LCORE-2503: Added ServiceAccount for rh_identity

[jrobertboos]

Description

Added ServiceAccount for rh_identity as well as updated docs.

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement
• Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: Cursor (Opus 4.6)
• Generated by: Cursor (Opus 4.6)

Related Tickets & Documents

• Related Issue LCORE-2503
• Closes LCORE-2503

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• New Features

  • Added support for ServiceAccount identity type as a third authentication method alongside User and System identities, enabling OAuth service account authentication via JWT.

• Documentation

  • Updated Red Hat Identity authentication documentation to include ServiceAccount identity type specification, validation rules, error responses, and usage examples.

[coderabbitai]

Walkthrough

Adds ServiceAccount as a third supported identity type to the RH Identity authentication module. A new _validate_service_account_fields method validates client_id and username string fields; get_user_id() and get_username() are extended with ServiceAccount branches. Unit tests, integration tests, documentation, and example config are updated to reflect the new type.

Changes

ServiceAccount identity type support

Layer / File(s)	Summary
ServiceAccount validation and extraction in RHIdentityData src/authentication/rh_identity.py	Adds _validate_service_account_fields enforcing presence and string type for service_account.client_id and username; wires into the validation dispatch; extends get_user_id() and get_username() with ServiceAccount branches; updates module, class, and dependency docstrings.
Unit tests for ServiceAccount identity tests/unit/authentication/test_rh_identity.py	Adds service_account_identity_data fixture; covers get_user_id()/get_username() extraction, get_system_id() empty-string, auth-dependency success, validation failures for missing/non-string fields, and a regression test confirming valid data passes.
Integration test for ServiceAccount identity tests/integration/test_rh_identity_integration.py	Adds service_account_identity_json fixture and test_valid_service_account_identity test that sends an encoded ServiceAccount header to GET /api/v1/conversations and asserts status 200 or 404.
Documentation and example updates docs/auth/rh-identity.md, examples/lightspeed-stack-rh-identity.yaml	Adds ServiceAccount identity type definition, extraction rules, example header construction, extended 400 error table, and updates overview text and example YAML comment.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant RHIdentityAuthDependency
  participant RHIdentityData
  participant _validate_service_account_fields

  Client->>RHIdentityAuthDependency: HTTP request with x-rh-identity header
  RHIdentityAuthDependency->>RHIdentityData: decode and parse header
  RHIdentityData->>RHIdentityData: _get_identity_type() → "ServiceAccount"
  RHIdentityData->>_validate_service_account_fields: identity dict
  _validate_service_account_fields-->>RHIdentityData: valid or HTTPException(400)
  RHIdentityData->>RHIdentityData: get_user_id() → service_account.client_id
  RHIdentityData->>RHIdentityData: get_username() → service_account.username
  RHIdentityAuthDependency-->>Client: authenticated user context or 400 error

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

• lightspeed-core/lightspeed-stack#1851: Modifies RHIdentityData.get_username() and System identity validation in the same rh_identity.py file, directly adjacent to the get_username() branching extended in this PR.

Suggested labels

ok-to-test

Suggested reviewers

• tisnik

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding ServiceAccount support to rh_identity authentication, which is the primary focus across all modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jrobertboos]

Please Review:

• @tisnik