Check "irn" JWT header to decide if hybrid token must be introspected, PLTFRM-84867 by Semerokozlyat · Pull Request #63 · acronis/go-authkit

Semerokozlyat · 2025-12-30T15:37:45Z

Check Introspectable Resource Namespaces in JWT header to decide if hybrid token must be introspected

Closes PLTFRM-84867

vasayxtx · 2026-01-05T21:03:58Z

idptoken/introspector.go

+		return false
+	}
+	for i := range scopeFilter {
+		sfRN := strings.ToLower(strings.TrimSpace(scopeFilter[i].ResourceNamespace))


Let's use strings.EqualFold (https://pkg.go.dev/strings#EqualFold) instead of strings.ToLower() to avoid memory allocation for case when resource namespace or irn's item contains upper case letter.

vasayxtx · 2026-01-05T21:04:58Z

idptoken/introspector.go

+			continue
+		}
+		for _, iRN := range introspectableRNsArr {
+			if sfRN == strings.ToLower(strings.TrimSpace(iRN.(string))) {


If irn contains non-string array, panic will be. Suggest asserting to []string above.

Unfortunately it is not possible since json decoder returns []interface{} even if it was initially slice of strings.
I added "ok" notation to the type assertion of the individual slice element to avoid panic here

vasayxtx · 2026-01-05T21:07:26Z

idptoken/introspector.go

+	}
+	for i := range scopeFilter {
+		sfRN := strings.ToLower(strings.TrimSpace(scopeFilter[i].ResourceNamespace))
+		if sfRN == "" {


Why do we need to handle empty resource namespace separately? As I know, we may have empty rs in the scope filter.

Discussed, added empty string as a valid case.

vasayxtx · 2026-01-05T21:09:22Z

internal/idputil/idp_util.go


 const JWTTypeAppAccessToken = "application/at+jwt"

+const JWTHeaderFieldIRN = "irn" // array of Resource Namespaces for roles available after token introspection only


Let's add a comment what irn means hear - introspectable resource namespace.

vasayxtx · 2026-01-05T21:13:18Z

idptoken/introspector.go

+// 1. nri field indicates introspection is required (nri absent/false/0)
+// 2. irn (Introspectable Resource Namespace) field contains list of Resource Namespaces matching the scopeFilter
+func checkIntrospectionRequiredByJWTHeader(jwtHeader map[string]interface{}, scopeFilter jwt.ScopeFilter) bool {
+	return introspectionRequiredByNRIField(jwtHeader) &&


I would suggest checking "nri" only if "irn" is missing since the first is deprecated (pls add a comment about it). Otherwise, will be not be able to remove "nri" in the future - this library will not be ready for it.

vasayxtx · 2026-01-08T08:13:44Z

idptoken/introspector.go

+				continue
+			}
+			if strings.EqualFold(
+				strings.TrimSpace(scopeFilter[i].ResourceNamespace),


let's move space trimming outside of the nested cycle

Ok, fixed, but actually I have checked it before and this strings.TrimSpace does not affect performance (cpu or mem):

before:

goos: darwin goarch: arm64 pkg: github.com/acronis/go-authkit/idptoken cpu: Apple M1 Pro BenchmarkIntrospectionRequiredByIRNField-10 44315258 22.89 ns/op 0 B/op 0 allocs/op

after:

goos: darwin goarch: arm64 pkg: github.com/acronis/go-authkit/idptoken cpu: Apple M1 Pro BenchmarkIntrospectionRequiredByIRNField-10 46749982 22.94 ns/op 0 B/op 0 allocs/op

vasayxtx · 2026-01-08T08:15:07Z

idptoken/introspector.go

+}
+
+func introspectionRequiredByNRIField(jwtHeader map[string]interface{}) bool {
 	notRequiredIntrospection, ok := jwtHeader["nri"]


since you defined a const JWTHeaderFieldIRN, may I ask you to define another const for the "nri" header as well with small comment what is it and highlight that that header will be deprecated soon?

…ybrid token must be introspected, closes PLTFRM-84867

Semerokozlyat requested a review from vasayxtx as a code owner December 30, 2025 15:37

Semerokozlyat force-pushed the feature/PLTFRM-84867-introspect-token-on-condition-hybrid-rns branch from f350ce4 to c681f21 Compare December 31, 2025 12:37

vasayxtx requested changes Jan 5, 2026

View reviewed changes

Semerokozlyat force-pushed the feature/PLTFRM-84867-introspect-token-on-condition-hybrid-rns branch 4 times, most recently from 1cbdc3e to 43fe8ff Compare January 6, 2026 15:54

vasayxtx reviewed Jan 8, 2026

View reviewed changes

Semerokozlyat force-pushed the feature/PLTFRM-84867-introspect-token-on-condition-hybrid-rns branch from 43fe8ff to f63abdf Compare January 8, 2026 13:36

Check Introspectable Resource Namespaces in JWT header to decide if h…

5233555

…ybrid token must be introspected, closes PLTFRM-84867

Semerokozlyat force-pushed the feature/PLTFRM-84867-introspect-token-on-condition-hybrid-rns branch from f63abdf to 5233555 Compare January 8, 2026 14:17

vasayxtx approved these changes Jan 8, 2026

View reviewed changes

vasayxtx merged commit 381cb63 into acronis:main Jan 8, 2026
5 checks passed


		const JWTTypeAppAccessToken = "application/at+jwt"

		const JWTHeaderFieldIRN = "irn" // array of Resource Namespaces for roles available after token introspection only

Conversation

Semerokozlyat commented Dec 30, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants