feat(authz): move DPoP enforcement into dpop.enforce config (DSPX-3397)

[dmihalcik-virtru]

Summary

Part of DSPX-3397. Consolidates DPoP config: enforcement lived at the top of the auth block (server.auth.enforceDPoP) while every other DPoP knob is nested under server.auth.dpop. This adds server.auth.dpop.enforce and deprecates the old top-level field.

Stacked PR: based on DSPX-3397-platform-service-part-2 (#3665), not main. GitHub will retarget this to main once that merges. Review only the latest commit here.

Changes

• config.go: add DPoPConfig.Enforce; deprecate AuthNConfig.EnforceDPoP; add dpopEnforced() helper (DPoP.Enforce || EnforceDPoP); update validation warnings.
• authn.go: NewAuthenticator uses cfg.dpopEnforced().
• server.go: warning strings reference server.auth.dpop.enforce.
• Example configs + docs/Configuring.md: nested dpop.enforce form; testdata/all-no-config.yaml intentionally left on the legacy key for backward-compat parse coverage.
• Tests migrated to DPoP.Enforce + new TestDPoPEnforcement_Migration.

Backward compatibility

Both fields are defaulted bools, so mapstructure can't tell "explicitly false" from "unset"; enforcement therefore uses OR semantics (on if either field is true) and validation warns when the deprecated field is set. The deprecated field keeps working during the migration window.

Testing

• go test ./service/internal/auth/... passes (incl. the migration test).
• golangci-lint adds no new issues.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1fe3ce86-33d5-46ac-8b58-6ad3f71c8bed

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-3397-platform-service-part-3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request consolidates DPoP-related configuration settings by moving the enforcement toggle into the existing dpop configuration block. This change improves configuration consistency while maintaining backward compatibility for existing deployments by supporting both the new and deprecated fields during a transition period.

Highlights

• Configuration Consolidation: Moved DPoP enforcement configuration from the top-level server.auth.enforceDPoP to the nested server.auth.dpop.enforce field.
• Backward Compatibility: Implemented OR-based logic in dpopEnforced() to ensure the deprecated enforceDPoP field remains functional during the migration period.
• Documentation and Logging: Updated documentation, example configuration files, and warning logs to reflect the new configuration structure.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

A setting moved to a new home, Where DPoP logic starts to roam. Old keys still work, a bridge we keep, While code evolves and secrets sleep.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request migrates the configuration option server.auth.enforceDPoP to server.auth.dpop.enforce. It deprecates the old option while maintaining backward compatibility by enforcing DPoP if either field is set to true. Updates have been applied across documentation, configuration YAML files, authentication logic, and unit tests. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	246.827696ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	107.797228ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	583.809826ms
Throughput	171.29 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	45.24342319s
Average Latency	450.857693ms
Throughput	110.51 requests/second

[github-actions]

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

• examples
• otdfctl
• sdk
• service
• lib/fixtures
• tests-bdd

See the workflow run for details.

[github-actions]

X-Test Results

✅ go@pull-3666-main
✅ go@main-pull-3666
✅ go@main-main
✅ go@pull-3666-pull-3666
✅ go@main-v0.9.0
bats-test-results
✅ go@pull-3666-v0.9.0
✅ java@main-pull-3666
✅ java@main-main
✅ java@main-v0.9.0
✅ js@main-pull-3666
✅ js@main-main
✅ js@main-v0.9.0
cukes-report
opentdfplatform0UKIXR.dockerbuild
govulncheck-failure-0
govulncheck-failure-3
govulncheck-failure-5
govulncheck-failure-2
govulncheck-failure-8
govulncheck-failure-1