@srikalyan
Owner
Summary

  • Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy
  • Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration
  • Update entry create, update, and show commands to handle new fields
  • Add entry conversion logic for JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies fields

Policy options

  • default: No JTI claim, caching enabled (current behavior)
  • auditable: JTI claim included, caching enabled
  • unique: JTI claim included, caching disabled (unique tokens)

Part of spiffe#6043

Dependencies

NOTE: Only merge after these dependent PRs are merged:

This commit adds support for the new JWT-SVID audience policy configuration
in the SPIRE server CLI and entry conversion logic:

CLI changes:
- Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy
- Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration
- Update entry create, update, and show commands to handle new fields
- Add AudiencePolicyFlag custom type for parsing audience:policy pairs

Entry conversion:
- Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to
  EntryToProto and ProtoToEntry conversion functions
- Add audiencePolicyToInternal helper for enum conversion

Policy options: default, auditable, unique
- default: No JTI claim, caching enabled (current behavior)
- auditable: JTI claim included, caching enabled
- unique: JTI claim included, caching disabled (unique tokens)

Part of spiffe#6043

NOTE: Only merge after these dependent PRs are merged:
- spire-api-sdk: spiffe/spire-api-sdk#84
- spire: spiffe#6514
@srikalyan srikalyan closed this Dec 26, 2025
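The following is an added illustration, not code from this PR or from the SPIRE code base, of how a repeatable `audience:policy` flag of the shape the PR describes can be parsed and how the three policy names map onto the jti/caching behaviour listed above. The type and function names (`AudiencePolicyFlag`, `EntryAudiencePolicy`, `PolicyFor`, `StrictestFor`), the split-on-last-colon rule so that audiences such as `spiffe://…` IDs or `https://host:port` survive intact, the rejection of duplicate audiences, and the strictest-wins resolution for a multi-audience request are all assumptions made here; the PR text does not specify any of them.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"strings"
)

// AudiencePolicy enumerates the three policy options named in the PR.
// Everything in this file is an added illustration, not SPIRE's own code.
type AudiencePolicy int

const (
	PolicyDefault   AudiencePolicy = iota // no jti claim, caching enabled (current behaviour)
	PolicyAuditable                       // jti claim included, caching enabled
	PolicyUnique                          // jti claim included, caching disabled
)

var policyNames = map[string]AudiencePolicy{
	"default":   PolicyDefault,
	"auditable": PolicyAuditable,
	"unique":    PolicyUnique,
}

// ParseAudiencePolicy maps a policy name given on the CLI to its enum value.
func ParseAudiencePolicy(s string) (AudiencePolicy, error) {
	if p, ok := policyNames[strings.ToLower(strings.TrimSpace(s))]; ok {
		return p, nil
	}
	return 0, fmt.Errorf("unknown audience policy %q (want default, auditable or unique)", s)
}

func (p AudiencePolicy) String() string {
	for name, v := range policyNames {
		if v == p {
			return name
		}
	}
	return "default"
}

// IncludeJTI and Cacheable encode the behaviour table from the PR text.
func (p AudiencePolicy) IncludeJTI() bool { return p != PolicyDefault }
func (p AudiencePolicy) Cacheable() bool  { return p != PolicyUnique }

// AudiencePolicyFlag is a flag.Value accepting repeated audience:policy pairs (assumed shape).
type AudiencePolicyFlag struct {
	Policies map[string]AudiencePolicy
}

func (f *AudiencePolicyFlag) String() string { return fmt.Sprint(f.Policies) }

// Set splits on the LAST colon so audiences that themselves contain colons
// (spiffe:// IDs, https://host:port) stay intact; policy names never contain one.
func (f *AudiencePolicyFlag) Set(v string) error {
	i := strings.LastIndex(v, ":")
	if i <= 0 || i == len(v)-1 {
		return fmt.Errorf("invalid audience policy %q: want audience:policy", v)
	}
	aud, pol := v[:i], v[i+1:]
	p, err := ParseAudiencePolicy(pol)
	if err != nil {
		return err
	}
	if f.Policies == nil {
		f.Policies = map[string]AudiencePolicy{}
	}
	if _, dup := f.Policies[aud]; dup {
		return fmt.Errorf("audience %q given more than once", aud)
	}
	f.Policies[aud] = p
	return nil
}

// EntryAudiencePolicy is the resolved per-entry configuration (assumed shape).
type EntryAudiencePolicy struct {
	Default     AudiencePolicy
	PerAudience map[string]AudiencePolicy
}

// PolicyFor returns the per-audience override if present, else the entry default.
func (e EntryAudiencePolicy) PolicyFor(aud string) AudiencePolicy {
	if p, ok := e.PerAudience[aud]; ok {
		return p
	}
	return e.Default
}

// StrictestFor resolves a multi-audience request. ASSUMPTION (not stated in the
// PR): the strictest policy among the requested audiences wins, ordered
// unique > auditable > default, so a jti is never dropped and a cached token is
// never reused when any one audience forbids it.
func (e EntryAudiencePolicy) StrictestFor(auds []string) AudiencePolicy {
	if len(auds) == 0 {
		return e.Default
	}
	strictest := PolicyDefault
	for _, a := range auds {
		if p := e.PolicyFor(a); p > strictest {
			strictest = p
		}
	}
	return strictest
}

func main() {
	fs := flag.NewFlagSet("entry create", flag.ContinueOnError)
	defName := fs.String("jwtSVIDDefaultAudiencePolicy", "default", "policy for audiences without an override")
	var perAud AudiencePolicyFlag
	fs.Var(&perAud, "jwtSVIDAudiencePolicy", "audience:policy pair (repeatable)")
	if err := fs.Parse(os.Args[1:]); err != nil {
		os.Exit(2)
	}
	def, err := ParseAudiencePolicy(*defName)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	cfg := EntryAudiencePolicy{Default: def, PerAudience: perAud.Policies}
	// Constructed sample audiences, including one with a port and one with no override.
	for _, aud := range []string{"spiffe://example.org/api", "https://api.example.com:443", "other"} {
		p := cfg.PolicyFor(aud)
		fmt.Printf("%-32s policy=%-9s jti=%v cacheable=%v\n", aud, p, p.IncludeJTI(), p.Cacheable())
	}
}
```

Run it as, for instance, `go run . -jwtSVIDDefaultAudiencePolicy auditable -jwtSVIDAudiencePolicy https://api.example.com:443:unique` to see the per-audience override applied on top of the default. The point worth keeping from the example is the split on the last colon: splitting on the first one would silently truncate any audience written as a URL, and a truncated audience means the intended `unique` policy never matches the audience the workload actually requests.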