When using OIDC API keys for authentication, JWT teams/groups claims are completely ignored; only the sub claim is processed. Teams must be pre-configured statically when creating the OIDC API key, making it impossible to pass through user group/team information dynamically at runtime.
We are building a custom Backstage integration with Spacelift to enable self-service infrastructure provisioning with per-user permission boundaries. The Backstage plugin is not suitable as it uses a single admin API key. We need OIDC API keys to pass through the current user and respect Spacelift login policies, as is currently possible with SAML via input.session.teams.
With thousands of team/service combinations, the existing workarounds (static API keys per team or subject-based encoding) are not viable at scale.
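Added example (not code from the poster, Spacelift or Backstage): a stand-alone Python simulation of the two ways a login policy can learn a caller's teams from an OIDC JWT. The static mode mirrors the behaviour the request describes (teams bound to the API key at creation, only sub read from the token); the dynamic mode shows the teams flowing through from the verified token, as they do via input.session.teams in the SAML flow. The issuer and audience values, the STATIC_KEY_TEAMS table, the session dict shape and the HS256 signing are assumptions made for the illustration; a real OIDC provider signs with an asymmetric key and the verifier would fetch its JWKS.

```python
# Added example, not Spacelift's or Backstage's code. Names such as ISSUER,
# AUDIENCE and STATIC_KEY_TEAMS are assumptions for this illustration.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://backstage.example.internal"   # assumed token issuer
AUDIENCE = "spacelift"                           # assumed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (HS256 keeps the example stdlib-only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Check signature, alg, iss, aud and exp before any claim is trusted.
    Group/team claims are only meaningful after this succeeds."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Behaviour the request describes: teams are fixed per API key at creation.
# Hypothetical key-id -> teams table standing in for that configuration.
STATIC_KEY_TEAMS = {"backstage-key-platform": ["platform"]}


def session_from_static_key(claims: dict, key_id: str) -> dict:
    """Only `sub` is read from the token; groups/teams claims are ignored."""
    return {"login": claims["sub"],
            "teams": list(STATIC_KEY_TEAMS.get(key_id, []))}


def session_from_claims(claims: dict) -> dict:
    """What the request asks for: teams come from the verified token,
    mirroring input.session.teams in the SAML flow."""
    return {"login": claims["sub"], "teams": list(claims.get("groups", []))}


def login_allowed(session: dict, required_teams: set) -> bool:
    """Minimal stand-in for a login policy rule: allow when the session
    carries at least one of the teams granted access."""
    return bool(set(session["teams"]) & required_teams)


def demo() -> dict:
    """Constructed input: one Backstage user in teams payments and sre,
    calling through a key whose static binding is the platform team."""
    secret = b"shared-secret-for-this-example-only"
    now = 1_700_000_000
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice@example.com",
              "groups": ["payments", "sre"], "iat": now, "exp": now + 300}
    verified = verify_jwt(mint_jwt(claims, secret), secret, now=now)
    static_session = session_from_static_key(verified, "backstage-key-platform")
    dynamic_session = session_from_claims(verified)
    required = {"payments"}  # teams granted access to the target space
    return {
        "static_teams": static_session["teams"],
        "dynamic_teams": dynamic_session["teams"],
        "static_allowed": login_allowed(static_session, required),
        "dynamic_allowed": login_allowed(dynamic_session, required),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows the gap in the request: with the static binding the caller is evaluated as the key's team, not her own, so per-user permission boundaries would need one key per distinct team set; with claims pass-through the same key carries each user's teams, provided the signature, issuer and audience checks in verify_jwt gate what is trusted.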
In Review
Feature Requests
OIDC
About 6 hours ago