From 44e368ceb5079827b950ce462f287239bdae8fe7 Mon Sep 17 00:00:00 2001 From: Ben Pearce Date: Fri, 27 Feb 2026 17:07:26 +1000 Subject: [PATCH 1/2] added single-value context claims docs --- .../infrastructure/accounts/openid-connect.md | 32 +++++++++++++++++-- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/src/pages/docs/infrastructure/accounts/openid-connect.md b/src/pages/docs/infrastructure/accounts/openid-connect.md index 30eb0f4c74..78c10321ae 100644 --- a/src/pages/docs/infrastructure/accounts/openid-connect.md +++ b/src/pages/docs/infrastructure/accounts/openid-connect.md @@ -54,8 +54,7 @@ The subject can be modified for the three different uses within Octopus: - **Type** - **Feed** - -### Deployments and Runbooks {#deployments-and-runbooks} +## Deployments and Runbooks {#deployments-and-runbooks} The **Subject** claim for a deployment or a runbook supports the following parts: @@ -85,7 +84,6 @@ The default format for a health check is `space:[space-slug]:target:[target-slug The value for the type is `health`. - ## Account Test {#account-test} The Account Test **Subject** claim supports the **Space** slug, the **Account** slug and the **Type** 
@@ -98,3 +96,31 @@ The Feed **Subject** claim supports the **Space** slug and the **Feed** slug. Th The default format for feeds is `space:[space-slug]:feed:[feed-slug]`. +## Context specific value claims {#context-specific-value-claims} + +In addition to the customizable subject claim, the JWT token will also include specific single-value claims for the deployment or runbook execution. +Each of these claims will be prefixed with `https://octopus.com/claims/` and will represent all the values that can be included in the subject configuration. + +```json +{ + "aud": "api://default", + "iss": "https://example.octopus.app/", + "exp": 1234567890, + "iat": 1234567890, + "nbf": 1234567890, + "jti": "abc", + "https://octopus.com/claims/space": "space-slug", + "https://octopus.com/claims/project": "project-slug", + "https://octopus.com/claims/runbook": "runbook-slug", // only on a runbook run + "https://octopus.com/claims/projectgroup": "project-group-slug", + "https://octopus.com/claims/environment": "environment-slug", + "https://octopus.com/claims/tenant": "teannt-slug", + "https://octopus.com/claims/type": "deployment", // or runbook for a runbook run + "https://octopus.com/claims/account": "account-slug", + "sub": "space:[space-slug]:project:[project-slug]:environment:[environment-slug]" +} +``` + +:::div{.hint} +These namespaced claims are only available in **Octopus 2026.1**. +::: \ No newline at end of file From 580ad23193fc26f569b6916ec0c222c5a4c3e8cb Mon Sep 17 00:00:00 2001 From: Ben Pearce Date: Mon, 2 Mar 2026 11:18:53 +1000 Subject: [PATCH 2/2] whitespace --- .../infrastructure/accounts/openid-connect.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/pages/docs/infrastructure/accounts/openid-connect.md b/src/pages/docs/infrastructure/accounts/openid-connect.md index 78c10321ae..0acabb7211 100644 --- a/src/pages/docs/infrastructure/accounts/openid-connect.md 
+++ b/src/pages/docs/infrastructure/accounts/openid-connect.md @@ -13,14 +13,14 @@ navOrder: 70 If you are using Octopus Cloud, you will not need to do anything to expose the instance to the public internet, this is already configured for you. ::: -To use federated credentials, your Octopus instance will need to have two anonymous URLs exposed to the public internet. +To use federated credentials, your Octopus instance will need to have two anonymous URLs exposed to the public internet. - `https://server-host/.well-known/openid-configuration` - `https://server-host/.well-known/jwks` These must be exposed with anonymous access on HTTPS. Without this, the OpenID Connect protocol will not be able to complete the authentication flow. -The hostname of the URL that these two endpoints are available on must either be configured under **Configuration->Nodes->Server Uri** or set as the first ListenPrefix in the server configuration. +The hostname of the URL that these two endpoints are available on must either be configured under **Configuration->Nodes->Server Uri** or set as the first ListenPrefix in the server configuration. ## Authenticating using OpenID Connect with third party services and tools 
@@ -43,16 +43,16 @@ The subject can be modified for the three different uses within Octopus: - Only the requested keys for a **Subject** claim will be include in the generated **Subject** claim - Any Octopus resource types included in the **Subject** claim will use the slug value for the Octopus resource. The slug value is generated from the name of the Octopus resource when it was created, it can be edited on the edit page of resource type. -- The **Subject** claim parts will always be in the following order - - **Space** - - **Project** - - **Runbook** - - **Tenant** - - **Environment** - - **Target** - - **Account** - - **Type** - - **Feed** +- The **Subject** claim parts will always be in the following order: + - **Space** + - **Project** + - **Runbook** + - **Tenant** + - **Environment** + - **Target** + - **Account** + - **Type** + - **Feed** ## Deployments and Runbooks {#deployments-and-runbooks} @@ -71,7 +71,7 @@ The default format for a deployment and runbook is `space:[space-slug]:project:[ The value for the type is either `deployment` or `runbook`. -When changing the **Subject** claim format for a deployment and runbook, the runbook value will not be included (if specified) when running a deployment. +When changing the **Subject** claim format for a deployment and runbook, the runbook value will not be included (if specified) when running a deployment. For example, in the **Default** space, you have a project called **Deploy Web App**, and a runbook called **Restart**. If you set the **Subject** claim format to `space`, `project`, `runbook` and `type`, when running a deployment the **Subject** claim will be `space:default:project:deploy-web-app:type:deployment` and for the run of the runbook the **Subject** claim would be `space:default:project:deploy-web-app:runbook:restart:type:runbook`. This is using the default generated slug values for the space, project and runbook. 
@@ -123,4 +123,4 @@ Each of these claims will be prefixed with `https://octopus.com/claims/` and wil :::div{.hint} These namespaced claims are only available in **Octopus 2026.1**. -::: \ No newline at end of file +:::
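Review bot: in PATCH 1/2, hunk `@@ -98,3 +96,31 @@`, the tenant claim in the JSON example is misspelled: `"https://octopus.com/claims/tenant": "teannt-slug"` should read `"tenant-slug"`. The two `//` comments (`// only on a runbook run` and `// or runbook for a runbook run`) also make the block invalid JSON inside a ```json fence, so anyone who copies it into a validator or a test fixture gets a parse error; move those two remarks into the prose under the example. The sentence above the block says the namespaced claims "will represent all the values that can be included in the subject configuration", but the example lists `projectgroup`, which is not one of the subject parts enumerated earlier (Space, Project, Runbook, Tenant, Environment, Target, Account, Type, Feed), and omits `target` and `feed`; either state exactly which claims are emitted for a deployment versus a runbook run or soften that sentence. Two smaller points: the `sub` value is shown as a bracketed template (`space:[space-slug]:project:[project-slug]:...`) while the namespaced claims carry concrete slugs, and using one style for both would make it obvious that a relying party can match on the individual claims rather than parsing `sub`; and the hint "only available in **Octopus 2026.1**" is ambiguous about later versions, so say "2026.1 and later" if that is the intent.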
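Review bot: in PATCH 2/2, hunk `@@ -13,14 +13,14 @@`, check that the trailing whitespace removed from `To use federated credentials, your Octopus instance will need to have two anonymous URLs exposed to the public internet.` and from the `**Configuration->Nodes->Server Uri**` line was not a two-space markdown hard line break; the diff does not show how many spaces were trimmed, and if it was a hard break the rendered paragraph changes even though the commit is titled "whitespace". Both lines are followed by a blank line or a list in this hunk, so the risk is low, but it is worth a glance at the rendered page.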
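Review bot: in PATCH 2/2, hunk `@@ -43,16 +43,16 @@`, the unchanged context line `- Only the requested keys for a **Subject** claim will be include in the generated **Subject** claim` still carries the typo `include` (should be `included`); since this hunk already edits the wording of the neighbouring bullet by adding the colon after `order`, fixing it here is cheap and keeps the wording changes in one commit. Note also that this hunk is not purely whitespace (the added colon is a text change), which the commit subject "whitespace" does not advertise; either mention it in the message or split it out.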
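Review bot: in PATCH 2/2, hunk `@@ -71,7 +71,7 @@`, the trimmed trailing space on `When changing the **Subject** claim format for a deployment and runbook, the runbook value will not be included (if specified) when running a deployment.` sits directly before the `For example, in the **Default** space, ...` sentence. If the removed whitespace was a two-space hard break, the two sentences now flow as one paragraph; confirm that is the intended rendering rather than the previous line-broken form.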
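Review bot: in PATCH 2/2, hunk `@@ -123,4 +123,4 @@` only restores the trailing newline that PATCH 1/2 left out (`\ No newline at end of file` after the closing `:::`); squash this hunk into the first commit so that patch 1 is self-contained and does not introduce a missing-newline warning that the next commit immediately fixes.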