Skip to content

Fix JWT subject when issuing tokens via the for field #9207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
begelundmuller wants to merge 5 commits into
base: main
Choose a base branch
from
+46 −5
Open

Fix JWT subject when issuing tokens via the for field #9207

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7e32e23
Fix JWT subject when issuing tokens via the 'for' field
begelundmuller Apr 9, 2026
b8c8f73
Small thing
begelundmuller Apr 9, 2026
fc3d11e
Review
begelundmuller Apr 9, 2026
12f4ba7
nit
begelundmuller Apr 9, 2026
5593ed0
Fix
begelundmuller Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 43 additions & 4 deletions admin/server/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package server
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"errors"
"fmt"
Expand Down Expand Up @@ -182,11 +183,13 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe
}
}

var subject string
var attr map[string]any
var restrictResources bool
var resources []database.ResourceName
if req.For == nil {
if claims.OwnerType() == auth.OwnerTypeUser {
subject = claims.OwnerID()
attr, err = s.jwtAttributesForUser(ctx, claims.OwnerID(), proj.OrganizationID, permissions)
if err != nil {
return nil, err
Expand All @@ -197,6 +200,8 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe
}
} else if claims.OwnerType() == auth.OwnerTypeService {
attr = map[string]any{"admin": true}
// NOTE: Intentionally leaving the `subject` empty out of caution.
// Some users use service accounts for generating JWTs for end users without passing req.For, and we don't want to accidentally pass a shared subject ID across those users (which could leak e.g. AI chats).
}
} else {
if depl.Environment == "prod" && !permissions.ManageProd {
Expand All @@ -209,17 +214,24 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe

switch forVal := req.For.(type) {
case *adminv1.GetDeploymentRequest_UserId:
subject = forVal.UserId
attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, forVal.UserId, "")
if err != nil {
return nil, err
}
case *adminv1.GetDeploymentRequest_UserEmail:
subject = safeHash(forVal.UserEmail)
attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, "", forVal.UserEmail)
if err != nil {
return nil, err
}
case *adminv1.GetDeploymentRequest_Attributes:
attr = forVal.Attributes.AsMap()

// Use the "id" field as the subject if it exists and is a string.
if id, ok := attr["id"].(string); ok && id != "" {
subject = safeHash(id)
}
default:
return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
}
Expand Down Expand Up @@ -262,7 +274,7 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe
// Generate JWT
jwt, err := s.issuer.NewToken(runtimeauth.TokenOptions{
AudienceURL: depl.RuntimeAudience,
Subject: claims.OwnerID(),
Subject: subject,
TTL: ttlDuration,
InstancePermissions: map[string][]runtime.Permission{
depl.RuntimeInstanceID: instancePermissions,
Expand Down Expand Up @@ -575,11 +587,13 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
return nil, status.Error(codes.PermissionDenied, "does not have permission to manage deployment")
}

var subject string
var attr map[string]any
var restrictResources bool
var resources []database.ResourceName
if req.For == nil {
if claims.OwnerType() == auth.OwnerTypeUser {
subject = claims.OwnerID()
attr, err = s.jwtAttributesForUser(ctx, claims.OwnerID(), proj.OrganizationID, permissions)
if err != nil {
return nil, err
Expand All @@ -589,21 +603,29 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
return nil, err
}
}
// NOTE: Intentionally leaving the `subject` empty in other cases out of caution.
// Some users use service accounts for generating JWTs for end users without passing req.For, and we don't want to accidentally pass a shared subject ID across those users (which could leak e.g. AI chats).
} else {
switch forVal := req.For.(type) {
case *adminv1.GetDeploymentCredentialsRequest_UserId:
subject = forVal.UserId
attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, forVal.UserId, "")
if err != nil {
return nil, err
}

case *adminv1.GetDeploymentCredentialsRequest_UserEmail:
subject = safeHash(forVal.UserEmail)
Copy link
Copy Markdown
Member

@pjain1 pjain1 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the email is a Rill user then s.getAttributesForUser return the actual userId, can that be returned here from s.getAttributesAndResourceRestrictionsForUser and used?

Copy link
Copy Markdown
Contributor Author

@begelundmuller begelundmuller Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Heh, yeah I also did that first, but realized that this could cause the resolved ID to change later if the user initially is not a Rill user, but then later signs up for Rill (maybe for a different reason/account entirely). So thought it was safer just to hash so it stays stable in any circumstance.

attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, "", forVal.UserEmail)
if err != nil {
return nil, err
}
case *adminv1.GetDeploymentCredentialsRequest_Attributes:
attr = forVal.Attributes.AsMap()

// Use the "id" field as the subject if it exists and is a string.
if id, ok := attr["id"].(string); ok && id != "" {
subject = safeHash(id)
}
default:
return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
}
Expand All @@ -620,7 +642,7 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
// Generate JWT
jwt, err := s.issuer.NewToken(runtimeauth.TokenOptions{
AudienceURL: prodDepl.RuntimeAudience,
Subject: claims.OwnerID(),
Subject: subject,
TTL: ttlDuration,
InstancePermissions: map[string][]runtime.Permission{
prodDepl.RuntimeInstanceID: {
Expand Down Expand Up @@ -690,11 +712,13 @@ func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (
}

// Get user attributes to pass in the JWT
var subject string
var attr map[string]any
var restrictResources bool
var resources []database.ResourceName
if req.For == nil {
if claims.OwnerType() == auth.OwnerTypeUser {
subject = claims.OwnerID()
attr, err = s.jwtAttributesForUser(ctx, claims.OwnerID(), proj.OrganizationID, permissions)
if err != nil {
return nil, err
Expand All @@ -704,20 +728,29 @@ func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (
return nil, err
}
}
// NOTE: Intentionally leaving the `subject` empty in other cases out of caution.
// Some users use service accounts for generating JWTs for end users without passing req.For, and we don't want to accidentally pass a shared subject ID across those users (which could leak e.g. AI chats).
} else {
switch forVal := req.For.(type) {
case *adminv1.GetIFrameRequest_UserId:
subject = forVal.UserId
attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, forVal.UserId, "")
if err != nil {
return nil, err
}
case *adminv1.GetIFrameRequest_UserEmail:
subject = safeHash(forVal.UserEmail)
attr, restrictResources, resources, err = s.getAttributesAndResourceRestrictionsForUser(ctx, proj.OrganizationID, proj.ID, "", forVal.UserEmail)
if err != nil {
return nil, err
}
case *adminv1.GetIFrameRequest_Attributes:
attr = forVal.Attributes.AsMap()

// Use the "id" field as the subject if it exists and is a string.
if id, ok := attr["id"].(string); ok && id != "" {
subject = safeHash(id)
}
default:
return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
}
Expand Down Expand Up @@ -768,7 +801,7 @@ func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (
// Generate JWT
jwt, err := s.issuer.NewToken(runtimeauth.TokenOptions{
AudienceURL: prodDepl.RuntimeAudience,
Subject: claims.OwnerID(),
Subject: subject,
TTL: ttlDuration,
InstancePermissions: map[string][]runtime.Permission{
prodDepl.RuntimeInstanceID: {
Expand Down Expand Up @@ -1031,3 +1064,9 @@ func (s *Server) getAttributesForUser(ctx context.Context, orgID, projID, userID

return attr, userID, forProjPerms.ReadProd, nil
}

// safeHash returns a hex hash of the input string.
func safeHash(s string) string {
h := sha256.Sum256([]byte(s))
return hex.EncodeToString(h[:])
}
4 changes: 3 additions & 1 deletion runtime/server/auth/claims.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,9 @@ func (c *jwtClaims) Claims(instanceID string) *runtime.SecurityClaims {
if attrs == nil {
attrs = make(map[string]any)
}
attrs["id"] = c.RegisteredClaims.Subject
if _, ok := attrs["id"]; !ok {
attrs["id"] = c.RegisteredClaims.Subject
}

var permissions []runtime.Permission
permissions = append(permissions, c.System...)
Expand Down
Loading