larvit/plainpages
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Login completion (todo §4); /auth/complete: roles from Keto → metadata_public projection → tokenize → plainpages_jwt cookie; fix tokenizer projection metadata_admin→metadata_public (whoami strips admin metadata)

Browse Source
This commit is contained in:
Lilleman auf Larv
2026-06-17 23:15:28 +02:00
parent 26a7821611
commit 38157605d0
13 changed files with 288 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ory/kratos/kratos.yml
View File

@@ -36,6 +36,10 @@ selfservice:
ui_url: http://127.0.0.1:3000/error
login:
ui_url: http://127.0.0.1:3000/login
after:
# After authenticating, land on our completion route — it mints the session JWT
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie (§4).
default_browser_return_url: http://127.0.0.1:3000/auth/complete
registration:
ui_url: http://127.0.0.1:3000/registration
after:
@@ -88,7 +92,7 @@ session:
# Session→JWT tokenizer (§4): whoami(tokenize_as: plainpages) mints a short-lived,
# locally-verifiable JWT so the hot path never calls Ory. Claims come from the
# committed Jsonnet mapper (sub = identity id, email from traits, roles from the
# metadata_admin projection); signed with tokenizer/jwks.json.
# metadata_public projection); signed with tokenizer/jwks.json.
whoami:
tokenizer:
templates:

9
ory/kratos/tokenizer/plainpages.jsonnet
View File

@@ -1,11 +1,12 @@
// Session→JWT claims mapper for the `plainpages` tokenizer (§4). Kratos exposes the
// session as `session`; `sub` is set from the identity id (subject_source: id) and
// can't be overridden here. roles come from metadata_admin — the per-login projection
// of Keto roles the app refreshes at login; absent on a fresh identity ⇒ empty list.
// can't be overridden here. roles come from metadata_public — the per-login projection
// of Keto roles the app refreshes at login (metadata_admin is NOT carried in the session
// the tokenizer sees; metadata_public is). Absent on a fresh identity ⇒ empty list.
local session = std.extVar('session');
local meta =
if std.objectHas(session.identity, 'metadata_admin') && session.identity.metadata_admin != null
then session.identity.metadata_admin
if std.objectHas(session.identity, 'metadata_public') && session.identity.metadata_public != null
then session.identity.metadata_public
else {};
{