Replace webhook.Principal with auth.Identity #4315
Description
Problem
PR #3840 introduced webhook.Principal in pkg/webhook/types.go, but auth.Identity in pkg/auth/identity.go already represents the same concept. webhook.Principal is a strict subset:
| Field | auth.Identity |
webhook.Principal |
|---|---|---|
| Subject | Subject string |
Sub string |
| Name | Name string |
Name string |
Email string |
Email string |
|
| Groups | Groups []string |
Groups []string |
| Claims | Claims map[string]any |
Claims map[string]any |
| Token | Token string |
— |
| TokenType | TokenType string |
— |
| Metadata | Metadata map[string]string |
— |
Having two types means:
- Identity changes must be kept in sync across both
- The middleware layer will need a mapping function to convert between them
- Consumers need to know which type to use in which context
Proposed fix
Replace webhook.Principal with auth.Identity in the webhook.Request struct. The extra fields on Identity (Token, TokenType, Metadata) can be left empty when constructing the webhook request — the JSON omitempty tags on Identity.MarshalJSON already handle redaction/omission.
Files affected
pkg/webhook/types.go— removePrincipalstruct, importauth.Identitypkg/webhook/client_test.go— update test fixtures