Description
System Info
git main branch
Information
- The official example scripts
- My own modified scripts
🐛 Describe the bug
OAuth2 token validation fails when the claims_mapping configuration uses nested claim paths (dot notation) like resource_access.llamastack.roles. This is a common pattern in Keycloak and other identity providers that structure roles and permissions hierarchically in JWT tokens.
Steps to Reproduce
Configure OAuth2 authentication with a claims mapping that references nested claims:
```yaml
auth:
  provider_config:
    type: "oauth2_token"
    jwks:
      uri: "https://your-keycloak/realms/testrealm/protocol/openid-connect/certs"
    issuer: "https://your-keycloak/realms/testrealm"
    audience: "account"
    claims_mapping:
      resource_access.llamastack.roles: "roles"
```
Authenticate with a valid JWT token containing nested claims like:
```json
{
  "sub": "user123",
  "resource_access": {
    "llamastack": {
      "roles": ["inference_max"]
    }
  }
}
```
Attempt to access a protected resource
Error logs
Expected behavior
The token should be validated successfully, and the roles `["inference_max"]` should be extracted from `resource_access.llamastack.roles` and mapped to the `roles` attribute.
Token validation fails with the error: "User does not have inference_max in roles"
The `get_attributes_from_claims()` function only checks for top-level claim keys and does not traverse nested structures. Given the claim key `resource_access.llamastack.roles`, it looks for a literal key with that exact string rather than walking the nested path.
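As an added illustration (not the project's own code), here is a Python sketch of the nested-path traversal this report asks for, beside the top-level-only lookup that reproduces the failure. `lookup_claim` and `attributes_from_claims` are hypothetical names, and the claims and mapping are constructed from the examples above.

```python
from typing import Any

# Constructed sample claims, laid out like the Keycloak token in the report.
SAMPLE_CLAIMS: dict[str, Any] = {
    "sub": "user123",
    "resource_access": {"llamastack": {"roles": ["inference_max"]}},
}
# Constructed claims_mapping: claim path -> attribute name, as in the config above.
SAMPLE_MAPPING: dict[str, str] = {
    "resource_access.llamastack.roles": "roles",
    "sub": "user_id",
}


def lookup_claim(claims: dict[str, Any], path: str) -> Any:
    """Resolve a dotted claim path such as 'resource_access.llamastack.roles'.

    A literal top-level key wins (some IdPs really emit dotted key names);
    otherwise each segment is walked, and None is returned if a segment is
    missing or an intermediate value is not a JSON object.
    """
    if path in claims:
        return claims[path]
    node: Any = claims
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def attributes_from_claims(
    claims: dict[str, Any], mapping: dict[str, str], nested: bool = True
) -> dict[str, list[str]]:
    """Map claims to attribute lists; nested=False reproduces the reported bug.

    Scalars become one-item lists, lists are copied, and a missing claim is
    skipped rather than turned into an empty (and thus permission-less) entry.
    """
    attributes: dict[str, list[str]] = {}
    for claim_path, attribute in mapping.items():
        value = lookup_claim(claims, claim_path) if nested else claims.get(claim_path)
        if value is None:
            continue
        items = value if isinstance(value, (list, tuple)) else [value]
        attributes.setdefault(attribute, []).extend(str(v) for v in items)
    return attributes
```

With `nested=False` the `roles` attribute is never populated, which is exactly why the `inference_max` check in the report fails.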