feat: add configuration to skip copying assertion audience in JWT bearer grant type#4076

Open
elatt wants to merge 14 commits into ory:master from datarobot-forks:elatt/jwt-bearer-audience

Conversation

Contributor

@elatt elatt commented Mar 4, 2026

Introduce a configuration option to control whether the audience from the assertion JWT is copied into the resulting access token in the JWT bearer grant type. By default, this behavior remains enabled. The implementation includes updates to the configuration interface, handler logic, and tests to ensure expected functionality.

Summary by CodeRabbit

  • New Features

    • Added JWT-bearer grant configuration option to control whether assertion audience claims are propagated to the access token (default: false for backward compatibility).
  • Configuration

    • New oauth2.grant.jwt.omit_assertion_audience boolean setting available for OAuth2 JWT-bearer grant configuration.
  • Tests

    • Added test coverage for JWT assertion audience handling behavior.

Comment thread fosite/config_default.go Outdated
Copilot AI and others added 2 commits April 10, 2026 18:42
…plain bool GrantTypeJWTBearerOmitAssertionAudience

Agent-Logs-Url: https://github.com/datarobot-forks/hydra/sessions/b002d7b7-a0e5-4e55-b97d-4ab7d3450d04

Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>
Copilot AI and others added 2 commits April 10, 2026 20:34
…g-logic

refactor: replace *bool GrantTypeJWTBearerCopyAssertionAudience with plain bool GrantTypeJWTBearerOmitAssertionAudience
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ elatt
❌ Copilot
You have signed the CLA already but the status is still pending? Let us recheck it.

@elatt elatt marked this pull request as ready for review April 10, 2026 20:37
@elatt elatt requested review from a team and aeneasr as code owners April 10, 2026 20:37
@elatt elatt changed the title Add configuration for copying assertion audience in JWT bearer grant type Add configuration to skip copying assertion audience in JWT bearer grant type Apr 10, 2026
@elatt elatt changed the title Add configuration to skip copying assertion audience in JWT bearer grant type feat: add configuration to skip copying assertion audience in JWT bearer grant type Apr 13, 2026
@coderabbitai

coderabbitai Bot commented Apr 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 355a25c9-100f-4ede-a3a4-97eed9f86459

📥 Commits

Reviewing files that changed from the base of the PR and between 71f365d and 5e37f04.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • oryx/go.sum is excluded by !**/*.sum
  • oryx/randx/strength/go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • fosite/handler/rfc7523/handler.go
  • oryx/go.mod

📝 Walkthrough

Walkthrough

This change introduces a new configuration flag omit_assertion_audience for the JWT bearer grant type, allowing control over whether the audience claim from an assertion JWT is propagated to the resulting access token. Implementation spans configuration schemas, provider interfaces, handler logic, and corresponding test coverage.

Changes

Cohort / File(s) Summary
Configuration Schemas
.schema/config.schema.json, spec/config.json
Added new optional boolean field oauth2.grant.jwt.omit_assertion_audience with default value false to both JSON and schema definitions.
Driver Configuration Provider
driver/config/provider.go, driver/config/provider_test.go
Added constant KeyOAuth2GrantJWTOmitAssertionAudience and corresponding getter method GetGrantTypeJWTBearerOmitAssertionAudience() to read the flag from configuration; extended tests to verify default false behavior and override capability.
Fosite Configuration Interfaces
fosite/config.go, fosite/config_default.go
Introduced GrantTypeJWTBearerOmitAssertionAudienceProvider interface and added corresponding field and getter method to default Config struct; updated compile-time provider interface assertion checks.
JWT Bearer Handler Logic
fosite/handler/rfc7523/handler.go, fosite/handler/rfc7523/handler_test.go
Added conditional audience claim propagation in HandleTokenEndpointRequest()—audience is only granted when omission is disabled; includes tests for both default behavior (audience propagated) and omission enabled (audience omitted).
Dependency Management
oryx/go.mod
Reorganized dependency declarations by removing several direct require entries and promoting them to indirect dependencies; also removed legacy github.com/golang/protobuf.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive
    Explanation: The PR description explains the feature and implementation approach, but lacks the required template structure including related issue references and checklist confirmation.
    Resolution: Follow the repository's PR description template by including a 'Related issue(s)' section with a link to the design document and completing the required checklist items.
✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding configuration to skip copying assertion audience in JWT bearer grant.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
fosite/fosite.go (1)

101-112: ⚠️ Potential issue | 🟠 Major

Avoid widening Configurator; this is a public breaking change.

Adding GrantTypeJWTBearerOmitAssertionAudienceProvider here will make any downstream custom fosite.Configurator implementation fail to compile on upgrade. Prefer checking for this capability via an optional interface in rfc7523.Handler so existing configurators remain source-compatible.

Compatibility-preserving sketch
--- a/fosite/fosite.go
+++ b/fosite/fosite.go
 type Configurator interface {
 	IDTokenIssuerProvider
 	IDTokenLifespanProvider
 	AllowedPromptsProvider
 	EnforcePKCEProvider
 	EnforcePKCEForPublicClientsProvider
 	EnablePKCEPlainChallengeMethodProvider
 	GrantTypeJWTBearerCanSkipClientAuthProvider
 	GrantTypeJWTBearerIDOptionalProvider
 	GrantTypeJWTBearerIssuedDateOptionalProvider
-	GrantTypeJWTBearerOmitAssertionAudienceProvider
 	GetJWTMaxDurationProvider
 	AudienceStrategyProvider
 	ScopeStrategyProvider
 	...
 }
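Review bot: the hunk carries no `@@` header or line range and shows only the single `-` line, so it cannot be applied as a patch; as a sketch it should also say that the `GrantTypeJWTBearerOmitAssertionAudienceProvider` interface itself stays in `fosite/config.go` so the default Config keeps implementing it, since only its embedding in `Configurator` is dropped. The handler code that follows falls back to `omitAudience = false` (copy every assertion audience) whenever `c.Config` lacks the optional method, which is what keeps old configurators source-compatible, but it also means a configurator without the method can never omit the audience and the handler gives no signal of that; a comment on the fallback branch and a handler test that runs with a config lacking the method would make the contract explicit.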
// fosite/handler/rfc7523/handler.go
type omitAssertionAudienceProvider interface {
	GetGrantTypeJWTBearerOmitAssertionAudience(ctx context.Context) bool
}

omitAudience := false
if p, ok := c.Config.(omitAssertionAudienceProvider); ok {
	omitAudience = p.GetGrantTypeJWTBearerOmitAssertionAudience(ctx)
}

if !omitAudience {
	for _, audience := range claims.Audience {
		request.GrantAudience(audience)
	}
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@fosite/fosite.go` around lines 101 - 112, The Configurator interface was
widened by adding GrantTypeJWTBearerOmitAssertionAudienceProvider which breaks
downstream implementers; remove that addition and instead perform a capability
check inside the rfc7523.Handler: define a local optional interface (e.g.,
omitAssertionAudienceProvider with
GetGrantTypeJWTBearerOmitAssertionAudience(ctx context.Context) bool), detect it
via a type assertion against c.Config, set omitAudience accordingly, and only
call request.GrantAudience for each entry in claims.Audience when omitAudience
is false (use the existing symbols Configurator, rfc7523.Handler,
omitAssertionAudienceProvider, GetGrantTypeJWTBearerOmitAssertionAudience,
claims.Audience, request.GrantAudience to locate and implement the change).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@fosite/handler/rfc7523/handler_test.go`:
- Line 783: Update the failing test's description string to reflect the renamed
config: replace the text "CopyAssertionAudience" with
"GrantTypeJWTBearerOmitAssertionAudience" in the test case message so it reads
e.g. "audience from assertion JWT should NOT be copied when
GrantTypeJWTBearerOmitAssertionAudience is false"; locate the string in the test
in handler_test.go (the test that references the
GrantTypeJWTBearerOmitAssertionAudience config) and change only the message to
match the current config name.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1b57bef9-9d95-4ade-b014-074e28e79f76

📥 Commits

Reviewing files that changed from the base of the PR and between a54baeb and 292ee8a.

📒 Files selected for processing (9)
  • .schema/config.schema.json
  • driver/config/provider.go
  • driver/config/provider_test.go
  • fosite/config.go
  • fosite/config_default.go
  • fosite/fosite.go
  • fosite/handler/rfc7523/handler.go
  • fosite/handler/rfc7523/handler_test.go
  • spec/config.json
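
The capability-check pattern proposed in the review above, as an added example that is not code from this PR, from fosite or from Hydra: the handler probes its configurator with a type assertion for an optional interface, a configurator that predates the option keeps the old copy-everything behaviour, and one that implements the method can switch the copy off. The `assertionClaims`, `accessRequest`, `legacyConfig`, `defaultConfig` and `handler` types and the sample audience list are constructed stand-ins for fosite's real types; only `omitAssertionAudienceProvider`, `GetGrantTypeJWTBearerOmitAssertionAudience` and `GrantAudience` are names taken from the review comment.

```go
package main

import (
	"context"
	"fmt"
)

// assertionClaims is a constructed stand-in for the parsed JWT bearer
// assertion; only the claim this example needs is modelled.
type assertionClaims struct {
	Audience []string
}

// accessRequest is a hypothetical stand-in for fosite's access request: it
// records the audiences granted to the resulting access token.
type accessRequest struct {
	granted []string
}

// GrantAudience mirrors request.GrantAudience from the handler sketch.
func (r *accessRequest) GrantAudience(aud string) {
	r.granted = append(r.granted, aud)
}

// GetGrantedAudience returns the audiences granted so far.
func (r *accessRequest) GetGrantedAudience() []string {
	return r.granted
}

// omitAssertionAudienceProvider is the optional capability interface from the
// review sketch. It is deliberately NOT embedded in the configurator
// interface, so configurators written before the option existed still compile.
type omitAssertionAudienceProvider interface {
	GetGrantTypeJWTBearerOmitAssertionAudience(ctx context.Context) bool
}

// legacyConfig models a downstream configurator written before the option
// existed: it has no GetGrantTypeJWTBearerOmitAssertionAudience method.
type legacyConfig struct{}

// defaultConfig models a configurator that carries the new flag.
type defaultConfig struct {
	GrantTypeJWTBearerOmitAssertionAudience bool
}

func (c defaultConfig) GetGrantTypeJWTBearerOmitAssertionAudience(_ context.Context) bool {
	return c.GrantTypeJWTBearerOmitAssertionAudience
}

// handler holds its configurator as an interface value, like c.Config in the
// sketch, so the capability can be probed with a type assertion.
type handler struct {
	Config any
}

// grantAssertionAudience is the audience-propagation step of the JWT bearer
// token handler with the optional capability check in front of it. It reports
// whether the assertion audience was copied onto the access request.
func (h *handler) grantAssertionAudience(ctx context.Context, claims assertionClaims, req *accessRequest) bool {
	omitAudience := false
	if p, ok := h.Config.(omitAssertionAudienceProvider); ok {
		omitAudience = p.GetGrantTypeJWTBearerOmitAssertionAudience(ctx)
	}
	// A configurator without the method lands here with omitAudience == false
	// and keeps the pre-existing behaviour: every assertion audience is copied.
	if omitAudience {
		return false
	}
	for _, aud := range claims.Audience {
		req.GrantAudience(aud)
	}
	return true
}

// run exercises the three configurator shapes against the same assertion and
// returns the granted audience per case, keyed by case name.
func run() map[string][]string {
	ctx := context.Background()
	// Constructed sample assertion: the token endpoint plus two extra audiences.
	claims := assertionClaims{Audience: []string{"https://www.example.com/token", "leela", "fry"}}
	cases := map[string]any{
		"legacy": legacyConfig{},
		"copy":   defaultConfig{GrantTypeJWTBearerOmitAssertionAudience: false},
		"omit":   defaultConfig{GrantTypeJWTBearerOmitAssertionAudience: true},
	}
	out := make(map[string][]string, len(cases))
	for name, cfg := range cases {
		req := &accessRequest{}
		(&handler{Config: cfg}).grantAssertionAudience(ctx, claims, req)
		out[name] = req.GetGrantedAudience()
	}
	return out
}

func main() {
	for name, aud := range run() {
		fmt.Printf("%-6s granted audience: %q\n", name, aud)
	}
}
```

`go run` prints the granted audience for each case; the `omit` case is the outcome the new `omit_assertion_audience` setting is meant to produce. The branch worth pinning down in a test is the `legacy` one: copying the audience there is the intended compatibility behaviour, and a fixture using a configurator without the method is the only way to assert that it stays that way.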

Comment thread fosite/handler/rfc7523/handler_test.go Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
fosite/handler/rfc7523/handler_test.go (1)

737-755: Make this audience fixture explicit in the test to reduce coupling.

This test currently depends on createStandardClaim()’s shared default Audience. Consider setting cl.Audience explicitly here so this behavior test doesn’t break if that helper changes for unrelated cases.

♻️ Proposed refactor
 	cl := s.createStandardClaim()
+	cl.Audience = jwt.Audience{"https://www.example.com/token", "leela", "fry"}
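Review bot: the `+` line types the fixture as `jwt.Audience{...}` while the agent prompt below spells the same value as `[]string{...}`; pick one form, matching the declared type of `cl.Audience`, so a reader does not have to work out which one compiles. Since the test then asserts on `s.accessRequest.GetGrantedAudience()`, assign the fixture to a local variable and reuse it in that assertion instead of repeating the three literals, otherwise the explicit fixture removes the coupling to `createStandardClaim()` only to introduce a duplicate that can drift.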
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@fosite/handler/rfc7523/handler_test.go` around lines 737 - 755, The test
relies on a shared default Audience from createStandardClaim(); make the fixture
explicit by setting cl.Audience directly after cl := s.createStandardClaim()
(e.g., cl.Audience = []string{"https://www.example.com/token", "leela", "fry"})
before calling s.createTestAssertion and HandleTokenEndpointRequest, so the
assertion JWT audience is deterministic and the assertion of
s.accessRequest.GetGrantedAudience() remains stable even if
createStandardClaim() changes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f23ea16f-3b5b-456b-b012-2bfd6a5ec2df

📥 Commits

Reviewing files that changed from the base of the PR and between 292ee8a and 71f365d.

📒 Files selected for processing (1)
  • fosite/handler/rfc7523/handler_test.go

Copilot AI and others added 5 commits April 25, 2026 22:45
…tor; use optional capability check in rfc7523 handler

Agent-Logs-Url: https://github.com/datarobot-forks/hydra/sessions/a6005422-a68d-416f-ac57-9227f69af433

Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>
…tor; use optional capability check in rfc7523 handler

Agent-Logs-Url: https://github.com/datarobot-forks/hydra/sessions/a6005422-a68d-416f-ac57-9227f69af433

Co-authored-by: elatt <2617872+elatt@users.noreply.github.com>
…on-grant-type-jwt-bearer-omit-au

Remove GrantTypeJWTBearerOmitAssertionAudienceProvider from Configurator; use optional capability check in rfc7523 handler
…anges-go-mod

Revert spurious go.mod and go.sum changes from merge commit
4 participants