feat(identity): implement UserIdentities dynamic REST API in Milo #472
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add UserIdentities REST storage and dynamic provider to enable centralized RBAC and audit logging through Milo API server. This implementation mirrors the existing Sessions architecture, proxying requests to auth-provider-zitadel with user impersonation via X-Remote-* headers. Changes: - Add REST storage backend for UserIdentities resource - Implement DynamicProvider with mTLS and impersonation support - Register UserIdentities in identity storage provider - Add CLI flags and configuration for provider connection - Update deployment manifests with UserIdentities env vars - Add README documentation for virtual API architecture This ensures UserIdentities follows the same architectural pattern as Sessions, providing consistent RBAC enforcement and audit trail across all identity APIs.
Contributor
scotwells
previously approved these changes
Jan 8, 2026
…eProvider Fix crash caused by registering two separate StorageProviders for the same API group (identity.miloapis.com/v1alpha1). Now both Sessions and UserIdentities backends are initialized within a single StorageProvider, preventing the duplicate root path conflict. This resolves the CrashLoopBackOff issue in staging where the API server was exiting with code 1 due to conflicting WebService registrations.
OscarLlamas6
dismissed stale reviews from JoseSzycho and scotwells
via
b0c83a8
Contributor
|
Tested on staging, API is working correctly. |
JoseSzycho
approved these changes
Jan 9, 2026
scotwells
approved these changes
Jan 9, 2026
Contributor
scotwells
left a comment
scotwells
left a comment
There was a problem hiding this comment.
@OscarLlamas6 can you take an action item to get automated tests in place for this?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add UserIdentities REST storage and dynamic provider to enable centralized RBAC and audit logging through Milo API server. This implementation mirrors the existing Sessions architecture, proxying requests to auth-provider-zitadel with user impersonation via X-Remote-* headers.
Changes:
This ensures UserIdentities follows the same architectural pattern as Sessions, providing consistent RBAC enforcement and audit trail across all identity APIs.