feat(validator): parse and expose On-Behalf-Of Token Exchange claims (RFC 8693)#407
Open
developerkunal wants to merge 2 commits into
Open
feat(validator): parse and expose On-Behalf-Of Token Exchange claims (RFC 8693)#407developerkunal wants to merge 2 commits into
developerkunal wants to merge 2 commits into
Conversation
…(RFC 8693) Add first-class validation support for tokens issued via On-Behalf-Of / Token Exchange (RFC 8693). RegisteredClaims now includes the act (actor) chain, azp, org_id, and org_name, populated automatically during validation. Add ValidatedClaims helpers CurrentActor(), DelegationChain(), and HasActor() that distinguish the current actor (for authorization, per RFC 8693 §4.1) from the informational delegation chain (for audit). Reject delegation chains deeper than 5 levels as malformed.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #407 +/- ##
==========================================
- Coverage 94.42% 94.38% -0.05%
==========================================
Files 25 25
Lines 2154 2190 +36
==========================================
+ Hits 2034 2067 +33
- Misses 81 83 +2
- Partials 39 40 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
The cnf claim is now extracted in extractSupplementaryClaims alongside act, azp, and the organization claims, so the standalone extractConfirmationClaim method is unused and flagged by the linter. Remove it and fold its cnf test coverage into the extractSupplementaryClaims tests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📝 Checklist
🔧 Changes
Adds first-class validation support for access tokens issued through On-Behalf-Of / Token Exchange (RFC 8693), for example when an MCP server exchanges an incoming user token for one scoped to a downstream API. This SDK validates and inspects such tokens; performing the exchange itself is done by the authorization server, not this middleware.
These claims are now parsed automatically during validation, so no extra configuration is required.
validator.RegisteredClaims(new fields, additive)Act *Actor— theact(actor) claim chain per RFC 8693 §4.1AuthorizedParty string— theazpclaimOrgID string— theorg_idclaimOrgName string— theorg_nameclaimNew
validator.ActortypeModels the nested
actclaim:Subject(sub), optionalIssuer(iss), and a nestedAct *Actorfor the prior actor.New helpers on
validator.ValidatedClaimsCurrentActor() string— the current actor (outermostact.sub), the client that performed the most recent exchange. Per RFC 8693 §4.1, this is the only actor value that may be used for access-control decisions.DelegationChain() []string— the full actor chain ordered from current to original, intended for audit and logging only.HasActor() boolThe API is shaped so the safe call (
CurrentActor) is the obvious one, andDelegationChainis explicitly documented as audit-only, matching the RFC 8693 §4.1 guidance that nested actors must not drive authorization.Delegation chains are limited to 5 levels; a token whose
actclaim nests more than 5 actors is rejected as aninvalid_claimsvalidation error.All changes are additive. No existing fields, signatures, or behavior changed, and no new dependencies or network calls are introduced. Extraction of
act,azp,org_id, andorg_nameis folded into the existing single payload decode alongside thecnfclaim.📚 References
actclaim)🔬 Testing
CurrentActor,DelegationChain, andHasActorhelpers cover the no-actor, empty-subject, single-exchange, and chained-exchange cases (validator/claims_test.go).invalid_claims), and a malformed token (validator/validator_test.go).go test ./...(865 tests),go vet ./...clean,gofmtclean.