Skip to content

feat: allow amr claim to be array of strings or objects#2274

Merged
cemalkilic merged 4 commits intomasterfrom
cemal/feat-loose-amr-claim-check
Dec 17, 2025
Merged

feat: allow amr claim to be array of strings or objects#2274
cemalkilic merged 4 commits intomasterfrom
cemal/feat-loose-amr-claim-check

Conversation

@cemalkilic
Copy link
Contributor

@cemalkilic cemalkilic commented Dec 1, 2025
edited
Loading

Summary

This PR loosens the validation for the amr (Authentication Method Reference) claim in custom access token hooks to accept both array of strings and array of objects, instead of only array of objects.

  • Test Coverage: Added two new test cases:
    • Modify amr to be array of strings - Verifies that amr as an array of strings passes validation
    • Modify amr to be array of objects - Verifies that amr as an array of objects still works (backward compatibility)

Motivation

This change provides more flexibility for custom access token hooks. RFC-8176 requires amr to be array of strings.

Testing

All tests pass, including:

  • Existing custom access token tests
  • New test for amr as array of strings
  • New test for amr as array of objects

Backward Compatibility

Fully backward compatible - The change only adds support for an additional format. Existing hooks that return amr as an array of objects will continue to work without any changes.

@cemalkilic cemalkilic requested a review from a team as a code owner December 1, 2025 06:13
depthfirst-app[bot]
depthfirst-app bot reviewed Dec 1, 2025
View reviewed changes
@coveralls
Copy link

coveralls commented Dec 1, 2025
edited
Loading

Pull Request Test Coverage Report for Build 20258077816

Details

  • 21 of 28 (75.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.009%) to 68.536%
Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/tokens/service.go 21 28 75.0%
Totals Coverage Status
Change from base Build 20136212429: 0.009%
Covered Lines: 14703
Relevant Lines: 21453
💛 - Coveralls

@cemalkilic cemalkilic force-pushed the cemal/feat-loose-amr-claim-check branch from 8ffca8c to b4cb5fb Compare December 11, 2025 04:52
@cemalkilic cemalkilic mentioned this pull request Dec 17, 2025
Merged
6 tasks
@cemalkilic cemalkilic merged commit 607da43 into master Dec 17, 2025
6 checks passed
@cemalkilic cemalkilic deleted the cemal/feat-loose-amr-claim-check branch December 17, 2025 15:18
@github-actions github-actions bot mentioned this pull request Dec 11, 2025
Merged
hf added a commit that referenced this pull request Jan 12, 2026
@hf
Revert "feat: allow amr claim to be array of strings or objects (#2274)"
2dbfec9 
This reverts commit 607da43.
@hf hf mentioned this pull request Jan 12, 2026
Merged
cemalkilic pushed a commit that referenced this pull request Jan 12, 2026
@hf @depthfirst-app
feat: reset main branch to 2.185.0 (#2325)
b9d0500 
Resets the main branch (`master`) to have the same changeset as 2.184.0
but under 2.185.0.

Original release please notes:


### Features

* Add Sb-Forwarded-For header and IP-based rate limiting
([#2295](#2295))
([e8f679b](e8f679b))
* allow amr claim to be array of strings or objects
([#2274](#2274))
([607da43](607da43))
* Treat rate limit header value as comma-separated list
([#2282](#2282))
([5f2e279](5f2e279))


### Bug Fixes

* check each type independently
([#2290](#2290))
([d9de0af](d9de0af))
* fix the wrong error return value
([#1950](#1950))
([e2dfb5d](e2dfb5d))
* **indexworker:** remove pg_trgm extension
([#2301](#2301))
([c553b10](c553b10))
* **oauth-server:** allow custom URI schemes in client redirect URIs
([#2298](#2298))
([ea72f57](ea72f57))
* tighten email validation rules
([#2304](#2304))
([33bb372](33bb372))

---------

Co-authored-by: depthfirst-app[bot] <184448029+depthfirst-app[bot]@users.noreply.github.com>
cemalkilic pushed a commit that referenced this pull request Jan 12, 2026
@github-actions
chore(master): release 2.185.0 (#2287)
711763c 
🤖 I have created a release *beep* *boop*
---


##
[2.185.0](v2.184.0...v2.185.0)
(2026-01-12)


### Features

* Add Sb-Forwarded-For header and IP-based rate limiting
([#2295](#2295))
([e8f679b](e8f679b))
* allow amr claim to be array of strings or objects
([#2274](#2274))
([607da43](607da43))
* reset main branch to 2.185.0
([#2325](#2325))
([b9d0500](b9d0500))
* Treat rate limit header value as comma-separated list
([#2282](#2282))
([5f2e279](5f2e279))


### Bug Fixes

* additional provider and issuer checks
([#2326](#2326))
([cb79a74](cb79a74))
* check each type independently
([#2290](#2290))
([d9de0af](d9de0af))
* fix the wrong error return value
([#1950](#1950))
([e2dfb5d](e2dfb5d))
* **indexworker:** remove pg_trgm extension
([#2301](#2301))
([c553b10](c553b10))
* **oauth-server:** allow custom URI schemes in client redirect URIs
([#2298](#2298))
([ea72f57](ea72f57))
* tighten email validation rules
([#2304](#2304))
([33bb372](33bb372))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Bewinxed pushed a commit that referenced this pull request Jan 19, 2026
@cemalkilic
feat: allow amr claim to be array of strings or objects (#2274)
77d4d24 
## Summary

This PR loosens the validation for the `amr` (Authentication Method
Reference) claim in custom access token hooks to accept both array of
strings and array of objects, instead of only array of objects.

- **Test Coverage**: Added two new test cases:
- Modify amr to be array of strings - Verifies that `amr` as an array of
strings passes validation
- Modify amr to be array of objects - Verifies that `amr` as an array of
objects still works (backward compatibility)

## Motivation

This change provides more flexibility for custom access token hooks.
[RFC-8176
](https://www.rfc-editor.org/rfc/rfc8176.html#section-1)requires `amr`
to be array of strings.

## Testing

All tests pass, including:
- Existing custom access token tests
- New test for `amr` as array of strings
- New test for `amr` as array of objects

## Backward Compatibility

**Fully backward compatible** - The change only adds support for an
additional format. Existing hooks that return `amr` as an array of
objects will continue to work without any changes.
@cemalkilic cemalkilic mentioned this pull request Jan 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@depthfirst-app depthfirst-app[bot] depthfirst-app[bot] left review comments

@hf hf hf approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cemalkilic @coveralls @hf