feat: add support for exchanging session to JWT in Kratos

ewelinagr · ewelinagr · commit f3f3a5dc6617 · 2025-08-12T10:01:41.000+02:00
diff --git a/charts/management-portal/templates/secrets-keystore.yaml b/charts/management-portal/templates/secrets-keystore.yaml
@@ -10,3 +10,4 @@ metadata:
 type: Opaque
 data:
   keystore.p12: {{ .Values.keystore }}
+  public-jwks.json: {{ .Values.public_jwks }}
diff --git a/charts/management-portal/values.yaml b/charts/management-portal/values.yaml
@@ -277,6 +277,12 @@ keystore: ""
 # or with SOPS
 #   keystore: {{ exec "sops" (list "-d" "keystore.p12") | b64enc | quote }}
 
+# The public keys used for JWT signing in radar-kratos
+public_jwks: ""
+# With helmfile, this can be set in a production.yaml.gotmpl
+# file by setting
+#  public_jwks: {{ readFile "../etc/management-portal/public-kratos-jwks.json" | b64enc | quote }}
+
 # Configuration of the Postgres database to store data from Management Portal
 postgres:
   # -- host name of the postgres db
diff --git a/charts/radar-hydra/README.md b/charts/radar-hydra/README.md
@@ -49,7 +49,7 @@ Consult the [documentation](https://artifacthub.io/packages/helm/ory/hydra) of t
 | oauth_clients[0].grantTypes[1] | string | `"refresh_token"` |  |
 | oauth_clients[0].responseTypes[0] | string | `"code"` |  |
 | oauth_clients[0].responseTypes[1] | string | `"id_token"` |  |
-| oauth_clients[0].scope | string | `"SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE"` |  |
+| oauth_clients[0].scope | string | `"SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE OAUTHCLIENTS.READ OAUTHCLIENTS.CREATE OAUTHCLIENTS.UPDATE"` |  |
 | oauth_clients[0].audience[0] | string | `"res_ManagementPortal"` |  |
 | oauth_clients[0].allowed_cors_origins[0] | string | `"http://localhost:3000"` |  |
 | oauth_clients[0].skip_consent | bool | `true` |  |
diff --git a/charts/radar-hydra/values.yaml b/charts/radar-hydra/values.yaml
@@ -98,7 +98,7 @@ oauth_clients:
     responseTypes:
       - code
       - id_token
-    scope: SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE
+    scope: SOURCEDATA.CREATE SOURCETYPE.UPDATE SOURCETYPE.DELETE AUTHORITY.UPDATE MEASUREMENT.DELETE PROJECT.READ AUDIT.CREATE USER.DELETE AUTHORITY.DELETE SUBJECT.DELETE MEASUREMENT.UPDATE SOURCEDATA.UPDATE SUBJECT.READ USER.UPDATE SOURCETYPE.CREATE AUTHORITY.READ USER.CREATE SOURCE.CREATE SOURCE.READ SUBJECT.CREATE ROLE.UPDATE ROLE.READ MEASUREMENT.READ PROJECT.UPDATE PROJECT.DELETE ROLE.DELETE SOURCE.DELETE SOURCETYPE.READ ROLE.CREATE SOURCEDATA.DELETE SUBJECT.UPDATE SOURCE.UPDATE PROJECT.CREATE AUDIT.READ MEASUREMENT.CREATE AUDIT.DELETE AUDIT.UPDATE AUTHORITY.CREATE USER.READ SOURCEDATA.READ ORGANIZATION.READ ORGANIZATION.CREATE ORGANIZATION.UPDATE OAUTHCLIENTS.READ OAUTHCLIENTS.CREATE OAUTHCLIENTS.UPDATE
     audience:
       - res_ManagementPortal
     allowed_cors_origins:
diff --git a/charts/radar-kratos/README.md b/charts/radar-kratos/README.md
@@ -45,3 +45,7 @@ Consult the [documentation](https://artifacthub.io/packages/helm/ory/kratos) of
 | kratos.advertised_protocol | string | `"https"` | Protocol for the Kratos service (allowed values: http, https) |
 | kratos.kratos.automigration | object | `{"enabled":true}` | Enables database migration |
 | kratos.kratos.identitySchemas | object | `{"identity.schema.admin.json":"{\n  \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n  \"$id\": \"admin\",\n  \"title\": \"admin\",\n  \"type\": \"object\",\n  \"properties\": {\n    \"traits\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"email\": {\n          \"type\": \"string\",\n          \"format\": \"email\",\n          \"title\": \"E-Mail\",\n          \"minLength\": 5,\n          \"ory.sh/kratos\": {\n            \"credentials\": {\n              \"password\": {\n                \"identifier\": true\n              },\n              \"totp\": {\n                \"account_name\": true\n              }\n            },\n            \"verification\": {\n              \"via\": \"email\"\n            },\n            \"recovery\": {\n              \"via\": \"email\"\n            }\n          }\n        }\n      },\n      \"required\": [\"email\"]\n    }\n  },\n  \"additionalProperties\": false\n}\n","identity.schema.researcher.json":"{\n  \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n  \"$id\": \"user\",\n  \"title\": \"user\",\n  \"type\": \"object\",\n  \"properties\": {\n    \"traits\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"email\": {\n          \"type\": \"string\",\n          \"format\": \"email\",\n          \"title\": \"E-Mail\",\n          \"minLength\": 5,\n          \"ory.sh/kratos\": {\n            \"credentials\": {\n              \"password\": {\n                \"identifier\": true\n              },\n              \"totp\": {\n                \"account_name\": true\n              }\n            },\n            \"verification\": {\n              \"via\": \"email\"\n            },\n            \"recovery\": {\n              \"via\": \"email\"\n            }\n          }\n        }\n      },\n      \"required\": [\"email\"]\n    }\n  },\n  \"additionalProperties\": false\n}\n","identity.schema.subject.json":"{\n  \"$schema\": \"http://json-schema.org/draft-07/schema#\",\n  \"$id\": \"subject\",\n  \"title\": \"subject\",\n  \"type\": \"object\",\n  \"properties\": {\n    \"traits\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"email\": {\n          \"type\": \"string\",\n          \"format\": \"email\",\n          \"title\": \"E-Mail\",\n          \"minLength\": 5,\n          \"ory.sh/kratos\": {\n            \"credentials\": {\n              \"password\": {\n                \"identifier\": true\n              },\n              \"totp\": {\n                \"account_name\": true\n              }\n            },\n            \"verification\": {\n              \"via\": \"email\"\n            },\n            \"recovery\": {\n              \"via\": \"email\"\n            }\n          }\n        }\n      },\n      \"required\": [\"email\"]\n    }\n  },\n  \"additionalProperties\": false\n}\n"}` | You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument. |
+| kratos.kratos.config.session.whoami.tokenizer | object | `{"enabled":true,"templates":{"mp_jwt_template":{"claims_mapper_url":"file:///etc/kratos/claims-mapper.jsonnet","jwks_url":"file:///etc/kratos/jwks.json","ttl":"1h"}}}` | Session-to-JWT token exchange configuration This enables Kratos to convert session tokens to JWT tokens for ManagementPortal integration |
+| kratos.kratos.config.session.whoami.tokenizer.templates.mp_jwt_template.ttl | string | `"1h"` | JWT token time-to-live |
+| kratos.kratos.config.session.whoami.tokenizer.templates.mp_jwt_template.claims_mapper_url | string | `"file:///etc/kratos/claims-mapper.jsonnet"` | JWT claims mapper URL pointing to JsonNet template |
+| keystore | string | `""` | Keystore for JWT signing |
diff --git a/charts/radar-kratos/templates/configmap-claims-mapper.yaml b/charts/radar-kratos/templates/configmap-claims-mapper.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "common.names.fullname" . }}-claims-mapper
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  claims-mapper.jsonnet: |
+    local claims = std.extVar("claims");
+    local session = std.extVar("session");
+
+    {
+      claims: {
+        // Standard JWT claims
+        iss: claims.iss,
+        sub: claims.sub,
+        exp: claims.exp,
+        jti: claims.jti,
+        sid: claims.sid,
+        nbf: claims.nbf,
+        iat: claims.iat,
+        aud: "res_ManagementPortal",
+
+        // Custom claims
+        authorities: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "authorities") &&
+          session.identity.metadata_public.authorities != null
+          then session.identity.metadata_public.authorities
+          else [],
+
+        roles: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "roles") &&
+          session.identity.metadata_public.roles != null
+          then session.identity.metadata_public.roles
+          else [],
+
+        scope: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "scope") &&
+          session.identity.metadata_public.scope != null
+          then std.join(" ", session.identity.metadata_public.scope)
+          else "",
+
+        sources: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "sources") &&
+          session.identity.metadata_public.sources != null
+          then session.identity.metadata_public.sources
+          else [],
+
+        grant_type: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "grant_type") &&
+          session.identity.metadata_public.grant_type != null
+          then session.identity.metadata_public.grant_type
+          else "password",
+
+        client_id: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "client_id") &&
+          session.identity.metadata_public.client_id != null
+          then session.identity.metadata_public.client_id
+          else "",
+
+        user_name: if std.objectHas(session.identity, "metadata_public") &&
+          std.objectHas(session.identity.metadata_public, "mp_login") &&
+          session.identity.metadata_public.mp_login != null
+          then session.identity.metadata_public.mp_login
+          else if std.objectHas(session.identity.traits, "email")
+          then session.identity.traits.email
+          else ""
+      }
+    }
diff --git a/charts/radar-kratos/templates/secrets-keystore.yaml b/charts/radar-kratos/templates/secrets-keystore.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "common.names.fullname" . }}-keystore
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  jwks.json: {{ .Values.keystore }}
diff --git a/charts/radar-kratos/values.yaml b/charts/radar-kratos/values.yaml
@@ -172,6 +172,19 @@ kratos:
         cookie:
           ## -- If false, cookie is removed when the browser is closed --##
           persistent: false
+        whoami:
+          # -- Session-to-JWT token exchange configuration
+          # This enables Kratos to convert session tokens to JWT tokens for ManagementPortal integration
+          tokenizer:
+            enabled: true
+            templates:
+              mp_jwt_template:
+#                # -- JSON keystore file path for JWT signing keys
+                jwks_url: "file:///etc/kratos/jwks.json"
+                # -- JWT token time-to-live
+                ttl: 1h
+                # -- JWT claims mapper URL pointing to JsonNet template
+                claims_mapper_url: "file:///etc/kratos/claims-mapper.jsonnet"
 
       courier:
         smtp:
@@ -343,6 +356,20 @@ kratos:
             key: uri
       - name: DSN
         value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4"
+    extraVolumes:
+      - name: keystore
+        secret:
+          secretName: radar-kratos-keystore
+      - name: claims-mapper
+        configMap:
+          name: radar-kratos-claims-mapper
+    extraVolumeMounts:
+      - name: keystore
+        mountPath: /etc/kratos/jwks.json
+        subPath: jwks.json
+      - name: claims-mapper
+        mountPath: /etc/kratos/claims-mapper.jsonnet
+        subPath: claims-mapper.jsonnet
   statefulSet:
     extraEnv:
       - name: POSTGRES_URI
@@ -352,6 +379,20 @@ kratos:
             key: uri
       - name: DSN
         value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4"
+    extraVolumes:
+      - name: keystore
+        secret:
+          secretName: radar-kratos-keystore
+      - name: claims-mapper
+        configMap:
+          name: radar-kratos-claims-mapper
+    extraVolumeMounts:
+      - name: keystore
+        mountPath: /etc/kratos/keystore.jks
+        subPath: keystore.jks
+      - name: claims-mapper
+        mountPath: /etc/kratos/claims-mapper.jsonnet
+        subPath: claims-mapper.jsonnet
   job:
     extraEnv:
       - name: POSTGRES_URI
@@ -371,3 +412,9 @@ kratos:
               key: uri
         - name: DSN
           value: "$(POSTGRES_URI)?sslmode=disable&max_conns=20&max_idle_conns=4"
+
+# -- Keystore for JWT signing
+keystore: ""
+# With helmfile, this can be set in a production.yaml.gotmpl
+# file by setting
+#   keystore: {{ readFile "../etc/radar-kratos/jwks.json" }}
