gooddata
diff --git a/‎README.md‎
Lines changed: 24 additions & 0 deletions b/‎README.md‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationProcessor.kt‎
Lines changed: 122 additions & 0 deletions b/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationProcessor.kt‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationToken.kt‎
Lines changed: 43 additions & 0 deletions b/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationToken.kt‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationWebFilter.kt‎
Lines changed: 103 additions & 0 deletions b/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextAuthenticationWebFilter.kt‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextHeaderProcessor.kt‎
Lines changed: 57 additions & 0 deletions b/‎gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextHeaderProcessor.kt‎
Lines changed: 57 additions & 0 deletions
@@ -74,6 +74,30 @@ root@a45628275f4a:/# ./tinkey create-keyset --key-template AES256_GCM
 }
 ```
 
+### Call Context Authentication
+
+In addition to OIDC/OAuth2 and Bearer token authentication, the library supports **call context authentication** 
+for service-to-service communication. This mechanism is designed for scenarios where authentication has already 
+been performed by an upstream service (e.g., an API gateway).
+
+Key characteristics:
+* Authentication information is passed via a custom HTTP header
+* No re-authentication or metadata lookups are performed (trusts upstream validation)
+* Takes precedence over Bearer token authentication when the call context header is present
+* Requires implementing [CallContextHeaderProcessor](gooddata-server-oauth2-autoconfigure/src/main/kotlin/CallContextHeaderProcessor.kt)
+  interface to parse the application-specific header format
+
+#### Security Considerations
+
+**Critical**: This authentication mode bypasses normal security checks and trusts the upstream service completely.
+Implementations must ensure:
+
+* **Gateway-level protection**: The API gateway **must** strip/discard the call context header from all external 
+  requests. This is the primary security control.
+* **Network segmentation**: Services using this feature should not be directly accessible from untrusted networks.
+  Deploy behind a properly configured API gateway or service mesh.
+* **Audit logging**: All call context authentications should be logged for security monitoring and incident response.
+
 ### HTTP endpoints
 
 * **any resource** behind authentication
 
@@ -0,0 +1,122 @@
+/*
+ * Copyright 2025 GoodData Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gooddata.oauth2.server
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import org.springframework.web.server.ServerWebExchange
+import org.springframework.web.server.WebFilterChain
+import reactor.core.publisher.Mono
+
+private val logger = KotlinLogging.logger {}
+
+/**
+ * Context data needed to create a user context.
+ */
+private data class UserContextData(
+    val organizationId: String,
+    val userId: String,
+    val userName: String?,
+    val tokenId: String?,
+    val authMethod: AuthMethod?,
+    val accessToken: String?
+)
+
+/**
+ * Processes [CallContextAuthenticationToken] and creates user context from call context data.
+ *
+ * Unlike other authentication processors, this does NOT fetch organization/user from the authentication store
+ * because call context authentication represents requests that have already been authenticated by an upstream
+ * service. The upstream service has already validated credentials, checked for global logout, and verified
+ * organization/user existence.
+ *
+ * This processor delegates header parsing to [CallContextHeaderProcessor] implementation.
+ */
+class CallContextAuthenticationProcessor(
+    private val headerProcessor: CallContextHeaderProcessor,
+    private val userContextProvider: ReactorUserContextProvider
+) : AuthenticationProcessor<CallContextAuthenticationToken>(userContextProvider) {
+
+    override fun authenticate(
+        authenticationToken: CallContextAuthenticationToken,
+        exchange: ServerWebExchange,
+        chain: WebFilterChain
+    ): Mono<Void> {
+        return try {
+            val authDetails = headerProcessor.parseCallContextHeader(authenticationToken.callContextHeaderValue)
+
+            val organizationId = authDetails[CallContextKeys.ORGANIZATION_ID]
+                ?: throw CallContextAuthenticationException("Missing organization ID in call context")
+            val userId = authDetails[CallContextKeys.USER_ID]
+                ?: throw CallContextAuthenticationException("Missing user ID in call context")
+            val authMethodStr = authDetails[CallContextKeys.AUTH_METHOD]
+                ?: throw CallContextAuthenticationException("Missing authentication method in call context")
+
+            val tokenId = authDetails[CallContextKeys.TOKEN_ID]
+
+            val authMethod = try {
+                AuthMethod.valueOf(authMethodStr)
+            } catch (e: IllegalArgumentException) {
+                logger.error {
+                    "Invalid authMethod '$authMethodStr' in CallContext header. " +
+                        "Valid values: ${AuthMethod.entries.joinToString { it.name }}. "
+                }
+                throw CallContextAuthenticationException(
+                    "Invalid authentication method in call context"
+                )
+            }
+
+            logger.info {
+                "Processed authenticated Call context: org=$organizationId, user=$userId, method=${authMethod.name}"
+            }
+
+            val userContextData = UserContextData(
+                organizationId = organizationId,
+                userId = userId,
+                userName = null,
+                tokenId = tokenId,
+                authMethod = authMethod,
+                accessToken = null
+            )
+            withUserContext(userContextData) {
+                chain.filter(exchange)
+            }
+        } catch (e: CallContextAuthenticationException) {
+            val remoteAddress = exchange.request.remoteAddress?.address?.hostAddress
+            logger.error { "Call context authentication failed from $remoteAddress" }
+            Mono.error(e)
+        } catch (@Suppress("TooGenericExceptionCaught") e: Exception) {
+            // Must catch all exceptions to prevent auth chain disruption
+            logger.error(e) { "Unexpected error during call context authentication" }
+            Mono.error(CallContextAuthenticationException("Authentication failed", e))
+        }
+    }
+
+    private fun <T> withUserContext(
+        userContextData: UserContextData,
+        monoProvider: () -> Mono<T>
+    ): Mono<T> {
+        val contextView = userContextProvider.getContextView(
+            organizationId = userContextData.organizationId,
+            userId = userContextData.userId,
+            userName = userContextData.userName,
+            tokenId = userContextData.tokenId,
+            authMethod = userContextData.authMethod,
+            accessToken = userContextData.accessToken
+        )
+
+        return monoProvider().contextWrite(contextView)
+    }
+}
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2025 GoodData Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gooddata.oauth2.server
+
+import org.springframework.security.authentication.AbstractAuthenticationToken
+
+/**
+ * Authentication token created from call context header.
+ *
+ * This represents authentication that has already been validated by an upstream service.
+ * The call context header can only come from trusted internal services.
+ *
+ * @property callContextHeaderValue The raw call context header value
+ */
+class CallContextAuthenticationToken(
+    val callContextHeaderValue: String
+) : AbstractAuthenticationToken(emptyList()) {
+
+    init {
+        // Mark as authenticated since upstream service already validated
+        isAuthenticated = true
+    }
+
+    override fun getCredentials(): Any? = null
+
+    override fun getPrincipal(): String = callContextHeaderValue
+
+    override fun toString(): String =
+        "CallContextAuthenticationToken[headerPresent=true]"
+}
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2025 GoodData Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gooddata.oauth2.server
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import org.springframework.security.core.context.ReactiveSecurityContextHolder
+import org.springframework.security.core.context.SecurityContextImpl
+import org.springframework.web.server.ServerWebExchange
+import org.springframework.web.server.WebFilter
+import org.springframework.web.server.WebFilterChain
+import reactor.core.publisher.Mono
+
+private val logger = KotlinLogging.logger {}
+
+/**
+ * Validates that the authentication details map contains all required fields for CallContext authentication.
+ *
+ * @param authDetails Map of authentication details from the header processor
+ * @return true if all required fields are present and non-null, false otherwise
+ */
+internal fun hasRequiredCallContextFields(authDetails: Map<String, String?>): Boolean {
+    return authDetails[CallContextKeys.USER_ID] != null &&
+        authDetails[CallContextKeys.ORGANIZATION_ID] != null &&
+        authDetails[CallContextKeys.AUTH_METHOD] != null
+}
+
+/**
+ * WebFilter that detects call context header and creates Spring Security authentication.
+ *
+ * This filter runs before the main authentication filters and takes precedence over Bearer token
+ * authentication when the call context header is present AND contains user information.
+ * The call context header should only come from trusted internal services.
+ *
+ * If the header is present with user info, it creates a [CallContextAuthenticationToken] that will be processed
+ * by [CallContextAuthenticationProcessor].
+ * If the header is absent or has no user info, the request continues to other authentication mechanisms.
+ */
+class CallContextAuthenticationWebFilter(
+    private val headerProcessor: CallContextHeaderProcessor?
+) : WebFilter {
+
+    override fun filter(exchange: ServerWebExchange, chain: WebFilterChain): Mono<Void> {
+        val callContextHeader = exchange.request.headers.getFirst(CALL_CONTEXT_HEADER_NAME)
+
+        // If no header or no processor, skip CallContext authentication
+        if (callContextHeader == null || headerProcessor == null) {
+            return chain.filter(exchange)
+        }
+
+        // Check if the CallContext has user information before creating an authentication token
+        return try {
+            val authDetails = headerProcessor.parseCallContextHeader(callContextHeader)
+
+            // Only proceed with CallContext authentication if there's user AND organization info
+            if (hasRequiredCallContextFields(authDetails)) {
+                val remoteHost = exchange.request.remoteAddress?.address?.hostAddress ?: "unknown"
+                logger.info {
+                    "Call context authentication initiated from $remoteHost"
+                }
+
+                val authToken = CallContextAuthenticationToken(callContextHeader)
+                val securityContext = SecurityContextImpl(authToken)
+
+                chain.filter(exchange)
+                    .contextWrite(
+                        ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext))
+                    )
+            } else {
+                // CallContext has no user info, skip and let the regular authentication chain handle it
+                chain.filter(exchange)
+            }
+        } catch (@Suppress("TooGenericExceptionCaught") e: Exception) {
+            // Must catch all exceptions for graceful fallback to normal auth
+            val remoteHost = exchange.request.remoteAddress?.address?.hostAddress
+            logger.warn(e) {
+                "Failed to parse CallContext header from $remoteHost, " +
+                    "falling back to normal authentication chain"
+            }
+            chain.filter(exchange)
+        }
+    }
+}
+
+/**
+ * Exception thrown when CallContext authentication fails.
+ */
+class CallContextAuthenticationException(
+    message: String,
+    cause: Throwable? = null
+) : RuntimeException(message, cause)
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2025 GoodData Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gooddata.oauth2.server
+
+/**
+ * Interface for processing call context headers from internal service-to-service calls.
+ *
+ * Implementations should parse the call context header and extract authentication
+ * information that has already been validated by an upstream service.
+ *
+ * The implementation should be provided by the application using this library.
+ */
+fun interface CallContextHeaderProcessor {
+
+    /**
+     * Parses the call context header value and returns a map of authentication details.
+     *
+     * The returned map should contain keys defined in [CallContextKeys]:
+     * - [CallContextKeys.ORGANIZATION_ID] (required): The organization ID
+     * - [CallContextKeys.USER_ID] (required): The user ID
+     * - [CallContextKeys.AUTH_METHOD] (required): The authentication method (e.g., "API_TOKEN", "OIDC", "JWT")
+     * - [CallContextKeys.TOKEN_ID] (optional): The token ID if applicable
+     *
+     * @param headerValue The header value (typically Base64-encoded)
+     * @return Map containing authentication details, or empty map if the header has no user or organization information
+     *         (which signals that CallContext authentication should be skipped)
+     */
+    fun parseCallContextHeader(headerValue: String): Map<String, String?>
+}
+
+/**
+ * Standard keys for the map returned by [CallContextHeaderProcessor.parseCallContextHeader].
+ */
+object CallContextKeys {
+    const val ORGANIZATION_ID = "organizationId"
+    const val USER_ID = "userId"
+    const val AUTH_METHOD = "authMethod"
+    const val TOKEN_ID = "tokenId"
+}
+
+/**
+ * The name of the HTTP header used to convey call context information in API calls across backend services.
+ */
+const val CALL_CONTEXT_HEADER_NAME = "X-GDC-CALL-CONTEXT"