lmccay commented on code in PR #1257:
URL: https://github.com/apache/knox/pull/1257#discussion_r3398925209
##########
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenUtils.java:
##########
@@ -114,4 +118,143 @@ private static boolean useHMAC(char[] hmacSecret, String
signingKeystoreName) {
return hmacSecret != null && StringUtils.isBlank(signingKeystoreName);
}
+ /**
+ * Extract the actor chain from an RFC 8693 'act' claim in a JWT token.
+ *
+ * <p>The 'act' claim in RFC 8693 represents a delegation chain where each
actor
+ * delegated authority to the next. The claim is structured as a nested JSON
object,
+ * where each level contains identity claims (such as 'sub' and 'iss') and
potentially
+ * another nested 'act' claim.</p>
+ *
+ * <p>According to RFC 8693 Section 4.1, the 'act' claim contains identity
claims that
+ * identify the actor. Common identity claims include:</p>
+ * <ul>
+ * <li>'sub' - the subject/identity of the actor</li>
+ * <li>'iss' - the issuer of the actor's identity</li>
+ * </ul>
+ *
+ * <p>Non-identity claims (e.g., 'exp', 'nbf', 'aud') are not relevant to
the validity
+ * of the containing JWT and should not be used within 'act' claims.</p>
+ *
+ * <p>Example JWT 'act' claim structure:</p>
+ * <pre>
+ * {
+ * "sub": "service-a",
+ * "iss": "https://issuer.example.com",
+ * "act": {
+ * "sub": "service-b",
+ * "act": {
+ * "sub": "service-c"
+ * }
+ * }
+ * }
+ * </pre>
+ *
+ * <p>This method flattens this nested structure into a list ordered from
most recent
+ * actor (service-a) to oldest (service-c).</p>
+ *
+ * @param token The JWT token to extract the actor chain from
+ * @return A list of actor claim maps, ordered from most recent to oldest;
empty list if no 'act' claim exists
+ */
+ @SuppressWarnings("unchecked")
+ public static List<Map<String, Object>> extractActorChain(JWT token) {
+ if (token == null) {
+ return Collections.emptyList();
+ }
+
+ Object actClaim = token.getClaimAsObject(JWTToken.ACT_CLAIM);
+ if (actClaim == null) {
+ return Collections.emptyList();
+ }
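Review bot: the ordering described in the Javadoc ("from most recent actor (service-a) to oldest (service-c)") does not match RFC 8693 for the example shown. In that example the top-level "sub" (service-a) is the token's subject, the party whose authority was delegated, not an actor; per RFC 8693 Section 4.1 the outermost 'act' (service-b) is the current actor and the nested 'act' (service-c) a prior actor, with the least recent actor being the most deeply nested. Suggest either trimming the example to the 'act' claim alone, as its heading says, or rewording to "ordered from the current actor (service-b) to the earliest actor (service-c)", and making the @return line explicit that element 0 is the outermost 'act' so callers know which entry to authorize against.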
Review Comment:
Got it. I like the previous readability better but this is fine too.
--
This is an automated message from the Apache Git Service.