Below is the list of JWT claims used in the fleet-manager:

- `email` - email address of the entity for which the token was issued
- `exp` - expiry timestamp of the token (for ocm short living tokens it is 15 minutes counted from the time of issuing of the token (`iat`))
- `first_name` - first name of the entity for which the token was issued
- `iat` - timestamp of issuing of the token
- `iss` - issuer of the token (e.g. https://sso.redhat.com/auth/realms/redhat-external)
- `last_name` - last name of the entity for which the token was issued
- `preferred_username` - preferred username of the entity for which the token was issued. Available in the decoded ocm short living token
- `typ` - type of token, e.g. `Bearer`
- `realm_access`
  - `roles` - list of realm access roles of the entity for which the token was issued (there might be different types of roles, e.g. ocm specific or elevated admin permissions), e.g.
    - `offline_access` - specifies whether offline access to ocm
    - `admin:org:all` - admin permissions within the ocm organisation
    - `fleet-manager-admin-read` - has permissions to list all central clusters across all ocm organisations
    - `fleet-manager-admin-write` - has permissions to list and update all central clusters across all ocm organisations
    - `fleet-manager-admin-full` - has permissions to list, update and delete all central clusters across all ocm organisations
- `account_id` - account id of the entity for which the token was issued. Assigned to central clusters (only displayed by the presenter when invoking the private admin endpoint)
- `is_org_admin` - if set to true, the user with this claim in their token has elevated privileges compared to users with this claim set to false, e.g. they can update and delete centrals not owned by them within the same organisation (having the same `org_id` value)
- `org_id` - organisation ID of the entity for which the token was issued. When a central cluster is created, the `organisation_id` field is populated with `org_id` from the short living ocm token. Central requests are filtered by organisation id (when `org_id` is present in the JWT claims). If a user is an organisation admin (`is_org_admin: true`), central clusters within the same organisation can be deleted or updated by this user even if they are not the owner of these central clusters
NOTE: this section contains references to Red Hat internal components

Token generated by srvc-acct, see example:

- `rh-org-id` - Red Hat organisation id for the given service account
- `rh-user-id` - user id in the service account
- `username` - username of the entity for which the token was issued. Obtained from the short living ocm token used in the HTTP request. The central request owner value is assigned from the `username` value.
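The access rules spelled out above for `realm_access.roles`, `is_org_admin`, `org_id` and `username` can be collected into one deny-by-default decision function. The following Go code is an added example written for this page, not fleet-manager's own implementation; the `Claims` field names, the `Allowed`/`AdminLevel` helpers and the action names are assumptions, and the token is assumed to have been signature-verified before its claims are trusted.

```go
package main

import "fmt"

// Claims holds the subset of claims listed above; field names are assumptions.
type Claims struct {
	Username    string `json:"username"`
	OrgID       string `json:"org_id"`
	IsOrgAdmin  bool   `json:"is_org_admin"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}
// Privilege level granted by each fleet-manager-admin-* realm role, and the
// level each cross-organisation action needs: read < write < full.
var roleLevel = map[string]int{"fleet-manager-admin-read": 1, "fleet-manager-admin-write": 2, "fleet-manager-admin-full": 3}
var actionLevel = map[string]int{"list": 1, "update": 2, "delete": 3}
// AdminLevel returns the highest fleet-manager-admin level in the token (0 if none).
func AdminLevel(c Claims) int {
	level := 0
	for _, r := range c.RealmAccess.Roles {
		if l := roleLevel[r]; l > level {
			level = l
		}
	}
	return level
}
// Allowed decides whether the token holder may perform action on a central whose
// owner (set from username) and organisation_id (set from org_id) are given.
// Admin roles act across organisations; everyone else only inside their own org.
func Allowed(c Claims, action, owner, orgID string) bool {
	need, known := actionLevel[action]
	if !known {
		return false // unknown action: deny by default
	}
	if AdminLevel(c) >= need {
		return true
	}
	if c.OrgID == "" || orgID != c.OrgID {
		return false // central requests are filtered by organisation id
	}
	return action == "list" || owner == c.Username || c.IsOrgAdmin
}

func main() {
	var admin Claims // constructed sample: an organisation admin of org-1
	admin.Username, admin.OrgID, admin.IsOrgAdmin = "alice", "org-1", true
	fmt.Println(Allowed(admin, "delete", "bob", "org-1")) // true: org admin, same org
	fmt.Println(Allowed(admin, "delete", "bob", "org-2")) // false: other organisation
}
```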