Skip to content

fix(cli): prefer user/api audience for mixed-aud JWTs#2828

Open
SergioChan wants to merge 1 commit intochainloop-dev:mainfrom
SergioChan:fix-2812-token-audience-priority
Open

fix(cli): prefer user/api audience for mixed-aud JWTs#2828
SergioChan wants to merge 1 commit intochainloop-dev:mainfrom
SergioChan:fix-2812-token-audience-priority

Conversation

@SergioChan
Copy link

@SergioChan SergioChan commented Mar 9, 2026

Summary

  • handle JWT aud claims as an ordered set instead of trusting the first item in an array
  • prioritize api-token-auth.chainloop and user-auth.chainloop ahead of generic chainloop when multiple audiences are present
  • add a regression test for mixed-audience user tokens (["chainloop", "user-auth.chainloop"]) so user identity is selected instead of issuer fallback

Testing

  • go test ./app/cli/internal/token

Related

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 9, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

@SergioChan SergioChan force-pushed the fix-2812-token-audience-priority branch from b3a0ca9 to 5885882 Compare March 9, 2026 20:26
@SergioChan
Copy link
Author

SergioChan commented Mar 9, 2026

Thanks for the checks — I force-pushed an amended commit with DCO sign-off so the DCO status should now pass.

No functional code changes were introduced in this push.

@migmartri
Copy link
Member

migmartri commented Mar 12, 2026

Thanks for the contribution

Could you elaborate on what was the root cause of the problem?

Thanks

@SergioChan
Copy link
Author

SergioChan commented Mar 12, 2026

Thanks for the detailed review feedback 鈥?I鈥檓 working through the requested updates and will post a focused patch (or direct answers) shortly.

1 similar comment
@SergioChan
Copy link
Author

SergioChan commented Mar 12, 2026

Thanks for the detailed review feedback 鈥?I鈥檓 working through the requested updates and will post a focused patch (or direct answers) shortly.

@SergioChan
Copy link
Author

SergioChan commented Mar 12, 2026

Thanks for asking — root cause was in the CLI audience selection logic, not tmux itself.

Before this patch, we effectively trusted the first value when aud was an array. For affected user tokens the audience list can be mixed, e.g. ["chainloop", "user-auth.chainloop"], where the generic chainloop value may appear before the specific auth audience.

That caused the CLI to classify the token via the generic audience path and then fall back to issuer resolution (cp.chainloop), which is where the issuer not found: cp.chainloop error came from.

The fix changes audience handling to treat aud as a set and apply explicit priority (api-token-auth.chainloop / user-auth.chainloop before generic chainloop) so mixed-audience user tokens are classified correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@matiasinsaurralde matiasinsaurralde Awaiting requested review from matiasinsaurralde

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ERR failed to load issuer: authorization error: issuer not found: cp.chainloop

2 participants

@SergioChan @migmartri