
stacklok / toolhive / 24464634321
66%

Build:
DEFAULT BRANCH: main
Ran 15 Apr 2026 04:04PM UTC
Jobs 1
Files 630
Run time 2min

15 Apr 2026 03:58PM UTC coverage: 65.808% (+0.04%) from 65.767%
24464634321

push

github

web-flow
Add RoleClaimName to Cedar ConfigOptions (#4847)

Add RoleClaimName field to ConfigOptions and wire it through to the
Authorizer struct, complementing the existing GroupClaimName. This
supports IdPs that separate group and role concepts (e.g. Entra ID
"groups" vs "roles" claims). When empty (the default), no role
extraction occurs -- backward compatible.

The field is config plumbing only; actual extraction and deduplication
with GroupClaimName is handled by #4768.

E2E tested against real IDP tokens in a Kind cluster with the operator
built from this branch:

- Okta: Authorization server with a custom "groups" claim configured
  to emit group display names in access tokens. OIDC app uses
  authorization code flow with "mcpserver" as audience.
  RoleClaimName left empty -- confirms backward compat.
  JWT shape: { "groups": ["Everyone", "engineering"],
               "sub": "jakub@stacklok.com" }
  Cedar policy:
    permit(principal in THVGroup::"engineering",
           action, resource in MCP::"okta-group-test");

- Entra ID: App registration with two app roles ("mcp-admin",
  "developer") assigned to a test user. The access token carries
  roles but no "groups" claim (no group claim in token config).
  RoleClaimName set to "roles".
  JWT shape: { "roles": ["mcp-admin", "developer"],
               "sub": "cljQrWT58zYW..." }
  Cedar policies:
    permit(principal in THVGroup::"developer",
           action == Action::"list_tools",
           resource in MCP::"entra-role-test");
    permit(principal in THVGroup::"mcp-admin",
           action == Action::"call_tool",
           resource in MCP::"entra-role-test")
      when { resource.name == "echo" };

Closes #4763

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

1 of 1 new or added line in 1 file covered. (100.0%)

6 existing lines in 1 file now uncovered.

57225 of 86958 relevant lines covered (65.81%)

61.59 hits per line

Coverage Regressions

Lines   Coverage   ∆       File
6       76.15      -5.5%   pkg/secrets/keyring/keyctl_linux.go
Jobs
ID   Job ID          Ran                       Files   Coverage
1    24464634321.1   15 Apr 2026 04:04PM UTC   630     65.81
GitHub Action Run
Source Files on build 24464634321
  • Tree
  • List 630
  • Changed 8
  • Source Changed 1
  • Coverage Changed 8
  • 9d5982de on github

© 2026 Coveralls, Inc