feldera
diff --git a/‎.github/workflows/test-integration-platform.yml‎
Lines changed: 50 additions & 0 deletions b/‎.github/workflows/test-integration-platform.yml‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 51 additions & 4 deletions b/‎CLAUDE.md‎
Lines changed: 51 additions & 4 deletions
diff --git a/‎crates/pipeline-manager/src/api/endpoints/config.rs‎
Lines changed: 56 additions & 2 deletions b/‎crates/pipeline-manager/src/api/endpoints/config.rs‎
Lines changed: 56 additions & 2 deletions
diff --git a/‎crates/pipeline-manager/src/api/main.rs‎
Lines changed: 19 additions & 2 deletions b/‎crates/pipeline-manager/src/api/main.rs‎
Lines changed: 19 additions & 2 deletions
@@ -59,6 +59,14 @@ jobs:
     if: ${{ !contains(vars.CI_SKIP_JOBS, 'manager-https') }}
     name: Make sure manager runs with HTTPS
     runs-on: ubuntu-latest-amd64
+
+    # Environment variables for OIDC authentication (if available)
+    env:
+      OIDC_TEST_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+      OIDC_TEST_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+      OIDC_TEST_CLIENT_SECRET: ${{ secrets.OIDC_TEST_CLIENT_SECRET }}
+      OIDC_TEST_USERNAME: ${{ secrets.OIDC_TEST_USERNAME }}
+      OIDC_TEST_PASSWORD: ${{ secrets.OIDC_TEST_PASSWORD }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -85,6 +93,11 @@ jobs:
             --health-retries=5 \
             --mount type=bind,src=./test-tls,dst=/home/ubuntu/test-tls,readonly \
             -p 8080:8080 \
+            -e AUTH_PROVIDER="${{ vars.OIDC_TEST_ISSUER && 'generic-oidc' || 'none' }}" \
+            -e AUTH_CLIENT_ID="${{ vars.OIDC_TEST_CLIENT_ID }}" \
+            -e AUTH_ISSUER="${{ vars.OIDC_TEST_ISSUER }}" \
+            -e RUST_LOG=info \
+            -e RUST_BACKTRACE=1 \
             ${{ vars.FELDERA_IMAGE_NAME }}:sha-${{ github.sha }} \
             --enable-https \
             --https-tls-cert-path /home/ubuntu/test-tls/tls_test.crt \
@@ -115,6 +128,12 @@ jobs:
           FELDERA_HOST: https://localhost:8080
           PYTHONPATH: ${{ github.workspace }}/python
           IN_CI: 1 # We use this flag to skip some kafka tests in the python code base
+          # OIDC environment variables for authentication
+          OIDC_TEST_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+          OIDC_TEST_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+          OIDC_TEST_CLIENT_SECRET: ${{ secrets.OIDC_TEST_CLIENT_SECRET }}
+          OIDC_TEST_USERNAME: ${{ secrets.OIDC_TEST_USERNAME }}
+          OIDC_TEST_PASSWORD: ${{ secrets.OIDC_TEST_PASSWORD }}
       - name: Logs & Cleanup
         if: always()
         run: |
@@ -137,11 +156,26 @@ jobs:
           #  target: aarch64-unknown-linux-gnu
     runs-on: ${{ matrix.runner }}
 
+    # Environment variables for OIDC authentication (if available)
+    env:
+      OIDC_TEST_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+      OIDC_TEST_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+      OIDC_TEST_CLIENT_SECRET: ${{ secrets.OIDC_TEST_CLIENT_SECRET }}
+      OIDC_TEST_USERNAME: ${{ secrets.OIDC_TEST_USERNAME }}
+      OIDC_TEST_PASSWORD: ${{ secrets.OIDC_TEST_PASSWORD }}
+
     container:
       image: ghcr.io/feldera/feldera-dev:sha-9a54a381bb958ba78da125976a2f7731db3d7a4f
     services:
       pipeline-manager:
         image: ${{ vars.FELDERA_IMAGE_NAME }}:sha-${{ github.sha }}
+        env:
+          # Configure OIDC authentication if available, otherwise use no auth
+          AUTH_PROVIDER: ${{ vars.OIDC_TEST_ISSUER && 'generic-oidc' || 'none' }}
+          AUTH_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+          AUTH_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+          RUST_LOG: info
+          RUST_BACKTRACE: 1
         options: >-
           --health-cmd "curl --fail --request GET --url http://localhost:8080/healthz || exit 1"
           --health-interval 10s
@@ -152,6 +186,16 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Check OIDC configuration and connectivity
+        if: vars.OIDC_TEST_ISSUER != '' && vars.OIDC_TEST_CLIENT_ID != ''
+        run: |
+          echo "OIDC configuration detected, verifying connectivity..."
+          echo "Testing OIDC discovery endpoint: ${{ vars.OIDC_TEST_ISSUER }}"
+          ISSUER_URL="${{ vars.OIDC_TEST_ISSUER }}"
+          ISSUER_URL="${ISSUER_URL%/}" # Strip trailing slash
+          curl -f -s "${ISSUER_URL}/.well-known/openid-configuration" > /dev/null
+          echo "OIDC discovery endpoint is accessible"
+
       - name: Validate and run packaged demos
         if: ${{ vars.CI_DRY_RUN != 'true' }}
         run: |
@@ -170,3 +214,9 @@ jobs:
           PYTHONPATH: ${{ github.workspace }}/python
           IN_CI: 1 # We use this flag to skip some kafka tests in the python code base
           FELDERA_HTTPS_TLS_CERT: /home/ubuntu/test-tls/tls_test.crt
+          # OIDC environment variables for authentication
+          OIDC_TEST_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+          OIDC_TEST_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+          OIDC_TEST_CLIENT_SECRET: ${{ secrets.OIDC_TEST_CLIENT_SECRET }}
+          OIDC_TEST_USERNAME: ${{ secrets.OIDC_TEST_USERNAME }}
+          OIDC_TEST_PASSWORD: ${{ secrets.OIDC_TEST_PASSWORD }}
@@ -6652,6 +6652,10 @@ POST   /api/pipelines          - Create pipeline
 GET    /api/pipelines/{id}     - Get pipeline details
 PATCH  /api/pipelines/{id}     - Update pipeline
 DELETE /api/pipelines/{id}     - Delete pipeline
+
+GET    /v0/config              - Get configuration (includes tenant info)
+GET    /config/authentication  - Get authentication provider configuration
+GET    /config/demos           - Get list of available demos
 ```
 
 #### Pipeline Lifecycle
@@ -6673,10 +6677,53 @@ GET  /api/pipelines/{id}/stats    - Get runtime statistics
 
 ### Authentication System
 
-- **JWT Tokens**: Stateless authentication
-- **API Keys**: Service-to-service authentication
-- **Multi-tenant**: Tenant isolation and resource management
-- **RBAC**: Role-based access control
+The pipeline-manager supports multiple authentication providers through a unified OIDC/OAuth2 framework:
+
+#### **Supported Providers**
+- **None**: No authentication (development/testing)
+- **AWS Cognito**
+- **Generic OIDC** - Okta
+
+#### **Authentication Mechanisms**
+- **OIDC Tokens**: OIDC-compliant Access token validation with RS256 signature verification
+- **API Keys**: User-generated keys that
+
+Authentication of HTTP API requests is performed through Authorization header via `Bearer <token>` value
+
+Additional features:
+- JWK Caching: Automatic public key fetching and caching from provider endpoints
+- Bearer Token Authorization: Client sends Access OIDC token as Bearer token; all claims (tenant, groups, etc.) are extracted from this Access token
+
+#### **Configuration**
+```bash
+# Environment variables for OIDC providers
+AUTH_ISSUER=https://your-domain.okta.com/oauth2/<custom-auth-server-id>
+AUTH_CLIENT_ID=your-client-id
+
+# For AWS Cognito (additional variables)
+AWS_COGNITO_LOGIN_URL=https://your-domain.auth.region.amazoncognito.com/login
+AWS_COGNITO_LOGOUT_URL=https://your-domain.auth.region.amazoncognito.com/logout
+```
+
+#### **Authorization mechanisms**
+
+The authentication system supports flexible tenant assignment strategies across all supported OIDC providers (AWS Cognito, Okta):
+
+**Tenant Assignment Strategies:**
+- `--individual-tenant` (default: true) - Creates individual tenants based on user's `sub` claim
+- `--issuer-tenant` (default: false) - Derives tenant name from auth issuer hostname (e.g., `company.okta.com`)
+- Custom `tenant` claim - enabled by default - If present in OIDC Access token is used to directly determine the authorized tenant
+
+**Tenant Resolution Priority (all providers):**
+1. `tenant` claim (explicit tenant assignment via OIDC provider)
+2. Issuer domain extraction (when `--issuer-tenant` enabled)
+3. User `sub` claim (when `--individual-tenant` enabled)
+
+**Group-based authorization**
+If --authorized_groups is configured the user has to have at least one of these groups in `groups` claim of OIDC Access Token
+
+#### **Enterprise Features**
+- **Fault tolerance**: Mechanism to recover from a crash by making periodic checkpoints, identifying and replaying lost state
 
 ## Development Workflow
 
 
@@ -1,10 +1,16 @@
 // Configuration API to retrieve the current authentication configuration and list of demos
-use actix_web::{get, web::Data as WebData, HttpRequest, HttpResponse};
+use actix_web::{
+    get,
+    web::{Data as WebData, ReqData},
+    HttpRequest, HttpResponse,
+};
 use feldera_types::license::DisplaySchedule;
 use serde::Serialize;
 use utoipa::ToSchema;
 
 use crate::api::main::ServerState;
+use crate::db::storage::Storage;
+use crate::db::types::tenant::TenantId;
 use crate::error::ManagerError;
 use crate::license::{LicenseCheck, LicenseValidity};
 use crate::unstable_features;
@@ -140,7 +146,8 @@ impl Configuration {
 #[get("/config")]
 pub(crate) async fn get_config(
     state: WebData<ServerState>,
-    _req: HttpRequest,
+    _client: WebData<awc::Client>,
+    _tenant_id: ReqData<TenantId>,
 ) -> Result<HttpResponse, ManagerError> {
     let config = Configuration::gather(&state).await;
     Ok(HttpResponse::Ok().json(config))
@@ -195,5 +202,52 @@ pub(crate) async fn get_config_demos(
     Ok(HttpResponse::Ok().json(&state.demos))
 }
 
+#[derive(Serialize, ToSchema)]
+pub(crate) struct SessionInfo {
+    /// Current user's tenant ID
+    pub tenant_id: TenantId,
+    /// Current user's tenant name
+    pub tenant_name: String,
+}
+
+impl SessionInfo {
+    pub(crate) async fn gather(state: &ServerState, tenant_id: TenantId) -> Self {
+        let db = state.db.lock().await;
+        let tenant_name = db
+            .get_tenant_name(tenant_id)
+            .await
+            .unwrap_or_else(|_| "unknown".to_string());
+
+        SessionInfo {
+            tenant_id,
+            tenant_name,
+        }
+    }
+}
+
+/// Retrieve current session information.
+#[utoipa::path(
+    context_path = "/v0",
+    security(("JSON web token (JWT) or API key" = [])),
+    responses(
+        (status = OK
+            , description = "The response body contains current session information including tenant details."
+            , content_type = "application/json"
+            , body = SessionInfo),
+        (status = INTERNAL_SERVER_ERROR
+            , description = "Request failed."
+            , body = ErrorResponse),
+    ),
+    tag = "Configuration"
+)]
+#[get("/config/session")]
+pub(crate) async fn get_config_session(
+    state: WebData<ServerState>,
+    tenant_id: ReqData<TenantId>,
+) -> Result<HttpResponse, ManagerError> {
+    let session_info = SessionInfo::gather(&state, *tenant_id).await;
+    Ok(HttpResponse::Ok().json(session_info))
+}
+
 #[derive(Serialize, ToSchema)]
 pub(crate) struct EmptyResponse {}
@@ -218,6 +218,7 @@ It contains the following fields:
         // Configuration
         endpoints::config::get_config_authentication,
         endpoints::config::get_config_demos,
+        endpoints::config::get_config_session,
         endpoints::config::get_config,
 
         // Metrics
@@ -230,14 +231,18 @@ It contains the following fields:
         // Authentication
         crate::auth::AuthProvider,
         crate::auth::ProviderAwsCognito,
-        crate::auth::ProviderGoogleIdentity,
+        crate::auth::ProviderGenericOidc,
 
         // Common
         crate::db::types::version::Version,
+        crate::db::types::tenant::TenantId,
+        crate::license::DisplaySchedule,
+        crate::license::LicenseInformation,
         crate::license::LicenseValidity,
         crate::api::endpoints::config::UpdateInformation,
         crate::api::endpoints::config::Configuration,
         crate::api::endpoints::config::BuildInformation,
+        crate::api::endpoints::config::SessionInfo,
 
         // Pipeline
         crate::db::types::pipeline::PipelineId,
@@ -490,6 +495,7 @@ fn api_scope() -> Scope {
         // Configuration endpoints
         .service(endpoints::config::get_config)
         .service(endpoints::config::get_config_demos)
+        .service(endpoints::config::get_config_session)
         // Metrics of all pipelines belonging to this tenant
         .service(endpoints::metrics::get_metrics)
         // Cluster health check
@@ -643,7 +649,18 @@ pub async fn run(
     let auth_configuration = match api_config.auth_provider {
         crate::config::AuthProviderType::None => None,
         crate::config::AuthProviderType::AwsCognito => Some(crate::auth::aws_auth_config()),
-        crate::config::AuthProviderType::GoogleIdentity => Some(crate::auth::google_auth_config()),
+        crate::config::AuthProviderType::GenericOidc => {
+            match crate::auth::generic_oidc_auth_config(&api_config).await {
+                Ok(config) => Some(config),
+                Err(e) => {
+                    error!("Failed to configure generic OIDC authentication: {}", e);
+                    return Err(anyhow::anyhow!(
+                        "Authentication configuration failed: {}",
+                        e
+                    ));
+                }
+            }
+        }
     };
     let server = match auth_configuration {
         // We instantiate an awc::Client that can be used if the api-server needs to