
Feature/tokensmith auth #86

Open
alexlovelltroy wants to merge 10 commits into main from feature/tokensmith-auth

Conversation

@alexlovelltroy (Member)

Description

This pull request introduces a new, pluggable authentication system for SMD, allowing selection between the legacy JWT backend and a new TokenSmith-based backend. It adds new startup flags and environment variables for authentication configuration, improves logging for authentication failures, and refactors authentication initialization and verification logic for clarity and extensibility. Documentation is updated to describe the new authentication options and runtime behavior.

Authentication system improvements:

  • Adds support for two authentication backends: the existing legacy backend and a new tokensmith backend, selectable via the -auth-backend flag or SMD_AUTH_BACKEND environment variable. The TokenSmith backend validates issuer and audience in addition to JWKS.
  • Introduces new flags and environment variables: -auth-issuer/SMD_AUTH_ISSUER and -auth-audiences/SMD_AUTH_AUDIENCES, required for the TokenSmith backend.
  • Refactors authentication initialization into backend-specific methods, with improved error handling and retry logic.

Middleware and route handling:

  • Refactors route registration to use the new authentication middleware, ensuring protected routes are guarded according to the selected backend.

Verification and claims extraction:

  • Refactors claim and scope extraction to support both backends, improving code clarity and making it easier to add future backends.
  • Extracts scope parsing into a helper function that supports multiple claim formats.

Logging and diagnostics:

  • Adds detailed logging of authentication rejections, including backend, HTTP method, path, remote address, auth header presence, scheme, and (for TokenSmith) expected issuer and audiences.

Documentation and dependencies:

  • Updates documentation to describe the new authentication configuration, runtime controls, and backend options.
  • Updates dependencies, including adding github.com/openchami/tokensmith and updating several libraries.

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.
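As an added illustration of the issuer and audience checks the TokenSmith backend performs on top of JWKS signature verification, and of scope extraction across claim formats (a space-separated string, an array, or the alternative "scp" name), here is example code that is not from this PR or from the tokensmith library; the Claims type, VerifyClaims and the constructed payloads used to exercise it are assumptions:

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Claims: field and claim names are assumptions for illustration, not SMD's or TokenSmith's types.
type Claims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"`   // RFC 7519: a string or an array of strings
	Scope    json.RawMessage `json:"scope"` // "a b" (space separated) or ["a","b"]
	Scp      json.RawMessage `json:"scp"`   // alternative claim name used by some issuers
}

// strList decodes a JSON string (split on spaces when split is set, else one value) or string array.
func strList(raw json.RawMessage, split bool) []string {
	var s string
	if json.Unmarshal(raw, &s) != nil {
		var list []string
		_ = json.Unmarshal(raw, &list) // nil for a missing claim or any other shape
		return list
	}
	if split {
		return strings.Fields(s)
	}
	return []string{s}
}

// VerifyClaims checks an already signature-verified payload (the JWKS check runs
// first) against the configured issuer and audiences and returns the scopes.
func VerifyClaims(payload []byte, issuer string, audiences []string) ([]string, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q is not the expected %q", c.Issuer, issuer)
	}
	aud := strList(c.Audience, false)
	if !slices.ContainsFunc(audiences, func(w string) bool { return slices.Contains(aud, w) }) {
		return nil, fmt.Errorf("audience %s matches none of %v", c.Audience, audiences)
	}
	if s := strList(c.Scope, true); len(s) > 0 {
		return s, nil // "scope" takes precedence over "scp"
	}
	return strList(c.Scp, true), nil
}
```

A token with no aud claim is rejected because nothing can match the configured list, while an empty configured issuer would trivially match a token with no iss; the PR makes both values required for the TokenSmith backend at startup, which this example relies on.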

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…rejections

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…reason classification

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…ware

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…s and platform support

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
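An added example, not code from this PR or from SMD, of the route-guarding middleware and rejection logging listed in the description above: the logged record carries backend, method, path, remote address, header presence and scheme, but never the token value itself. RequireAuth, Rejection and Verifier are illustrative names; the requests the test builds are constructed, not captured.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Rejection carries the fields the PR description lists; the type is illustrative, not SMD's own.
type Rejection struct {
	Backend, Method, Path, RemoteAddr, Scheme, Reason string
	HasAuthHeader                                    bool
}

// Verifier stands in for whichever backend (legacy JWT or TokenSmith) validates the token.
type Verifier func(token string) error

// describeRejection records request context but never the credential: only the scheme word is kept.
func describeRejection(r *http.Request, backend string, err error) Rejection {
	rej := Rejection{Backend: backend, Method: r.Method, Path: r.URL.Path,
		RemoteAddr: r.RemoteAddr, Reason: err.Error()}
	if h := r.Header.Get("Authorization"); h != "" {
		rej.HasAuthHeader = true
		rej.Scheme, _, _ = strings.Cut(h, " ")
	}
	return rej
}

// RequireAuth guards a protected route: on failure it logs a Rejection via logf and answers 401.
func RequireAuth(backend string, verify Verifier, logf func(Rejection), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, token, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		var err error
		switch {
		case scheme == "":
			err = errors.New("missing Authorization header")
		case !strings.EqualFold(scheme, "Bearer") || token == "":
			err = errors.New("expected a Bearer token")
		default:
			err = verify(token)
		}
		if err != nil {
			logf(describeRejection(r, backend, err))
			w.Header().Set("WWW-Authenticate", `Bearer realm="smd"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```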
@davidallendj (Collaborator)

When setting SMD_AUTH_BACKEND=tokensmith, I notice that SMD is still trying to initialize the auth token.

Apr 10 17:01:47 openchami-testing.novalocal smd[3892921]: 2026/04/10 17:01:47.817541 main.go:1058: Initializing authentication with backend "tokensmith"...
Apr 10 17:01:47 openchami-testing.novalocal smd[3892921]: 2026/04/10 17:01:47.820772 main.go:1062: failed to initialize auth token: failed to fetch "http://opaal:3333/key>
Apr 10 17:01:52 openchami-testing.novalocal smd[3892921]: 2026/04/10 17:01:52.824118 main.go:1062: failed to initialize auth token: failed to fetch "http://opaal:3333/key>

Do we still need to set SMD_JWKS_URL to fetch the JWKS with the tokensmith backend?

Comment thread on Dockerfile

COPY smd /
COPY smd-loader /
COPY smd-init /
ARG TARGETPLATFORM

Collaborator

Possibly change to the following where the current directory is the default value

ARG TARGETPLATFORM=.

This allows me to run

make binaries image

Alternately tell me how you build smd.

@shunr-hpe (Collaborator)

I ran the functional tests (CT tests) against these changes and they passed. See the README on how to run these.

The functional tests run against an SMD instance that has done its own discovery, as such, the tests are not as applicable to OpenCHAMI, but it's still nice to see them pass.

The unit tests also passed.


3 participants