pub struct ClientExtension {
pub client_id: String,
pub client_name: Option<String>,
pub trust_level: ClientTrustLevel,
pub authorized_scopes: Vec<String>,
pub authorized_audiences: Vec<String>,
pub roles: Vec<String>,
pub permissions: Vec<String>,
pub teams: Vec<String>,
pub claims: HashMap<String, Value>,
}Expand description
The OAuth client / gateway-access principal — what application
is brokering the request, as opposed to which user is using it
(SubjectExtension) and which attested workload is the network
peer (WorkloadIdentity). Populated from a client-credentials or
session JWT by an identity-resolver plugin (or supplied directly
by a trusted upstream gateway).
The shape is deliberately symmetric with SubjectExtension —
roles / permissions / teams / claims appear on both. That lets APL
policies write client.roles.contains("partner") and
subject.roles.contains("admin") with the same idiom; some IdPs
(Keycloak service accounts, Auth0 M2M apps, AWS IAM role grants)
attach RBAC grants to clients directly.
Fields§
§client_id: StringOAuth client_id — required. Anchor identifier for the client.
client_name: Option<String>Human-readable client name from the IdP. Useful for audit logs.
trust_level: ClientTrustLevelTrust classification — see ClientTrustLevel.
OAuth scopes the IdP authorized for this client (across all audiences). Policy authors use this to gate on what the IdP believes the client is allowed to ask for, before checking whether the specific request stays within those scopes.
OAuth audiences the IdP authorized this client to address. Different IdPs encode this differently; the resolver normalizes them into this list.
roles: Vec<String>Platform-native RBAC roles attached to the client (Keycloak
service-account-roles, Auth0 M2M permissions, IAM role grants).
Distinct from authorized_scopes — scopes are OAuth-issued,
roles are platform-issued.
permissions: Vec<String>Platform-native permissions attached to the client.
teams: Vec<String>Team / tenant / account memberships, for multi-tenant platforms that scope clients to organizational units.
claims: HashMap<String, Value>Raw remaining JWT claims (or equivalent), keyed by claim name.
Value (not String) because claim values can be booleans,
numbers, nested objects, arrays — policy authors who reach
here generally know the claim’s expected shape.
Trait Implementations§
Source§impl Clone for ClientExtension
impl Clone for ClientExtension
Source§fn clone(&self) -> ClientExtension
fn clone(&self) -> ClientExtension
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more