Add JWT-SVID audience policy fields to Entry type by srikalyan · Pull Request #84 · spiffe/spire-api-sdk

srikalyan · 2025-12-26T05:45:09Z

Summary

Adds support for per-audience JWT-SVID policy configuration to the Entry type.

New JWTSVIDAudiencePolicy enum with three modes:

DEFAULT (0): No JTI claim, caching enabled. Backwards compatible behavior.
AUDITABLE (1): JTI claim included for audit trails, caching still enabled.
UNIQUE (2): JTI claim included, caching disabled. Each request gets a fresh token.

New Entry fields:

jwt_svid_default_audience_policy: Default policy for audiences not explicitly configured
jwt_svid_audience_policies: Map of audience → policy for per-audience overrides

New EntryMask fields:

jwt_svid_default_audience_policy
jwt_svid_audience_policies

Adds support for per-audience JWT-SVID policy configuration: New JWTSVIDAudiencePolicy enum with three modes: - DEFAULT (0): No JTI, caching enabled - AUDITABLE (1): JTI included, caching enabled - UNIQUE (2): JTI included, caching disabled New Entry fields: - jwt_svid_default_audience_policy: Default policy for audiences not in map - jwt_svid_audience_policies: Per-audience policy overrides New EntryMask fields for update operations.

This commit adds support for the new JWT-SVID audience policy configuration in the SPIRE server CLI and entry conversion logic: CLI changes: - Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy - Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration - Update entry create, update, and show commands to handle new fields - Add AudiencePolicyFlag custom type for parsing audience:policy pairs Entry conversion: - Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to EntryToProto and ProtoToEntry conversion functions - Add audiencePolicyToInternal helper for enum conversion Policy options: default, auditable, unique - default: No JTI claim, caching enabled (current behavior) - auditable: JTI claim included, caching enabled - unique: JTI claim included, caching disabled (unique tokens) Part of spiffe#6043 NOTE: Only merge after these dependent PRs are merged: - spire-api-sdk: spiffe/spire-api-sdk#84 - spire-plugin-sdk: https://github.com/spiffe/spire-plugin-sdk/pull/113

This commit adds support for the new JWT-SVID audience policy configuration in the SPIRE server CLI and entry conversion logic: CLI changes: - Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy - Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration - Update entry create, update, and show commands to handle new fields - Add AudiencePolicyFlag custom type for parsing audience:policy pairs Entry conversion: - Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to EntryToProto and ProtoToEntry conversion functions - Add audiencePolicyToInternal helper for enum conversion Policy options: default, auditable, unique - default: No JTI claim, caching enabled (current behavior) - auditable: JTI claim included, caching enabled - unique: JTI claim included, caching disabled (unique tokens) Part of spiffe#6043 NOTE: Only merge after these dependent PRs are merged: - spire-api-sdk: spiffe/spire-api-sdk#84 - spire: spiffe#6514

srikalyan requested review from MarcosDY, amartinezfayo, evan2645, rturner3 and sorindumitru as code owners December 26, 2025 05:45

This was referenced Dec 26, 2025

Add CLI and entry conversion support for JWT-SVID audience policies spiffe/spire#6516

Closed

Add CLI and entry conversion support for JWT-SVID audience policies srikalyan/spire#1

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add JWT-SVID audience policy fields to Entry type#84

Add JWT-SVID audience policy fields to Entry type#84
srikalyan wants to merge 1 commit intospiffe:mainfrom
srikalyan:feature/jwt-svid-audience-policy

srikalyan commented Dec 26, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

srikalyan commented Dec 26, 2025

Summary

New JWTSVIDAudiencePolicy enum with three modes:

New Entry fields:

New EntryMask fields:

Related

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant