@srikalyan

Summary

Adds support for per-audience JWT-SVID policy configuration to the Entry type.

New JWTSVIDAudiencePolicy enum with three modes:

  • DEFAULT (0): No JTI claim, caching enabled. Backwards compatible behavior.
  • AUDITABLE (1): JTI claim included for audit trails, caching still enabled.
  • UNIQUE (2): JTI claim included, caching disabled. Each request gets a fresh token.

New Entry fields:

  • jwt_svid_default_audience_policy: Default policy for audiences not explicitly configured
  • jwt_svid_audience_policies: Map of audience → policy for per-audience overrides

New EntryMask fields:

  • jwt_svid_default_audience_policy
  • jwt_svid_audience_policies

Related

This SDK change supports the SPIRE server implementation in spiffe/spire#6514

Fixes spiffe/spire#6043

Adds support for per-audience JWT-SVID policy configuration:

New JWTSVIDAudiencePolicy enum with three modes:
- DEFAULT (0): No JTI, caching enabled
- AUDITABLE (1): JTI included, caching enabled
- UNIQUE (2): JTI included, caching disabled

New Entry fields:
- jwt_svid_default_audience_policy: Default policy for audiences not in map
- jwt_svid_audience_policies: Per-audience policy overrides

New EntryMask fields for update operations.
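How a server-side minting path could consume the two new Entry fields, as an added Go example that is not part of this PR or of SPIRE's own code. The enum values and field names mirror the PR description; `Decision`, `Resolve` and the rule that the strictest policy wins when a request names several audiences are assumptions made here for illustration.

```go
package main

// JWTSVIDAudiencePolicy mirrors the enum values in the PR description.
type JWTSVIDAudiencePolicy int32
const (
	PolicyDefault   JWTSVIDAudiencePolicy = 0 // no jti, caching enabled
	PolicyAuditable JWTSVIDAudiencePolicy = 1 // jti included, caching enabled
	PolicyUnique    JWTSVIDAudiencePolicy = 2 // jti included, caching disabled
)

// Entry carries only the two new fields (a subset of the real Entry type).
type Entry struct {
	JwtSvidDefaultAudiencePolicy JWTSVIDAudiencePolicy
	JwtSvidAudiencePolicies      map[string]JWTSVIDAudiencePolicy
}

// Decision is what a JWT-SVID minting path needs from the policy (assumed type).
type Decision struct {
	Policy       JWTSVIDAudiencePolicy
	IncludeJTI   bool
	AllowCaching bool
}

// policyFor returns the per-audience override if present, else the entry default.
func policyFor(e Entry, aud string) JWTSVIDAudiencePolicy {
	if p, ok := e.JwtSvidAudiencePolicies[aud]; ok {
		return p
	}
	return e.JwtSvidDefaultAudiencePolicy
}

// Resolve combines the policies of all audiences in one request; ok is false if
// none were given. Assumption (not in the PR): the strictest policy wins
// (UNIQUE > AUDITABLE > DEFAULT), so a cached token is never reused for UNIQUE.
func Resolve(e Entry, audiences []string) (d Decision, ok bool) {
	if len(audiences) == 0 {
		return Decision{}, false
	}
	strictest := PolicyDefault
	for _, aud := range audiences {
		if p := policyFor(e, aud); p > strictest {
			strictest = p
		}
	}
	return Decision{
		Policy:       strictest,
		IncludeJTI:   strictest >= PolicyAuditable,
		AllowCaching: strictest != PolicyUnique,
	}, true
}
```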
srikalyan added a commit to srikalyan/spire that referenced this pull request Dec 26, 2025
This commit adds support for the new JWT-SVID audience policy configuration
in the SPIRE server CLI and entry conversion logic:

CLI changes:
- Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy
- Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration
- Update entry create, update, and show commands to handle new fields
- Add AudiencePolicyFlag custom type for parsing audience:policy pairs

Entry conversion:
- Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to
  EntryToProto and ProtoToEntry conversion functions
- Add audiencePolicyToInternal helper for enum conversion

Policy options: default, auditable, unique
- default: No JTI claim, caching enabled (current behavior)
- auditable: JTI claim included, caching enabled
- unique: JTI claim included, caching disabled (unique tokens)

Part of spiffe#6043

NOTE: Only merge after these dependent PRs are merged:
- spire-api-sdk: spiffe/spire-api-sdk#84
- spire-plugin-sdk: https://github.com/spiffe/spire-plugin-sdk/pull/113
srikalyan added a commit to srikalyan/spire that referenced this pull request Dec 26, 2025
This commit adds support for the new JWT-SVID audience policy configuration
in the SPIRE server CLI and entry conversion logic:

CLI changes:
- Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy
- Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration
- Update entry create, update, and show commands to handle new fields
- Add AudiencePolicyFlag custom type for parsing audience:policy pairs

Entry conversion:
- Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to
  EntryToProto and ProtoToEntry conversion functions
- Add audiencePolicyToInternal helper for enum conversion

Policy options: default, auditable, unique
- default: No JTI claim, caching enabled (current behavior)
- auditable: JTI claim included, caching enabled
- unique: JTI claim included, caching disabled (unique tokens)

Part of spiffe#6043

NOTE: Only merge after these dependent PRs are merged:
- spire-api-sdk: spiffe/spire-api-sdk#84
- spire: spiffe#6514
Development

Successfully merging this pull request may close these issues.

JWT JTI Attribute