refactor(examples): bump sdk-go to v0.10.0 for prefixed claims#24

Merged
appleboy merged 2 commits into main from worktree-jwks
May 3, 2026

Conversation

@appleboy
Member

@appleboy appleboy commented May 3, 2026

Summary

Adopt sdk-go v0.10.0 in go-jwks/ and go-jwks-multi/, mirroring go-authgate/sdk-go#27: the SDK now reads AuthGate's three server-attested claims (Domain, Project, ServiceAccount) under a configurable JWT_PRIVATE_CLAIM_PREFIX (default extra, so wire keys are extra_domain / extra_project / extra_service_account), removes the Claims.Tenant field in favour of a generic Claims.Extras map, and exposes WithPrivateClaimPrefix.

  • Both examples: thread JWT_PRIVATE_CLAIM_PREFIX from env → jwksauth.WithPrivateClaimPrefix (a single env var that pairs byte-for-byte with the AuthGate server-side knob); resolved prefix is logged on startup. README + .env.example updated to document the new prefix model.
  • go-jwks-multi/testissuer: must-fix — bare domain / service_account / project keys are no longer recognized by v0.10.0, so every minted token would fail the resource server's AccessRule. The fixture now reads JWT_PRIVATE_CLAIM_PREFIX (default extra), precomputes the three prefixed claim keys once per issuer, and emits them under that prefix. The /sign query-param surface (?domain=oa&sa=...&project=...) is unchanged — only the JWT internal keys move.
  • go-jwks-multi/README.md: stale extraClaims Go struct snippet and "namespaced claims" extension-point bullet replaced — the new SDK has no JSON tags on Claims, so the "edit the json tag" customization path is gone; pointed at WithPrivateClaimPrefix instead.

AI Authorship

  • AI was used. Tool: Claude Code (Opus 4.7).
  • AI authored: every change in this PR (Go code, README rewrites, .env.example, testissuer updates).
  • Human review: spot-checked. The diff is dominated by env-var plumbing and doc rewrites; the small amount of net-new logic is the JWT_PRIVATE_CLAIM_PREFIX wiring in both main.go files (each ~3 lines around an Option slice) plus the precomputed domainKey/serviceAccountKey/projectKey fields on testissuer's issuer struct.

Change classification

  • Leaf — reference examples that users fork and adapt; no shared library code or core auth path is touched. The change is security-relevant in that wrong copy-paste could give a user an insecure verifier, but the security-critical contracts (cross-domain pin, fail-closed AccessRule) live in the SDK and were exercised end-to-end against this PR.

Plan reference

Worktree-local plan at ~/.claude/plans/https-github-com-go-authgate-sdk-go-pull-indexed-wadler.md. Goal: align both examples with the upstream JWT_PRIVATE_CLAIM_PREFIX rollout so default-prefix tokens decode correctly out of the box, custom-prefix deployments have a knob, and the local testissuer keeps mid-cycle development workable.

Verification

  • go build ./... && go vet ./... clean in both go-jwks/ and go-jwks-multi/ (incl. testissuer).
  • E2E smoke run against the in-tree testissuer:
    1. Default-prefix happy path — ?domain=oa&sa=sync-bot@oa.local&project=admin-tools → /api/profile returns 200 with all three server-attested fields populated.
    2. Cross-domain attack — ?domain=swrd from auth-a (which only owns oa,hwrd) → 401, server log: issuer not permitted for this domain: domain="swrd".
    3. Matched custom prefix — both ends with JWT_PRIVATE_CLAIM_PREFIX=acme → 200, claims populated.
    4. Mismatched prefix — testissuer acme, resource server default → 401, server log shows empty domain="" (the documented fail-closed mode from claims_prefix_test.go::TestPrefixedClaims_CustomPrefix/default_prefix_no_fallback).
    5. go-jwks single-issuer — /api/admin returns 200 with domain / service_account / project populated; startup log confirms Private claim prefix: "extra" (SDK default).

Migration impact (for users following these examples)

  • Pair release with sdk-go v0.10.0 and AuthGate Server containing authgate#182. Old AuthGate servers (pre-#182) emit bare domain claims; the new examples won't read them and AccessRule{Domains: ...} will fail closed.
  • New optional env var JWT_PRIVATE_CLAIM_PREFIX — leave unset for the SDK default extra; set it byte-for-byte with the AuthGate server-side value if your deployment overrides the prefix.
  • Claims.Tenant and TokenInfo.Tenant() are gone in v0.10.0. Neither example used them; downstream consumers reading the SDK directly need v, _ := info.Extra("tenant"); s, _ := v.(string).

Test plan

  • cd go-jwks && GOTOOLCHAIN=auto go build ./... && GOTOOLCHAIN=auto go vet ./...
  • cd go-jwks-multi && GOTOOLCHAIN=auto go build ./... && GOTOOLCHAIN=auto go vet ./...
  • Run go-jwks-multi/testissuer + resource server (default prefix), mint ?domain=oa&sa=sync-bot@oa.local&project=admin-tools&scope=email+profile, confirm 200 on /api/profile.
  • Cross-domain: mint from auth-a with ?domain=swrd, confirm 401 with issuer not permitted for this domain server log.
  • Custom-prefix: rerun both ends with JWT_PRIVATE_CLAIM_PREFIX=acme, confirm the same happy-path returns 200; with mismatched values, confirm 401.

🤖 Generated with Claude Code

- Bump go-authgate/sdk-go from v0.9.0 to v0.10.0
- Wire JWT_PRIVATE_CLAIM_PREFIX env var through go-jwks and go-jwks-multi to jwksauth.WithPrivateClaimPrefix
- Update testissuer to mint <prefix>_domain / <prefix>_service_account / <prefix>_project claims (default "extra") and read JWT_PRIVATE_CLAIM_PREFIX
- Refresh README and .env.example to document the new prefix model and the removal of Tenant in favor of Claims.Extras

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
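The prefix contract the PR describes (issuer mints `<prefix>_domain` / `<prefix>_service_account` / `<prefix>_project`, the resource server reads them under the same prefix with no fallback to bare keys, and the AccessRule fails closed on an empty domain) can be modelled end to end in a few dozen lines. The block below is an added, self-contained illustration and is not code from this PR or from sdk-go: `MintPayload`, `ReadAttested`, `AccessRule` and `Authorize` are hypothetical stand-ins for the SDK's real types, the token is a bare JSON payload standing in for an already signature-verified JWT (JWKS fetching and signature checks are the SDK's job and are out of scope), and the issuer/domain/service-account values are the ones from the smoke run above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// DefaultPrefix is the SDK default named in the PR: wire keys become
// extra_domain / extra_project / extra_service_account.
const DefaultPrefix = "extra"

// ClaimKeys holds the three wire-level key names for one prefix.
type ClaimKeys struct {
	Domain, ServiceAccount, Project string
}

// PrefixedKeys derives the three keys once per issuer, as the PR says
// testissuer does; an empty prefix falls back to the SDK default.
func PrefixedKeys(prefix string) ClaimKeys {
	if prefix == "" {
		prefix = DefaultPrefix
	}
	return ClaimKeys{
		Domain:         prefix + "_domain",
		ServiceAccount: prefix + "_service_account",
		Project:        prefix + "_project",
	}
}

// PrefixFromEnv mirrors the env wiring described for both main.go files:
// JWT_PRIVATE_CLAIM_PREFIX unset means the SDK default.
func PrefixFromEnv() string {
	if p := os.Getenv("JWT_PRIVATE_CLAIM_PREFIX"); p != "" {
		return p
	}
	return DefaultPrefix
}

// MintPayload is the issuer side (hypothetical): the /sign query values
// land under the prefixed keys. Only the payload is modelled, not signing.
func MintPayload(issuer, prefix, domain, sa, project string) map[string]any {
	k := PrefixedKeys(prefix)
	return map[string]any{
		"iss":            issuer,
		k.Domain:         domain,
		k.ServiceAccount: sa,
		k.Project:        project,
	}
}

// Attested is what the resource server recovers from a verified payload.
type Attested struct {
	Domain, ServiceAccount, Project string
}

// ReadAttested is the resource-server side. There is deliberately no
// fallback to bare domain/service_account/project keys: a prefix mismatch
// yields empty strings, which the rule below treats as a denial.
func ReadAttested(payload map[string]any, prefix string) Attested {
	k := PrefixedKeys(prefix)
	str := func(key string) string {
		s, _ := payload[key].(string) // absent or non-string -> ""
		return s
	}
	return Attested{str(k.Domain), str(k.ServiceAccount), str(k.Project)}
}

// AccessRule pins each issuer to the domains it may attest (hypothetical
// shape; the real AccessRule type lives in sdk-go).
type AccessRule struct {
	IssuerDomains map[string][]string
}

// Authorize parses an already-verified payload, extracts the prefixed
// claims and applies the rule, returning the HTTP status the examples send.
func Authorize(payload []byte, prefix string, rule AccessRule) (Attested, int, error) {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return Attested{}, 401, fmt.Errorf("malformed payload: %w", err)
	}
	iss, _ := claims["iss"].(string)
	a := ReadAttested(claims, prefix)
	// Empty domain (prefix mismatch) falls through to the same denial the
	// PR reports in its server log: domain="".
	for _, allowed := range rule.IssuerDomains[iss] {
		if a.Domain != "" && allowed == a.Domain {
			return a, 200, nil
		}
	}
	return a, 401, fmt.Errorf("issuer not permitted for this domain: domain=%q", a.Domain)
}

func main() {
	rule := AccessRule{IssuerDomains: map[string][]string{"auth-a": {"oa", "hwrd"}}}
	prefix := PrefixFromEnv()
	fmt.Printf("Private claim prefix: %q\n", prefix)
	tok, _ := json.Marshal(MintPayload("auth-a", prefix, "oa", "sync-bot@oa.local", "admin-tools"))
	a, status, err := Authorize(tok, prefix, rule)
	fmt.Println(status, a, err)
}
```

Running it with `JWT_PRIVATE_CLAIM_PREFIX=acme` on one side only reproduces smoke-test case 4: the resource server sees no `extra_domain` key, the domain stays empty, and the rule denies rather than guessing at bare keys.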
Copilot AI review requested due to automatic review settings May 3, 2026 06:22

Copilot AI left a comment

Pull request overview

Updates the go-jwks/ and go-jwks-multi/ example resource servers to use github.com/go-authgate/sdk-go v0.10.0 and to support the SDK’s new configurable private-claim prefix (JWT_PRIVATE_CLAIM_PREFIX) for reading AuthGate’s server-attested Domain / Project / ServiceAccount claims.

Changes:

  • Bump github.com/go-authgate/sdk-go from v0.9.0 → v0.10.0 in both Go example modules.
  • Thread JWT_PRIVATE_CLAIM_PREFIX from env into the verifier construction via jwksauth.WithPrivateClaimPrefix(...), and log the resolved prefix at startup.
  • Update go-jwks-multi/testissuer to mint prefixed claim keys, and refresh READMEs / .env.example files to document the new model.

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated no comments.

Summary per file:
File Description
go-jwks/main.go Wires JWT_PRIVATE_CLAIM_PREFIX into verifier options and logs the effective prefix.
go-jwks/go.mod Bumps sdk-go dependency to v0.10.0.
go-jwks/go.sum Updates checksums for sdk-go v0.10.0.
go-jwks/README.md Documents prefixed server-attested claims and the new env var behavior.
go-jwks/.env.example Adds JWT_PRIVATE_CLAIM_PREFIX with guidance and examples.
go-jwks-multi/main.go Wires JWT_PRIVATE_CLAIM_PREFIX into multi-verifier options and startup logging.
go-jwks-multi/go.mod Bumps sdk-go dependency to v0.10.0.
go-jwks-multi/go.sum Updates checksums for sdk-go v0.10.0.
go-jwks-multi/README.md Updates docs from “custom claim JSON tags” to the new WithPrivateClaimPrefix model and wire-level keys.
go-jwks-multi/.env.example Adds JWT_PRIVATE_CLAIM_PREFIX documentation for the multi-issuer example.
go-jwks-multi/testissuer/main.go Reads JWT_PRIVATE_CLAIM_PREFIX, precomputes prefixed claim keys, and mints tokens with prefixed claims.
go-jwks-multi/testissuer/README.md Documents that /sign mints <prefix>_* keys and warns about prefix mismatch fail-closed behavior.

- Call godotenv.Load at testissuer startup, mirroring the pattern in go-jwks-multi/main.go, so a single shared go-jwks-multi/.env can drive JWT_PRIVATE_CLAIM_PREFIX (and any future testissuer env vars) on both ends without exporting them per shell.
- Document the .env behaviour in testissuer/README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@appleboy appleboy merged commit 67e61bd into main May 3, 2026
4 checks passed
appleboy added a commit that referenced this pull request May 3, 2026
- Upgrade github.com/go-authgate/sdk-go from v0.7.0 to v0.10.0 in go-cli, go-webservice, and go-m2m
- No source changes required since these examples do not use the Tenant/Domain or prefixed-claim APIs that drove the v0.9 and v0.10 releases
- Aligns the remaining Go examples with go-jwks and go-jwks-multi, which were bumped in #24