{"id":29222282,"url":"https://github.com/datum-cloud/auth-provider-zitadel","last_synced_at":"2026-01-07T00:28:18.200Z","repository":{"id":299672854,"uuid":"1003766289","full_name":"datum-cloud/auth-provider-zitadel","owner":"datum-cloud","description":"Leverage Zitadel for authentication with Milo","archived":false,"fork":false,"pushed_at":"2025-07-02T18:42:03.000Z","size":166,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-02T18:43:17.466Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/datum-cloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-17T16:25:20.000Z","updated_at":"2025-07-02T18:42:08.000Z","dependencies_parsed_at":"2025-06-17T18:41:42.494Z","dependency_job_id":"dbae506c-c664-4de2-ad57-482c34ee7ec1","html_url":"https://github.com/datum-cloud/auth-provider-zitadel","commit_stats":null,"previous_names":["datum-cloud/auth-provider-zitadel"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/datum-cloud/auth-provider-zitadel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-zitadel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-zitadel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-zitadel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-zitadel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/datum-cloud","download_url":"https://codeload.github.com/datum-cloud/auth-provider-zitadel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datum-cloud%2Fauth-provider-zitadel/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263250591,"owners_count":23437288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-03T03:07:37.507Z","updated_at":"2026-01-07T00:28:18.195Z","avatar_url":"https://github.com/datum-cloud.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Milo Zitadel Auth Provider\n\nAuthentication infrastructure for Milo's business operating system backed by\nZitadel - enabling secure identity management, token generation, and account\nlifecycle management across business entities like users, organizations, and\nmachine accounts.\n\n## Overview\n\nThis project provides the authentication foundation for the [Milo business\noperating system](https://github.com/datum-cloud/milo), which uses Kubernetes\nAPIServer patterns to manage business entities for product-led B2B companies.\nThe auth provider integrates Milo's business APIs with Zitadel's identity and\naccess management platform to handle complex authentication scenarios like:\n\n- *\"How do sales reps securely authenticate to access customer data?\"*\n- *\"How can we manage machine-to-machine authentication for automated\nworkflows?\"*\n- *\"How do we handle user lifecycle management across organizational\n  boundaries?\"*\n\n### Key Capabilities\n\n1. **Identity Management** - Centralized user authentication and identity\n   lifecycle management for Milo resources\n2. **Token Generation \u0026 Validation** - Secure JWT token issuance and validation\n   for API access\n3. **Account Management** - User registration, profile management, and\n   organizational membership handling\n4. **Machine Account Management** - Automated service account creation and\n   credential management for system integrations\n\n## How It Works\n\n1. **Identity Registration**: Users and machine accounts are registered in\n   Zitadel with appropriate organizational context and metadata\n2. **Authentication Flow**: The system handles OAuth2/OIDC flows for user login\n   and machine-to-machine authentication\n3. **Token Management**: Secure JWT tokens are issued with appropriate claims\n   and scopes based on user context and permissions\n4. **Account Lifecycle**: User onboarding, profile updates, and deactivation\n   are managed through Zitadel's APIs\n5. **Machine Account Provisioning**: Key creation and rotation for\n   service accounts used by Milo's internal systems\n6. **Session Management**: Secure session handling with configurable token\n   lifetimes and refresh capabilities\n7. **Integration Bridge**: Seamless integration with Milo's Kubernetes-based\nAPIs\n\n## Zitadel API Server (virtual Sessions)\n\nThis repository includes a small API server that exposes Milo's identity sessions as a Kubernetes-native API under the provider group/version:\n\n- Group/Version: `identity.milo.io/v1alpha1`\n- Resource: `sessions`\n- Scope: cluster-scoped, virtual (no etcd)\n- Types: reuses Milo Identity public `Session` types bound to the provider G/V\n\n### What it does\n\n- Trusts Milo's inbound request headers (X-Remote-User, X-Remote-Group, X-Remote-Uid, etc.)\n- Enforces self-scoping (users only see and act on their own sessions)\n- Proxies list/get/delete to Zitadel Session Service v2 using the official `zitadel-go/v3` SDK\n\n### Deploy\n\nKustomize base manifests live under `config/base/services/apiserver/` and are included in `config/base/kustomization.yaml`.\n\n- Deployment: runs the `apiserver` subcommand from this binary\n- Service: ClusterIP on 443 -\u003e container 8443\n\nEnvironment variables (mounted via Secret/ConfigMap as you prefer):\n\n- `ZITADEL_API`: e.g. `\u003ctenant\u003e.\u003cregion\u003e.zitadel.cloud`\n- `ZITADEL_ISSUER`: e.g. `https://\u003ctenant\u003e.\u003cregion\u003e.zitadel.cloud`\n- `ZITADEL_KEY_PATH`: path to Zitadel machine account JSON key (mounted to the container)\n- `REQUESTHEADER_CLIENT_CA_FILE`: path to PEM CA bundle that signs Milo's client cert\n- `REQUESTHEADER_ALLOWED_NAMES`: allowed CNs for Milo client cert; empty means any signed by CA\n- `REQUESTHEADER_EXTRA_HEADERS_PREFIX`: header name prefixes to determine user extra info\n- `REQUESTHEADER_GROUP_HEADERS`: header names to determine user groups\n- `REQUESTHEADER_USERNAME_HEADERS`: header names to determine user identity\n- `REQUESTHEADER_UID_HEADERS`: header names to determine user UID\n\n### Notes\n\n- The apiserver is stateless and does not use etcd\n- It relies on the core apiserver for authentication and authorization\n- The service user (machine account JSON key) is used to authenticate to Zitadel\n\n## Testing\n\nFollow these steps to run the end-to-end (e2e) tests locally:\n\n1. Create a local Kind cluster:\n\n   ```bash\n   make kind-create\n   ```\n\n2. Run the e2e test suite:\n\n   ```bash\n   make test-e2e\n   ```\n\n3. Inspect the controller logs once the tests have finished:\n\n   ```bash\n   cat test/controller.log\n   ```\n\n## Zitadel Instance Setup\n\n1. Create an Actions V2 target that points to the `create-user-webhook` endpoint:\n\n   `https://localhost:8888/v1/actions/create-user-account`\n\n2. Create an Actions V2 action based on your UI type:\n   - **Zitadel UI**: Configure the event `user.human.selfregistered` with the previously created target\n   - **Zitadel Custom UI**: Configure the event `user.human.added` with the previously created target\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatum-cloud%2Fauth-provider-zitadel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatum-cloud%2Fauth-provider-zitadel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatum-cloud%2Fauth-provider-zitadel/lists"}