", version = "0.0.1-rc.4" }
 auths-infra-http = { path = "crates/auths-infra-http", version = "0.0.1-rc.4" }
+auths-oidc-bridge = { path = "crates/auths-oidc-bridge", version = "0.0.1-rc.6" }
 auths-storage = { path = "crates/auths-storage", version = "0.0.1-rc.4" }

Cargo.toml

@@ -1,6 +1,8 @@
 # Auths
 
-Decentralized identity for developers. One identity, multiple devices, Git-native storage.
+Decentralized identity for individuals, AI agents, and their organizations.
+
+One identity, multiple devices, Git-native storage.
 
 ## Install
 

README.md

@@ -0,0 +1,62 @@
+[package]
+name = "auths-oidc-bridge"
+version.workspace = true
+edition = "2024"
+rust-version = "1.93"
+authors = ["Auths Contributors"]
+description = "OIDC bridge: exchanges KERI attestation chains for cloud-provider JWTs"
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+keywords = ["identity", "oidc", "jwt", "keri"]
+categories = ["authentication", "web-programming"]
+
+[features]
+default = []
+github-oidc = ["dep:reqwest"]
+
+[[bin]]
+name = "auths-oidc-bridge"
+path = "src/main.rs"
+
+[lib]
+name = "auths_oidc_bridge"
+path = "src/lib.rs"
+
+[dependencies]
+auths-telemetry.workspace = true
+auths-verifier = { workspace = true, features = ["native"] }
+
+anyhow = "1"
+axum = "0.8"
+governor = { version = "0.8", features = ["dashmap"] }
+base64.workspace = true
+chrono = { version = "0.4", features = ["serde"] }
+hex = "0.4"
+jsonwebtoken = "9"
+rand = "0.8"
+rsa = { version = "0.9", features = ["pem"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+sha2 = "0.10"
+thiserror.workspace = true
+tokio.workspace = true
+tower-http = { version = "0.6", features = ["trace", "cors"] }
+tracing = "0.1"
+uuid.workspace = true
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"], optional = true }
+
+[dev-dependencies]
+auths-crypto.workspace = true
+tower = { version = "0.5", features = ["util"] }
+http-body-util = "0.1"
+tempfile = "3"
+ring.workspace = true
+json-canon = "0.1"
+bs58.workspace = true
+base64.workspace = true
+chrono = "0.4"
+hex = "0.4"
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"] }
+aws-config = { version = "1", features = ["behavior-version-latest"] }
+aws-sdk-sts = "1"

crates/auths-oidc-bridge/Cargo.toml

@@ -0,0 +1,28 @@
+# auths-oidc-bridge
+
+OIDC bridge that exchanges KERI attestation chains for short-lived RS256 JWTs consumable by cloud providers (AWS STS, GCP Workload Identity, Azure AD).
+
+## How it works
+
+1. Client POSTs an attestation chain + root public key to `/token`
+2. Bridge verifies the chain via `auths-verifier`
+3. Bridge issues a signed RS256 JWT with OIDC-standard claims
+4. Cloud provider validates the JWT against `/.well-known/jwks.json`
+
+## Features
+
+- Token exchange endpoint with attestation chain verification
+- JWKS and OpenID Configuration discovery endpoints
+- Key rotation with dual-key JWKS support
+- Rate limiting per identity prefix
+- Optional GitHub Actions OIDC cross-referencing (`github-oidc` feature)
+
+## Feature flags
+
+| Flag | Description |
+|------|-------------|
+| `github-oidc` | Enables GitHub Actions OIDC token verification and cross-referencing |
+
+## License
+
+Apache-2.0

crates/auths-oidc-bridge/README.md

@@ -0,0 +1,149 @@
+//! Audience format detection and validation for cloud providers.
+
+use crate::error::BridgeError;
+
+/// Detected cloud provider based on audience format.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum AudienceKind {
+    /// AWS STS (e.g. `sts.amazonaws.com`).
+    Aws,
+    /// GCP Workload Identity Federation.
+    Gcp,
+    /// Azure AD / Entra ID.
+    Azure,
+    /// Unknown or custom audience.
+    Custom,
+}
+
+impl AudienceKind {
+    /// Returns the provider name as a string, or `None` for `Custom`.
+    pub fn provider_name(self) -> Option<&'static str> {
+        match self {
+            Self::Aws => Some("aws"),
+            Self::Gcp => Some("gcp"),
+            Self::Azure => Some("azure"),
+            Self::Custom => None,
+        }
+    }
+}
+
+/// Controls how audience format mismatches are handled.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
+pub enum AudienceValidation {
+    /// Log warnings on format mismatch but allow the request (default).
+    #[default]
+    Warn,
+    /// Reject requests with audience format mismatches.
+    Strict,
+    /// Skip audience format validation entirely.
+    None,
+}
+
+impl AudienceValidation {
+    /// Parse from a string value (for env var parsing).
+    pub fn from_str_value(s: &str) -> Option<Self> {
+        match s.to_lowercase().as_str() {
+            "warn" => Some(Self::Warn),
+            "strict" => Some(Self::Strict),
+            "none" => Some(Self::None),
+            _ => Option::None,
+        }
+    }
+}
+
+/// Detect the cloud provider from the audience string and validate the format.
+///
+/// Returns the detected `AudienceKind`. In `Strict` mode, returns an error
+/// for format mismatches. In `Warn` mode, logs warnings. In `None` mode,
+/// skips all validation.
+pub fn validate_audience_format(
+    audience: &str,
+    mode: &AudienceValidation,
+) -> Result<AudienceKind, BridgeError> {
+    let kind = detect_audience_kind(audience);
+
+    if *mode == AudienceValidation::None {
+        return Ok(kind);
+    }
+
+    // Check for GCP format mismatches
+    if kind == AudienceKind::Gcp && !is_valid_gcp_audience(audience) {
+        let msg = format!(
+            "GCP audience format mismatch: expected \
+             https://iam.googleapis.com/projects/{{NUMBER}}/locations/global/\
+             workloadIdentityPools/{{POOL}}/providers/{{PROVIDER}}, got: {audience}"
+        );
+        match mode {
+            AudienceValidation::Strict => {
+                return Err(BridgeError::InvalidRequest(msg));
+            }
+            AudienceValidation::Warn => {
+                tracing::warn!("{msg}");
+            }
+            AudienceValidation::None => unreachable!(),
+        }
+    }
+
+    tracing::info!(audience = audience, kind = ?kind, "audience format detected");
+    Ok(kind)
+}
+
+/// Detect the audience kind from the audience string.
+pub fn detect_audience_kind(audience: &str) -> AudienceKind {
+    if audience.contains("amazonaws.com") {
+        AudienceKind::Aws
+    } else if audience.starts_with("https://iam.googleapis.com/") {
+        AudienceKind::Gcp
+    } else if audience.starts_with("api://") || looks_like_guid(audience) {
+        AudienceKind::Azure
+    } else {
+        AudienceKind::Custom
+    }
+}
+
+/// Check if a GCP audience matches the expected Workload Identity Federation format.
+///
+/// Expected: `https://iam.googleapis.com/projects/{NUMBER}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}`
+fn is_valid_gcp_audience(audience: &str) -> bool {
+    let Some(rest) = audience.strip_prefix("https://iam.googleapis.com/projects/") else {
+        return false;
+    };
+
+    // Expected: {NUMBER}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}
+    let parts: Vec<&str> = rest
+        .splitn(2, "/locations/global/workloadIdentityPools/")
+        .collect();
+    if parts.len() != 2 {
+        return false;
+    }
+
+    let project_number = parts[0];
+    if project_number.is_empty() || !project_number.chars().all(|c| c.is_ascii_digit()) {
+        return false;
+    }
+
+    // Expected: {POOL}/providers/{PROVIDER}
+    let provider_parts: Vec<&str> = parts[1].splitn(2, "/providers/").collect();
+    if provider_parts.len() != 2 {
+        return false;
+    }
+
+    let pool_id = provider_parts[0];
+    let provider_id = provider_parts[1];
+
+    !pool_id.is_empty() && !provider_id.is_empty()
+}
+
+/// Check if a string looks like a GUID (8-4-4-4-12 hex digits).
+fn looks_like_guid(s: &str) -> bool {
+    let parts: Vec<&str> = s.split('-').collect();
+    parts.len() == 5
+        && parts[0].len() == 8
+        && parts[1].len() == 4
+        && parts[2].len() == 4
+        && parts[3].len() == 4
+        && parts[4].len() == 12
+        && parts
+            .iter()
+            .all(|p| p.chars().all(|c| c.is_ascii_hexdigit()))
+}