Wire Kratos session tokenizer template (todo §3); plainpages JWT (sub/email/roles), 10m TTL, Jsonnet claims mapper reading metadata_admin

2026-06-17 12:02:21 +02:00
parent 0313f48112
commit 95c759d773
5 changed files with 49 additions and 4 deletions
--- a/ory/kratos/kratos.yml
+++ b/ory/kratos/kratos.yml
@@ -1,8 +1,8 @@
 # Ory Kratos — identity & self-service auth. Identity schema (email, name) +
 # password login; recovery & verification run on email codes. Every self-service
 # flow returns the browser to our own themed routes (§4 renders the fields). DSN +
-# prod courier/secrets come from the env. SSO, session tuning, and the JWT
-# tokenizer land in later §3/§4 items.
+# prod courier/secrets come from the env. The session→JWT tokenizer is wired below;
+# its JWKS signing key is generated/mounted by the next §3 item.
 serve:
  public:
    base_url: http://127.0.0.1:4433/
@@ -87,6 +87,18 @@ session:
    name: plainpages_session
    persistent: true # survive browser restarts
    same_site: Lax
+  # Session→JWT tokenizer (§4): whoami(tokenize_as: plainpages) mints a short-lived,
+  # locally-verifiable JWT so the hot path never calls Ory. Claims come from the
+  # committed Jsonnet mapper (sub = identity id, email from traits, roles from the
+  # metadata_admin projection); signed with the JWKS the next §3 item generates/mounts.
+  whoami:
+    tokenizer:
+      templates:
+        plainpages:
+          ttl: 10m
+          subject_source: id
+          claims_mapper_url: file:///etc/config/kratos/tokenizer/plainpages.jsonnet
+          jwks_url: file:///etc/config/kratos/tokenizer/jwks.json

 # Dev throwaways — production supplies real secrets via env (§3). cipher = 32 chars.
 secrets:
--- a/ory/kratos/tokenizer/plainpages.jsonnet
+++ b/ory/kratos/tokenizer/plainpages.jsonnet
@@ -0,0 +1,16 @@
+// Session→JWT claims mapper for the `plainpages` tokenizer (§4). Kratos exposes the
+// session as `session`; `sub` is set from the identity id (subject_source: id) and
+// can't be overridden here. roles come from metadata_admin — the per-login projection
+// of Keto roles the app refreshes at login; absent on a fresh identity ⇒ empty list.
+local session = std.extVar('session');
+local meta =
+  if std.objectHas(session.identity, 'metadata_admin') && session.identity.metadata_admin != null
+  then session.identity.metadata_admin
+  else {};
+
+{
+  claims: {
+    email: session.identity.traits.email,
+    roles: if std.objectHas(meta, 'roles') then meta.roles else [],
+  },
+}