[TT-15359] Improve backwards compatibility of JWT claim validation (#7294)
### **User description**
<details open>
<summary><a href="https://tyktech.atlassian.net/browse/TT-15359"
title="TT-15359" target="_blank">TT-15359</a></summary>
<br />
<table>
<tr>
<th>Summary</th>
<td> Core Registered Claims Validation</td>
</tr>
<tr>
<th>Type</th>
<td>
<img alt="Story"
src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10315?size=medium"
/>
Story
</td>
</tr>
<tr>
<th>Status</th>
<td>In Code Review</td>
</tr>
<tr>
<th>Points</th>
<td>N/A</td>
</tr>
<tr>
<th>Labels</th>
<td><a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC"
title="jira_escalated">jira_escalated</a></td>
</tr>
</table>
</details>
<!--
do not remove this marker as it will break jira-lint's functionality.
added_by_jira_lint
-->
---
## Description
[TT-15359](https://tyktech.atlassian.net/browse/TT-15359)
This pull request improves backward compatibility for JWT claim
validation in the Tyk Gateway by:
- Adding fallback logic in the OAS (OpenAPI Specification) JWT
configuration:
  - Uses PolicyFieldName if BasePolicyClaims is empty.
  - Uses IdentityBaseField if SubjectClaims is empty.
  - Uses Scopes.ClaimName if Scopes.Claims is empty.
- Extending and reorganizing unit tests to cover these new fallback
behaviors.
- Ensuring that new logic preserves existing backward-compatible
behavior when parsing JWTs.
## Motivation and Context
## How This Has Been Tested
## Screenshots (if appropriate)
## Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Refactoring or add test (improvements in base code or adds test
coverage to functionality)
## Checklist
- [ ] I ensured that the documentation is up to date
- [ ] I explained why this PR updates go.mod in detail with reasoning
why it's required
- [ ] I would like a code coverage CI quality gate exception and have
explained why
[TT-15359]:
https://tyktech.atlassian.net/browse/TT-15359?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
___
### **PR Type**
Enhancement, Tests
___
### **Description**
- Add OAS fallbacks for deprecated fields
- Prefer single-field configs when arrays empty
- Expand unit tests for OAS JWT parsing
- Preserve backward compatibility behavior
___
### Diagram Walkthrough
```mermaid
flowchart LR
OASCfg["OAS JWT config"] -- "BasePolicyClaims empty, use PolicyFieldName" --> PolicyID["Resolve policy ID"]
OASCfg -- "SubjectClaims empty, use IdentityBaseField" --> UserID["Resolve user ID"]
OASCfg -- "Scopes.Claims empty, use Scopes.ClaimName" --> ScopeClaim["Resolve scope claim name"]
Tests["Unit tests"] -- "cover new fallbacks" --> Verification["Behavior verified"]
```
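The fallback order described in the Description bullets and in the diagram above, as an added example (not Tyk's own code): only the field names come from the PR; the struct shapes, `withFallback` and `FirstClaim` are assumptions made for this illustration.

```go
package main

import "fmt"

// Scopes mirrors the deprecated single ClaimName and its newer Claims list (shape assumed).
type Scopes struct {
	ClaimName string
	Claims    []string
}

// JWTConfig pairs each deprecated single-field setting with the array that
// replaced it. Field names come from the PR; the type itself is assumed.
type JWTConfig struct {
	PolicyFieldName   string
	BasePolicyClaims  []string
	IdentityBaseField string
	SubjectClaims     []string
	Scopes            Scopes
}

// withFallback prefers the array; only when it is empty does the legacy single
// field apply, and an unset legacy field yields no claim names at all.
func withFallback(claims []string, legacy string) []string {
	if len(claims) > 0 {
		return claims
	}
	if legacy == "" {
		return nil
	}
	return []string{legacy}
}

func (c JWTConfig) EffectivePolicyClaims() []string  { return withFallback(c.BasePolicyClaims, c.PolicyFieldName) }
func (c JWTConfig) EffectiveSubjectClaims() []string { return withFallback(c.SubjectClaims, c.IdentityBaseField) }
func (c JWTConfig) EffectiveScopeClaims() []string   { return withFallback(c.Scopes.Claims, c.Scopes.ClaimName) }

// FirstClaim returns the value of the first configured claim name that is
// present in the decoded JWT claims as a non-empty string.
func FirstClaim(claims map[string]any, names []string) (string, bool) {
	for _, n := range names {
		if v, ok := claims[n].(string); ok && v != "" {
			return v, true
		}
	}
	return "", false
}

func main() {
	legacy := JWTConfig{PolicyFieldName: "pol"} // constructed legacy-style config
	fmt.Println(legacy.EffectivePolicyClaims()) // [pol]
}
```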
<details> <summary><h3> File Walkthrough</h3></summary>
<table><thead><tr><th></th><th align="left">Relevant
files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table>
<tr>
<td>
<details>
<summary><strong>mw_jwt.go</strong><dd><code>Add OAS JWT claim fallback
logic</code>
</dd></summary>
<hr>
gateway/mw_jwt.go
<ul>
<li>Fall back to <code>PolicyFieldName</code> when <code>BasePolicyClaims</code> is empty</li>
<li>Fall back to <code>IdentityBaseField</code> when <code>SubjectClaims</code> is empty</li>
<li>Fall back to <code>Scopes.ClaimName</code> when <code>Scopes.Claims</code> is empty</li>
</ul>
</details>
</td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7294/files#diff-e8bce0f6790c8c56b30e24dbeebb0fc4aa0879ab5ea5f6ef6dbe68931410e237">+9/-0</a>
</td>
</tr>
</table></td></tr><tr><td><strong>Tests</strong></td><td><table>
<tr>
<td>
<details>
<summary><strong>mw_jwt_test.go</strong><dd><code>Extend tests for OAS
JWT claim fallbacks</code>
</dd></summary>
<hr>
gateway/mw_jwt_test.go
<ul>
<li>Add tests for policy fallback via <code>PolicyFieldName</code></li>
<li>Split and expand OAS user ID tests with <code>IdentityBaseField</code></li>
<li>Add tests for scopes fallback via <code>Scopes.ClaimName</code></li>
</ul>
</details>
</td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/7294/files#diff-406bf8fdb6c0cc77f04c6245c70abfc592ddb1525aa843200d850e14d135ebfc">+140/-104</a></td>
</tr>
</table></td></tr></tbody></table>
</details>
___