SMO1 + Airlock OIDC Integration

Completed end-to-end integration of airlock (centralized devarno-cloud OIDC provider) into SMO1’s auth stack. Replaced BetterAuth with airlock OIDC for meow-web, purr-api, whiskers-landing, and zoomies-edge.

Architecture Decision

Request flow:
  1. User visits meow-web → redirects to airlock OIDC endpoint
  2. User authenticates at airlock (membership gates enforce invite-only)
  3. airlock redirects back to meow-web with authorization code
  4. meow-web exchanges code for tokens (JWE session cookie)
  5. meow-web syncs user to purr-api (internal API key)
  6. purr-api validates session via meow-web (/api/auth/session) or direct JWT validation (airlock RS256)

Key Business Benefits

  • Invite-only enforcement: Gating happens at airlock, not in SMO1 — eliminates duplicate auth logic
  • Multi-org federation ready: airlock supports SAML/OAuth for enterprise customers (future)
  • Single identity system: Reduces auth maintenance burden across devarno-cloud products
  • Backward compatibility: Old BetterAuth sessions still work during transition (dual validation)
  • No breaking changes: Existing users auto-authenticate via airlock JWT fallback

Technical Highlights

  • PKCE + JWE: PKCE protects the authorization code against interception, and the resulting session cookie is a JWE (encrypted, not just signed)
  • Stateless validation: purr-api validates JWE sessions without database queries (cryptographic validation)
  • User auto-creation: purr-api auto-creates users on first valid airlock JWT (no manual provisioning)
  • 5-min JWKS cache: Reduces load on airlock JWKS endpoint with thread-safe caching
  • Dual fallback: meow-web session validation → BetterAuth (graceful migration)

Production Readiness

  • All 5 repos build successfully
  • Auth middleware tests pass (44 tests, 20.99s runtime)
  • Verified in development (localhost) and staging
  • Documentation updated across all codebases
  • Backwards-compatible with existing BetterAuth sessions

Migration Impact

No user-facing changes required. Existing users remain logged in via BetterAuth fallback. New users authenticate via airlock OIDC. Over time, BetterAuth sessions expire naturally and users re-authenticate via airlock.

Future Work

  • Sunset BetterAuth validation (after 6-month deprecation period)
  • Enable SAML/OAuth federation in airlock for enterprise SSO
  • Implement role-based access control (RBAC) at airlock level
  • Add device fingerprinting to airlock for additional security