# Resources — Authentication & Authorization

High-trust sources only. In-repo anchors are the ground truth for *how this repo does it*; external
links are for *the general technique* the interview will test. Never cite parametric knowledge —
every non-trivial claim in a lesson links here.

## In-repo ground truth (the primary source for every lesson)
- **`reference/repo-auth-map.md`** — the survey map: the auth interceptor, JWT claims, Shamir,
  rbacDecider, the permission/role model, locations & access_paths, RLS, org/resource_path. Start here.
- **Auth interceptor & claims:** `internal/golibs/interceptors/auth.go` — `Auth`, `NewAuth`,
  `UnaryServerInterceptor`; `JWTClaimsFromContext`, `ResourcePathFromContext`, `UserIDFromContext`,
  `UserGroupFromContext`.
- **RBAC:** `cmd/server/<service>/auth.go` — `rbacDecider`, `ignoreAuthEndpoint`, `fakeJwtCtxEndpoint`.
  Roles: `internal/usermgmt/pkg/constant`.
- **Permissions / roles / locations:** `internal/usermgmt/...` + `migrations/*` (the
  `permission`, `role`, `permission_role`, `granted_permission`, `user_group`, `locations`,
  `location_types`, `user_access_paths` tables).
- **RLS:** `internal/golibs/database/pool_gcp.go` (`setPostgres`/`BeforeAcquire`); RLS policies in
  `migrations/*`; `cmd/server/rls_scan`.
- **Shamir (token exchange/verify):** `cmd/server/shamir`, `internal/shamir`.
- **Security rules (in-repo, authoritative):** `.claude/rules/security.md`.

## Authentication — tokens, OIDC, OAuth (official)
- **JWT — RFC 7519** — https://www.rfc-editor.org/rfc/rfc7519 — the token format (header.payload.signature, claims).
- **JWT signing/encryption** — JWS https://www.rfc-editor.org/rfc/rfc7515 · JWE https://www.rfc-editor.org/rfc/rfc7516.
- **OpenID Connect Core 1.0** — https://openid.net/specs/openid-connect-core-1_0.html — the identity layer on OAuth 2.0; ID Token is always a JWT.
- **OAuth 2.0 (RFC 6749)** — https://www.rfc-editor.org/rfc/rfc6749 — authorization framework; access tokens are format-free.
- **JWT profile for OAuth 2.0 access tokens — RFC 9068** — https://www.rfc-editor.org/rfc/rfc9068 — the standard shape when access tokens are JWTs.
- **OAuth 2.0 Token Exchange — RFC 8693** — https://www.rfc-editor.org/rfc/rfc8693 — the STS pattern behind `ExchangeToken`; `act`/`may_act` claims, delegation vs impersonation.
- **ID token vs access token** — https://auth0.com/blog/id-token-access-token-what-is-the-difference/ — "who you are" vs "what you may access."
- **Validating an ID token** — https://curity.io/resources/learn/validating-an-id-token/ — signature, issuer, audience, expiry checks.

## Authentication — Firebase / Google Identity Platform (official)
- **Verify ID tokens** — https://firebase.google.com/docs/auth/admin/verify-id-tokens — third-party verification, JWKS, RS256.
- **Custom claims & authorization** — https://firebase.google.com/docs/auth/admin/custom-claims — putting roles/tenant into the token (the model this repo's `Manabie` claim follows).
- **Identity Platform — custom claims** — https://cloud.google.com/identity-platform/docs/how-to-configure-custom-claims
- **Identity Platform — custom tokens** — https://cloud.google.com/identity-platform/docs/admin/create-custom-tokens
- JWKS URI (Firebase/Identity Platform): `https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com` (RS256).

## Authorization — RBAC, ABAC (official / high-trust)
- **NIST RBAC** — https://csrc.nist.gov/projects/role-based-access-control — Flat / Hierarchical / Constrained RBAC, the standard model.
- **NIST ABAC (SP 800-162)** — https://csrc.nist.gov/pubs/sp/800/162/upd2/final — attribute-based access control, the more granular model.
- **RBAC vs ABAC** — https://www.onelogin.com/learn/rbac-vs-abac — roles vs attributes; where each fits (this repo blends both).

## Authorization — Postgres Row-Level Security & multi-tenancy (official / high-trust)
- **Postgres — Row Security Policies** — https://www.postgresql.org/docs/current/ddl-rowsecurity.html — `CREATE POLICY`, `ENABLE ROW LEVEL SECURITY`, `USING`/`WITH CHECK`.
- **Postgres — set_config / current_setting** — https://www.postgresql.org/docs/current/functions-admin.html#FUNCTIONS-ADMIN-SET — the session-variable mechanism RLS reads.
- **Multi-tenant RLS (AWS)** — https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/ — tenant-context-at-runtime pattern; the pooler `SET LOCAL` gotcha; table-owner-bypass gotcha.
- **RLS for tenants (Crunchy Data)** — https://www.crunchydata.com/blog/row-level-security-for-tenants-in-postgres — worked example reading a runtime setting.

## Hierarchies — locations & access_paths (high-trust)
- **Storing hierarchical data** — https://www.sitepoint.com/hierarchical-data-database/ — adjacency list vs materialized path vs nested set vs closure table.
- **Materialized path** — https://bojanz.wordpress.com/2014/04/25/storing-hierarchical-data-materialized-path/ — the "1/3/3.2" string-path model that `access_path` follows; `LIKE 'prefix%'` subtree queries.

## Community (wisdom — test your understanding on real people)
- **r/AskNetsec / r/netsec** — https://www.reddit.com/r/AskNetsec/ — auth design, JWT pitfalls, RLS-vs-app-layer debates.
- **Stack Exchange — Information Security** — https://security.stackexchange.com/ — high-signal Q&A on token validation, RBAC/ABAC, tenant isolation.
- **r/PostgreSQL** — https://www.reddit.com/r/PostgreSQL/ — RLS policy design and performance in anger.

## The interview angle
- Staples worth rehearsing against this repo's code: authN vs authZ; how a JWT is validated (sig,
  iss, aud, exp); RBAC vs ABAC and where each applies; how RLS enforces tenancy at the DB vs the app
  layer; defense-in-depth (interceptor + service check + RLS); the "confused deputy" / service-to-
  service auth problem. Ground each in a real file here rather than a toy example.
