claims: add JSON serialization for interface arrays

othman-essabir · othman-essabir · commit c1342b6c24cd · 2025-11-06T14:19:08.000Z
Implement handling of []interface{} types by serializing them to
JSON string format. This allows arrays like ["role1", "role2"] to
be converted to string representations for further processing.
diff --git a/.changelog/26958.txt b/.changelog/26958.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+oidc: add support for array-based OIDC claims
+```
diff --git a/lib/auth/claims.go b/lib/auth/claims.go
@@ -152,16 +152,23 @@ func getClaim(all map[string]interface{}, claim string) interface{} {
 // stringifyClaimValue will try to convert the provided raw value into a
 // faithful string representation of that value per these rules:
 //
-// - strings      => unchanged
-// - bool         => "true" / "false"
-// - json.Number  => String()
-// - float32/64   => truncated to int64 and then formatted as an ascii string
-// - intXX/uintXX => casted to int64 and then formatted as an ascii string
+// - []interface{} => marshaling to JSON string
+// - strings       => unchanged
+// - bool          => "true" / "false"
+// - json.Number   => String()
+// - float32/64    => truncated to int64 and then formatted as an ascii string
+// - intXX/uintXX  => casted to int64 and then formatted as an ascii string
 //
 // If successful the string value and true are returned. otherwise an empty
 // string and false are returned.
 func stringifyClaimValue(rawValue interface{}) (string, bool) {
 	switch v := rawValue.(type) {
+	case []interface{}:
+		b, err := json.Marshal(v)
+		if err != nil {
+			return "", false
+		}
+		return string(b), true
 	case string:
 		return v, true
 	case bool:
diff --git a/lib/auth/claims_test.go b/lib/auth/claims_test.go
@@ -68,6 +68,24 @@ func TestSelectorData(t *testing.T) {
 				},
 			},
 		},
+
+		{
+			"nested list claim",
+			nil,
+			map[string]string{"roles": "r"},
+			map[string]any{
+				"roles": []any{
+					[]any{"role1", "role2", "roleN"}, 42, false,
+				},
+			},
+			&structs.ACLAuthClaims{
+				Value: map[string]string{},
+				List: map[string][]string{
+					"r": {`["role1","role2","roleN"]`, "42", "false"},
+				},
+			},
+		},
+
 	}
 
 	for _, tt := range cases {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:improvement
	`2`	`+oidc: add support for array-based OIDC claims`
	`3`	+```