Module token

JWT mint extension.

Replaces the legacy TokenClaimsExtender trait in yeti-auth. Plugins that want to add extra claims to issued JWTs (an Okta plugin embedding groups[], an Azure AD plugin embedding appRoles[], etc.) register a tower::Service<TokenRequest, Response = TokenResponse>.

The host runs the registered pipeline as part of every JWT mint (login, magic-link consume, refresh). Each plugin’s Service returns a (possibly modified) TokenResponse; the next plugin receives that response as its input.

The actual JwtClaims type lives in yeti-auth::auth_types. To keep yeti-types free of dependencies on other yeti crates (per the crate’s own README), this module uses serde_json::Value as the on-the-wire representation. Adapter glue in yeti-auth converts to/from the typed JwtClaims.
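The sketch below is an added, std-only model of the chaining described above, not yeti code: it shows each plugin receiving the previous plugin's output, with the host checking every result before the next plugin or the signer sees it. The field names, the fn-pointer Plugin type (standing in for a tower::Service), the RESERVED list and the rule that plugins may not change the username or app scope are all assumptions.

```rust
use std::collections::BTreeMap;
// Hypothetical field names: the page says what TokenRequest carries, not how.
#[derive(Clone, Debug, PartialEq)]
pub struct TokenRequest {
    pub username: String,
    pub apps: Vec<String>,
    pub extra_claims: BTreeMap<String, String>, // serde_json::Value in the real module
}
pub type TokenResponse = TokenRequest;
// Stand-in for TokenService; real plugins register a tower::Service.
pub type Plugin = fn(TokenRequest) -> Result<TokenResponse, String>;
const RESERVED: [&str; 5] = ["sub", "iss", "aud", "exp", "iat"]; // assumed host-only claims

/// Thread the request through the plugins in order, checking each output.
pub fn run_chain(req: TokenRequest, chain: &[Plugin]) -> Result<TokenResponse, String> {
    let (user, apps, mut cur) = (req.username.clone(), req.apps.clone(), req);
    for plugin in chain {
        cur = plugin(cur)?;
        if cur.username != user || cur.apps != apps {
            return Err("plugin changed username or app scope".to_string());
        }
        if let Some(k) = cur.extra_claims.keys().find(|k| RESERVED.contains(&k.as_str())) {
            return Err(format!("plugin set reserved claim {}", k));
        }
    }
    Ok(cur)
}
pub fn add_groups(mut r: TokenRequest) -> Result<TokenResponse, String> {
    r.extra_claims.insert("groups".into(), "eng,ops".into()); // constructed value
    Ok(r)
}
// Runs second in the sample chain, so it sees what add_groups wrote.
pub fn add_app_roles(mut r: TokenRequest) -> Result<TokenResponse, String> {
    let ops = r.extra_claims.get("groups").map_or(false, |g| g.split(',').any(|x| x == "ops"));
    r.extra_claims.insert("appRoles".into(), (if ops { "operator" } else { "reader" }).into());
    Ok(r)
}
// Constructed misbehaving plugin: tries to set a host-owned claim.
pub fn overwrite_sub(mut r: TokenRequest) -> Result<TokenResponse, String> {
    r.extra_claims.insert("sub".into(), "admin".into());
    Ok(r)
}
pub fn sample_request() -> TokenRequest {
    TokenRequest { username: "alice".into(), apps: vec!["billing".into()], extra_claims: BTreeMap::new() }
}
fn main() {
    println!("{:?}", run_chain(sample_request(), &[add_groups, add_app_roles]));
    println!("{:?}", run_chain(sample_request(), &[add_groups, overwrite_sub]));
}
```

Swapping the two well-behaved plugins makes add_app_roles emit reader instead of operator, so in this model registration order is part of what ends up in the signed token.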

Structs

TokenRequest
Input to the token-mint pipeline. Carries the username being minted for, the apps the token will be scoped to, and a place for plugins to drop extra claims.

Constants

TOKEN_HOOK_CHAIN_NAME
Versioned hook chain name for JWT mint extension services (ADR-009). See super::oauth::OAUTH_HOOK_CHAIN_NAME for the rationale behind placing the constant here.

Type Aliases

TokenResponse
Output of the token-mint pipeline — the (possibly mutated) TokenRequest ready to be folded back into the canonical JwtClaims and signed.
TokenService
Tower-shaped JWT-mint extension service. Plugins register BoxCloneSyncService::new(service_fn(...)) against this type; yeti-auth chains every registered service per JWT mint, threading the TokenRequest (with its extra claims accumulator) through each in turn before signing.