
authorization: support the legacy scp claim as scopes #8062

Merged
zirain merged 3 commits into envoyproxy:main from zhaohuabing:impl-8027
Jan 28, 2026

@zhaohuabing
Member

Implement: #8027

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 26, 2026 10:03
@zhaohuabing zhaohuabing marked this pull request as draft January 26, 2026 10:03
@zhaohuabing zhaohuabing added this to the v1.7.0-rc.1 Release milestone Jan 26, 2026
@netlify

netlify bot commented Jan 26, 2026

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 7080187
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69784caf54ad55000858e291
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
// The value of the scopes field should be a space delimited string that is expected in the scope parameter,
// as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
// The value of the scopes field should be a space delimited string that is expected in the
// scope (or scp) claim, as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
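Review bot: The replacement comment (the second pair of lines) says the scope (or scp) claim is "as defined in RFC 6749", but the wording it replaces referred to the scope parameter, which is what that RFC specifies; the scp name does not come from it. Suggest keeping the RFC reference for the format only, for example "a space delimited string, in the format of the scope parameter defined in RFC 6749". The same comment should also state which claim is used when a token carries both scope and scp, and whether an array-valued claim is accepted, since this field documentation is where an operator writing an authorization rule will look.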
Member

For Okta, the value of the scope claim is a JSON array. Should we support JSON array values for this claim now or in the future?

Member Author

@zhaohuabing zhaohuabing Jan 27, 2026

I haven't tested this against Okta, but a JSON array should already be supported, as the Envoy JWT auth filter normalizes the scopes to a string array.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#envoy-v3-api-msg-extensions-filters-http-jwt-authn-v3-jwtprovider-normalizepayload

Each claim in this list will be interpreted as a space-delimited string and converted to a list of strings based on the delimited values. Example: a token with a claim scope: "email profile" is translated to dynamic metadata scope: ["email", "profile"] if this field is set value ["scope"].
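
The normalization discussed in the comments above, as an added example that is not part of the pull request and is not Envoy's or Envoy Gateway's code: it accepts a scope claim in either the space-delimited string form or the JSON array form, also reads the legacy scp claim, and fails closed on any other value type. The function names, the constructed payload and the choice to take the union of both claims are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NormalizeScopes returns the scopes in an already-verified JWT payload. Reading
// both "scope" and legacy "scp" and taking their union is this example's assumption.
func NormalizeScopes(payload []byte) (map[string]bool, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, name := range []string{"scope", "scp"} {
		raw, ok := claims[name]
		if !ok {
			continue
		}
		var s string
		var list []string
		if json.Unmarshal(raw, &s) == nil {
			list = strings.Fields(s) // string form: "email profile"
		} else if json.Unmarshal(raw, &list) != nil {
			// Fail closed on numbers, objects and mixed arrays.
			return nil, fmt.Errorf("claim %q: want string or array of strings", name)
		}
		for _, v := range list {
			out[v] = true
		}
	}
	return out, nil
}

// HasAllScopes reports whether every required scope was granted.
func HasAllScopes(granted map[string]bool, required ...string) bool {
	for _, r := range required {
		if !granted[r] {
			return false
		}
	}
	return true
}

func main() {
	g, err := NormalizeScopes([]byte(`{"scp":["email","profile"]}`)) // constructed payload
	fmt.Println(HasAllScopes(g, "email", "profile"), err)
}
```

A token with neither claim yields an empty set, so any rule that requires a scope denies it.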

@zhaohuabing zhaohuabing marked this pull request as ready for review January 27, 2026 04:26
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@codecov

codecov bot commented Jan 27, 2026

Codecov Report

❌ Patch coverage is 86.79245% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.76%. Comparing base (d78c894) to head (7080187).
⚠️ Report is 12 commits behind head on main.

Files with missing lines Patch % Lines
internal/xds/translator/authorization.go 86.53% 4 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8062      +/-   ##
==========================================
- Coverage   73.80%   73.76%   -0.04%     
==========================================
  Files         237      237              
  Lines       35753    35763      +10     
==========================================
- Hits        26386    26381       -5     
- Misses       7512     7523      +11     
- Partials     1855     1859       +4     

Contributor

@arkodg arkodg left a comment

LGTM thanks

@arkodg arkodg requested review from a team January 28, 2026 05:23
@zirain zirain merged commit c7b1a23 into envoyproxy:main Jan 28, 2026
39 checks passed
@zhaohuabing zhaohuabing deleted the impl-8027 branch January 28, 2026 06:44
SadmiB pushed a commit to SadmiB/gateway that referenced this pull request Jan 30, 2026
* authorization: support the legacy scp claim as scopes

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* fix gen

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Sadmi Bouhafs <sadmibouhafs@gmail.com>