Skip to content

feat: identity is carried in sub claim#5813

Merged
paullatzelsperger merged 9 commits into
eclipse-edc:mainfrom
paullatzelsperger:feat/scope-sub-identity-step4
Jun 11, 2026
Merged

feat: identity is carried in sub claim#5813
paullatzelsperger merged 9 commits into
eclipse-edc:mainfrom
paullatzelsperger:feat/scope-sub-identity-step4

Conversation

@paullatzelsperger

Copy link
Copy Markdown
Member

What this PR changes/adds

  • the principal identity is solely carried in the sub claim instead of the participant_context_id claim.
  • all remnants of the role claim are dropped

Why it does that

move to scope-based authz

Further notes

List other areas of code that have changed but are not necessarily linked to the main feature. This could be method
signature changes, package declarations, bugs that were encountered and were fixed inline, etc.

Who will sponsor this feature?

Please @-mention the committer that will sponsor your feature.

Linked Issue(s)

Closes #5803

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.

@paullatzelsperger paullatzelsperger added enhancement New feature or request breaking-change Will require manual intervention for version update api Feature related to the (REST) api labels Jun 10, 2026
paullatzelsperger and others added 4 commits June 10, 2026 15:30
# Conflicts:
#	system-tests/management-api/management-api-test-runner/src/test/java/org/eclipse/edc/test/e2e/managementapi/v5/CelExpressionApiV5EndToEndTest.java
Completes the scope-based authorization cutover: ParticipantPrincipal now carries (participantContextId, scope) with role/ROLE_*/getRoles() removed; ServicePrincipalAuthenticationFilter reads identity from the standard 'sub' claim instead of the custom participant_context_id claim, and skips the participant-context existence check for admin-scoped tokens; Constants replaces TOKEN_CLAIM_ROLE/TOKEN_CLAIM_PARTICIPANT_CONTEXT_ID with TOKEN_CLAIM_SUBJECT; the OauthServer/OauthTokenProvider fixtures and the management-api test client mint tokens by sub+scope (no role). Part of eclipse-edc#5799, closes eclipse-edc#5803.

Signed-off-by: Paul Latzelsperger <paul.latzelsperger@beardyinc.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@paullatzelsperger paullatzelsperger force-pushed the feat/scope-sub-identity-step4 branch from cf06c3e to 676b9b8 Compare June 10, 2026 13:34
@paullatzelsperger paullatzelsperger marked this pull request as ready for review June 11, 2026 05:34
@paullatzelsperger paullatzelsperger requested a review from a team as a code owner June 11, 2026 05:34
@paullatzelsperger paullatzelsperger merged commit 65f0d28 into eclipse-edc:main Jun 11, 2026
34 of 35 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/scope-sub-identity-step4 branch June 11, 2026 11:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api Feature related to the (REST) api breaking-change Will require manual intervention for version update enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Scope-based authz — Step 4: Use sub as identity carrier and remove role remnants

2 participants