[FEATURE][PLUGIN]: Create JWT claims and metadata extraction plugin #1439
Labels
SHOULD; P2 (Important but not vital; high-value items that are not crucial for the immediate release); enhancement (New feature or request); plugins; python (Python / backend development (FastAPI)); sweng-group-5 (Group 5 - Policy-as-Code Security & Compliance Automation); tcd (SwEng Projects)
Description
JWT tokens can include public claims (e.g., identity) and private claims (e.g., roles, attributes, groups, permissions, etc.). Private claims can also include fine-grained permissions for tool calls as documented in RFC 9396 (Rich Authorization Requests). These claims need to be extracted from JWT tokens and added to the context to be leveraged by downstream plugins for making authorization requests, such as in the OPA or Cedar plugins implementing RBAC and ABAC.
This plugin will implement and register auth hooks in the gateway to extract claims metadata from access tokens and map that auth metadata into a reserved context key that can be used by downstream access control/policy enforcement plugins (such as the Cedar and OPA plugins).
Tasks
cc: @monshri @terylt @imolloy
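As an added example (not code from this issue or the project), one shape such an auth hook could take in Python: verify an HS256 access token with a pinned algorithm, pull the identity and private claims plus any RFC 9396 `authorization_details`, and publish the result under a reserved context key that a Cedar or OPA plugin reads. On any verification failure nothing is published, so a downstream policy plugin sees an absent key and can deny by default. The hook function name, the context key `auth.claims`, the `auth.error` key, the claim names selected, and the `tool_call` authorization-details type are all assumptions; the shared key and sample claims are constructed for the example. A real gateway would replace `verify_hs256` with a JOSE library doing JWKS-based key lookup.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Optional

# Reserved context key for extracted claims. Assumed name; the issue does not fix it.
CLAIMS_CONTEXT_KEY = "auth.claims"
ERROR_CONTEXT_KEY = "auth.error"  # assumed name

# Claims downstream RBAC/ABAC plugins typically consume. Assumed selection.
IDENTITY_CLAIMS = ("sub", "iss", "aud", "email")
PRIVATE_CLAIMS = ("roles", "groups", "permissions", "scope")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict[str, Any]:
    """Verify an HS256 JWT and return its payload; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own `alg` must never select the verifier.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def extract_claims(payload: dict[str, Any]) -> dict[str, Any]:
    """Map raw JWT claims into the structure downstream policy plugins read."""
    identity = {k: payload[k] for k in IDENTITY_CLAIMS if k in payload}
    private = {k: payload[k] for k in PRIVATE_CLAIMS if k in payload}
    # RFC 9396: authorization_details is a JSON array of objects, each carrying a "type".
    details = payload.get("authorization_details", [])
    if not isinstance(details, list) or not all(isinstance(d, dict) and "type" in d for d in details):
        raise ValueError("authorization_details must be a list of objects with a 'type'")
    # Fold tool-call grants into {tool_name: [actions]} so a policy can ask
    # "may this subject call tool X with action Y" without re-parsing the claim.
    tool_grants: dict[str, list[str]] = {}
    for d in details:
        if d["type"] == "tool_call":  # assumed type name for MCP tool grants
            for tool in d.get("tools", []):
                tool_grants.setdefault(tool, []).extend(d.get("actions", []))
    return {"identity": identity, **private, "authorization_details": details, "tool_grants": tool_grants}


def auth_hook(context: dict[str, Any], token: str, key: bytes, now: Optional[float] = None) -> dict[str, Any]:
    """Auth-hook handler (assumed signature): publish verified claims under the reserved key.

    Mutates and returns `context`. On failure the claims key is absent and the
    reason is recorded, so a policy plugin can deny by default.
    """
    try:
        payload = verify_hs256(token, key, now)
        context[CLAIMS_CONTEXT_KEY] = extract_claims(payload)
        context.pop(ERROR_CONTEXT_KEY, None)
    except ValueError as exc:
        context.pop(CLAIMS_CONTEXT_KEY, None)
        context[ERROR_CONTEXT_KEY] = str(exc)
    return context


def make_hs256_token(payload: dict[str, Any], key: bytes) -> str:
    """Mint a token for the constructed sample input (test helper only)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


TEST_KEY = b"example-shared-secret-do-not-use"  # constructed test key
SAMPLE_PAYLOAD = {  # constructed sample claims
    "sub": "alice", "iss": "https://idp.example", "exp": 4102444800,
    "roles": ["analyst"], "groups": ["soc"],
    "authorization_details": [
        {"type": "tool_call", "tools": ["search_logs"], "actions": ["read"]},
    ],
}

if __name__ == "__main__":
    ctx = auth_hook({}, make_hs256_token(SAMPLE_PAYLOAD, TEST_KEY), TEST_KEY)
    print(json.dumps(ctx, indent=2))
```

The `tool_grants` view is the part a Cedar or OPA policy would key on; keeping the raw `authorization_details` alongside it lets a policy that understands other RFC 9396 types still reach them.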