Skip to content

Support for regex pattern in DefaultJWTClaimMapper permission parser #7574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jul 7, 2025
Merged

Support for regex pattern in DefaultJWTClaimMapper permission parser #7574

merged 7 commits into from
Jul 7, 2025

Conversation

adamko147
Copy link
Contributor

What changed?

Added support for parsing permissions from JWT claim using regular expression

Why?

Default JWT Claim Mapper expects permission in form namespace:role. If it's not possible to configure JWT issuer to follow namespace:role permissionsPattern can be set to regular expression with named groups to parse permission. More details in issue gh-7560

How did you test it?

  • Unit tests
  • Local tests
  • Self hosted environment (ongoing)

Potential risks

This change is only activated if new configuration is provided

Documentation

WIP

Is hotfix candidate?

No

@adamko147 adamko147 requested a review from a team as a code owner April 4, 2025 22:12
@CLAassistant
Copy link

CLAassistant commented Apr 4, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@adamko147 adamko147 marked this pull request as draft April 4, 2025 22:14
@adamko147 adamko147 mentioned this pull request Apr 4, 2025
Open
@adamko147 adamko147 marked this pull request as ready for review April 4, 2025 22:24
@bergundy bergundy requested a review from mattkim May 1, 2025 22:42
captainbeardo
captainbeardo reviewed Jul 1, 2025
View reviewed changes
Copy link

@captainbeardo captainbeardo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just one comment on naming.

common/config/config.go Outdated
@@ -577,6 +577,7 @@ type (
// Signing key provider for validating JWT tokens
JWTKeyProvider JWTKeyProvider `yaml:"jwtKeyProvider"`
PermissionsClaimName string `yaml:"permissionsClaimName"`
PermissionsPattern string `yaml:"permissionsPattern"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: consider calling this PermissionsRegex to clearly indicate what the contents should be and update the naming throughout.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@captainbeardo Thank you, done.

@adamko147 adamko147 requested a review from captainbeardo July 3, 2025 14:53
bergundy
bergundy approved these changes Jul 7, 2025
View reviewed changes
Copy link
Member

@bergundy bergundy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Could you also open a PR to document this in our documentation repo: https://github.com/temporalio/documentation/blob/main/docs/production-deployment/self-hosted-guide/security.mdx#default-jwt-claimmapper?

@adamko147
Copy link
Contributor Author

LGTM. Could you also open a PR to document this in our documentation repo: https://github.com/temporalio/documentation/blob/main/docs/production-deployment/self-hosted-guide/security.mdx#default-jwt-claimmapper?

@bergundy, will do that! Thanks, appreciate the support!

@bergundy bergundy merged commit 943d5b3 into temporalio:main Jul 7, 2025
52 checks passed
@adamko147 adamko147 deleted the jwt-claim-mapper-permissions-pattern branch July 8, 2025 16:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bergundy bergundy bergundy approved these changes

@captainbeardo captainbeardo captainbeardo approved these changes

@mattkim mattkim Awaiting requested review from mattkim

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@adamko147 @CLAassistant @bergundy @captainbeardo