Skip to content

fix: Pass resolved token to OPA policy checks#927

Open
MohidSheraz wants to merge 1 commit into
openstack-experimental:mainfrom
MohidSheraz:fix-715-token-opa-credentials
Open

fix: Pass resolved token to OPA policy checks#927
MohidSheraz wants to merge 1 commit into
openstack-experimental:mainfrom
MohidSheraz:fix-715-token-opa-credentials

Conversation

@MohidSheraz

Copy link
Copy Markdown
Collaborator

Closes #715

This updates token show and revoke policy checks to pass the resolved token response object to OPA instead of the raw FernetToken payload.

The subject token is already validated into a ValidatedSecurityContext. This change builds the resolved token object from that context and uses it as the policy target for:

  • identity/auth/token/show
  • identity/auth/token/revoke

The revoke backend still receives the raw token payload because it needs the internal token data for revocation.

Note: Used CodeX for assistance.

Signed-off-by: Mohid Sheraz <msheraz@andrew.cmu.edu>
@MohidSheraz MohidSheraz force-pushed the fix-715-token-opa-credentials branch from eb021ff to ecbfe35 Compare July 6, 2026 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

The Token which is passed to OPA should represent Credentials

1 participant