Document JWT claim requirements for selfhosted OAuth applications #890

Closed
mhotan wants to merge 2 commits into peeter/selfhosted-docs from mike/jwt-claim-requirements

Contributor

@mhotan mhotan commented Apr 3, 2026

Summary

  • Add explicit JWT claim requirements table to the selfhosted authentication docs
  • Document that sub claim is required on all OAuth application tokens, including client credentials
  • Add warning about x-user-subject header not found failure when sub is missing
  • Document identitytype as required for authorization, with pointer to useExternalIdentity alternative

Documents current behavior up to helm-charts 2026.4.0 / cloud release/2026.4.2.

Stacked on #885 (ExternalIdentity docs).

ref FAB-194

mhotan and others added 2 commits April 2, 2026 22:29
When the identitytype JWT claim is absent (selfhosted with non-Okta
IdPs), the platform sends ExternalIdentity{subject} instead of
user_id or application_id. Update the identity resolution docs to
document all three proto types and clarify that identitytype is not
required for External authorization.

Update reference implementation to extract subject from whichever
proto type arrives, handle missing tokens from background workers.

Linear: https://linear.app/unionai/issue/FAB-189

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Add explicit table of required JWT claims (sub, identitytype,
preferred_username) with warning that sub must be present in all
tokens including client credentials. This documents the current
behavior up to helm-charts 2026.4.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
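
A pre-flight check for the claims named in this PR (`sub`, `identitytype`, `preferred_username`), added here as an illustration; it is not code from the PR or from the project. It decodes a token's payload without verifying the signature and reports which of those claims are absent. Assumptions: the function names and the `use_external_identity` parameter are hypothetical, `identitytype` is treated as optional when `useExternalIdentity` is in effect, and an empty or non-string value counts as missing.

```python
import base64
import json

# Claim names come from the PR; how they are grouped is this example's reading.
ALWAYS_REQUIRED = ("sub", "preferred_username")
AUTHZ_CLAIM = "identitytype"  # skipped when useExternalIdentity is in effect


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (lint only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(segment))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def missing_claims(token: str, use_external_identity: bool = False) -> list:
    """List required claims that are absent or not a non-empty string."""
    claims = decode_payload(token)
    required = list(ALWAYS_REQUIRED)
    if not use_external_identity:
        required.append(AUTHZ_CLAIM)
    return [name for name in required
            if not isinstance(claims.get(name), str) or not claims[name].strip()]


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed client-credentials style payload that lacks "sub".
    token = make_sample_token({"iss": "https://idp.example.invalid",
                               "identitytype": "placeholder",
                               "preferred_username": "placeholder"})
    print(missing_claims(token))
```

Running it against a token obtained through the client credentials grant from your IdP shows, before deployment, whether `sub` is missing.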
@cloudflare-workers-and-pages

Deploying docs with Cloudflare Pages

Latest commit: 7e3d719
Status: ✅  Deploy successful!
Preview URL: https://b32c3186.docs-dog.pages.dev
Branch Preview URL: https://mike-jwt-claim-requirements.docs-dog.pages.dev

@ppiegaze
Collaborator

Superseded by #936, which adapts this content to the new flyte/union variant structure (stacked on #935). Most content was already incorporated in the Entra ID auth rewrite (#933).

@ppiegaze ppiegaze closed this Apr 22, 2026