[SSO] Thread JWT groups and add sync diff logic#36308
Open
mtabebe wants to merge 1 commit intoMaterializeInc:mainfrom
Conversation
Thread JWT group claims through the auth pipeline and add the core sync diff function:
- Add groups: Option<Vec<String>> to User, SessionConfig, ValidatedClaims, and AuthedUser so JWT group claims extracted during OIDC auth are available in handle_startup_inner. OIDC paths extract groups from ValidatedClaims; all non-OIDC paths pass groups: None.
- Add sync_jwt_groups_diff function that computes Op::GrantRole and Op::RevokeRole operations by diffing current role memberships against JWT group claims. Only manages memberships granted by MZ_JWT_SYNC_ROLE_ID — manually-granted roles are never touched.
- No behavioral change yet as nothing calls the sync function.
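The following is an added, self-contained illustration of the diff rule the description states (grant target roles the member lacks; revoke only memberships whose grantor is the sync role; never touch manually granted roles). It is not Materialize's code: `RoleId`, `Op` and `MZ_JWT_SYNC_ROLE_ID` are stand-in definitions that borrow the names from this PR, `resolve_group_names` is a hypothetical caller-side helper showing one way to get from JWT group strings to `RoleId`s (lowercasing names and dropping groups with no matching role), and all sample memberships are constructed here.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Stand-in for Materialize's role identifier (assumption, not the project's type).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct RoleId(pub u64);

/// Stand-in for the grantor id the PR calls MZ_JWT_SYNC_ROLE_ID (value is constructed).
pub const MZ_JWT_SYNC_ROLE_ID: RoleId = RoleId(0);

/// Stand-in for the catalog ops the diff produces (assumption about field names).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Op {
    GrantRole { role_id: RoleId, member_id: RoleId, grantor_id: RoleId },
    RevokeRole { role_id: RoleId, member_id: RoleId, grantor_id: RoleId },
}

/// Hypothetical caller-side step: map JWT group names to role ids.
/// Names are compared case-insensitively (lowercased); groups with no
/// matching role are ignored rather than treated as an error.
pub fn resolve_group_names(
    groups: &[String],
    roles_by_name: &BTreeMap<String, RoleId>,
) -> BTreeSet<RoleId> {
    groups
        .iter()
        .filter_map(|g| roles_by_name.get(&g.to_lowercase()).copied())
        .collect()
}

/// Diff current memberships (role_id -> grantor_id) against the roles the
/// JWT groups resolve to. Grants are issued with the sync role as grantor;
/// revokes are issued only for rows the sync role granted earlier, so a
/// role a human granted by hand is left alone even if it is not in the JWT.
pub fn compute_group_sync_diff(
    member_id: RoleId,
    current_membership: &BTreeMap<RoleId, RoleId>,
    target_role_ids: &BTreeSet<RoleId>,
) -> Vec<Op> {
    let mut ops = Vec::new();

    // Grant: target roles the member does not hold through any grantor.
    // A manually granted role that is also in the JWT needs no new grant.
    for &role_id in target_role_ids {
        if !current_membership.contains_key(&role_id) {
            ops.push(Op::GrantRole { role_id, member_id, grantor_id: MZ_JWT_SYNC_ROLE_ID });
        }
    }

    // Revoke: sync-granted memberships that the JWT no longer lists.
    for (&role_id, &grantor_id) in current_membership {
        if grantor_id == MZ_JWT_SYNC_ROLE_ID && !target_role_ids.contains(&role_id) {
            ops.push(Op::RevokeRole { role_id, member_id, grantor_id });
        }
    }

    ops
}

fn main() {
    // Constructed sample: role 1 was sync-granted and still present in the JWT,
    // role 2 was sync-granted but dropped from the JWT, role 9 was granted by
    // hand (grantor 7) and must never be revoked, role 3 is new in the JWT.
    let mut roles_by_name = BTreeMap::new();
    roles_by_name.insert("admins".to_string(), RoleId(1));
    roles_by_name.insert("analysts".to_string(), RoleId(2));
    roles_by_name.insert("devs".to_string(), RoleId(3));
    roles_by_name.insert("oncall".to_string(), RoleId(9));

    let jwt_groups = vec!["Admins".to_string(), "DEVS".to_string(), "oncall".to_string()];
    let targets = resolve_group_names(&jwt_groups, &roles_by_name);

    let mut current = BTreeMap::new();
    current.insert(RoleId(1), MZ_JWT_SYNC_ROLE_ID);
    current.insert(RoleId(2), MZ_JWT_SYNC_ROLE_ID);
    current.insert(RoleId(9), RoleId(7));

    for op in compute_group_sync_diff(RoleId(42), &current, &targets) {
        println!("{:?}", op);
    }
}
```

Running `main` prints one grant (role 3) and one revoke (role 2); role 9 is untouched because its grantor is not the sync role, and role 1 is untouched because it is still in the JWT.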
2d9e694 to d312c26
SangJunBak reviewed Apr 30, 2026
| /// - `member_id`: The user's role ID. | ||
| /// - `current_membership`: The user's current `RoleMembership.map` | ||
| /// (role_id → grantor_id). | ||
| /// - `target_role_ids`: Role IDs resolved from the JWT group names. |
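Review bot: the doc for `current_membership` should say which entries the function will act on. The PR description states that only memberships granted by MZ_JWT_SYNC_ROLE_ID are managed and manually granted roles are never touched, but the line `/// (role_id → grantor_id)` does not mention that only rows whose grantor_id is MZ_JWT_SYNC_ROLE_ID are candidates for Op::RevokeRole; stating that here prevents a future caller from expecting the diff to clean up hand-granted roles.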
Contributor
Might be worth adding that `target_role_ids` will be lowercase.
SangJunBak reviewed Apr 30, 2026
| pub fn compute_group_sync_diff( | ||
| member_id: RoleId, | ||
| current_membership: &BTreeMap<RoleId, RoleId>, | ||
| target_role_ids: &BTreeSet<RoleId>, |
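Review bot: the function here is `compute_group_sync_diff`, while the PR description calls it `sync_jwt_groups_diff`; align one with the other so the description matches the code. Since `target_role_ids: &BTreeSet<RoleId>` puts the String-to-RoleId resolution on the caller, and nothing calls this yet, the doc comment should also say what the caller is expected to do with a JWT group that has no matching role (drop it or fail) so the eventual call site does not silently grant or revoke the wrong set.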
Contributor
One part that's confusing to me is how we'll get from String to RoleId.
Contributor
Like, will we just have to search the current membership for roles that match the strings in groups outside of this function?
SangJunBak approved these changes Apr 30, 2026
Contributor
SangJunBak left a comment
I did have a comment but I think the function and code make sense!
SQL-179 and SQL-180