Gafaelfawr is a FastAPI service for the authorization and management of tokens, including their issuance and revocation. It is deployed via Phalanx.
It is part of the Rubin Science Platform identity management system. The overall design is documented in DMTN-234, and its implementation in DMTN-224. History and decisions made during its development are documented in SQR-069. Read those documents for a more complete picture of how Gafaelfawr fits into a larger identity management system.
Gafaelfawr provides authentication and access control via NGINX's auth_request
directive, and handles integration with an external identity provider (either with GitHub or OpenID Connect).
Authentication sessions and user identity information are stored in Redis.
Token information is stored in a SQL database.
It also provides an API (and currently a UI) to create and manipulate tokens, and a minimal OpenID Connect server to support protected services that only understand OpenID Connect.
For full documentation, see gafaelfawr.lsst.io.
Gafaelfawr is named for Glewlwyd Gafaelfawr, the knight who challenges King Arthur in Pa gur yv y porthaur? and, in later stories, is a member of his court and acts as gatekeeper. Gafaelfawr is pronounced (very roughly) gah-VILE-vahwr. (If you speak Welsh and can provide a better pronunciation guide, please open an issue!)