From 67af202da8760c2ec063539a4c08cf123f1486ac Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Thu, 17 Apr 2025 17:23:18 +0100
Subject: [PATCH 01/29] Fix/silence lint issues

---
 web/packages/teleport/src/JoinTokens/JoinTokens.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
index 1e92c92d4b8a0..c4d6ea292cfa3 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
@@ -134,6 +134,9 @@ export const JoinTokens = () => {
 
   useEffect(() => {
     runJoinTokensAttempt();
+
+    // runJoinTokensAttempt is not stable and causes a render loop
+    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, []);
 
   return (
@@ -395,7 +398,7 @@ function TokenDelete({
         <DialogTitle>Delete Join Token?</DialogTitle>
       </DialogHeader>
       <DialogContent>
-        {attempt.status === 'error' && <Alert children={attempt.statusText} />}
+        {attempt.status === 'error' && <Alert>{attempt.statusText}</Alert>}
         <Text mb={4}>
           You are about to delete join token
           <Text bold as="span">

From 3645dd7d2712f231b4542e2712a42b2932ba70c9 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Thu, 17 Apr 2025 17:23:54 +0100
Subject: [PATCH 02/29] Fix spacing on side panel

---
 web/packages/teleport/src/JoinTokens/JoinTokens.tsx           | 2 +-
 .../teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx         | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
index c4d6ea292cfa3..82853c3c9420d 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
@@ -164,7 +164,7 @@ export const JoinTokens = () => {
           </InfoGuideButton>
         )}
       </FeatureHeader>
-      <Flex>
+      <Flex gap={24}>
         <Box
           css={`
             flex-grow: 1;
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index fe9a56f1b9065..3402c45fb115d 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -236,8 +236,6 @@ export const UpsertJoinTokenDialog = ({
   return (
     <Flex width="500px">
       <Box
-        pr={4}
-        pl={4}
         css={`
           overflow: auto;
           width: 100%;
@@ -253,7 +251,7 @@ export const UpsertJoinTokenDialog = ({
         >
           <Flex alignItems="center" mr={3}>
             <HoverTooltip tipContent="Back to Join Tokens">
-              <ButtonIcon onClick={onClose} mr={2} ml={'-8px'}>
+              <ButtonIcon onClick={onClose} mr={2}>
                 <Cross size="medium" />
               </ButtonIcon>
             </HoverTooltip>

From f197c2925700d8287a1cc07b76a09071b3133fb0 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 23 Apr 2025 16:15:51 +0100
Subject: [PATCH 03/29] Return github-specific config from `GET /webapi/tokens`

---
 api/types/provisioning.go   |  7 ++++
 lib/web/join_tokens_test.go | 81 +++++++++++++++++++++++++++++++++++++
 lib/web/ui/join_token.go    |  7 ++++
 3 files changed, 95 insertions(+)

diff --git a/api/types/provisioning.go b/api/types/provisioning.go
index 9768e25ab863e..32589bc591b07 100644
--- a/api/types/provisioning.go
+++ b/api/types/provisioning.go
@@ -135,6 +135,8 @@ type ProvisionToken interface {
 	SetAllowRules([]*TokenRule)
 	// GetGCPRules will return the GCP rules within this token.
 	GetGCPRules() *ProvisionTokenSpecV2GCP
+	// GetGithubRules will return the GitHub rules within this token.
+	GetGithubRules() *ProvisionTokenSpecV2GitHub
 	// GetAWSIIDTTL returns the TTL of EC2 IIDs
 	GetAWSIIDTTL() Duration
 	// GetJoinMethod returns joining method that must be used with this token.
@@ -437,6 +439,11 @@ func (p *ProvisionTokenV2) GetGCPRules() *ProvisionTokenSpecV2GCP {
 	return p.Spec.GCP
 }
 
+// GetGithubRules will return the GitHub rules within this token.
+func (p *ProvisionTokenV2) GetGithubRules() *ProvisionTokenSpecV2GitHub {
+	return p.Spec.GitHub
+}
+
 // GetAWSIIDTTL returns the TTL of EC2 IIDs
 func (p *ProvisionTokenV2) GetAWSIIDTTL() Duration {
 	return p.Spec.AWSIIDTTL
diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index d47e2c1b137f3..8dbbd72bc4133 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
+	"slices"
 	"strconv"
 	"testing"
 	"time"
@@ -268,6 +269,86 @@ func TestGetTokens(t *testing.T) {
 	}
 }
 
+func TestGetGithubTokens(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+
+	username := "test-user@example.com"
+	expiry := time.Now().UTC().Add(30 * time.Minute)
+
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	td := tokenData{
+		name:   "github-test-token",
+		expiry: expiry,
+		roles:  types.SystemRoles{types.RoleBot},
+	}
+
+	token, err := types.NewProvisionTokenFromSpec(td.name, td.expiry, types.ProvisionTokenSpecV2{
+		Roles:      td.roles,
+		BotName:    "test-bot",
+		JoinMethod: types.JoinMethodGitHub,
+
+		GitHub: &types.ProvisionTokenSpecV2GitHub{
+			EnterpriseServerHost: "github.example.com",
+			StaticJWKS:           "{\"keys\":[]}",
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository:      "gravitational/teleport",
+					RepositoryOwner: "gravitational",
+					Sub:             "test-sub",
+					Workflow:        "test-workflow",
+					Environment:     "test-environment",
+					Actor:           "octocat",
+					Ref:             "ref/heads/main",
+					RefType:         "branch",
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	err = env.server.Auth().CreateToken(ctx, token)
+	require.NoError(t, err)
+
+	endpoint := pack.clt.Endpoint("webapi", "tokens")
+	re, err := pack.clt.Get(ctx, endpoint, url.Values{})
+	require.NoError(t, err)
+
+	resp := GetTokensResponse{}
+	require.NoError(t, json.Unmarshal(re.Bytes(), &resp))
+
+	require.Len(t, resp.Items, 2) // Including a static token
+
+	githubTokenIndex := slices.IndexFunc(resp.Items, func(item ui.JoinToken) bool { return item.Method == types.JoinMethodGitHub })
+	require.NotEqual(t, githubTokenIndex, -1)
+	require.Empty(t, cmp.Diff(resp.Items[githubTokenIndex], ui.JoinToken{
+		ID:       "github-test-token",
+		SafeName: "github-test-token",
+		BotName:  "test-bot",
+		Expiry:   expiry,
+		Roles:    types.SystemRoles{"Bot"},
+		Method:   types.JoinMethodGitHub,
+		Github: &types.ProvisionTokenSpecV2GitHub{
+			EnterpriseServerHost: "github.example.com",
+			StaticJWKS:           "{\"keys\":[]}",
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository:      "gravitational/teleport",
+					RepositoryOwner: "gravitational",
+					Sub:             "test-sub",
+					Workflow:        "test-workflow",
+					Environment:     "test-environment",
+					Actor:           "octocat",
+					Ref:             "ref/heads/main",
+					RefType:         "branch",
+				},
+			},
+		},
+	}, cmpopts.IgnoreFields(ui.JoinToken{}, "Content")))
+}
+
 func TestDeleteToken(t *testing.T) {
 	ctx := context.Background()
 	username := "test-user@example.com"
diff --git a/lib/web/ui/join_token.go b/lib/web/ui/join_token.go
index be068482aa1ba..2319841375e22 100644
--- a/lib/web/ui/join_token.go
+++ b/lib/web/ui/join_token.go
@@ -47,6 +47,8 @@ type JoinToken struct {
 	Allow []*types.TokenRule `json:"allow,omitempty"`
 	// GCP allows the configuration of options specific to the "gcp" join method.
 	GCP *types.ProvisionTokenSpecV2GCP `json:"gcp,omitempty"`
+	// GitHub-specific configuration for the join method.
+	Github *types.ProvisionTokenSpecV2GitHub `json:"github,omitempty"`
 	// Content is resource yaml content.
 	Content string `json:"content"`
 }
@@ -71,6 +73,11 @@ func MakeJoinToken(token types.ProvisionToken) (*JoinToken, error) {
 	if uiToken.Method == types.JoinMethodGCP {
 		uiToken.GCP = token.GetGCPRules()
 	}
+
+	if uiToken.Method == types.JoinMethodGitHub {
+		uiToken.Github = token.GetGithubRules()
+	}
+
 	return uiToken, nil
 }
 

From c7805d29d3f3a6ff08670617f7fd19de840e420e Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Thu, 24 Apr 2025 10:08:37 +0100
Subject: [PATCH 04/29] Add github form for create/edit

---
 web/packages/design/src/utils/testing.tsx     |   6 +-
 .../components/Validation/rules.test.ts       |  22 +
 .../shared/components/Validation/rules.ts     |  21 +
 .../JoinTokens/JoinTokenGithubForm.test.tsx   | 388 ++++++++++++++++++
 .../src/JoinTokens/JoinTokenGithubForm.tsx    | 263 ++++++++++++
 .../teleport/src/JoinTokens/JoinTokens.tsx    |   3 +-
 .../src/JoinTokens/UpsertJoinTokenDialog.tsx  |  99 ++++-
 .../src/services/joinToken/makeJoinToken.ts   |   4 +-
 .../teleport/src/services/joinToken/types.ts  |  32 ++
 9 files changed, 824 insertions(+), 14 deletions(-)
 create mode 100644 web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
 create mode 100644 web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx

diff --git a/web/packages/design/src/utils/testing.tsx b/web/packages/design/src/utils/testing.tsx
index 7312f4eb1a5af..b68eecff79cfe 100644
--- a/web/packages/design/src/utils/testing.tsx
+++ b/web/packages/design/src/utils/testing.tsx
@@ -25,6 +25,7 @@ import {
   render as testingRender,
   waitFor,
   waitForElementToBeRemoved,
+  within,
 } from '@testing-library/react';
 import userEvent from '@testing-library/user-event';
 import { ReactNode } from 'react';
@@ -78,8 +79,8 @@ screen.debug = () => {
 };
 
 type RenderOptions = {
-  wrapper: React.FC;
-  container: HTMLElement;
+  wrapper?: React.FC;
+  container?: HTMLElement;
 };
 
 export {
@@ -95,4 +96,5 @@ export {
   Router,
   userEvent,
   waitForElementToBeRemoved,
+  within,
 };
diff --git a/web/packages/shared/components/Validation/rules.test.ts b/web/packages/shared/components/Validation/rules.test.ts
index 827264949d559..3a216ea44c87d 100644
--- a/web/packages/shared/components/Validation/rules.test.ts
+++ b/web/packages/shared/components/Validation/rules.test.ts
@@ -18,6 +18,7 @@
 
 import {
   arrayOf,
+  falsyField,
   requiredConfirmedPassword,
   requiredEmailLike,
   requiredField,
@@ -212,3 +213,24 @@ test.each([
 ])('arrayOf: $name', ({ items, expected }) => {
   expect(arrayOf(requiredField('required'))(items)()).toEqual(expected);
 });
+
+describe('falsyField', () => {
+  const errMsg = 'error text';
+  const validator = falsyField(errMsg);
+
+  test.each`
+    input                | expected
+    ${'not empty value'} | ${{ valid: false, message: errMsg }}
+    ${1}                 | ${{ valid: false, message: errMsg }}
+    ${true}              | ${{ valid: false, message: errMsg }}
+    ${{}}                | ${{ valid: false, message: errMsg }}
+    ${[]}                | ${{ valid: false, message: errMsg }}
+    ${''}                | ${{ valid: true, message: undefined }}
+    ${null}              | ${{ valid: true, message: undefined }}
+    ${undefined}         | ${{ valid: true, message: undefined }}
+    ${0}                 | ${{ valid: true, message: undefined }}
+    ${false}             | ${{ valid: true, message: undefined }}
+  `('input with: $input', ({ input, expected }) => {
+    expect(validator(input)()).toEqual(expected);
+  });
+});
diff --git a/web/packages/shared/components/Validation/rules.ts b/web/packages/shared/components/Validation/rules.ts
index aa111dc786c11..668aa9d70a48d 100644
--- a/web/packages/shared/components/Validation/rules.ts
+++ b/web/packages/shared/components/Validation/rules.ts
@@ -260,6 +260,26 @@ const requiredPort: Rule = port => () => {
   };
 };
 
+/**
+ * falsyField checks the the value is falsy
+ * @param message the message to return if invalid
+ * @returns validaton result
+ */
+const falsyField =
+  <T = string>(message: string): Rule<T> =>
+  value =>
+  () => {
+    if (value) {
+      return {
+        valid: false,
+        message,
+      };
+    }
+    return {
+      valid: true,
+    };
+  };
+
 /**
  * A rule function that combines multiple inner rule functions. All rules must
  * return `valid`, otherwise it returns a comma separated string containing all
@@ -379,4 +399,5 @@ export {
   requiredPort,
   arrayOf,
   precomputed,
+  falsyField,
 };
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
new file mode 100644
index 0000000000000..074025aaa3c79
--- /dev/null
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
@@ -0,0 +1,388 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import userEvent from '@testing-library/user-event';
+import { PropsWithChildren } from 'react';
+
+import { fireEvent, render, screen, within } from 'design/utils/testing';
+import Validation, { useValidation } from 'shared/components/Validation';
+
+import { ThemeProvider } from 'teleport/ThemeProvider';
+
+import { JoinTokenGithubForm } from './JoinTokenGithubForm';
+import { NewJoinTokenState } from './UpsertJoinTokenDialog';
+
+const populateRuleFieldTest =
+  (
+    field: keyof NewJoinTokenState['github']['rules'][number],
+    placeholer: string,
+    value: string
+  ) =>
+  async () => {
+    const state = baseState();
+    const onUpdate = jest.fn();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      { wrapper: Wrapper }
+    );
+
+    fireEvent.change(screen.getByPlaceholderText(placeholer), {
+      target: { value },
+    });
+
+    expect(onUpdate).toHaveBeenCalledTimes(1);
+    expect(onUpdate).toHaveBeenLastCalledWith(
+      baseState({
+        rules: [
+          {
+            ...state.github.rules[0],
+            [field]: value,
+          },
+        ],
+      })
+    );
+  };
+
+const populateFieldTest =
+  ({
+    field,
+    placeholer,
+    value,
+  }: {
+    field: keyof NewJoinTokenState['github'];
+    placeholer: string;
+    value: string;
+  }) =>
+  async () => {
+    const state = baseState();
+    const onUpdate = jest.fn();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      { wrapper: Wrapper }
+    );
+
+    fireEvent.change(screen.getByPlaceholderText(placeholer), {
+      target: { value },
+    });
+
+    expect(onUpdate).toHaveBeenCalledTimes(1);
+    expect(onUpdate).toHaveBeenLastCalledWith(
+      baseState({
+        [field]: value,
+      })
+    );
+  };
+
+describe('GithubJoinTokenForm', () => {
+  it('a rule can be added', async () => {
+    const state = baseState();
+    const onUpdate = jest.fn();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      { wrapper: Wrapper }
+    );
+
+    await userEvent.click(
+      screen.getByRole('button', { name: /Add another GitHub rule/i })
+    );
+
+    expect(onUpdate).toHaveBeenCalledTimes(1);
+    expect(onUpdate).toHaveBeenLastCalledWith(
+      baseState({
+        rules: [
+          ...state.github.rules,
+          {
+            ref_type: 'any',
+          },
+        ],
+      })
+    );
+  });
+
+  it('delete button is hidden when only one rule exists', async () => {
+    const state = baseState();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    expect(screen.queryByTestId('delete_rule')).not.toBeInTheDocument();
+  });
+
+  it('delete button is visible when more than one rule exists', async () => {
+    const state = baseState({
+      rules: [{}, {}],
+    });
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    expect(screen.queryAllByTestId('delete_rule').length).toBe(2);
+  });
+
+  it('a rule can be deleted', async () => {
+    const state = baseState({
+      rules: [{}, {}],
+    });
+    const onUpdate = jest.fn();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      { wrapper: Wrapper }
+    );
+
+    const rule0 = screen.getByTestId('rule_0');
+    const deleteButton0 = within(rule0).getByTestId('delete_rule');
+
+    await userEvent.click(deleteButton0);
+
+    expect(onUpdate).toHaveBeenCalledTimes(1);
+    expect(onUpdate).toHaveBeenLastCalledWith(
+      baseState({
+        rules: [state.github.rules[0]],
+      })
+    );
+  });
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'repository field can be populated',
+    populateRuleFieldTest(
+      'repository',
+      'gravitational/teleport',
+      'gravitational/teleport'
+    )
+  );
+
+  it('repository field is disabled when a repository owner is populated', async () => {
+    const state = baseState({
+      rules: [
+        {
+          repository_owner: 'something',
+        },
+      ],
+    });
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    const field = screen.getByPlaceholderText('gravitational/teleport');
+
+    expect(field).toBeDisabled();
+  });
+
+  it('repository field shows a validation message', async () => {
+    const state = baseState();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    await userEvent.click(screen.getByTestId('submit'));
+
+    expect(
+      screen.getByText('Either repository name or owner is required')
+    ).toBeInTheDocument();
+  });
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'repository owner field can be populated',
+    populateRuleFieldTest('repository_owner', 'gravitational', 'gravitational')
+  );
+
+  it('repository owner field is disabled when a repository name is populated', async () => {
+    const state = baseState({
+      rules: [
+        {
+          repository: 'something',
+        },
+      ],
+    });
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    const field = screen.getByPlaceholderText('gravitational');
+
+    expect(field).toBeDisabled();
+  });
+
+  it('repository owner field shows a validation message', async () => {
+    const state = baseState();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    await userEvent.click(screen.getByTestId('submit'));
+
+    expect(
+      screen.getByText('Either repository owner or name is required')
+    ).toBeInTheDocument();
+  });
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'workflow field can be populated',
+    populateRuleFieldTest('workflow', 'my-workflow', 'my-workflow')
+  );
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'environment field can be populated',
+    populateRuleFieldTest('environment', 'production', 'production')
+  );
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'ref field can be populated',
+    populateRuleFieldTest('ref', 'ref/heads/main', 'ref/heads/main')
+  );
+
+  it('ref type is disabled when ref is not populated', async () => {
+    const state = baseState();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      { wrapper: Wrapper }
+    );
+
+    expect(screen.getByLabelText('Ref type')).toBeDisabled();
+  });
+
+  it('ref type can be selected', async () => {
+    const state = baseState({
+      rules: [
+        {
+          ref: 'ref/heads/main',
+          ref_type: 'any',
+        },
+      ],
+    });
+    const onUpdate = jest.fn();
+
+    render(
+      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      { wrapper: Wrapper }
+    );
+
+    const selectElement = screen.getByLabelText('Ref type');
+    expect(selectElement).toBeEnabled();
+
+    // Seems to be the only way to interact with react-select component
+    fireEvent.keyDown(selectElement, { key: 'ArrowDown' });
+    const existingItem = await screen.findByText('Branch');
+    fireEvent.click(existingItem);
+
+    expect(onUpdate).toHaveBeenCalledTimes(1);
+    expect(onUpdate).toHaveBeenLastCalledWith(
+      baseState({
+        rules: [
+          {
+            ...state.github.rules[0],
+            ref_type: 'branch',
+          },
+        ],
+      })
+    );
+  });
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'server host field can be populated',
+    populateFieldTest({
+      field: 'server_host',
+      placeholer: 'github.example.com',
+      value: 'github.example.com',
+    })
+  );
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'slug field can be populated',
+    populateFieldTest({
+      field: 'enterprise_slug',
+      placeholer: 'octo-enterprise',
+      value: 'octo-enterprise',
+    })
+  );
+
+  // eslint-disable-next-line jest/expect-expect
+  it(
+    'jwks field can be populated',
+    populateFieldTest({
+      field: 'static_jwks',
+      placeholer: '{"keys":[--snip--]}',
+      value: '{"keys":[]}',
+    })
+  );
+});
+
+const Wrapper = ({ children }: PropsWithChildren) => {
+  return (
+    <ThemeProvider>
+      <Validation>
+        <SubmitWrapper>{children}</SubmitWrapper>
+      </Validation>
+    </ThemeProvider>
+  );
+};
+
+const SubmitWrapper = ({ children }: PropsWithChildren) => {
+  const validation = useValidation();
+
+  return (
+    <>
+      {children}
+      <button data-testid="submit" onClick={() => validation.validate()} />
+    </>
+  );
+};
+
+const baseState = (
+  github: Partial<NewJoinTokenState['github']> = {}
+): NewJoinTokenState => ({
+  name: 'test-name',
+  method: { label: 'github', value: 'github' },
+  roles: [{ label: 'Bot', value: 'Bot' }],
+  bot_name: 'test-bot-name',
+  github: {
+    ...github,
+    rules: github.rules ?? [
+      {
+        ref_type: 'any',
+      },
+    ],
+  },
+  iam: [],
+  gcp: [],
+  oracle: [],
+});
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
new file mode 100644
index 0000000000000..621e1d21bb8ac
--- /dev/null
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -0,0 +1,263 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import styled from 'styled-components';
+
+import Box from 'design/Box/Box';
+import { ButtonText } from 'design/Button/Button';
+import ButtonIcon from 'design/ButtonIcon/ButtonIcon';
+import Flex from 'design/Flex/Flex';
+import { Plus } from 'design/Icon/Icons/Plus';
+import { Trash } from 'design/Icon/Icons/Trash';
+import Text from 'design/Text/Text';
+import FieldInput from 'shared/components/FieldInput/FieldInput';
+import FieldSelect from 'shared/components/FieldSelect';
+import { falsyField, requiredField } from 'shared/components/Validation/rules';
+
+import { NewJoinTokenState } from './UpsertJoinTokenDialog';
+
+export const JoinTokenGithubForm = ({
+  tokenState,
+  onUpdateState,
+}: {
+  tokenState: NewJoinTokenState;
+  onUpdateState: (newToken: NewJoinTokenState) => void;
+}) => {
+  const { github } = tokenState;
+  const { rules } = github;
+
+  function removeRule(index: number) {
+    const newRules = rules.filter((_, i) => index !== i);
+    const newState = {
+      ...tokenState,
+      github: {
+        ...tokenState.github,
+        rules: newRules,
+      },
+    };
+    onUpdateState(newState);
+  }
+
+  function addNewRule() {
+    const newState = {
+      ...tokenState,
+      github: {
+        ...tokenState.github,
+        rules: [
+          ...rules,
+          {
+            ref_type: 'any' as const,
+          },
+        ],
+      },
+    };
+    onUpdateState(newState);
+  }
+
+  function updateRuleField(index: number, fieldName: string, opts: unknown) {
+    const newState = {
+      ...tokenState,
+      github: {
+        ...tokenState.github,
+        rules: rules.map((rule, i) => {
+          if (i === index) {
+            return { ...rule, [fieldName]: opts };
+          }
+          return rule;
+        }),
+      },
+    };
+    onUpdateState(newState);
+  }
+
+  return (
+    <>
+      {rules.map((rule, index) => (
+        <RuleBox
+          data-testid={`rule_${index}`}
+          key={index} // order doesn't change without updating the referrenced array
+        >
+          <Flex alignItems="center" justifyContent="space-between">
+            <Text fontWeight={700} mb={2}>
+              GitHub Rule
+            </Text>
+
+            {rules.length > 1 && ( // at least one rule is required, so lets not allow the user to remove it
+              <ButtonIcon
+                data-testid="delete_rule"
+                onClick={() => removeRule(index)}
+              >
+                <Trash size={16} color="text.muted" />
+              </ButtonIcon>
+            )}
+          </Flex>
+
+          <FieldInput
+            label="Repository"
+            placeholder="gravitational/teleport"
+            toolTipContent="Fully qualified name of a GitHub repository (i.e. including the owner)"
+            value={rule.repository}
+            onChange={e => updateRuleField(index, 'repository', e.target.value)}
+            rule={
+              rule.repository_owner
+                ? falsyField(
+                    'Repository name cannot be provided with repository owner'
+                  )
+                : requiredField('Either repository name or owner is required')
+            }
+            disabled={!!rule.repository_owner}
+          />
+
+          <Text fontWeight="regular" textAlign="center">
+            - or -
+          </Text>
+
+          <FieldInput
+            label="Repository owner"
+            placeholder="gravitational"
+            toolTipContent="Name of an organization or user that a repository belongs to"
+            value={rule.repository_owner}
+            onChange={e =>
+              updateRuleField(index, 'repository_owner', e.target.value)
+            }
+            rule={
+              rule.repository
+                ? falsyField(
+                    'Repository owner cannot be provided with repository name'
+                  )
+                : requiredField('Either repository owner or name is required')
+            }
+            disabled={!!rule.repository}
+          />
+
+          <FieldInput
+            label="Workflow name"
+            placeholder="my-workflow"
+            value={rule.workflow}
+            onChange={e => updateRuleField(index, 'workflow', e.target.value)}
+          />
+
+          <FieldInput
+            label="Environment"
+            placeholder="production"
+            value={rule.environment}
+            onChange={e =>
+              updateRuleField(index, 'environment', e.target.value)
+            }
+          />
+
+          <Flex fullWidth gap={2}>
+            <FieldInput
+              flex={2}
+              label="Git ref"
+              placeholder="ref/heads/main"
+              value={rule.ref}
+              onChange={e => updateRuleField(index, 'ref', e.target.value)}
+            />
+
+            <FieldSelect
+              flex={1}
+              label="Ref type"
+              options={refTypeOptions}
+              value={refTypeOptions.find(o => o.value === rule.ref_type)}
+              onChange={opts => updateRuleField(index, 'ref_type', opts.value)}
+              isDisabled={!rule.ref}
+              data-testid="ref-type-select"
+            />
+          </Flex>
+        </RuleBox>
+      ))}
+
+      <ButtonText onClick={addNewRule} compact>
+        <Plus size={16} mr={2} />
+        Add another GitHub rule
+      </ButtonText>
+
+      <Text fontWeight={700} mt={5}>
+        GHES configuration
+      </Text>
+
+      <Text fontWeight="regular" mb={2}>
+        Additional settings for configuring GitHub Enterprise Server.
+      </Text>
+
+      <FieldInput
+        label="Server host"
+        placeholder="github.example.com"
+        value={github.server_host}
+        onChange={e =>
+          onUpdateState({
+            ...tokenState,
+            github: {
+              ...tokenState.github,
+              server_host: e.target.value,
+            },
+          })
+        }
+      />
+
+      <FieldInput
+        label="Slug"
+        placeholder="octo-enterprise"
+        value={github.enterprise_slug}
+        onChange={e =>
+          onUpdateState({
+            ...tokenState,
+            github: {
+              ...tokenState.github,
+              enterprise_slug: e.target.value,
+            },
+          })
+        }
+      />
+
+      <FieldInput
+        label="Static JWKS"
+        placeholder='{"keys":[--snip--]}'
+        toolTipContent="JSON Web Key Set used to verify the token issued by GitHub Actions"
+        value={github.static_jwks}
+        onChange={e =>
+          onUpdateState({
+            ...tokenState,
+            github: {
+              ...tokenState.github,
+              static_jwks: e.target.value,
+            },
+          })
+        }
+      />
+    </>
+  );
+};
+
+const refTypeOptions = [
+  { value: 'any' as const, label: 'Any' },
+  { value: 'branch' as const, label: 'Branch' },
+  { value: 'tag' as const, label: 'Tag' },
+];
+
+const RuleBox = styled(Box)`
+  border-color: ${props => props.theme.colors.interactive.tonal.neutral[0]};
+  border-width: 2px;
+  border-style: solid;
+  border-radius: ${props => props.theme.radii[2]}px;
+
+  margin-bottom: ${props => props.theme.space[3]}px;
+
+  padding: ${props => props.theme.space[3]}px;
+`;
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
index 82853c3c9420d..94ece31cd1831 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokens.tsx
@@ -234,7 +234,8 @@ export const JoinTokens = () => {
                         if (
                           token.method === 'iam' ||
                           token.method === 'gcp' ||
-                          token.method === 'token'
+                          token.method === 'token' ||
+                          (token.method === 'github' && token.github)
                         ) {
                           setEditingToken(token);
                           return;
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 3402c45fb115d..72baf92a15a37 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -34,7 +34,7 @@ import { HoverTooltip } from 'design/Tooltip';
 import FieldInput from 'shared/components/FieldInput';
 import { FieldSelect } from 'shared/components/FieldSelect';
 import { Option } from 'shared/components/Select';
-import Validation from 'shared/components/Validation';
+import Validation, { Validator } from 'shared/components/Validation';
 import { requiredField } from 'shared/components/Validation/rules';
 import { useAsync } from 'shared/hooks/useAsync';
 
@@ -52,6 +52,7 @@ import {
   JoinTokenIAMForm,
   JoinTokenOracleForm,
 } from './JoinTokenForms';
+import { JoinTokenGithubForm } from './JoinTokenGithubForm';
 
 const maxWidth = '550px';
 
@@ -65,12 +66,15 @@ const joinRoleOptions: OptionJoinRole[] = [
   'Discovery',
 ].map(role => ({ value: role as JoinRole, label: role as JoinRole }));
 
-const availableJoinMethods: OptionJoinMethod[] = ['iam', 'gcp', 'oracle'].map(
-  method => ({
-    value: method as JoinMethod,
-    label: method as JoinMethod,
-  })
-);
+const availableJoinMethods: OptionJoinMethod[] = [
+  'iam',
+  'gcp',
+  'oracle',
+  'github',
+].map(method => ({
+  value: method as JoinMethod,
+  label: method as JoinMethod,
+}));
 
 export type AllowOption = Option<string, string>;
 type OptionJoinMethod = Option<JoinMethod, JoinMethod>;
@@ -86,6 +90,20 @@ type NewJoinTokenOracleState = {
   regions: AllowOption[];
 };
 
+type NewJoinTokenGithubState = {
+  server_host?: string;
+  static_jwks?: string | undefined;
+  enterprise_slug?: string | undefined;
+  rules: {
+    repository?: string;
+    repository_owner?: string | undefined;
+    workflow?: string | undefined;
+    environment?: string | undefined;
+    ref?: string;
+    ref_type?: 'any' | 'branch' | 'tag';
+  }[];
+};
+
 export type NewJoinTokenState = {
   name: string;
   // bot_name is only required when Bot is selected in the roles
@@ -95,6 +113,7 @@ export type NewJoinTokenState = {
   iam: AWSRules[];
   gcp: NewJoinTokenGCPState[];
   oracle: NewJoinTokenOracleState[];
+  github: NewJoinTokenGithubState;
 };
 
 export const defaultNewTokenState: NewJoinTokenState = {
@@ -105,6 +124,13 @@ export const defaultNewTokenState: NewJoinTokenState = {
   iam: [{ aws_account: '', aws_arn: '' }],
   gcp: [{ project_ids: [], service_accounts: [], locations: [] }],
   oracle: [{ tenancy: '', parent_compartments: [], regions: [] }],
+  github: {
+    rules: [
+      {
+        ref_type: 'any',
+      },
+    ],
+  },
 };
 
 function makeDefaultEditState(token: JoinToken): NewJoinTokenState {
@@ -130,9 +156,35 @@ function makeDefaultEditState(token: JoinToken): NewJoinTokenState {
       })),
       regions: r.regions?.map(i => ({ value: i, label: i })),
     })),
+    github: token.github
+      ? {
+          server_host: token.github.enterprise_server_host,
+          enterprise_slug: token.github.enterprise_slug,
+          static_jwks: token.github.static_jwks,
+          rules: token.github.allow.map(r => ({
+            repository: r.repository,
+            actor: r.actor,
+            environment: r.environment,
+            ref: r.ref,
+            ref_type: parseGithubRefType(r.ref_type),
+            repository_owner: r.repository_owner,
+            workflow: r.workflow,
+          })),
+        }
+      : undefined,
   };
 }
 
+function parseGithubRefType(refType: string) {
+  if (refType == 'branch') {
+    return 'branch';
+  } else if (refType == 'tag') {
+    return 'tag';
+  } else {
+    return 'any';
+  }
+}
+
 export const UpsertJoinTokenDialog = ({
   onClose,
   updateTokenList,
@@ -157,12 +209,12 @@ export const UpsertJoinTokenDialog = ({
     }
   );
 
-  function reset(validator) {
+  function reset(validator: Validator) {
     validator.reset();
     setNewTokenState(defaultNewTokenState);
   }
 
-  async function save(validator) {
+  async function save(validator: Validator) {
     if (!validator.validate()) {
       return;
     }
@@ -207,6 +259,27 @@ export const UpsertJoinTokenDialog = ({
       request.oracle = oracle;
     }
 
+    if (newTokenState.method.value === 'github') {
+      const github: (typeof request)['github'] = {
+        allow: newTokenState.github.rules.map(rule => ({
+          environment: rule.environment,
+          ref: rule.ref,
+          ref_type: rule.ref ? rule.ref_type : undefined,
+          repository: rule.repository,
+          repository_owner: rule.repository_owner,
+          workflow: rule.workflow,
+
+          actor: null, // Unsupported field
+          sub: null, // Unsupported field
+        })),
+        enterprise_server_host: newTokenState.github.server_host,
+        enterprise_slug: newTokenState.github.enterprise_slug,
+        static_jwks: newTokenState.github.static_jwks,
+      };
+
+      request.github = github;
+    }
+
     runCreateTokenAttempt(request);
   }
 
@@ -344,6 +417,12 @@ export const UpsertJoinTokenDialog = ({
                   onUpdateState={newState => setNewTokenState(newState)}
                 />
               )}
+              {newTokenState.method.value === 'github' && (
+                <JoinTokenGithubForm
+                  tokenState={newTokenState}
+                  onUpdateState={setNewTokenState}
+                />
+              )}
               <Flex
                 mt={4}
                 py={4}
@@ -353,7 +432,7 @@ export const UpsertJoinTokenDialog = ({
                   bottom: 0;
                   background: ${({ theme }) => theme.colors.levels.sunken};
                   border-top: 1px solid
-                    ${props => props.theme.colors.spotBackground[1]};
+                    ${({ theme }) => theme.colors.spotBackground[1]};
                 `}
               >
                 <ButtonPrimary
diff --git a/web/packages/teleport/src/services/joinToken/makeJoinToken.ts b/web/packages/teleport/src/services/joinToken/makeJoinToken.ts
index 92ab74bc6f53f..a4da7b2a47a62 100644
--- a/web/packages/teleport/src/services/joinToken/makeJoinToken.ts
+++ b/web/packages/teleport/src/services/joinToken/makeJoinToken.ts
@@ -22,7 +22,7 @@ import type { JoinToken } from './types';
 
 export const INTERNAL_RESOURCE_ID_LABEL_KEY = 'teleport.internal/resource-id';
 
-export default function makeToken(json): JoinToken {
+export default function makeToken(json: any): JoinToken {
   json = json || {};
   const {
     id,
@@ -30,6 +30,7 @@ export default function makeToken(json): JoinToken {
     isStatic,
     allow,
     gcp,
+    github,
     bot_name,
     expiry,
     method,
@@ -48,6 +49,7 @@ export default function makeToken(json): JoinToken {
     method,
     allow,
     gcp,
+    github,
     roles: roles?.sort((a, b) => a.localeCompare(b)) || [],
     suggestedLabels: labels,
     internalResourceId: extractInternalResourceId(labels),
diff --git a/web/packages/teleport/src/services/joinToken/types.ts b/web/packages/teleport/src/services/joinToken/types.ts
index c934f798f2c12..3ddb86200f82c 100644
--- a/web/packages/teleport/src/services/joinToken/types.ts
+++ b/web/packages/teleport/src/services/joinToken/types.ts
@@ -50,6 +50,7 @@ export type JoinToken = {
   oracle?: {
     allow: OracleRules[];
   };
+  github?: GithubConfig;
 };
 
 // JoinRole defines built-in system roles and are roles associated with
@@ -114,6 +115,36 @@ export type OracleRules = {
   regions: string[];
 };
 
+type GithubConfig = {
+  /** enterprise_server_host allows joining from GitHub Actions workflows in a GitHub Enterprise Server instance. For normal situations, where you are using github.com, this option should be omitted. If you are using GHES, this value should be configured to the hostname of your GHES instance. */
+  enterprise_server_host: string | null;
+  /** static_jwks allows the JSON Web Key Set (JWKS) used to verify the token issued by GitHub Actions to be overridden. This can be used in scenarios where the Teleport Auth Service is unable to reach a GHES server. */
+  static_jwks: string | null;
+  /** enterprise_slug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. */
+  enterprise_slug: string | null;
+  /** allow is an array of rule configurations for which GitHub Actions workflows should be allowed to join */
+  allow: GithubRules[];
+};
+
+export type GithubRules = {
+  /** repository is a fully qualified (e.g. including the owner) name of a GitHub repository. */
+  repository: string | null;
+  /** repository_owner is the name of an organization or user that a repository belongs to. */
+  repository_owner: string | null;
+  /** workflow is the exact name of a workflow as configured in the GitHub Action workflow YAML file. */
+  workflow: string | null;
+  /** environment is the environment associated with the GitHub Actions run. If no environment is configured for the GitHub Actions run, this will be empty. */
+  environment: string | null;
+  /** actor is the GitHub username that caused the GitHub Actions run, whether by committing or by directly despatching the workflow. */
+  actor: string | null;
+  /** ref is the git ref that triggered the action run. */
+  ref: string | null;
+  /** ref_type is the type of the git ref that triggered the action run. */
+  ref_type: string | null;
+  /** sub is a concatenated string of various attributes of the workflow run. GitHub explains the format of this string at: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims */
+  sub: string | null;
+};
+
 export type JoinTokenRulesObject = AWSRules | GCPRules;
 
 export type CreateJoinTokenRequest = {
@@ -134,6 +165,7 @@ export type CreateJoinTokenRequest = {
   oracle?: {
     allow: OracleRules[];
   };
+  github?: GithubConfig;
 };
 
 export type JoinTokenRequest = {

From bb2bf9ae5015df10c2a2bd99ff52806a4eb2fc1b Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 10:27:00 +0100
Subject: [PATCH 05/29] Handle unsupported fields during edit

---
 lib/web/yaml.go                               |  24 +
 lib/web/yaml_test.go                          | 107 ++++-
 .../src/JoinTokens/JoinTokenForms.tsx         |  36 ++
 .../src/JoinTokens/JoinTokenGithubForm.tsx    |  30 +-
 .../src/JoinTokens/JoinTokens.test.tsx        | 116 ++++-
 .../src/JoinTokens/UpsertJoinTokenDialog.tsx  | 445 ++++++++++++------
 .../src/JoinTokens/collectKeys.test.ts        |  97 ++++
 .../teleport/src/JoinTokens/collectKeys.ts    |  42 ++
 .../teleport/src/services/yaml/types.ts       |   1 +
 web/packages/teleport/src/teleportContext.tsx |   2 +
 10 files changed, 734 insertions(+), 166 deletions(-)
 create mode 100644 web/packages/teleport/src/JoinTokens/collectKeys.test.ts
 create mode 100644 web/packages/teleport/src/JoinTokens/collectKeys.ts

diff --git a/lib/web/yaml.go b/lib/web/yaml.go
index ac0c49ef23770..db766099e608e 100644
--- a/lib/web/yaml.go
+++ b/lib/web/yaml.go
@@ -71,6 +71,14 @@ func (h *Handler) yamlParse(w http.ResponseWriter, r *http.Request, params httpr
 
 		return yamlParseResponse{Resource: resource}, nil
 
+	case types.KindToken:
+		resource, err := yamlToProvisionToken(req.YAML)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+
+		return yamlParseResponse{Resource: resource}, nil
+
 	default:
 		return nil, trace.NotImplemented("parsing YAML for kind %q is not supported", kind)
 	}
@@ -148,3 +156,19 @@ func yamlToRole(yaml string) (types.Role, error) {
 
 	return resource, nil
 }
+
+func yamlToProvisionToken(yaml string) (types.ProvisionToken, error) {
+	extractedRes, err := extractResource(yaml)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if extractedRes.Kind != types.KindToken {
+		return nil, trace.BadParameter("resource kind %q is invalid, only token is allowed", extractedRes.Kind)
+	}
+	resource, err := services.UnmarshalProvisionToken(extractedRes.Raw)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return resource, nil
+}
diff --git a/lib/web/yaml_test.go b/lib/web/yaml_test.go
index 6399ed8082ea3..8b5cc980da6db 100644
--- a/lib/web/yaml_test.go
+++ b/lib/web/yaml_test.go
@@ -23,6 +23,7 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/require"
 
 	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
@@ -44,6 +45,28 @@ spec:
 version: v1
 `
 
+const validTokenYaml = `kind: token
+metadata:
+  name: test-name
+spec:
+  github:
+    enterprise_server_host: test-server-host
+    static_jwks: test-twks
+    allow:
+    - actor: test-actor
+      environment: test-environment
+      ref: test-ref
+      ref_type: test-ref-type
+      repository: test-repository
+      repository_owner: test-owner
+      workflow: test-workflow
+      sub: test-sub
+  join_method: github
+  roles:
+  - Node
+version: v2
+`
+
 func getAccessMonitoringRuleResource() *accessmonitoringrulesv1.AccessMonitoringRule {
 	return &accessmonitoringrulesv1.AccessMonitoringRule{
 		Kind:    types.KindAccessMonitoringRule,
@@ -62,6 +85,36 @@ func getAccessMonitoringRuleResource() *accessmonitoringrulesv1.AccessMonitoring
 	}
 }
 
+func getTokenResource() *types.ProvisionTokenV2 {
+	return &types.ProvisionTokenV2{
+		Kind:    types.KindToken,
+		Version: types.V2,
+		Metadata: types.Metadata{
+			Name: "test-name",
+		},
+		Spec: types.ProvisionTokenSpecV2{
+			Roles:      []types.SystemRole{types.RoleNode},
+			JoinMethod: types.JoinMethodGitHub,
+			GitHub: &types.ProvisionTokenSpecV2GitHub{
+				EnterpriseServerHost: "test-server-host",
+				StaticJWKS:           "test-twks",
+				Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+					{
+						Sub:             "test-sub",
+						Repository:      "test-repository",
+						RepositoryOwner: "test-owner",
+						Workflow:        "test-workflow",
+						Environment:     "test-environment",
+						Actor:           "test-actor",
+						Ref:             "test-ref",
+						RefType:         "test-ref-type",
+					},
+				},
+			},
+		},
+	}
+}
+
 func TestYAMLParse_Valid(t *testing.T) {
 	t.Parallel()
 
@@ -69,26 +122,48 @@ func TestYAMLParse_Valid(t *testing.T) {
 	proxy := env.proxies[0]
 	pack := proxy.authPack(t, "test@example.com", nil)
 
-	endpoint := pack.clt.Endpoint("webapi", "yaml", "parse", types.KindAccessMonitoringRule)
-	re, err := pack.clt.PostJSON(context.Background(), endpoint, yamlParseRequest{
-		YAML: validAccessMonitoringRuleYaml,
-	})
-	require.NoError(t, err)
+	testCases := []struct {
+		name     string
+		kind     string
+		yaml     string
+		expected any
+	}{
+		{
+			name:     "AccessMonitoringRule",
+			kind:     types.KindAccessMonitoringRule,
+			yaml:     validAccessMonitoringRuleYaml,
+			expected: getAccessMonitoringRuleResource(),
+		},
+		{
+			name:     "Token",
+			kind:     types.KindToken,
+			yaml:     validTokenYaml,
+			expected: getTokenResource(),
+		},
+	}
 
-	var endpointResp yamlParseResponse
-	require.NoError(t, json.Unmarshal(re.Bytes(), &endpointResp))
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			endpoint := pack.clt.Endpoint("webapi", "yaml", "parse", tc.kind)
+			re, err := pack.clt.PostJSON(context.Background(), endpoint, yamlParseRequest{
+				YAML: tc.yaml,
+			})
+			require.NoError(t, err)
 
-	expectedResource := getAccessMonitoringRuleResource()
+			var endpointResp yamlParseResponse
+			require.NoError(t, json.Unmarshal(re.Bytes(), &endpointResp))
 
-	// Can't cast a unmarshaled interface{} into the expected type, so
-	// we are transforming the expected type to the same type as the
-	// one we got as a response.
-	b, err := json.Marshal(yamlParseResponse{Resource: expectedResource})
-	require.NoError(t, err)
-	var expectedResp yamlParseResponse
-	require.NoError(t, json.Unmarshal(b, &expectedResp))
+			// Can't cast a unmarshaled interface{} into the expected type, so
+			// we are transforming the expected type to the same type as the
+			// one we got as a response.
+			b, err := json.Marshal(yamlParseResponse{Resource: tc.expected})
+			require.NoError(t, err)
+			var expectedResp yamlParseResponse
+			require.NoError(t, json.Unmarshal(b, &expectedResp))
 
-	require.Equal(t, expectedResp.Resource, endpointResp.Resource)
+			require.Empty(t, cmp.Diff(expectedResp.Resource, endpointResp.Resource))
+		})
+	}
 }
 
 func TestYAMLParse_Errors(t *testing.T) {
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
index 5c9b7a4f5a806..0ec2a259ed67c 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
@@ -22,6 +22,7 @@ import FieldInput from 'shared/components/FieldInput';
 import { FieldSelectCreatable } from 'shared/components/FieldSelect';
 import { requiredField } from 'shared/components/Validation/rules';
 
+import { collectKeys } from './collectKeys';
 import {
   AllowOption,
   NewJoinTokenState,
@@ -31,9 +32,11 @@ import {
 export const JoinTokenIAMForm = ({
   tokenState,
   onUpdateState,
+  readonly,
 }: {
   tokenState: NewJoinTokenState;
   onUpdateState: (newToken: NewJoinTokenState) => void;
+  readonly: boolean;
 }) => {
   const rules = tokenState.iam;
 
@@ -104,6 +107,7 @@ export const JoinTokenIAMForm = ({
             onChange={e =>
               setTokenRulesField(index, 'aws_account', e.target.value)
             }
+            readonly={readonly}
           />
           <FieldInput
             label="ARN"
@@ -111,6 +115,7 @@ export const JoinTokenIAMForm = ({
             placeholder="arn:aws:iam::account-id:role/*"
             value={rule.aws_arn}
             onChange={e => setTokenRulesField(index, 'aws_arn', e.target.value)}
+            readonly={readonly}
           />
         </RuleBox>
       ))}
@@ -122,12 +127,21 @@ export const JoinTokenIAMForm = ({
   );
 };
 
+export const checkIAMYAMLData = (data: unknown) => {
+  const keys = collectKeys(data);
+  return (
+    !keys || new Set(keys).isSubsetOf(new Set(['.aws_account', '.aws_arn']))
+  );
+};
+
 export const JoinTokenGCPForm = ({
   tokenState,
   onUpdateState,
+  readonly,
 }: {
   tokenState: NewJoinTokenState;
   onUpdateState: (newToken: NewJoinTokenState) => void;
+  readonly: boolean;
 }) => {
   const rules = tokenState.gcp;
   function removeRule(index: number) {
@@ -198,6 +212,7 @@ export const JoinTokenGCPForm = ({
             value={rule.project_ids}
             label="Add Project ID(s)"
             rule={requiredField('At least 1 Project ID required')}
+            isDisabled={readonly}
           />
           <FieldSelectCreatable
             placeholder="us-west1, us-east1-a"
@@ -210,6 +225,7 @@ export const JoinTokenGCPForm = ({
             value={rule.locations}
             label="Add Locations"
             helperText="Allows regions and/or zones."
+            isDisabled={readonly}
           />
           <FieldSelectCreatable
             placeholder="PROJECT_compute@developer.gserviceaccount.com"
@@ -221,6 +237,7 @@ export const JoinTokenGCPForm = ({
             }
             value={rule.service_accounts}
             label="Add Service Account Emails"
+            isDisabled={readonly}
           />
         </RuleBox>
       ))}
@@ -232,12 +249,28 @@ export const JoinTokenGCPForm = ({
   );
 };
 
+export const checkGCPYAMLData = (data: unknown) => {
+  const keys = collectKeys(data);
+  return (
+    !keys ||
+    new Set(keys).isSubsetOf(
+      new Set([
+        '.allow.project_ids',
+        '.allow.locations',
+        '.allow.service_accounts',
+      ])
+    )
+  );
+};
+
 export const JoinTokenOracleForm = ({
   tokenState,
   onUpdateState,
+  readonly,
 }: {
   tokenState: NewJoinTokenState;
   onUpdateState: (newToken: NewJoinTokenState) => void;
+  readonly: boolean;
 }) => {
   const rules = tokenState.oracle;
   function removeRule(index: number) {
@@ -301,6 +334,7 @@ export const JoinTokenOracleForm = ({
             placeholder="ocid1.tenancy.oc1..<unique ID>"
             value={rule.tenancy}
             onChange={e => updateRuleField(index, 'tenancy', e.target.value)}
+            readonly={readonly}
           />
           <FieldSelectCreatable
             placeholder="ocid1.compartment.oc1..<unique ID>"
@@ -317,6 +351,7 @@ export const JoinTokenOracleForm = ({
             value={rule.parent_compartments}
             label="Add Compartments"
             helperText="Direct parent compartments only, no nested compartments."
+            isDisabled={readonly}
           />
           <FieldSelectCreatable
             placeholder="us-ashburn-1, phx"
@@ -328,6 +363,7 @@ export const JoinTokenOracleForm = ({
             }
             value={rule.regions}
             label="Add Regions"
+            isDisabled={readonly}
           />
         </RuleBox>
       ))}
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index 621e1d21bb8ac..02aac142bd9c1 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -29,14 +29,17 @@ import FieldInput from 'shared/components/FieldInput/FieldInput';
 import FieldSelect from 'shared/components/FieldSelect';
 import { falsyField, requiredField } from 'shared/components/Validation/rules';
 
+import { collectKeys } from './collectKeys';
 import { NewJoinTokenState } from './UpsertJoinTokenDialog';
 
 export const JoinTokenGithubForm = ({
   tokenState,
   onUpdateState,
+  readonly,
 }: {
   tokenState: NewJoinTokenState;
   onUpdateState: (newToken: NewJoinTokenState) => void;
+  readonly: boolean;
 }) => {
   const { github } = tokenState;
   const { rules } = github;
@@ -121,6 +124,7 @@ export const JoinTokenGithubForm = ({
                 : requiredField('Either repository name or owner is required')
             }
             disabled={!!rule.repository_owner}
+            readonly={readonly}
           />
 
           <Text fontWeight="regular" textAlign="center">
@@ -143,6 +147,7 @@ export const JoinTokenGithubForm = ({
                 : requiredField('Either repository owner or name is required')
             }
             disabled={!!rule.repository}
+            readonly={readonly}
           />
 
           <FieldInput
@@ -150,6 +155,7 @@ export const JoinTokenGithubForm = ({
             placeholder="my-workflow"
             value={rule.workflow}
             onChange={e => updateRuleField(index, 'workflow', e.target.value)}
+            readonly={readonly}
           />
 
           <FieldInput
@@ -159,6 +165,7 @@ export const JoinTokenGithubForm = ({
             onChange={e =>
               updateRuleField(index, 'environment', e.target.value)
             }
+            readonly={readonly}
           />
 
           <Flex fullWidth gap={2}>
@@ -168,6 +175,7 @@ export const JoinTokenGithubForm = ({
               placeholder="ref/heads/main"
               value={rule.ref}
               onChange={e => updateRuleField(index, 'ref', e.target.value)}
+              readonly={readonly}
             />
 
             <FieldSelect
@@ -176,7 +184,7 @@ export const JoinTokenGithubForm = ({
               options={refTypeOptions}
               value={refTypeOptions.find(o => o.value === rule.ref_type)}
               onChange={opts => updateRuleField(index, 'ref_type', opts.value)}
-              isDisabled={!rule.ref}
+              isDisabled={!rule.ref || readonly}
               data-testid="ref-type-select"
             />
           </Flex>
@@ -209,6 +217,7 @@ export const JoinTokenGithubForm = ({
             },
           })
         }
+        readonly={readonly}
       />
 
       <FieldInput
@@ -224,6 +233,7 @@ export const JoinTokenGithubForm = ({
             },
           })
         }
+        readonly={readonly}
       />
 
       <FieldInput
@@ -240,6 +250,7 @@ export const JoinTokenGithubForm = ({
             },
           })
         }
+        readonly={readonly}
       />
     </>
   );
@@ -261,3 +272,20 @@ const RuleBox = styled(Box)`
 
   padding: ${props => props.theme.space[3]}px;
 `;
+
+const supportedFields = new Set([
+  '.enterprise_server_host',
+  '.static_jwks',
+  '.enterprise_slug',
+  '.allow.repository',
+  '.allow.repository_owner',
+  '.allow.workflow',
+  '.allow.environment',
+  '.allow.ref',
+  '.allow.ref_type',
+]);
+
+export const checkGithubYAMLData = (data: unknown) => {
+  const keys = collectKeys(data);
+  return !keys || new Set(keys).isSubsetOf(supportedFields);
+};
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx b/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
index 977dbd01867a9..65f35cbe78582 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
@@ -57,6 +57,12 @@ describe('JoinTokens', () => {
     expect(
       screen.getByDisplayValue(token.allow[0].aws_account)
     ).toBeInTheDocument();
+
+    expect(
+      screen.queryByText(
+        'This token has configuration that is not visible. To edit this token please use the YAML editor.'
+      )
+    ).not.toBeInTheDocument();
   });
 
   test('create form fails if roles arent selected', async () => {
@@ -126,14 +132,122 @@ describe('JoinTokens', () => {
     const buttons = screen.queryAllByTestId('delete_rule');
     expect(buttons).toHaveLength(2);
   });
+
+  describe('when editing', () => {
+    describe("when the join method is 'iam'", () => {
+      test('shows a warning when a resource field is not supported', async () => {
+        const mockedYamlObject = {
+          spec: {
+            join_method: 'iam',
+            allow: [
+              {
+                unsupportedField: true,
+              },
+            ],
+          },
+        };
+
+        render(<Component parseYamlMock={mockedYamlObject} />);
+
+        // wait for re-render
+        await act(tick);
+
+        const optionButtons = await screen.findAllByText(/options/i);
+        await userEvent.click(optionButtons[0]);
+        const editButtons = await screen.findAllByText(/view\/edit/i);
+        await userEvent.click(editButtons[0]);
+        expect(screen.getByText(/edit token/i)).toBeInTheDocument();
+
+        expect(
+          screen.getByText(
+            'This token has configuration that is not visible. To edit this token please use the YAML editor.'
+          )
+        ).toBeInTheDocument();
+      });
+    });
+
+    describe("when the join method is 'gcp'", () => {
+      test('shows a warning when a resource field is not supported', async () => {
+        const mockedYamlObject = {
+          spec: {
+            join_method: 'gcp',
+            gcp: {
+              allow: [
+                {
+                  unsupportedField: true,
+                },
+              ],
+            },
+          },
+        };
+
+        render(<Component parseYamlMock={mockedYamlObject} />);
+
+        // wait for re-render
+        await act(tick);
+
+        const optionButtons = await screen.findAllByText(/options/i);
+        await userEvent.click(optionButtons[0]);
+        const editButtons = await screen.findAllByText(/view\/edit/i);
+        await userEvent.click(editButtons[0]);
+        expect(screen.getByText(/edit token/i)).toBeInTheDocument();
+
+        expect(
+          screen.getByText(
+            'This token has configuration that is not visible. To edit this token please use the YAML editor.'
+          )
+        ).toBeInTheDocument();
+      });
+    });
+
+    describe("when the join method is 'github'", () => {
+      test('shows a warning when a resource field is not supported', async () => {
+        const mockedYamlObject = {
+          spec: {
+            join_method: 'github',
+            github: {
+              unsupportedField: true,
+            },
+          },
+        };
+
+        render(<Component parseYamlMock={mockedYamlObject} />);
+
+        // wait for re-render
+        await act(tick);
+
+        const optionButtons = await screen.findAllByText(/options/i);
+        await userEvent.click(optionButtons[0]);
+        const editButtons = await screen.findAllByText(/view\/edit/i);
+        await userEvent.click(editButtons[0]);
+        expect(screen.getByText(/edit token/i)).toBeInTheDocument();
+
+        expect(
+          screen.getByText(
+            'This token has configuration that is not visible. To edit this token please use the YAML editor.'
+          )
+        ).toBeInTheDocument();
+      });
+    });
+  });
 });
 
-const Component = () => {
+const Component = ({ parseYamlMock }: { parseYamlMock?: object }) => {
   const ctx = createTeleportContext();
+
   jest
     .spyOn(ctx.joinTokenService, 'fetchJoinTokens')
     .mockResolvedValue({ items: tokens.map(makeJoinToken) });
 
+  jest.spyOn(ctx.yamlService, 'parse').mockResolvedValue(
+    parseYamlMock ?? {
+      spec: {
+        join_method: 'iam',
+        allow: [],
+      },
+    }
+  );
+
   jest.spyOn(ctx.joinTokenService, 'createJoinToken').mockResolvedValue(
     makeJoinToken({
       id: 'the_token',
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 72baf92a15a37..461dee6bccc0f 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-import { useState } from 'react';
+import { useEffect, useMemo, useState } from 'react';
 import styled from 'styled-components';
 
 import {
@@ -27,6 +27,7 @@ import {
   ButtonSecondary,
   ButtonText,
   Flex,
+  Indicator,
   Text,
 } from 'design';
 import { Cross } from 'design/Icon';
@@ -46,13 +47,25 @@ import {
   JoinRole,
   JoinToken,
 } from 'teleport/services/joinToken';
+import { yamlService } from 'teleport/services/yaml';
+
+import 'teleport/services/resources';
+
+import { Info } from 'design/Alert/Alert';
+
+import { YamlSupportedResourceKind } from 'teleport/services/yaml/types';
 
 import {
+  checkGCPYAMLData,
+  checkIAMYAMLData,
   JoinTokenGCPForm,
   JoinTokenIAMForm,
   JoinTokenOracleForm,
 } from './JoinTokenForms';
-import { JoinTokenGithubForm } from './JoinTokenGithubForm';
+import {
+  checkGithubYAMLData,
+  JoinTokenGithubForm,
+} from './JoinTokenGithubForm';
 
 const maxWidth = '550px';
 
@@ -209,6 +222,52 @@ export const UpsertJoinTokenDialog = ({
     }
   );
 
+  const [parseYAMLAttempt, parseYAML] = useAsync(
+    async (yaml: string): Promise<unknown | null> => {
+      return {
+        yaml,
+        object: await ctx.yamlService.parse<unknown>(
+          YamlSupportedResourceKind.ProvisionToken,
+          {
+            yaml,
+          }
+        ),
+      };
+    }
+  );
+
+  // Convert the resource YAML to an object for compatibility checking
+  useEffect(() => {
+    if (editToken) {
+      parseYAML(editToken.content);
+    }
+    // parseYAML is not stable
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [editToken]);
+
+  const hasUnsupportedFields = useMemo(() => {
+    if (!editToken) {
+      return false;
+    }
+
+    const { data } = parseYAMLAttempt;
+
+    if (!checkYAMLData(data)) {
+      return true;
+    }
+
+    switch (data.object.spec.join_method) {
+      case 'iam':
+        return !checkIAMYAMLData(data.object.spec.allow);
+      case 'gcp':
+        return !checkGCPYAMLData(data.object.spec.gcp);
+      case 'github':
+        return !checkGithubYAMLData(data.object.spec.github);
+    }
+
+    return false;
+  }, [editToken, parseYAMLAttempt]);
+
   function reset(validator: Validator) {
     validator.reset();
     setNewTokenState(defaultNewTokenState);
@@ -307,164 +366,254 @@ export const UpsertJoinTokenDialog = ({
   }
 
   return (
-    <Flex width="500px">
-      <Box
-        css={`
-          overflow: auto;
-          width: 100%;
-          min-height: 50vh;
-          padding-bottom: 0;
-        `}
-      >
-        <Flex
-          alignItems="center"
-          mb={3}
-          justifyContent="space-between"
-          maxWidth={maxWidth}
-        >
-          <Flex alignItems="center" mr={3}>
-            <HoverTooltip tipContent="Back to Join Tokens">
-              <ButtonIcon onClick={onClose} mr={2}>
-                <Cross size="medium" />
-              </ButtonIcon>
-            </HoverTooltip>
-            <Text typography="h3" fontWeight={400}>
-              {editToken ? `Edit Token` : 'Create a New Join Token'}
-            </Text>
-          </Flex>
-          {editToken && (
-            <ButtonText
-              p={2}
-              onClick={() => {
-                onClose();
-                editTokenWithYAML(editToken.id);
-              }}
-            >
-              <Text color="buttons.link.default">Use YAML editor</Text>
-            </ButtonText>
-          )}
+    <>
+      {parseYAMLAttempt.status === 'processing' && (
+        <Flex justifyContent="center">
+          <Indicator />
         </Flex>
-        <Validation>
-          {({ validator }) => (
-            <Box maxWidth={maxWidth}>
-              {createTokenAttempt.status === 'error' && (
-                <Alert kind="danger">{createTokenAttempt.statusText}</Alert>
-              )}
-              {!editToken && ( // We only want to change the method when creating a new token
-                <FieldSelect
-                  label="Method"
-                  rule={requiredField<Option>('Select a join method')}
-                  isSearchable
-                  isClearable={false}
-                  value={newTokenState.method}
-                  onChange={setTokenMethod}
-                  options={availableJoinMethods}
-                />
-              )}
-              {newTokenState.method.value !== 'token' && ( // if the method is token, we generate the name for them on the backend
-                <FieldInput
-                  label="Token name"
-                  data-testid="name_field"
-                  toolTipContent={
-                    editToken ? 'Editing token names is not supported.' : ''
-                  }
-                  rule={requiredField('Token name is required')}
-                  placeholder={`${newTokenState.method.value}-token-name`}
-                  autoFocus
-                  value={newTokenState.name}
-                  onChange={e => setTokenField('name', e.target.value)}
-                  readonly={!!editToken}
-                />
-              )}
-              <FieldSelect
-                label="Join Roles"
-                inputId="role_select"
-                rule={requiredField('At least one role is required')}
-                placeholder="Click to select roles"
-                isSearchable
-                isMulti
-                mb={5}
-                isClearable={false}
-                value={newTokenState.roles}
-                onChange={setTokenRoles}
-                options={joinRoleOptions}
-              />
-              {newTokenState.roles.some(i => i.value === 'Bot') && ( // if Bot is included, we must get a bot name as well
-                <FieldInput
-                  label="Bot name"
-                  toolTipContent="Bot names are required when the Bot role is selected"
-                  rule={requiredField('Bot name is required')}
-                  placeholder="Enter bot name"
-                  value={newTokenState.bot_name}
-                  onChange={e => setTokenField('bot_name', e.target.value)}
-                />
-              )}
-              {newTokenState.method.value === 'iam' && (
-                <JoinTokenIAMForm
-                  tokenState={newTokenState}
-                  onUpdateState={newState => setNewTokenState(newState)}
-                />
-              )}
-              {newTokenState.method.value === 'gcp' && (
-                <JoinTokenGCPForm
-                  tokenState={newTokenState}
-                  onUpdateState={newState => setNewTokenState(newState)}
-                />
-              )}
-              {newTokenState.method.value === 'oracle' && (
-                <JoinTokenOracleForm
-                  tokenState={newTokenState}
-                  onUpdateState={newState => setNewTokenState(newState)}
-                />
-              )}
-              {newTokenState.method.value === 'github' && (
-                <JoinTokenGithubForm
-                  tokenState={newTokenState}
-                  onUpdateState={setNewTokenState}
-                />
-              )}
-              <Flex
-                mt={4}
-                py={4}
-                gap={2}
-                css={`
-                  position: sticky;
-                  bottom: 0;
-                  background: ${({ theme }) => theme.colors.levels.sunken};
-                  border-top: 1px solid
-                    ${({ theme }) => theme.colors.spotBackground[1]};
-                `}
-              >
-                <ButtonPrimary
-                  width="100%"
-                  size="large"
-                  textTransform="none"
-                  onClick={() => save(validator)}
-                  disabled={createTokenAttempt.status === 'processing'}
+      )}
+
+      {parseYAMLAttempt.status === 'error' && (
+        <Alert kind="danger">{parseYAMLAttempt.statusText}</Alert>
+      )}
+
+      {parseYAMLAttempt.status !== 'error' ? (
+        <Flex width="500px">
+          <Box
+            css={`
+              overflow: auto;
+              width: 100%;
+              min-height: 50vh;
+              padding-bottom: 0;
+            `}
+          >
+            <Flex
+              alignItems="center"
+              mb={3}
+              justifyContent="space-between"
+              maxWidth={maxWidth}
+            >
+              <Flex alignItems="center" mr={3}>
+                <HoverTooltip tipContent="Back to Join Tokens">
+                  <ButtonIcon onClick={onClose} mr={2}>
+                    <Cross size="medium" />
+                  </ButtonIcon>
+                </HoverTooltip>
+                <Text typography="h3" fontWeight={400}>
+                  {editToken ? `Edit Token` : 'Create a New Join Token'}
+                </Text>
+              </Flex>
+
+              {editToken && !hasUnsupportedFields && (
+                <ButtonText
+                  p={2}
+                  onClick={() => {
+                    onClose();
+                    editTokenWithYAML(editToken.id);
+                  }}
                 >
-                  {editToken ? 'Edit' : 'Create'} Join Token
-                </ButtonPrimary>
+                  <Text color="buttons.link.default">Use YAML editor</Text>
+                </ButtonText>
+              )}
+            </Flex>
+
+            {hasUnsupportedFields ? (
+              <Info alignItems="flex-start">
+                <Text>
+                  This token has configuration that is not visible. To edit this
+                  token please use the YAML editor.
+                </Text>
                 <ButtonSecondary
-                  width="100%"
-                  textTransform="none"
                   size="large"
+                  my={2}
                   onClick={() => {
-                    reset(validator);
                     onClose();
+                    editTokenWithYAML(editToken.id);
                   }}
-                  disabled={false}
                 >
-                  Cancel
+                  Use YAML editor
                 </ButtonSecondary>
-              </Flex>
-            </Box>
-          )}
-        </Validation>
-      </Box>
-    </Flex>
+              </Info>
+            ) : undefined}
+
+            <Validation>
+              {({ validator }) => (
+                <Box maxWidth={maxWidth}>
+                  {createTokenAttempt.status === 'error' && (
+                    <Alert kind="danger">{createTokenAttempt.statusText}</Alert>
+                  )}
+                  {!editToken && ( // We only want to change the method when creating a new token
+                    <FieldSelect
+                      label="Method"
+                      rule={requiredField<Option>('Select a join method')}
+                      isSearchable
+                      isClearable={false}
+                      value={newTokenState.method}
+                      onChange={setTokenMethod}
+                      options={availableJoinMethods}
+                    />
+                  )}
+                  {newTokenState.method.value !== 'token' && ( // if the method is token, we generate the name for them on the backend
+                    <FieldInput
+                      label="Token name"
+                      data-testid="name_field"
+                      toolTipContent={
+                        editToken ? 'Editing token names is not supported.' : ''
+                      }
+                      rule={requiredField('Token name is required')}
+                      placeholder={`${newTokenState.method.value}-token-name`}
+                      autoFocus
+                      value={newTokenState.name}
+                      onChange={e => setTokenField('name', e.target.value)}
+                      readonly={!!editToken}
+                    />
+                  )}
+                  <FieldSelect
+                    label="Join Roles"
+                    inputId="role_select"
+                    rule={requiredField('At least one role is required')}
+                    placeholder="Click to select roles"
+                    isSearchable
+                    isMulti
+                    mb={5}
+                    isClearable={false}
+                    value={newTokenState.roles}
+                    onChange={setTokenRoles}
+                    options={joinRoleOptions}
+                    isDisabled={hasUnsupportedFields}
+                  />
+                  {newTokenState.roles.some(i => i.value === 'Bot') && ( // if Bot is included, we must get a bot name as well
+                    <FieldInput
+                      label="Bot name"
+                      toolTipContent="Bot names are required when the Bot role is selected"
+                      rule={requiredField('Bot name is required')}
+                      placeholder="Enter bot name"
+                      value={newTokenState.bot_name}
+                      onChange={e => setTokenField('bot_name', e.target.value)}
+                      readonly={hasUnsupportedFields}
+                    />
+                  )}
+                  {newTokenState.method.value === 'iam' && (
+                    <JoinTokenIAMForm
+                      tokenState={newTokenState}
+                      onUpdateState={newState => setNewTokenState(newState)}
+                      readonly={hasUnsupportedFields}
+                    />
+                  )}
+                  {newTokenState.method.value === 'gcp' && (
+                    <JoinTokenGCPForm
+                      tokenState={newTokenState}
+                      onUpdateState={newState => setNewTokenState(newState)}
+                      readonly={hasUnsupportedFields}
+                    />
+                  )}
+                  {newTokenState.method.value === 'oracle' && (
+                    <JoinTokenOracleForm
+                      tokenState={newTokenState}
+                      onUpdateState={newState => setNewTokenState(newState)}
+                      readonly={hasUnsupportedFields}
+                    />
+                  )}
+                  {newTokenState.method.value === 'github' && (
+                    <JoinTokenGithubForm
+                      tokenState={newTokenState}
+                      onUpdateState={setNewTokenState}
+                      readonly={hasUnsupportedFields}
+                    />
+                  )}
+                  <Flex
+                    mt={4}
+                    py={4}
+                    gap={2}
+                    css={`
+                      position: sticky;
+                      bottom: 0;
+                      background: ${({ theme }) => theme.colors.levels.sunken};
+                      border-top: 1px solid
+                        ${({ theme }) => theme.colors.spotBackground[1]};
+                    `}
+                  >
+                    <ButtonPrimary
+                      width="100%"
+                      size="large"
+                      textTransform="none"
+                      onClick={() => save(validator)}
+                      disabled={
+                        createTokenAttempt.status === 'processing' ||
+                        hasUnsupportedFields
+                      }
+                    >
+                      {editToken ? 'Edit' : 'Create'} Join Token
+                    </ButtonPrimary>
+                    <ButtonSecondary
+                      width="100%"
+                      textTransform="none"
+                      size="large"
+                      onClick={() => {
+                        reset(validator);
+                        onClose();
+                      }}
+                      disabled={false}
+                    >
+                      Cancel
+                    </ButtonSecondary>
+                  </Flex>
+                </Box>
+              )}
+            </Validation>
+          </Box>
+        </Flex>
+      ) : undefined}
+    </>
   );
 };
 
+const checkYAMLData = (
+  data: unknown
+): data is {
+  object: {
+    spec: {
+      join_method: string;
+      allow: unknown;
+      gcp: unknown;
+      github: unknown;
+    };
+  };
+} => {
+  if (
+    !data ||
+    typeof data !== 'object' ||
+    data === null ||
+    !('object' in data)
+  ) {
+    return false;
+  }
+
+  const { object } = data;
+
+  if (
+    !object ||
+    typeof object !== 'object' ||
+    object === null ||
+    !('spec' in object)
+  ) {
+    return false;
+  }
+
+  const { spec } = object;
+
+  if (
+    !spec ||
+    typeof spec !== 'object' ||
+    spec === null ||
+    !('join_method' in spec)
+  ) {
+    return false;
+  }
+
+  return typeof spec.join_method === 'string';
+};
+
 export const RuleBox = styled(Box)`
   border-color: ${props => props.theme.colors.interactive.tonal.neutral[0]};
   border-width: 2px;
diff --git a/web/packages/teleport/src/JoinTokens/collectKeys.test.ts b/web/packages/teleport/src/JoinTokens/collectKeys.test.ts
new file mode 100644
index 0000000000000..9b7b736af7842
--- /dev/null
+++ b/web/packages/teleport/src/JoinTokens/collectKeys.test.ts
@@ -0,0 +1,97 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { collectKeys } from './collectKeys';
+
+describe('collectKeys', () => {
+  it.each`
+    value
+    ${undefined}
+    ${null}
+    ${1}
+    ${true}
+    ${() => {}}
+  `('supports non object values ($value)', ({ value }) => {
+    const actual = collectKeys(value);
+    expect(actual).toBeNull();
+  });
+
+  it('supports empty object values', () => {
+    const actual = collectKeys({});
+    expect(actual).toEqual([]);
+  });
+
+  it('supports empty array values', () => {
+    const actual = collectKeys([]);
+    expect(actual).toEqual([]);
+  });
+
+  it('supports simple object values', () => {
+    const actual = collectKeys({
+      number: 1,
+      boolean: true,
+      string: 'string',
+      function: () => {},
+      null: null,
+      undefined: undefined,
+    });
+    expect(actual).toEqual([
+      '.number',
+      '.boolean',
+      '.string',
+      '.function',
+      '.null',
+      '.undefined',
+    ]);
+  });
+
+  it('supports simple array values', () => {
+    const actual = collectKeys([
+      { alpha: true },
+      { alpha: true },
+      { beta: true },
+    ]);
+    expect(actual).toEqual(['.alpha', '.alpha', '.beta']);
+  });
+
+  it('supports nested object values', () => {
+    const actual = collectKeys([
+      {
+        inner: {
+          foo: 'bar',
+        },
+      },
+    ]);
+    expect(actual).toEqual(['.inner.foo']);
+  });
+
+  it('supports nested array values', () => {
+    const actual = collectKeys([[{ foo: 'bar' }], { bar: 'foo' }]);
+    expect(actual).toEqual(['.foo', '.bar']);
+  });
+
+  it('allows a custom key prefix', () => {
+    const actual = collectKeys(
+      {
+        foo: 1,
+      },
+      'root'
+    );
+    expect(actual).toEqual(['root.foo']);
+  });
+});
diff --git a/web/packages/teleport/src/JoinTokens/collectKeys.ts b/web/packages/teleport/src/JoinTokens/collectKeys.ts
new file mode 100644
index 0000000000000..cb96b4358dba7
--- /dev/null
+++ b/web/packages/teleport/src/JoinTokens/collectKeys.ts
@@ -0,0 +1,42 @@
+/**
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * `collectKeys` gathers object keys recursively and returns them. Arrays are
+ * traversed, but are transparent. Returns null if the value is not an object
+ * or array of objects, and an empty array of no keys are present.
+ *
+ * @param value Value from which keys will be collected
+ * @param prefix An optional value to be prepended to all keys returned
+ * @returns An array of the keys collected (if any) or null
+ */
+export const collectKeys = (value: unknown, prefix: string = '') => {
+  if (typeof value !== 'object' || value === null) {
+    return prefix ? [prefix] : null;
+  }
+
+  if (Array.isArray(value)) {
+    return value.flatMap(val => {
+      return collectKeys(val, prefix);
+    });
+  }
+
+  return Object.entries(value).flatMap(([k, v]) => {
+    return collectKeys(v, `${prefix}.${k}`);
+  });
+};
diff --git a/web/packages/teleport/src/services/yaml/types.ts b/web/packages/teleport/src/services/yaml/types.ts
index 8e006ba8aa272..bea3d3ff35d2c 100644
--- a/web/packages/teleport/src/services/yaml/types.ts
+++ b/web/packages/teleport/src/services/yaml/types.ts
@@ -27,4 +27,5 @@ export type YamlStringifyRequest<T> = {
 export enum YamlSupportedResourceKind {
   AccessMonitoringRule = 'access_monitoring_rule',
   Role = 'role',
+  ProvisionToken = 'token',
 }
diff --git a/web/packages/teleport/src/teleportContext.tsx b/web/packages/teleport/src/teleportContext.tsx
index e8da5e2d2b2c0..5d16955733ff6 100644
--- a/web/packages/teleport/src/teleportContext.tsx
+++ b/web/packages/teleport/src/teleportContext.tsx
@@ -38,6 +38,7 @@ import sessionService from './services/session';
 import { storageService } from './services/storageService';
 import userService from './services/user';
 import userGroupService from './services/userGroups';
+import { yamlService } from './services/yaml/yaml';
 import { StoreNav, StoreUserContext } from './stores';
 import * as types from './types';
 
@@ -62,6 +63,7 @@ class TeleportContext implements types.Context {
   userGroupService = userGroupService;
   mfaService = new MfaService();
   notificationService = new NotificationService();
+  yamlService = yamlService;
 
   notificationContentFactory = notificationContentFactory;
 

From 1ad2db8af0992b8075481919182980bf7b611286 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 11:55:55 +0100
Subject: [PATCH 06/29] Add js docs for check functions

---
 .../teleport/src/JoinTokens/JoinTokenForms.tsx         | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
index 0ec2a259ed67c..1e30410503df1 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
@@ -127,6 +127,11 @@ export const JoinTokenIAMForm = ({
   );
 };
 
+/**
+ * `checkIAMYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * @param data a value representing the iam-specific config for a token
+ * @returns a boolean indicating if the provided value contains unsupported items
+ */
 export const checkIAMYAMLData = (data: unknown) => {
   const keys = collectKeys(data);
   return (
@@ -249,6 +254,11 @@ export const JoinTokenGCPForm = ({
   );
 };
 
+/**
+ * `checkGCPYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * @param data a value representing the gcp-specific config for a token
+ * @returns a boolean indicating if the provided value contains unsupported items
+ */
 export const checkGCPYAMLData = (data: unknown) => {
   const keys = collectKeys(data);
   return (

From 8d0d8483d3a4caeb74cc663c9504ba0297792948 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 12:00:27 +0100
Subject: [PATCH 07/29] Add js docs for github check function

---
 web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index 02aac142bd9c1..ff78abf0ef229 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -285,6 +285,11 @@ const supportedFields = new Set([
   '.allow.ref_type',
 ]);
 
+/**
+ * `checkGithubYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * @param data a value representing the github-specific config for a token
+ * @returns a boolean indicating if the provided value contains unsupported items
+ */
 export const checkGithubYAMLData = (data: unknown) => {
   const keys = collectKeys(data);
   return !keys || new Set(keys).isSubsetOf(supportedFields);

From 0353e4b3890a9e16b6885059bf4000e350002358 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 12:01:55 +0100
Subject: [PATCH 08/29] Fix casing in test mocks

---
 web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx b/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
index 65f35cbe78582..e03ed2d522ca7 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokens.test.tsx
@@ -141,7 +141,7 @@ describe('JoinTokens', () => {
             join_method: 'iam',
             allow: [
               {
-                unsupportedField: true,
+                unsupported_field: true,
               },
             ],
           },
@@ -174,7 +174,7 @@ describe('JoinTokens', () => {
             gcp: {
               allow: [
                 {
-                  unsupportedField: true,
+                  unsupported_field: true,
                 },
               ],
             },
@@ -206,7 +206,7 @@ describe('JoinTokens', () => {
           spec: {
             join_method: 'github',
             github: {
-              unsupportedField: true,
+              unsupported_field: true,
             },
           },
         };

From 54fa8246a9190f6a787814d9806fe92fd65a4ee2 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 12:25:31 +0100
Subject: [PATCH 09/29] Fix missing `readonly` prop

---
 .../JoinTokens/JoinTokenGithubForm.test.tsx   | 72 +++++++++++++++----
 1 file changed, 60 insertions(+), 12 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
index 074025aaa3c79..956c60e11cbb8 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
@@ -38,7 +38,11 @@ const populateRuleFieldTest =
     const onUpdate = jest.fn();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={onUpdate}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -74,7 +78,11 @@ const populateFieldTest =
     const onUpdate = jest.fn();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={onUpdate}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -96,7 +104,11 @@ describe('GithubJoinTokenForm', () => {
     const onUpdate = jest.fn();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={onUpdate}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -121,7 +133,11 @@ describe('GithubJoinTokenForm', () => {
     const state = baseState();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -134,7 +150,11 @@ describe('GithubJoinTokenForm', () => {
     });
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -148,7 +168,11 @@ describe('GithubJoinTokenForm', () => {
     const onUpdate = jest.fn();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={onUpdate}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -185,7 +209,11 @@ describe('GithubJoinTokenForm', () => {
     });
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -198,7 +226,11 @@ describe('GithubJoinTokenForm', () => {
     const state = baseState();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -225,7 +257,11 @@ describe('GithubJoinTokenForm', () => {
     });
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -238,7 +274,11 @@ describe('GithubJoinTokenForm', () => {
     const state = baseState();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -271,7 +311,11 @@ describe('GithubJoinTokenForm', () => {
     const state = baseState();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={jest.fn()} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={jest.fn()}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 
@@ -290,7 +334,11 @@ describe('GithubJoinTokenForm', () => {
     const onUpdate = jest.fn();
 
     render(
-      <JoinTokenGithubForm tokenState={state} onUpdateState={onUpdate} />,
+      <JoinTokenGithubForm
+        tokenState={state}
+        onUpdateState={onUpdate}
+        readonly={false}
+      />,
       { wrapper: Wrapper }
     );
 

From c2a4dbb1efb80a412202e9f23202c50eb4e3d1f2 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 14:02:07 +0100
Subject: [PATCH 10/29] Remove unused import

---
 web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 461dee6bccc0f..38352b4046292 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -47,7 +47,6 @@ import {
   JoinRole,
   JoinToken,
 } from 'teleport/services/joinToken';
-import { yamlService } from 'teleport/services/yaml';
 
 import 'teleport/services/resources';
 

From 26ebb15c170173139f4361c8239901cd56a52467 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 15:05:36 +0100
Subject: [PATCH 11/29] Retain metadata (inc expiry) on token edit

---
 lib/web/join_tokens.go                        |  68 +++++--
 lib/web/join_tokens_test.go                   | 180 ++++++++++++++++++
 .../src/JoinTokens/UpsertJoinTokenDialog.tsx  |   8 +-
 .../src/services/joinToken/joinToken.ts       |  17 +-
 4 files changed, 247 insertions(+), 26 deletions(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index b517b1f9fda30..f3fe414227f48 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -184,29 +184,43 @@ type upsertTokenHandleRequest struct {
 	Name string `json:"name"`
 }
 
-func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (interface{}, error) {
-	// if using the PUT route, tokenId will be present
-	// in the X-Teleport-TokenName header
-	editing := r.Method == "PUT"
-	tokenId := r.Header.Get(HeaderTokenName)
-	if editing && tokenId == "" {
-		return nil, trace.BadParameter("requires a token name to edit")
-	}
-
+func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (any, error) {
 	var req upsertTokenHandleRequest
 	if err := httplib.ReadResourceJSON(r, &req); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	if editing && tokenId != req.Name {
-		return nil, trace.BadParameter("renaming tokens is not supported")
+	var tokenId string
+	if r.Method == "PUT" {
+		// if using the PUT route, tokenId will be present
+		// in the X-Teleport-TokenName header
+		tokenId = r.Header.Get(HeaderTokenName)
+
+		if tokenId != "" && tokenId != req.Name {
+			return nil, trace.BadParameter("renaming tokens is not supported")
+		}
+	} else {
+		tokenId = req.Name
+	}
+
+	clt, err := ctx.GetClient()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	var existingToken types.ProvisionToken
+	if tokenId != "" {
+		existingToken, err = clt.GetToken(r.Context(), tokenId)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
 
 	var expires time.Time
 	switch req.JoinMethod {
-	case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle:
-		// IAM, GCP, and Oracle tokens should never expire.
-		expires = time.Now().UTC().AddDate(1000, 0, 0)
+	case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle, types.JoinMethodGitHub:
+		// IAM, GCP, Oracle and GitHub tokens should never expire.
+		expires = time.Time{}
 	default:
 		// Set expires time to default node join token TTL.
 		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
@@ -226,9 +240,9 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 		return nil, trace.Wrap(err)
 	}
 
-	clt, err := ctx.GetClient()
-	if err != nil {
-		return nil, trace.Wrap(err)
+	// If this is an edit, then overwrite the metadata to retain the existing fields
+	if existingToken != nil {
+		token.SetMetadata(existingToken.GetMetadata())
 	}
 
 	err = clt.UpsertToken(r.Context(), token)
@@ -246,7 +260,7 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 
 // createTokenForDiscoveryHandle creates tokens used during guided discover flows.
 // V2 endpoint processes "suggestedLabels" field.
-func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (interface{}, error) {
+func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (any, error) {
 	clt, err := ctx.GetClient()
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -288,9 +302,18 @@ func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.R
 		}
 
 		// IAM tokens should 'never' expire
-		expires = time.Now().UTC().AddDate(1000, 0, 0)
+		expires = time.Time{}
+	case types.JoinMethodGitHub:
+		// GitHub tokens should 'never' expire
+		expires = time.Time{}
+	case types.JoinMethodOracle:
+		// Oracle tokens should 'never' expire
+		expires = time.Time{}
+	case types.JoinMethodGCP:
+		// GCP tokens should 'never' expire
+		expires = time.Time{}
 	case types.JoinMethodAzure:
-		tokenName, err := generateAzureTokenName(req.Azure.Allow)
+		tokenName, err = generateAzureTokenName(req.Azure.Allow)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -317,11 +340,14 @@ func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.R
 			}, nil
 		}
 	default:
+		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
+	}
+
+	if tokenName == "" {
 		tokenName, err = utils.CryptoRandomHex(defaults.TokenLenBytes)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
 	}
 
 	// If using the automatic method to add a Node, the `install.sh` will add the token's suggested labels
diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index 8dbbd72bc4133..457c4a34feaf8 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -417,6 +417,186 @@ func TestDeleteToken(t *testing.T) {
 	require.Empty(t, cmp.Diff(resp.Items, []ui.JoinToken{staticUIToken}, cmpopts.IgnoreFields(ui.JoinToken{}, "Content")))
 }
 
+func TestEditToken(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	username := "test-user@example.com"
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	// Setup an existing token
+	spec := types.ProvisionTokenSpecV2{
+		Roles:      types.SystemRoles{types.RoleBot},
+		BotName:    "test-bot",
+		JoinMethod: types.JoinMethodGitHub,
+
+		GitHub: &types.ProvisionTokenSpecV2GitHub{
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository: "gravitational/teleport",
+				},
+			},
+		},
+	}
+	token, err := types.NewProvisionTokenFromSpec("github-test-token", time.Time{}, spec)
+	require.NoError(t, err)
+	token.SetLabels(map[string]string{
+		"test-key": "test-value",
+	})
+	err = env.server.Auth().CreateToken(ctx, token)
+	require.NoError(t, err)
+
+	// Make a simple edit
+	spec.BotName = "test-bot_EDITED"
+	data := struct {
+		types.ProvisionTokenSpecV2
+		Name string `json:"name"`
+	}{
+		ProvisionTokenSpecV2: spec,
+		Name:                 "github-test-token",
+	}
+	endpointV1 := pack.clt.Endpoint("v1", "webapi", "tokens")
+	_, err = pack.clt.PostJSON(ctx, endpointV1, data)
+	require.NoError(t, err)
+
+	// Fetch the token and compare
+	editedToken, err := env.server.Auth().GetToken(ctx, "github-test-token")
+	require.NoError(t, err)
+	require.Equal(t, "test-bot_EDITED", editedToken.GetBotName())
+	require.Equal(t, map[string]string{
+		"test-key": "test-value",
+	}, editedToken.GetMetadata().Labels)
+}
+
+func TestCreateTokenExpiry(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	username := "test-user@example.com"
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	for _, method := range types.JoinMethods {
+		t.Run(string(method), func(t *testing.T) {
+			// Skip enterprise-only methods
+			if method == types.JoinMethodTPM || method == types.JoinMethodSpacelift {
+				t.Skipf("Skipping %s, as it's enterprise-only", method)
+			}
+
+			spec := types.ProvisionTokenSpecV2{
+				Roles:      []types.SystemRole{types.RoleNode},
+				JoinMethod: method,
+			}
+			setMinimalConfigForMethod(&spec, method)
+
+			var expectedExpiry time.Time
+			switch method {
+			case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle, types.JoinMethodGitHub:
+				expectedExpiry = time.Time{}
+			default:
+				expectedExpiry = time.Now().UTC().Add(4 * time.Hour)
+			}
+
+			endpointV1 := pack.clt.Endpoint("v1", "webapi", "tokens")
+			re, err := pack.clt.PostJSON(ctx, endpointV1, spec)
+			require.NoError(t, err)
+
+			resp := nodeJoinToken{}
+			require.NoError(t, json.Unmarshal(re.Bytes(), &resp))
+			require.Equal(t, method, resp.Method)
+			require.WithinDuration(t, expectedExpiry, resp.Expiry, 100*time.Millisecond)
+		})
+	}
+}
+
+func setMinimalConfigForMethod(spec *types.ProvisionTokenSpecV2, method types.JoinMethod) {
+	switch method {
+	case types.JoinMethodIAM, types.JoinMethodEC2:
+		spec.Allow = []*types.TokenRule{
+			{
+				AWSAccount: "test-account",
+			},
+		}
+	case types.JoinMethodAzure:
+		spec.Azure = &types.ProvisionTokenSpecV2Azure{
+			Allow: []*types.ProvisionTokenSpecV2Azure_Rule{
+				{
+					Subscription: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodBitbucket:
+		spec.Bitbucket = &types.ProvisionTokenSpecV2Bitbucket{
+			Audience:            "test-audience",
+			IdentityProviderURL: "test-identity-provider-url",
+			Allow: []*types.ProvisionTokenSpecV2Bitbucket_Rule{
+				{
+					WorkspaceUUID: "test-workspace-uuid",
+				},
+			},
+		}
+	case types.JoinMethodOracle:
+		spec.Oracle = &types.ProvisionTokenSpecV2Oracle{
+			Allow: []*types.ProvisionTokenSpecV2Oracle_Rule{
+				{
+					Tenancy: "ocid1.tenancy.oc1..test",
+				},
+			},
+		}
+	case types.JoinMethodTerraformCloud:
+		spec.TerraformCloud = &types.ProvisionTokenSpecV2TerraformCloud{
+			Allow: []*types.ProvisionTokenSpecV2TerraformCloud_Rule{
+				{
+					OrganizationID: "test-org-id",
+					ProjectID:      "test-proj-id",
+				},
+			},
+		}
+	case types.JoinMethodKubernetes:
+		spec.Kubernetes = &types.ProvisionTokenSpecV2Kubernetes{
+			Allow: []*types.ProvisionTokenSpecV2Kubernetes_Rule{
+				{
+					ServiceAccount: "test:service-account",
+				},
+			},
+		}
+	case types.JoinMethodGitLab:
+		spec.GitLab = &types.ProvisionTokenSpecV2GitLab{
+			Allow: []*types.ProvisionTokenSpecV2GitLab_Rule{
+				{
+					Sub: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodGitHub:
+		spec.GitHub = &types.ProvisionTokenSpecV2GitHub{
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Sub: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodGCP:
+		spec.GCP = &types.ProvisionTokenSpecV2GCP{
+			Allow: []*types.ProvisionTokenSpecV2GCP_Rule{
+				{
+					ProjectIDs: []string{"test-project-id"},
+				},
+			},
+		}
+	case types.JoinMethodCircleCI:
+		spec.CircleCI = &types.ProvisionTokenSpecV2CircleCI{
+			Allow: []*types.ProvisionTokenSpecV2CircleCI_Rule{
+				{
+					ProjectID: "test-project-id",
+				},
+			},
+			OrganizationID: "test-org-id",
+		}
+	}
+}
+
 func TestCreateTokenForDiscovery(t *testing.T) {
 	ctx := context.Background()
 	username := "test-user@example.com"
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 38352b4046292..1abc7d9373bd3 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -214,8 +214,10 @@ export const UpsertJoinTokenDialog = ({
   );
 
   const [createTokenAttempt, runCreateTokenAttempt] = useAsync(
-    async (req: CreateJoinTokenRequest) => {
-      const token = await ctx.joinTokenService.createJoinToken(req);
+    async (req: CreateJoinTokenRequest, isEdit: boolean) => {
+      const token = isEdit
+        ? await ctx.joinTokenService.upsertJoinToken(req, editToken.id)
+        : await ctx.joinTokenService.createJoinToken(req);
       updateTokenList(token);
       onClose();
     }
@@ -338,7 +340,7 @@ export const UpsertJoinTokenDialog = ({
       request.github = github;
     }
 
-    runCreateTokenAttempt(request);
+    runCreateTokenAttempt(request, !!editToken);
   }
 
   function setTokenRoles(roles: OptionJoinRole[]) {
diff --git a/web/packages/teleport/src/services/joinToken/joinToken.ts b/web/packages/teleport/src/services/joinToken/joinToken.ts
index 5043569ee4b27..e0cb556be41ac 100644
--- a/web/packages/teleport/src/services/joinToken/joinToken.ts
+++ b/web/packages/teleport/src/services/joinToken/joinToken.ts
@@ -22,7 +22,12 @@ import api from 'teleport/services/api';
 import { makeLabelMapOfStrArrs } from '../agents/make';
 import { withUnsupportedLabelFeatureErrorConversion } from '../version/unsupported';
 import makeJoinToken from './makeJoinToken';
-import { JoinRule, JoinToken, JoinTokenRequest } from './types';
+import {
+  CreateJoinTokenRequest,
+  JoinRule,
+  JoinToken,
+  JoinTokenRequest,
+} from './types';
 
 const TeleportTokenNameHeader = 'X-Teleport-TokenName';
 
@@ -93,10 +98,18 @@ class JoinTokenService {
       .then(makeJoinToken);
   }
 
-  createJoinToken(req: JoinTokenRequest): Promise<JoinToken> {
+  async createJoinToken(req: CreateJoinTokenRequest) {
     return api.post(cfg.getJoinTokensUrl(), req).then(makeJoinToken);
   }
 
+  async upsertJoinToken(req: CreateJoinTokenRequest, tokenName: string) {
+    const json = await api.putWithHeaders(cfg.getJoinTokensUrl(), req, {
+      [TeleportTokenNameHeader]: tokenName,
+      'Content-Type': 'application/json',
+    });
+    return makeJoinToken(json);
+  }
+
   fetchJoinTokens(signal: AbortSignal = null): Promise<{ items: JoinToken[] }> {
     return api.get(cfg.getJoinTokensUrl(), signal).then(resp => {
       return {

From 93a2247aa802cafe5827d0ba1cab479758ded898 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 15:07:47 +0100
Subject: [PATCH 12/29] Remove mutual-exclusivity on repo/owner fields

---
 .../components/Validation/rules.test.ts       | 22 ---------
 .../shared/components/Validation/rules.ts     | 21 ---------
 .../JoinTokens/JoinTokenGithubForm.test.tsx   | 46 -------------------
 .../src/JoinTokens/JoinTokenGithubForm.tsx    | 16 ++-----
 4 files changed, 3 insertions(+), 102 deletions(-)

diff --git a/web/packages/shared/components/Validation/rules.test.ts b/web/packages/shared/components/Validation/rules.test.ts
index 3a216ea44c87d..827264949d559 100644
--- a/web/packages/shared/components/Validation/rules.test.ts
+++ b/web/packages/shared/components/Validation/rules.test.ts
@@ -18,7 +18,6 @@
 
 import {
   arrayOf,
-  falsyField,
   requiredConfirmedPassword,
   requiredEmailLike,
   requiredField,
@@ -213,24 +212,3 @@ test.each([
 ])('arrayOf: $name', ({ items, expected }) => {
   expect(arrayOf(requiredField('required'))(items)()).toEqual(expected);
 });
-
-describe('falsyField', () => {
-  const errMsg = 'error text';
-  const validator = falsyField(errMsg);
-
-  test.each`
-    input                | expected
-    ${'not empty value'} | ${{ valid: false, message: errMsg }}
-    ${1}                 | ${{ valid: false, message: errMsg }}
-    ${true}              | ${{ valid: false, message: errMsg }}
-    ${{}}                | ${{ valid: false, message: errMsg }}
-    ${[]}                | ${{ valid: false, message: errMsg }}
-    ${''}                | ${{ valid: true, message: undefined }}
-    ${null}              | ${{ valid: true, message: undefined }}
-    ${undefined}         | ${{ valid: true, message: undefined }}
-    ${0}                 | ${{ valid: true, message: undefined }}
-    ${false}             | ${{ valid: true, message: undefined }}
-  `('input with: $input', ({ input, expected }) => {
-    expect(validator(input)()).toEqual(expected);
-  });
-});
diff --git a/web/packages/shared/components/Validation/rules.ts b/web/packages/shared/components/Validation/rules.ts
index 668aa9d70a48d..aa111dc786c11 100644
--- a/web/packages/shared/components/Validation/rules.ts
+++ b/web/packages/shared/components/Validation/rules.ts
@@ -260,26 +260,6 @@ const requiredPort: Rule = port => () => {
   };
 };
 
-/**
- * falsyField checks the the value is falsy
- * @param message the message to return if invalid
- * @returns validaton result
- */
-const falsyField =
-  <T = string>(message: string): Rule<T> =>
-  value =>
-  () => {
-    if (value) {
-      return {
-        valid: false,
-        message,
-      };
-    }
-    return {
-      valid: true,
-    };
-  };
-
 /**
  * A rule function that combines multiple inner rule functions. All rules must
  * return `valid`, otherwise it returns a comma separated string containing all
@@ -399,5 +379,4 @@ export {
   requiredPort,
   arrayOf,
   precomputed,
-  falsyField,
 };
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
index 956c60e11cbb8..b9c9e817a35a3 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.test.tsx
@@ -199,29 +199,6 @@ describe('GithubJoinTokenForm', () => {
     )
   );
 
-  it('repository field is disabled when a repository owner is populated', async () => {
-    const state = baseState({
-      rules: [
-        {
-          repository_owner: 'something',
-        },
-      ],
-    });
-
-    render(
-      <JoinTokenGithubForm
-        tokenState={state}
-        onUpdateState={jest.fn()}
-        readonly={false}
-      />,
-      { wrapper: Wrapper }
-    );
-
-    const field = screen.getByPlaceholderText('gravitational/teleport');
-
-    expect(field).toBeDisabled();
-  });
-
   it('repository field shows a validation message', async () => {
     const state = baseState();
 
@@ -247,29 +224,6 @@ describe('GithubJoinTokenForm', () => {
     populateRuleFieldTest('repository_owner', 'gravitational', 'gravitational')
   );
 
-  it('repository owner field is disabled when a repository name is populated', async () => {
-    const state = baseState({
-      rules: [
-        {
-          repository: 'something',
-        },
-      ],
-    });
-
-    render(
-      <JoinTokenGithubForm
-        tokenState={state}
-        onUpdateState={jest.fn()}
-        readonly={false}
-      />,
-      { wrapper: Wrapper }
-    );
-
-    const field = screen.getByPlaceholderText('gravitational');
-
-    expect(field).toBeDisabled();
-  });
-
   it('repository owner field shows a validation message', async () => {
     const state = baseState();
 
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index ff78abf0ef229..e835d3e971fc3 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -27,7 +27,7 @@ import { Trash } from 'design/Icon/Icons/Trash';
 import Text from 'design/Text/Text';
 import FieldInput from 'shared/components/FieldInput/FieldInput';
 import FieldSelect from 'shared/components/FieldSelect';
-import { falsyField, requiredField } from 'shared/components/Validation/rules';
+import { requiredField } from 'shared/components/Validation/rules';
 
 import { collectKeys } from './collectKeys';
 import { NewJoinTokenState } from './UpsertJoinTokenDialog';
@@ -118,19 +118,12 @@ export const JoinTokenGithubForm = ({
             onChange={e => updateRuleField(index, 'repository', e.target.value)}
             rule={
               rule.repository_owner
-                ? falsyField(
-                    'Repository name cannot be provided with repository owner'
-                  )
+                ? undefined
                 : requiredField('Either repository name or owner is required')
             }
-            disabled={!!rule.repository_owner}
             readonly={readonly}
           />
 
-          <Text fontWeight="regular" textAlign="center">
-            - or -
-          </Text>
-
           <FieldInput
             label="Repository owner"
             placeholder="gravitational"
@@ -141,12 +134,9 @@ export const JoinTokenGithubForm = ({
             }
             rule={
               rule.repository
-                ? falsyField(
-                    'Repository owner cannot be provided with repository name'
-                  )
+                ? undefined
                 : requiredField('Either repository owner or name is required')
             }
-            disabled={!!rule.repository}
             readonly={readonly}
           />
 

From c2d02926d83974ac3c1df76cc71147161da47c7c Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 15:11:09 +0100
Subject: [PATCH 13/29] Improve supported fields readability

---
 .../src/JoinTokens/JoinTokenForms.tsx         | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
index 1e30410503df1..e024237af1219 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
@@ -127,6 +127,8 @@ export const JoinTokenIAMForm = ({
   );
 };
 
+const supportedFieldsIam = new Set(['.aws_account', '.aws_arn']);
+
 /**
  * `checkIAMYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
  * @param data a value representing the iam-specific config for a token
@@ -134,9 +136,7 @@ export const JoinTokenIAMForm = ({
  */
 export const checkIAMYAMLData = (data: unknown) => {
   const keys = collectKeys(data);
-  return (
-    !keys || new Set(keys).isSubsetOf(new Set(['.aws_account', '.aws_arn']))
-  );
+  return !keys || new Set(keys).isSubsetOf(supportedFieldsIam);
 };
 
 export const JoinTokenGCPForm = ({
@@ -254,6 +254,12 @@ export const JoinTokenGCPForm = ({
   );
 };
 
+const supportedFieldsGcp = new Set([
+  '.allow.project_ids',
+  '.allow.locations',
+  '.allow.service_accounts',
+]);
+
 /**
  * `checkGCPYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
  * @param data a value representing the gcp-specific config for a token
@@ -261,16 +267,7 @@ export const JoinTokenGCPForm = ({
  */
 export const checkGCPYAMLData = (data: unknown) => {
   const keys = collectKeys(data);
-  return (
-    !keys ||
-    new Set(keys).isSubsetOf(
-      new Set([
-        '.allow.project_ids',
-        '.allow.locations',
-        '.allow.service_accounts',
-      ])
-    )
-  );
+  return !keys || new Set(keys).isSubsetOf(supportedFieldsGcp);
 };
 
 export const JoinTokenOracleForm = ({

From e1f827b2772a6b791dc63f6473653056d812a740 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 17:37:21 +0100
Subject: [PATCH 14/29] Hide GHES config

---
 .../src/JoinTokens/JoinTokenGithubForm.tsx    | 135 +++++++++++-------
 .../RoleEditor/StandardEditor/sections.tsx    |  10 +-
 2 files changed, 89 insertions(+), 56 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index e835d3e971fc3..3939214d367b7 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -18,17 +18,23 @@
 
 import styled from 'styled-components';
 
+import { Info } from 'design/Alert/Alert';
 import Box from 'design/Box/Box';
 import { ButtonText } from 'design/Button/Button';
 import ButtonIcon from 'design/ButtonIcon/ButtonIcon';
 import Flex from 'design/Flex/Flex';
+import { ChevronDown } from 'design/Icon/Icons/ChevronDown';
 import { Plus } from 'design/Icon/Icons/Plus';
 import { Trash } from 'design/Icon/Icons/Trash';
+import Link from 'design/Link/Link';
 import Text from 'design/Text/Text';
 import FieldInput from 'shared/components/FieldInput/FieldInput';
 import FieldSelect from 'shared/components/FieldSelect';
 import { requiredField } from 'shared/components/Validation/rules';
 
+import cfg from 'teleport/config';
+import { SectionBox } from 'teleport/Roles/RoleEditor/StandardEditor/sections';
+
 import { collectKeys } from './collectKeys';
 import { NewJoinTokenState } from './UpsertJoinTokenDialog';
 
@@ -181,67 +187,90 @@ export const JoinTokenGithubForm = ({
         </RuleBox>
       ))}
 
-      <ButtonText onClick={addNewRule} compact>
+      <ButtonText onClick={addNewRule} compact mb={4}>
         <Plus size={16} mr={2} />
         Add another GitHub rule
       </ButtonText>
 
-      <Text fontWeight={700} mt={5}>
-        GHES configuration
-      </Text>
+      {/* TODO(nickmarais): Make SectionBox a component instead of reusing it from Roles */}
+      <SectionBox
+        titleSegments={['GitHub Enterprise Server']}
+        initiallyCollapsed={[
+          'server_host',
+          'enterprise_slug',
+          'static_jwks',
+        ].every(k => !github[k])}
+        validation={{
+          valid: true,
+        }}
+      >
+        <Text fontWeight="regular" mb={3}>
+          Additional settings for configuring GHES.
+        </Text>
 
-      <Text fontWeight="regular" mb={2}>
-        Additional settings for configuring GitHub Enterprise Server.
-      </Text>
+        {cfg.edition !== 'ent' ? (
+          <Info alignItems="flex-start">
+            GitHub Enterprise Server configuration requires Teleport Enterprise.
+            Please use a repository hosted at github.com or{' '}
+            <Link
+              target="_blank"
+              href="https://goteleport.com/signup/enterprise/"
+            >
+              contact us
+            </Link>
+            .
+          </Info>
+        ) : undefined}
 
-      <FieldInput
-        label="Server host"
-        placeholder="github.example.com"
-        value={github.server_host}
-        onChange={e =>
-          onUpdateState({
-            ...tokenState,
-            github: {
-              ...tokenState.github,
-              server_host: e.target.value,
-            },
-          })
-        }
-        readonly={readonly}
-      />
+        <FieldInput
+          label="Server host"
+          placeholder="github.example.com"
+          value={github.server_host}
+          onChange={e =>
+            onUpdateState({
+              ...tokenState,
+              github: {
+                ...tokenState.github,
+                server_host: e.target.value,
+              },
+            })
+          }
+          readonly={readonly}
+        />
 
-      <FieldInput
-        label="Slug"
-        placeholder="octo-enterprise"
-        value={github.enterprise_slug}
-        onChange={e =>
-          onUpdateState({
-            ...tokenState,
-            github: {
-              ...tokenState.github,
-              enterprise_slug: e.target.value,
-            },
-          })
-        }
-        readonly={readonly}
-      />
+        <FieldInput
+          label="Slug"
+          placeholder="octo-enterprise"
+          value={github.enterprise_slug}
+          onChange={e =>
+            onUpdateState({
+              ...tokenState,
+              github: {
+                ...tokenState.github,
+                enterprise_slug: e.target.value,
+              },
+            })
+          }
+          readonly={readonly}
+        />
 
-      <FieldInput
-        label="Static JWKS"
-        placeholder='{"keys":[--snip--]}'
-        toolTipContent="JSON Web Key Set used to verify the token issued by GitHub Actions"
-        value={github.static_jwks}
-        onChange={e =>
-          onUpdateState({
-            ...tokenState,
-            github: {
-              ...tokenState.github,
-              static_jwks: e.target.value,
-            },
-          })
-        }
-        readonly={readonly}
-      />
+        <FieldInput
+          label="Static JWKS"
+          placeholder='{"keys":[--snip--]}'
+          toolTipContent="JSON Web Key Set used to verify the token issued by GitHub Actions"
+          value={github.static_jwks}
+          onChange={e =>
+            onUpdateState({
+              ...tokenState,
+              github: {
+                ...tokenState.github,
+                static_jwks: e.target.value,
+              },
+            })
+          }
+          readonly={readonly}
+        />
+      </SectionBox>
     </>
   );
 };
diff --git a/web/packages/teleport/src/Roles/RoleEditor/StandardEditor/sections.tsx b/web/packages/teleport/src/Roles/RoleEditor/StandardEditor/sections.tsx
index 71d7af3ff306f..dd8fe7e900db0 100644
--- a/web/packages/teleport/src/Roles/RoleEditor/StandardEditor/sections.tsx
+++ b/web/packages/teleport/src/Roles/RoleEditor/StandardEditor/sections.tsx
@@ -80,19 +80,23 @@ export const SectionBox = ({
   tooltip,
   children,
   removable,
-  isProcessing,
+  isProcessing = false,
   validation,
   onRemove,
+  initiallyCollapsed = false,
 }: React.PropsWithChildren<{
   titleSegments: string[];
   tooltip?: string;
   removable?: boolean;
-  isProcessing: boolean;
+  isProcessing?: boolean;
   validation?: ValidationResult;
   onRemove?(): void;
+  initiallyCollapsed?: boolean;
 }>) => {
   const theme = useTheme();
-  const [expansionState, setExpansionState] = useState(ExpansionState.Expanded);
+  const [expansionState, setExpansionState] = useState(
+    initiallyCollapsed ? ExpansionState.Collapsed : ExpansionState.Expanded
+  );
   const expandTooltip =
     expansionState === ExpansionState.Collapsed ? 'Collapse' : 'Expand';
   const validator = useValidation();

From e8232a86b3d40a8fb732f62a63efe341765b1c35 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 17:54:02 +0100
Subject: [PATCH 15/29] Ignore token not found errors when creating

---
 lib/web/join_tokens.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index f3fe414227f48..64bee7da06a24 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -211,7 +211,7 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 	var existingToken types.ProvisionToken
 	if tokenId != "" {
 		existingToken, err = clt.GetToken(r.Context(), tokenId)
-		if err != nil {
+		if err != nil && !trace.IsNotFound(err) {
 			return nil, trace.Wrap(err)
 		}
 	}

From 5234b8ab1cafdedb975a24b386cd3f05a4759a75 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 17:54:35 +0100
Subject: [PATCH 16/29] Lock GHES fields when using OSS

---
 .../teleport/src/JoinTokens/JoinTokenGithubForm.tsx         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index 3939214d367b7..f198d231beb2b 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -235,7 +235,7 @@ export const JoinTokenGithubForm = ({
               },
             })
           }
-          readonly={readonly}
+          readonly={readonly || cfg.edition !== 'ent'}
         />
 
         <FieldInput
@@ -251,7 +251,7 @@ export const JoinTokenGithubForm = ({
               },
             })
           }
-          readonly={readonly}
+          readonly={readonly || cfg.edition !== 'ent'}
         />
 
         <FieldInput
@@ -268,7 +268,7 @@ export const JoinTokenGithubForm = ({
               },
             })
           }
-          readonly={readonly}
+          readonly={readonly || cfg.edition !== 'ent'}
         />
       </SectionBox>
     </>

From f7865f29ce0cecad5d0354d14544675f35daa7f4 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Tue, 29 Apr 2025 09:02:49 +0100
Subject: [PATCH 17/29] Lint fix

---
 web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index f198d231beb2b..9f469bd6eaa0b 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -23,7 +23,6 @@ import Box from 'design/Box/Box';
 import { ButtonText } from 'design/Button/Button';
 import ButtonIcon from 'design/ButtonIcon/ButtonIcon';
 import Flex from 'design/Flex/Flex';
-import { ChevronDown } from 'design/Icon/Icons/ChevronDown';
 import { Plus } from 'design/Icon/Icons/Plus';
 import { Trash } from 'design/Icon/Icons/Trash';
 import Link from 'design/Link/Link';

From 05de19a490c8c21dc7bd2e1ae558113d459f7024 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 23 Apr 2025 16:15:51 +0100
Subject: [PATCH 18/29] Return github-specific config from `GET /webapi/tokens`

---
 api/types/provisioning.go   |  7 ++++
 lib/web/join_tokens_test.go | 81 +++++++++++++++++++++++++++++++++++++
 lib/web/ui/join_token.go    |  7 ++++
 3 files changed, 95 insertions(+)

diff --git a/api/types/provisioning.go b/api/types/provisioning.go
index 9768e25ab863e..32589bc591b07 100644
--- a/api/types/provisioning.go
+++ b/api/types/provisioning.go
@@ -135,6 +135,8 @@ type ProvisionToken interface {
 	SetAllowRules([]*TokenRule)
 	// GetGCPRules will return the GCP rules within this token.
 	GetGCPRules() *ProvisionTokenSpecV2GCP
+	// GetGithubRules will return the GitHub rules within this token.
+	GetGithubRules() *ProvisionTokenSpecV2GitHub
 	// GetAWSIIDTTL returns the TTL of EC2 IIDs
 	GetAWSIIDTTL() Duration
 	// GetJoinMethod returns joining method that must be used with this token.
@@ -437,6 +439,11 @@ func (p *ProvisionTokenV2) GetGCPRules() *ProvisionTokenSpecV2GCP {
 	return p.Spec.GCP
 }
 
+// GetGithubRules will return the GitHub rules within this token.
+func (p *ProvisionTokenV2) GetGithubRules() *ProvisionTokenSpecV2GitHub {
+	return p.Spec.GitHub
+}
+
 // GetAWSIIDTTL returns the TTL of EC2 IIDs
 func (p *ProvisionTokenV2) GetAWSIIDTTL() Duration {
 	return p.Spec.AWSIIDTTL
diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index d47e2c1b137f3..8dbbd72bc4133 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
+	"slices"
 	"strconv"
 	"testing"
 	"time"
@@ -268,6 +269,86 @@ func TestGetTokens(t *testing.T) {
 	}
 }
 
+func TestGetGithubTokens(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+
+	username := "test-user@example.com"
+	expiry := time.Now().UTC().Add(30 * time.Minute)
+
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	td := tokenData{
+		name:   "github-test-token",
+		expiry: expiry,
+		roles:  types.SystemRoles{types.RoleBot},
+	}
+
+	token, err := types.NewProvisionTokenFromSpec(td.name, td.expiry, types.ProvisionTokenSpecV2{
+		Roles:      td.roles,
+		BotName:    "test-bot",
+		JoinMethod: types.JoinMethodGitHub,
+
+		GitHub: &types.ProvisionTokenSpecV2GitHub{
+			EnterpriseServerHost: "github.example.com",
+			StaticJWKS:           "{\"keys\":[]}",
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository:      "gravitational/teleport",
+					RepositoryOwner: "gravitational",
+					Sub:             "test-sub",
+					Workflow:        "test-workflow",
+					Environment:     "test-environment",
+					Actor:           "octocat",
+					Ref:             "ref/heads/main",
+					RefType:         "branch",
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	err = env.server.Auth().CreateToken(ctx, token)
+	require.NoError(t, err)
+
+	endpoint := pack.clt.Endpoint("webapi", "tokens")
+	re, err := pack.clt.Get(ctx, endpoint, url.Values{})
+	require.NoError(t, err)
+
+	resp := GetTokensResponse{}
+	require.NoError(t, json.Unmarshal(re.Bytes(), &resp))
+
+	require.Len(t, resp.Items, 2) // Including a static token
+
+	githubTokenIndex := slices.IndexFunc(resp.Items, func(item ui.JoinToken) bool { return item.Method == types.JoinMethodGitHub })
+	require.NotEqual(t, githubTokenIndex, -1)
+	require.Empty(t, cmp.Diff(resp.Items[githubTokenIndex], ui.JoinToken{
+		ID:       "github-test-token",
+		SafeName: "github-test-token",
+		BotName:  "test-bot",
+		Expiry:   expiry,
+		Roles:    types.SystemRoles{"Bot"},
+		Method:   types.JoinMethodGitHub,
+		Github: &types.ProvisionTokenSpecV2GitHub{
+			EnterpriseServerHost: "github.example.com",
+			StaticJWKS:           "{\"keys\":[]}",
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository:      "gravitational/teleport",
+					RepositoryOwner: "gravitational",
+					Sub:             "test-sub",
+					Workflow:        "test-workflow",
+					Environment:     "test-environment",
+					Actor:           "octocat",
+					Ref:             "ref/heads/main",
+					RefType:         "branch",
+				},
+			},
+		},
+	}, cmpopts.IgnoreFields(ui.JoinToken{}, "Content")))
+}
+
 func TestDeleteToken(t *testing.T) {
 	ctx := context.Background()
 	username := "test-user@example.com"
diff --git a/lib/web/ui/join_token.go b/lib/web/ui/join_token.go
index be068482aa1ba..2319841375e22 100644
--- a/lib/web/ui/join_token.go
+++ b/lib/web/ui/join_token.go
@@ -47,6 +47,8 @@ type JoinToken struct {
 	Allow []*types.TokenRule `json:"allow,omitempty"`
 	// GCP allows the configuration of options specific to the "gcp" join method.
 	GCP *types.ProvisionTokenSpecV2GCP `json:"gcp,omitempty"`
+	// GitHub-specific configuration for the join method.
+	Github *types.ProvisionTokenSpecV2GitHub `json:"github,omitempty"`
 	// Content is resource yaml content.
 	Content string `json:"content"`
 }
@@ -71,6 +73,11 @@ func MakeJoinToken(token types.ProvisionToken) (*JoinToken, error) {
 	if uiToken.Method == types.JoinMethodGCP {
 		uiToken.GCP = token.GetGCPRules()
 	}
+
+	if uiToken.Method == types.JoinMethodGitHub {
+		uiToken.Github = token.GetGithubRules()
+	}
+
 	return uiToken, nil
 }
 

From 0943a83b19c16640fe9ff7c58b2569c79fbbea1c Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Fri, 25 Apr 2025 10:27:00 +0100
Subject: [PATCH 19/29] Support "token" in `/webapi/yaml/parse/:kind`

---
 lib/web/yaml.go      |  24 ++++++++++
 lib/web/yaml_test.go | 107 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 115 insertions(+), 16 deletions(-)

diff --git a/lib/web/yaml.go b/lib/web/yaml.go
index ac0c49ef23770..db766099e608e 100644
--- a/lib/web/yaml.go
+++ b/lib/web/yaml.go
@@ -71,6 +71,14 @@ func (h *Handler) yamlParse(w http.ResponseWriter, r *http.Request, params httpr
 
 		return yamlParseResponse{Resource: resource}, nil
 
+	case types.KindToken:
+		resource, err := yamlToProvisionToken(req.YAML)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+
+		return yamlParseResponse{Resource: resource}, nil
+
 	default:
 		return nil, trace.NotImplemented("parsing YAML for kind %q is not supported", kind)
 	}
@@ -148,3 +156,19 @@ func yamlToRole(yaml string) (types.Role, error) {
 
 	return resource, nil
 }
+
+func yamlToProvisionToken(yaml string) (types.ProvisionToken, error) {
+	extractedRes, err := extractResource(yaml)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if extractedRes.Kind != types.KindToken {
+		return nil, trace.BadParameter("resource kind %q is invalid, only token is allowed", extractedRes.Kind)
+	}
+	resource, err := services.UnmarshalProvisionToken(extractedRes.Raw)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return resource, nil
+}
diff --git a/lib/web/yaml_test.go b/lib/web/yaml_test.go
index 6399ed8082ea3..8b5cc980da6db 100644
--- a/lib/web/yaml_test.go
+++ b/lib/web/yaml_test.go
@@ -23,6 +23,7 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/require"
 
 	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
@@ -44,6 +45,28 @@ spec:
 version: v1
 `
 
+const validTokenYaml = `kind: token
+metadata:
+  name: test-name
+spec:
+  github:
+    enterprise_server_host: test-server-host
+    static_jwks: test-twks
+    allow:
+    - actor: test-actor
+      environment: test-environment
+      ref: test-ref
+      ref_type: test-ref-type
+      repository: test-repository
+      repository_owner: test-owner
+      workflow: test-workflow
+      sub: test-sub
+  join_method: github
+  roles:
+  - Node
+version: v2
+`
+
 func getAccessMonitoringRuleResource() *accessmonitoringrulesv1.AccessMonitoringRule {
 	return &accessmonitoringrulesv1.AccessMonitoringRule{
 		Kind:    types.KindAccessMonitoringRule,
@@ -62,6 +85,36 @@ func getAccessMonitoringRuleResource() *accessmonitoringrulesv1.AccessMonitoring
 	}
 }
 
+func getTokenResource() *types.ProvisionTokenV2 {
+	return &types.ProvisionTokenV2{
+		Kind:    types.KindToken,
+		Version: types.V2,
+		Metadata: types.Metadata{
+			Name: "test-name",
+		},
+		Spec: types.ProvisionTokenSpecV2{
+			Roles:      []types.SystemRole{types.RoleNode},
+			JoinMethod: types.JoinMethodGitHub,
+			GitHub: &types.ProvisionTokenSpecV2GitHub{
+				EnterpriseServerHost: "test-server-host",
+				StaticJWKS:           "test-twks",
+				Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+					{
+						Sub:             "test-sub",
+						Repository:      "test-repository",
+						RepositoryOwner: "test-owner",
+						Workflow:        "test-workflow",
+						Environment:     "test-environment",
+						Actor:           "test-actor",
+						Ref:             "test-ref",
+						RefType:         "test-ref-type",
+					},
+				},
+			},
+		},
+	}
+}
+
 func TestYAMLParse_Valid(t *testing.T) {
 	t.Parallel()
 
@@ -69,26 +122,48 @@ func TestYAMLParse_Valid(t *testing.T) {
 	proxy := env.proxies[0]
 	pack := proxy.authPack(t, "test@example.com", nil)
 
-	endpoint := pack.clt.Endpoint("webapi", "yaml", "parse", types.KindAccessMonitoringRule)
-	re, err := pack.clt.PostJSON(context.Background(), endpoint, yamlParseRequest{
-		YAML: validAccessMonitoringRuleYaml,
-	})
-	require.NoError(t, err)
+	testCases := []struct {
+		name     string
+		kind     string
+		yaml     string
+		expected any
+	}{
+		{
+			name:     "AccessMonitoringRule",
+			kind:     types.KindAccessMonitoringRule,
+			yaml:     validAccessMonitoringRuleYaml,
+			expected: getAccessMonitoringRuleResource(),
+		},
+		{
+			name:     "Token",
+			kind:     types.KindToken,
+			yaml:     validTokenYaml,
+			expected: getTokenResource(),
+		},
+	}
 
-	var endpointResp yamlParseResponse
-	require.NoError(t, json.Unmarshal(re.Bytes(), &endpointResp))
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			endpoint := pack.clt.Endpoint("webapi", "yaml", "parse", tc.kind)
+			re, err := pack.clt.PostJSON(context.Background(), endpoint, yamlParseRequest{
+				YAML: tc.yaml,
+			})
+			require.NoError(t, err)
 
-	expectedResource := getAccessMonitoringRuleResource()
+			var endpointResp yamlParseResponse
+			require.NoError(t, json.Unmarshal(re.Bytes(), &endpointResp))
 
-	// Can't cast a unmarshaled interface{} into the expected type, so
-	// we are transforming the expected type to the same type as the
-	// one we got as a response.
-	b, err := json.Marshal(yamlParseResponse{Resource: expectedResource})
-	require.NoError(t, err)
-	var expectedResp yamlParseResponse
-	require.NoError(t, json.Unmarshal(b, &expectedResp))
+			// Can't cast a unmarshaled interface{} into the expected type, so
+			// we are transforming the expected type to the same type as the
+			// one we got as a response.
+			b, err := json.Marshal(yamlParseResponse{Resource: tc.expected})
+			require.NoError(t, err)
+			var expectedResp yamlParseResponse
+			require.NoError(t, json.Unmarshal(b, &expectedResp))
 
-	require.Equal(t, expectedResp.Resource, endpointResp.Resource)
+			require.Empty(t, cmp.Diff(expectedResp.Resource, endpointResp.Resource))
+		})
+	}
 }
 
 func TestYAMLParse_Errors(t *testing.T) {

From 413cde5489a08ee3f0c17fd3ac9a10a064bc43fc Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Mon, 28 Apr 2025 15:05:36 +0100
Subject: [PATCH 20/29] Use empty time.Time for token expiry (`POST
 /webapi/tokens`)

---
 lib/web/join_tokens.go      |  48 ++++++----
 lib/web/join_tokens_test.go | 180 ++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+), 17 deletions(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index b517b1f9fda30..e7c852981537c 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -184,29 +184,43 @@ type upsertTokenHandleRequest struct {
 	Name string `json:"name"`
 }
 
-func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (interface{}, error) {
-	// if using the PUT route, tokenId will be present
-	// in the X-Teleport-TokenName header
-	editing := r.Method == "PUT"
-	tokenId := r.Header.Get(HeaderTokenName)
-	if editing && tokenId == "" {
-		return nil, trace.BadParameter("requires a token name to edit")
-	}
-
+func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (any, error) {
 	var req upsertTokenHandleRequest
 	if err := httplib.ReadResourceJSON(r, &req); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	if editing && tokenId != req.Name {
-		return nil, trace.BadParameter("renaming tokens is not supported")
+	var tokenId string
+	if r.Method == "PUT" {
+		// if using the PUT route, tokenId will be present
+		// in the X-Teleport-TokenName header
+		tokenId = r.Header.Get(HeaderTokenName)
+
+		if tokenId != "" && tokenId != req.Name {
+			return nil, trace.BadParameter("renaming tokens is not supported")
+		}
+	} else {
+		tokenId = req.Name
+	}
+
+	clt, err := ctx.GetClient()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	var existingToken types.ProvisionToken
+	if tokenId != "" {
+		existingToken, err = clt.GetToken(r.Context(), tokenId)
+		if err != nil && !trace.IsNotFound(err) {
+			return nil, trace.Wrap(err)
+		}
 	}
 
 	var expires time.Time
 	switch req.JoinMethod {
-	case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle:
-		// IAM, GCP, and Oracle tokens should never expire.
-		expires = time.Now().UTC().AddDate(1000, 0, 0)
+	case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle, types.JoinMethodGitHub:
+		// IAM, GCP, Oracle and GitHub tokens should never expire.
+		expires = time.Time{}
 	default:
 		// Set expires time to default node join token TTL.
 		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
@@ -226,9 +240,9 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 		return nil, trace.Wrap(err)
 	}
 
-	clt, err := ctx.GetClient()
-	if err != nil {
-		return nil, trace.Wrap(err)
+	// If this is an edit, then overwrite the metadata to retain the existing fields
+	if existingToken != nil {
+		token.SetMetadata(existingToken.GetMetadata())
 	}
 
 	err = clt.UpsertToken(r.Context(), token)
diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index 8dbbd72bc4133..457c4a34feaf8 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -417,6 +417,186 @@ func TestDeleteToken(t *testing.T) {
 	require.Empty(t, cmp.Diff(resp.Items, []ui.JoinToken{staticUIToken}, cmpopts.IgnoreFields(ui.JoinToken{}, "Content")))
 }
 
+func TestEditToken(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	username := "test-user@example.com"
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	// Setup an existing token
+	spec := types.ProvisionTokenSpecV2{
+		Roles:      types.SystemRoles{types.RoleBot},
+		BotName:    "test-bot",
+		JoinMethod: types.JoinMethodGitHub,
+
+		GitHub: &types.ProvisionTokenSpecV2GitHub{
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Repository: "gravitational/teleport",
+				},
+			},
+		},
+	}
+	token, err := types.NewProvisionTokenFromSpec("github-test-token", time.Time{}, spec)
+	require.NoError(t, err)
+	token.SetLabels(map[string]string{
+		"test-key": "test-value",
+	})
+	err = env.server.Auth().CreateToken(ctx, token)
+	require.NoError(t, err)
+
+	// Make a simple edit
+	spec.BotName = "test-bot_EDITED"
+	data := struct {
+		types.ProvisionTokenSpecV2
+		Name string `json:"name"`
+	}{
+		ProvisionTokenSpecV2: spec,
+		Name:                 "github-test-token",
+	}
+	endpointV1 := pack.clt.Endpoint("v1", "webapi", "tokens")
+	_, err = pack.clt.PostJSON(ctx, endpointV1, data)
+	require.NoError(t, err)
+
+	// Fetch the token and compare
+	editedToken, err := env.server.Auth().GetToken(ctx, "github-test-token")
+	require.NoError(t, err)
+	require.Equal(t, "test-bot_EDITED", editedToken.GetBotName())
+	require.Equal(t, map[string]string{
+		"test-key": "test-value",
+	}, editedToken.GetMetadata().Labels)
+}
+
+func TestCreateTokenExpiry(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	username := "test-user@example.com"
+	env := newWebPack(t, 1)
+	proxy := env.proxies[0]
+	pack := proxy.authPack(t, username, nil /* roles */)
+
+	for _, method := range types.JoinMethods {
+		t.Run(string(method), func(t *testing.T) {
+			// Skip enterprise-only methods
+			if method == types.JoinMethodTPM || method == types.JoinMethodSpacelift {
+				t.Skipf("Skipping %s, as it's enterprise-only", method)
+			}
+
+			spec := types.ProvisionTokenSpecV2{
+				Roles:      []types.SystemRole{types.RoleNode},
+				JoinMethod: method,
+			}
+			setMinimalConfigForMethod(&spec, method)
+
+			var expectedExpiry time.Time
+			switch method {
+			case types.JoinMethodGCP, types.JoinMethodIAM, types.JoinMethodOracle, types.JoinMethodGitHub:
+				expectedExpiry = time.Time{}
+			default:
+				expectedExpiry = time.Now().UTC().Add(4 * time.Hour)
+			}
+
+			endpointV1 := pack.clt.Endpoint("v1", "webapi", "tokens")
+			re, err := pack.clt.PostJSON(ctx, endpointV1, spec)
+			require.NoError(t, err)
+
+			resp := nodeJoinToken{}
+			require.NoError(t, json.Unmarshal(re.Bytes(), &resp))
+			require.Equal(t, method, resp.Method)
+			require.WithinDuration(t, expectedExpiry, resp.Expiry, 100*time.Millisecond)
+		})
+	}
+}
+
+func setMinimalConfigForMethod(spec *types.ProvisionTokenSpecV2, method types.JoinMethod) {
+	switch method {
+	case types.JoinMethodIAM, types.JoinMethodEC2:
+		spec.Allow = []*types.TokenRule{
+			{
+				AWSAccount: "test-account",
+			},
+		}
+	case types.JoinMethodAzure:
+		spec.Azure = &types.ProvisionTokenSpecV2Azure{
+			Allow: []*types.ProvisionTokenSpecV2Azure_Rule{
+				{
+					Subscription: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodBitbucket:
+		spec.Bitbucket = &types.ProvisionTokenSpecV2Bitbucket{
+			Audience:            "test-audience",
+			IdentityProviderURL: "test-identity-provider-url",
+			Allow: []*types.ProvisionTokenSpecV2Bitbucket_Rule{
+				{
+					WorkspaceUUID: "test-workspace-uuid",
+				},
+			},
+		}
+	case types.JoinMethodOracle:
+		spec.Oracle = &types.ProvisionTokenSpecV2Oracle{
+			Allow: []*types.ProvisionTokenSpecV2Oracle_Rule{
+				{
+					Tenancy: "ocid1.tenancy.oc1..test",
+				},
+			},
+		}
+	case types.JoinMethodTerraformCloud:
+		spec.TerraformCloud = &types.ProvisionTokenSpecV2TerraformCloud{
+			Allow: []*types.ProvisionTokenSpecV2TerraformCloud_Rule{
+				{
+					OrganizationID: "test-org-id",
+					ProjectID:      "test-proj-id",
+				},
+			},
+		}
+	case types.JoinMethodKubernetes:
+		spec.Kubernetes = &types.ProvisionTokenSpecV2Kubernetes{
+			Allow: []*types.ProvisionTokenSpecV2Kubernetes_Rule{
+				{
+					ServiceAccount: "test:service-account",
+				},
+			},
+		}
+	case types.JoinMethodGitLab:
+		spec.GitLab = &types.ProvisionTokenSpecV2GitLab{
+			Allow: []*types.ProvisionTokenSpecV2GitLab_Rule{
+				{
+					Sub: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodGitHub:
+		spec.GitHub = &types.ProvisionTokenSpecV2GitHub{
+			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+				{
+					Sub: "test-sub",
+				},
+			},
+		}
+	case types.JoinMethodGCP:
+		spec.GCP = &types.ProvisionTokenSpecV2GCP{
+			Allow: []*types.ProvisionTokenSpecV2GCP_Rule{
+				{
+					ProjectIDs: []string{"test-project-id"},
+				},
+			},
+		}
+	case types.JoinMethodCircleCI:
+		spec.CircleCI = &types.ProvisionTokenSpecV2CircleCI{
+			Allow: []*types.ProvisionTokenSpecV2CircleCI_Rule{
+				{
+					ProjectID: "test-project-id",
+				},
+			},
+			OrganizationID: "test-org-id",
+		}
+	}
+}
+
 func TestCreateTokenForDiscovery(t *testing.T) {
 	ctx := context.Background()
 	username := "test-user@example.com"

From f985715151b1cae0f53a2b115fb22eeb1309e3ce Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Tue, 29 Apr 2025 10:44:02 +0100
Subject: [PATCH 21/29] Revert createTokenForDiscoveryHandle changes

---
 lib/web/join_tokens.go | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index 64bee7da06a24..e7c852981537c 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -260,7 +260,7 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 
 // createTokenForDiscoveryHandle creates tokens used during guided discover flows.
 // V2 endpoint processes "suggestedLabels" field.
-func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (any, error) {
+func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (interface{}, error) {
 	clt, err := ctx.GetClient()
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -302,18 +302,9 @@ func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.R
 		}
 
 		// IAM tokens should 'never' expire
-		expires = time.Time{}
-	case types.JoinMethodGitHub:
-		// GitHub tokens should 'never' expire
-		expires = time.Time{}
-	case types.JoinMethodOracle:
-		// Oracle tokens should 'never' expire
-		expires = time.Time{}
-	case types.JoinMethodGCP:
-		// GCP tokens should 'never' expire
-		expires = time.Time{}
+		expires = time.Now().UTC().AddDate(1000, 0, 0)
 	case types.JoinMethodAzure:
-		tokenName, err = generateAzureTokenName(req.Azure.Allow)
+		tokenName, err := generateAzureTokenName(req.Azure.Allow)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -340,14 +331,11 @@ func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.R
 			}, nil
 		}
 	default:
-		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
-	}
-
-	if tokenName == "" {
 		tokenName, err = utils.CryptoRandomHex(defaults.TokenLenBytes)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+		expires = time.Now().UTC().Add(defaults.NodeJoinTokenTTL)
 	}
 
 	// If using the automatic method to add a Node, the `install.sh` will add the token's suggested labels

From 928c83e61c877c68fd9062554169817630df44a8 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Tue, 29 Apr 2025 14:08:50 +0100
Subject: [PATCH 22/29] Fix acronym casing

---
 .../teleport/src/JoinTokens/JoinTokenForms.tsx       |  8 ++++----
 .../teleport/src/JoinTokens/JoinTokenGithubForm.tsx  |  4 ++--
 .../src/JoinTokens/UpsertJoinTokenDialog.tsx         | 12 ++++++------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
index e024237af1219..8b40e4288fd5e 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
@@ -130,11 +130,11 @@ export const JoinTokenIAMForm = ({
 const supportedFieldsIam = new Set(['.aws_account', '.aws_arn']);
 
 /**
- * `checkIAMYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * `checkIamYamlData` determines if the provided value contains item/s that are not supported by the edit form.
  * @param data a value representing the iam-specific config for a token
  * @returns a boolean indicating if the provided value contains unsupported items
  */
-export const checkIAMYAMLData = (data: unknown) => {
+export const checkIamYamlData = (data: unknown) => {
   const keys = collectKeys(data);
   return !keys || new Set(keys).isSubsetOf(supportedFieldsIam);
 };
@@ -261,11 +261,11 @@ const supportedFieldsGcp = new Set([
 ]);
 
 /**
- * `checkGCPYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * `checkGcpYamlData` determines if the provided value contains item/s that are not supported by the edit form.
  * @param data a value representing the gcp-specific config for a token
  * @returns a boolean indicating if the provided value contains unsupported items
  */
-export const checkGCPYAMLData = (data: unknown) => {
+export const checkGcpYamlData = (data: unknown) => {
   const keys = collectKeys(data);
   return !keys || new Set(keys).isSubsetOf(supportedFieldsGcp);
 };
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index 9f469bd6eaa0b..cc937f1c72399 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -304,11 +304,11 @@ const supportedFields = new Set([
 ]);
 
 /**
- * `checkGithubYAMLData` determines if the provided value contains item/s that are not supported by the edit form.
+ * `checkGithubYamlData` determines if the provided value contains item/s that are not supported by the edit form.
  * @param data a value representing the github-specific config for a token
  * @returns a boolean indicating if the provided value contains unsupported items
  */
-export const checkGithubYAMLData = (data: unknown) => {
+export const checkGithubYamlData = (data: unknown) => {
   const keys = collectKeys(data);
   return !keys || new Set(keys).isSubsetOf(supportedFields);
 };
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 1abc7d9373bd3..8d0628184f83e 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -55,14 +55,14 @@ import { Info } from 'design/Alert/Alert';
 import { YamlSupportedResourceKind } from 'teleport/services/yaml/types';
 
 import {
-  checkGCPYAMLData,
-  checkIAMYAMLData,
+  checkGcpYamlData,
+  checkIamYamlData,
   JoinTokenGCPForm,
   JoinTokenIAMForm,
   JoinTokenOracleForm,
 } from './JoinTokenForms';
 import {
-  checkGithubYAMLData,
+  checkGithubYamlData,
   JoinTokenGithubForm,
 } from './JoinTokenGithubForm';
 
@@ -259,11 +259,11 @@ export const UpsertJoinTokenDialog = ({
 
     switch (data.object.spec.join_method) {
       case 'iam':
-        return !checkIAMYAMLData(data.object.spec.allow);
+        return !checkIamYamlData(data.object.spec.allow);
       case 'gcp':
-        return !checkGCPYAMLData(data.object.spec.gcp);
+        return !checkGcpYamlData(data.object.spec.gcp);
       case 'github':
-        return !checkGithubYAMLData(data.object.spec.github);
+        return !checkGithubYamlData(data.object.spec.github);
     }
 
     return false;

From 2b90f08d46c6ce1cacf4f53c3820f84ba7e3590c Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 09:37:45 +0100
Subject: [PATCH 23/29] Cover enterprise token types in tests

---
 lib/web/join_tokens_test.go | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index 457c4a34feaf8..952dec11e3d50 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -470,7 +470,15 @@ func TestEditToken(t *testing.T) {
 }
 
 func TestCreateTokenExpiry(t *testing.T) {
-	t.Parallel()
+	// Can't t.Parallel because of modules.SetTestModules.
+	// Use enterprise build to access token types such as TPM and Spacelift
+	modules.SetTestModules(t, &modules.TestModules{
+		TestBuildType: modules.BuildEnterprise,
+		TestFeatures: modules.Features{
+			Cloud: false,
+		},
+	})
+
 	ctx := context.Background()
 	username := "test-user@example.com"
 	env := newWebPack(t, 1)
@@ -479,11 +487,6 @@ func TestCreateTokenExpiry(t *testing.T) {
 
 	for _, method := range types.JoinMethods {
 		t.Run(string(method), func(t *testing.T) {
-			// Skip enterprise-only methods
-			if method == types.JoinMethodTPM || method == types.JoinMethodSpacelift {
-				t.Skipf("Skipping %s, as it's enterprise-only", method)
-			}
-
 			spec := types.ProvisionTokenSpecV2{
 				Roles:      []types.SystemRole{types.RoleNode},
 				JoinMethod: method,
@@ -594,6 +597,23 @@ func setMinimalConfigForMethod(spec *types.ProvisionTokenSpecV2, method types.Jo
 			},
 			OrganizationID: "test-org-id",
 		}
+	case types.JoinMethodTPM:
+		spec.TPM = &types.ProvisionTokenSpecV2TPM{
+			Allow: []*types.ProvisionTokenSpecV2TPM_Rule{
+				{
+					EKPublicHash: "test-hash",
+				},
+			},
+		}
+	case types.JoinMethodSpacelift:
+		spec.Spacelift = &types.ProvisionTokenSpecV2Spacelift{
+			Hostname: "test-hostname",
+			Allow: []*types.ProvisionTokenSpecV2Spacelift_Rule{
+				{
+					SpaceID: "test-space-id",
+				},
+			},
+		}
 	}
 }
 

From e7fd9a564f78315c758dbc68df7d451f49acdefb Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 09:38:47 +0100
Subject: [PATCH 24/29] Cover github tokens in existing tests

---
 lib/web/join_tokens_test.go | 169 ++++++++++++++++--------------------
 1 file changed, 75 insertions(+), 94 deletions(-)

diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index 952dec11e3d50..a6bbeecb62c9c 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -27,7 +27,6 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
-	"slices"
 	"strconv"
 	"testing"
 	"time"
@@ -96,8 +95,8 @@ func TestGenerateIAMTokenName(t *testing.T) {
 
 type tokenData struct {
 	name   string
-	roles  types.SystemRoles
 	expiry time.Time
+	spec   types.ProvisionTokenSpecV2
 }
 
 func TestGetTokens(t *testing.T) {
@@ -149,25 +148,31 @@ func TestGetTokens(t *testing.T) {
 			tokenData: []tokenData{
 				{
 					name: "test-token",
-					roles: types.SystemRoles{
-						types.RoleNode,
+					spec: types.ProvisionTokenSpecV2{
+						Roles: types.SystemRoles{
+							types.RoleNode,
+						},
 					},
 					expiry: expiry,
 				},
 				{
 					name: "test-token-2",
-					roles: types.SystemRoles{
-						types.RoleNode,
-						types.RoleDatabase,
+					spec: types.ProvisionTokenSpecV2{
+						Roles: types.SystemRoles{
+							types.RoleNode,
+							types.RoleDatabase,
+						},
 					},
 					expiry: expiry,
 				},
 				{
 					name: "test-token-3-and-super-duper-long",
-					roles: types.SystemRoles{
-						types.RoleNode,
-						types.RoleKube,
-						types.RoleDatabase,
+					spec: types.ProvisionTokenSpecV2{
+						Roles: types.SystemRoles{
+							types.RoleNode,
+							types.RoleKube,
+							types.RoleDatabase,
+						},
 					},
 					expiry: expiry,
 				},
@@ -209,6 +214,64 @@ func TestGetTokens(t *testing.T) {
 				staticUIToken,
 			},
 		},
+		{
+			name: "github token",
+			tokenData: []tokenData{
+				{
+					name: "github-test-token",
+					spec: types.ProvisionTokenSpecV2{
+						Roles: types.SystemRoles{
+							types.RoleBot,
+						},
+						BotName:    "test-bot",
+						JoinMethod: types.JoinMethodGitHub,
+						GitHub: &types.ProvisionTokenSpecV2GitHub{
+							EnterpriseServerHost: "github.example.com",
+							StaticJWKS:           "{\"keys\":[]}",
+							Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+								{
+									Repository:      "gravitational/teleport",
+									RepositoryOwner: "gravitational",
+									Sub:             "test-sub",
+									Workflow:        "test-workflow",
+									Environment:     "test-environment",
+									Actor:           "octocat",
+									Ref:             "ref/heads/main",
+									RefType:         "branch",
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: []ui.JoinToken{
+				{
+					ID:       "github-test-token",
+					SafeName: "github-test-token",
+					BotName:  "test-bot",
+					Expiry:   time.Time{},
+					Roles:    types.SystemRoles{"Bot"},
+					Method:   types.JoinMethodGitHub,
+					Github: &types.ProvisionTokenSpecV2GitHub{
+						EnterpriseServerHost: "github.example.com",
+						StaticJWKS:           "{\"keys\":[]}",
+						Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
+							{
+								Repository:      "gravitational/teleport",
+								RepositoryOwner: "gravitational",
+								Sub:             "test-sub",
+								Workflow:        "test-workflow",
+								Environment:     "test-environment",
+								Actor:           "octocat",
+								Ref:             "ref/heads/main",
+								RefType:         "branch",
+							},
+						},
+					},
+				},
+				staticUIToken,
+			},
+		},
 	}
 
 	for _, tc := range tt {
@@ -249,9 +312,7 @@ func TestGetTokens(t *testing.T) {
 			}
 
 			for _, td := range tc.tokenData {
-				token, err := types.NewProvisionTokenFromSpec(td.name, td.expiry, types.ProvisionTokenSpecV2{
-					Roles: td.roles,
-				})
+				token, err := types.NewProvisionTokenFromSpec(td.name, td.expiry, td.spec)
 				require.NoError(t, err)
 				err = env.server.Auth().CreateToken(ctx, token)
 				require.NoError(t, err)
@@ -269,86 +330,6 @@ func TestGetTokens(t *testing.T) {
 	}
 }
 
-func TestGetGithubTokens(t *testing.T) {
-	t.Parallel()
-	ctx := context.Background()
-
-	username := "test-user@example.com"
-	expiry := time.Now().UTC().Add(30 * time.Minute)
-
-	env := newWebPack(t, 1)
-	proxy := env.proxies[0]
-	pack := proxy.authPack(t, username, nil /* roles */)
-
-	td := tokenData{
-		name:   "github-test-token",
-		expiry: expiry,
-		roles:  types.SystemRoles{types.RoleBot},
-	}
-
-	token, err := types.NewProvisionTokenFromSpec(td.name, td.expiry, types.ProvisionTokenSpecV2{
-		Roles:      td.roles,
-		BotName:    "test-bot",
-		JoinMethod: types.JoinMethodGitHub,
-
-		GitHub: &types.ProvisionTokenSpecV2GitHub{
-			EnterpriseServerHost: "github.example.com",
-			StaticJWKS:           "{\"keys\":[]}",
-			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
-				{
-					Repository:      "gravitational/teleport",
-					RepositoryOwner: "gravitational",
-					Sub:             "test-sub",
-					Workflow:        "test-workflow",
-					Environment:     "test-environment",
-					Actor:           "octocat",
-					Ref:             "ref/heads/main",
-					RefType:         "branch",
-				},
-			},
-		},
-	})
-	require.NoError(t, err)
-	err = env.server.Auth().CreateToken(ctx, token)
-	require.NoError(t, err)
-
-	endpoint := pack.clt.Endpoint("webapi", "tokens")
-	re, err := pack.clt.Get(ctx, endpoint, url.Values{})
-	require.NoError(t, err)
-
-	resp := GetTokensResponse{}
-	require.NoError(t, json.Unmarshal(re.Bytes(), &resp))
-
-	require.Len(t, resp.Items, 2) // Including a static token
-
-	githubTokenIndex := slices.IndexFunc(resp.Items, func(item ui.JoinToken) bool { return item.Method == types.JoinMethodGitHub })
-	require.NotEqual(t, githubTokenIndex, -1)
-	require.Empty(t, cmp.Diff(resp.Items[githubTokenIndex], ui.JoinToken{
-		ID:       "github-test-token",
-		SafeName: "github-test-token",
-		BotName:  "test-bot",
-		Expiry:   expiry,
-		Roles:    types.SystemRoles{"Bot"},
-		Method:   types.JoinMethodGitHub,
-		Github: &types.ProvisionTokenSpecV2GitHub{
-			EnterpriseServerHost: "github.example.com",
-			StaticJWKS:           "{\"keys\":[]}",
-			Allow: []*types.ProvisionTokenSpecV2GitHub_Rule{
-				{
-					Repository:      "gravitational/teleport",
-					RepositoryOwner: "gravitational",
-					Sub:             "test-sub",
-					Workflow:        "test-workflow",
-					Environment:     "test-environment",
-					Actor:           "octocat",
-					Ref:             "ref/heads/main",
-					RefType:         "branch",
-				},
-			},
-		},
-	}, cmpopts.IgnoreFields(ui.JoinToken{}, "Content")))
-}
-
 func TestDeleteToken(t *testing.T) {
 	ctx := context.Background()
 	username := "test-user@example.com"

From 98c1c72d143401eb89c1df0f631b725985e126f8 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 10:18:35 +0100
Subject: [PATCH 25/29] Tweak handling of `tokenId`

---
 lib/web/join_tokens.go | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index e7c852981537c..c4a7431a85f9e 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -190,7 +190,7 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 		return nil, trace.Wrap(err)
 	}
 
-	var tokenId string
+	var tokenId string = req.Name
 	if r.Method == "PUT" {
 		// if using the PUT route, tokenId will be present
 		// in the X-Teleport-TokenName header
@@ -199,8 +199,6 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 		if tokenId != "" && tokenId != req.Name {
 			return nil, trace.BadParameter("renaming tokens is not supported")
 		}
-	} else {
-		tokenId = req.Name
 	}
 
 	clt, err := ctx.GetClient()
@@ -209,11 +207,9 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 	}
 
 	var existingToken types.ProvisionToken
-	if tokenId != "" {
-		existingToken, err = clt.GetToken(r.Context(), tokenId)
-		if err != nil && !trace.IsNotFound(err) {
-			return nil, trace.Wrap(err)
-		}
+	existingToken, err = clt.GetToken(r.Context(), tokenId)
+	if err != nil && !trace.IsNotFound(err) {
+		return nil, trace.Wrap(err)
 	}
 
 	var expires time.Time

From 1311d912b107109a445c7511a4241a2b96da5711 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 10:19:24 +0100
Subject: [PATCH 26/29] Check expiry is not overwritten

---
 lib/web/join_tokens_test.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/web/join_tokens_test.go b/lib/web/join_tokens_test.go
index a6bbeecb62c9c..50762a048199f 100644
--- a/lib/web/join_tokens_test.go
+++ b/lib/web/join_tokens_test.go
@@ -406,6 +406,8 @@ func TestEditToken(t *testing.T) {
 	proxy := env.proxies[0]
 	pack := proxy.authPack(t, username, nil /* roles */)
 
+	expiry := time.Now().UTC()
+
 	// Setup an existing token
 	spec := types.ProvisionTokenSpecV2{
 		Roles:      types.SystemRoles{types.RoleBot},
@@ -422,6 +424,7 @@ func TestEditToken(t *testing.T) {
 	}
 	token, err := types.NewProvisionTokenFromSpec("github-test-token", time.Time{}, spec)
 	require.NoError(t, err)
+	token.SetExpiry(expiry)
 	token.SetLabels(map[string]string{
 		"test-key": "test-value",
 	})
@@ -445,6 +448,7 @@ func TestEditToken(t *testing.T) {
 	editedToken, err := env.server.Auth().GetToken(ctx, "github-test-token")
 	require.NoError(t, err)
 	require.Equal(t, "test-bot_EDITED", editedToken.GetBotName())
+	require.Equal(t, expiry, *editedToken.GetMetadata().Expires)
 	require.Equal(t, map[string]string{
 		"test-key": "test-value",
 	}, editedToken.GetMetadata().Labels)

From f0254a692340c137b95521aa33f8d08f391d6b05 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 10:34:13 +0100
Subject: [PATCH 27/29] Revert removing tokenId check

---
 lib/web/join_tokens.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/web/join_tokens.go b/lib/web/join_tokens.go
index c4a7431a85f9e..5e1db8b0ed579 100644
--- a/lib/web/join_tokens.go
+++ b/lib/web/join_tokens.go
@@ -207,9 +207,11 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 	}
 
 	var existingToken types.ProvisionToken
-	existingToken, err = clt.GetToken(r.Context(), tokenId)
-	if err != nil && !trace.IsNotFound(err) {
-		return nil, trace.Wrap(err)
+	if tokenId != "" {
+		existingToken, err = clt.GetToken(r.Context(), tokenId)
+		if err != nil && !trace.IsNotFound(err) {
+			return nil, trace.Wrap(err)
+		}
 	}
 
 	var expires time.Time

From 521b6291d87f19bb5debf446238606742fb8b500 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Wed, 30 Apr 2025 11:36:38 +0100
Subject: [PATCH 28/29] Refactor supported fields

---
 .../utils}/collectKeys.test.ts                |  0
 .../utils}/collectKeys.ts                     |  0
 .../src/JoinTokens/JoinTokenForms.tsx         | 29 -----------
 .../src/JoinTokens/JoinTokenGithubForm.tsx    | 23 --------
 .../src/JoinTokens/UpsertJoinTokenDialog.tsx  | 52 +++++++++++++++----
 5 files changed, 43 insertions(+), 61 deletions(-)
 rename web/packages/{teleport/src/JoinTokens => shared/utils}/collectKeys.test.ts (100%)
 rename web/packages/{teleport/src/JoinTokens => shared/utils}/collectKeys.ts (100%)

diff --git a/web/packages/teleport/src/JoinTokens/collectKeys.test.ts b/web/packages/shared/utils/collectKeys.test.ts
similarity index 100%
rename from web/packages/teleport/src/JoinTokens/collectKeys.test.ts
rename to web/packages/shared/utils/collectKeys.test.ts
diff --git a/web/packages/teleport/src/JoinTokens/collectKeys.ts b/web/packages/shared/utils/collectKeys.ts
similarity index 100%
rename from web/packages/teleport/src/JoinTokens/collectKeys.ts
rename to web/packages/shared/utils/collectKeys.ts
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
index 8b40e4288fd5e..dc6604e8db544 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenForms.tsx
@@ -22,7 +22,6 @@ import FieldInput from 'shared/components/FieldInput';
 import { FieldSelectCreatable } from 'shared/components/FieldSelect';
 import { requiredField } from 'shared/components/Validation/rules';
 
-import { collectKeys } from './collectKeys';
 import {
   AllowOption,
   NewJoinTokenState,
@@ -127,18 +126,6 @@ export const JoinTokenIAMForm = ({
   );
 };
 
-const supportedFieldsIam = new Set(['.aws_account', '.aws_arn']);
-
-/**
- * `checkIamYamlData` determines if the provided value contains item/s that are not supported by the edit form.
- * @param data a value representing the iam-specific config for a token
- * @returns a boolean indicating if the provided value contains unsupported items
- */
-export const checkIamYamlData = (data: unknown) => {
-  const keys = collectKeys(data);
-  return !keys || new Set(keys).isSubsetOf(supportedFieldsIam);
-};
-
 export const JoinTokenGCPForm = ({
   tokenState,
   onUpdateState,
@@ -254,22 +241,6 @@ export const JoinTokenGCPForm = ({
   );
 };
 
-const supportedFieldsGcp = new Set([
-  '.allow.project_ids',
-  '.allow.locations',
-  '.allow.service_accounts',
-]);
-
-/**
- * `checkGcpYamlData` determines if the provided value contains item/s that are not supported by the edit form.
- * @param data a value representing the gcp-specific config for a token
- * @returns a boolean indicating if the provided value contains unsupported items
- */
-export const checkGcpYamlData = (data: unknown) => {
-  const keys = collectKeys(data);
-  return !keys || new Set(keys).isSubsetOf(supportedFieldsGcp);
-};
-
 export const JoinTokenOracleForm = ({
   tokenState,
   onUpdateState,
diff --git a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
index cc937f1c72399..8ae281c6f4c33 100644
--- a/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
+++ b/web/packages/teleport/src/JoinTokens/JoinTokenGithubForm.tsx
@@ -34,7 +34,6 @@ import { requiredField } from 'shared/components/Validation/rules';
 import cfg from 'teleport/config';
 import { SectionBox } from 'teleport/Roles/RoleEditor/StandardEditor/sections';
 
-import { collectKeys } from './collectKeys';
 import { NewJoinTokenState } from './UpsertJoinTokenDialog';
 
 export const JoinTokenGithubForm = ({
@@ -290,25 +289,3 @@ const RuleBox = styled(Box)`
 
   padding: ${props => props.theme.space[3]}px;
 `;
-
-const supportedFields = new Set([
-  '.enterprise_server_host',
-  '.static_jwks',
-  '.enterprise_slug',
-  '.allow.repository',
-  '.allow.repository_owner',
-  '.allow.workflow',
-  '.allow.environment',
-  '.allow.ref',
-  '.allow.ref_type',
-]);
-
-/**
- * `checkGithubYamlData` determines if the provided value contains item/s that are not supported by the edit form.
- * @param data a value representing the github-specific config for a token
- * @returns a boolean indicating if the provided value contains unsupported items
- */
-export const checkGithubYamlData = (data: unknown) => {
-  const keys = collectKeys(data);
-  return !keys || new Set(keys).isSubsetOf(supportedFields);
-};
diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index 8d0628184f83e..bddda4d91de72 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -51,20 +51,16 @@ import {
 import 'teleport/services/resources';
 
 import { Info } from 'design/Alert/Alert';
+import { collectKeys } from 'shared/utils/collectKeys';
 
 import { YamlSupportedResourceKind } from 'teleport/services/yaml/types';
 
 import {
-  checkGcpYamlData,
-  checkIamYamlData,
   JoinTokenGCPForm,
   JoinTokenIAMForm,
   JoinTokenOracleForm,
 } from './JoinTokenForms';
-import {
-  checkGithubYamlData,
-  JoinTokenGithubForm,
-} from './JoinTokenGithubForm';
+import { JoinTokenGithubForm } from './JoinTokenGithubForm';
 
 const maxWidth = '550px';
 
@@ -259,11 +255,20 @@ export const UpsertJoinTokenDialog = ({
 
     switch (data.object.spec.join_method) {
       case 'iam':
-        return !checkIamYamlData(data.object.spec.allow);
+        return !checkYamlData(
+          data.object.spec.allow,
+          data.object.spec.join_method
+        );
       case 'gcp':
-        return !checkGcpYamlData(data.object.spec.gcp);
+        return !checkYamlData(
+          data.object.spec.gcp,
+          data.object.spec.join_method
+        );
       case 'github':
-        return !checkGithubYamlData(data.object.spec.github);
+        return !checkYamlData(
+          data.object.spec.github,
+          data.object.spec.join_method
+        );
     }
 
     return false;
@@ -625,3 +630,32 @@ export const RuleBox = styled(Box)`
 
   padding: ${props => props.theme.space[3]}px;
 `;
+
+const checkYamlData = (data: unknown, joinMethod: JoinMethod) => {
+  const supportedFields = supportedFieldsMap[joinMethod];
+  if (!supportedFields) {
+    return true;
+  }
+  const keys = collectKeys(data);
+  return !keys || new Set(keys).isSubsetOf(supportedFields);
+};
+
+const supportedFieldsMap: Partial<Record<JoinMethod, Set<string>>> = {
+  iam: new Set(['.aws_account', '.aws_arn']),
+  gcp: new Set([
+    '.allow.project_ids',
+    '.allow.locations',
+    '.allow.service_accounts',
+  ]),
+  github: new Set([
+    '.enterprise_server_host',
+    '.static_jwks',
+    '.enterprise_slug',
+    '.allow.repository',
+    '.allow.repository_owner',
+    '.allow.workflow',
+    '.allow.environment',
+    '.allow.ref',
+    '.allow.ref_type',
+  ]),
+};

From 0c27883a3504c7aca874c6928a7f2b486cd9c137 Mon Sep 17 00:00:00 2001
From: Nick Marais <nicholas.marais@goteleport.com>
Date: Thu, 1 May 2025 15:50:59 +0100
Subject: [PATCH 29/29] Remove use of `X-Teleport-TokenName`

---
 .../teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx      | 2 +-
 web/packages/teleport/src/services/joinToken/joinToken.ts  | 7 ++-----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
index bddda4d91de72..62ccf938d46cc 100644
--- a/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
+++ b/web/packages/teleport/src/JoinTokens/UpsertJoinTokenDialog.tsx
@@ -212,7 +212,7 @@ export const UpsertJoinTokenDialog = ({
   const [createTokenAttempt, runCreateTokenAttempt] = useAsync(
     async (req: CreateJoinTokenRequest, isEdit: boolean) => {
       const token = isEdit
-        ? await ctx.joinTokenService.upsertJoinToken(req, editToken.id)
+        ? await ctx.joinTokenService.editJoinToken(req)
         : await ctx.joinTokenService.createJoinToken(req);
       updateTokenList(token);
       onClose();
diff --git a/web/packages/teleport/src/services/joinToken/joinToken.ts b/web/packages/teleport/src/services/joinToken/joinToken.ts
index e0cb556be41ac..a841553dd6117 100644
--- a/web/packages/teleport/src/services/joinToken/joinToken.ts
+++ b/web/packages/teleport/src/services/joinToken/joinToken.ts
@@ -102,11 +102,8 @@ class JoinTokenService {
     return api.post(cfg.getJoinTokensUrl(), req).then(makeJoinToken);
   }
 
-  async upsertJoinToken(req: CreateJoinTokenRequest, tokenName: string) {
-    const json = await api.putWithHeaders(cfg.getJoinTokensUrl(), req, {
-      [TeleportTokenNameHeader]: tokenName,
-      'Content-Type': 'application/json',
-    });
+  async editJoinToken(req: CreateJoinTokenRequest) {
+    const json = await api.put(cfg.getJoinTokensUrl(), req);
     return makeJoinToken(json);
   }