Walkthrough

The changes introduce support for multiple JWT audiences in the authentication system. The JWTConfig.Audience field (string) is replaced with Audiences ([]string) across SSH server configuration, proto definitions, and management server conversion logic, enabling token validation against multiple allowed audiences.

Changes

Sequence Diagram(s)

sequenceDiagram
    participant ProtoMgmt as Proto Definition<br/>(management.proto)
    participant Conversion as Management<br/>Conversion Logic
    participant SSHEngine as SSH Engine<br/>(engine_ssh.go)
    participant SSHServer as SSH Server<br/>(server.go)
    participant Validator as JWT Validator

    ProtoMgmt->>ProtoMgmt: Define Audiences field ([]string)
    Conversion->>Conversion: buildJWTConfig() constructs<br/>Audiences slice from<br/>AuthAudience + CLIAuthAudience
    SSHEngine->>SSHEngine: GetAudiences() retrieves<br/>audiences from proto config
    SSHEngine->>SSHServer: Initialize JWT config<br/>with Audiences slice
    SSHServer->>SSHServer: Validate Audiences<br/>not empty
    SSHServer->>Validator: Configure validator with<br/>multiple allowed audiences
    Validator->>Validator: Accept tokens matching<br/>any audience in slice

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• [management, client] Fix SSH server audience validator #5105: Implements identical code-level changes replacing JWTConfig.Audience with Audiences and updating engine_ssh.go to use proto audience methods.

Suggested reviewers

• lixmal
• mlsmaycon

Poem

🐰 Audiences multiply like carrots in spring,
No longer just one, but a list-ening thing!
From proto to server, the slice finds its way,
Multiple tokens now dance and play!
Hop hop, validate them all! 🎪

• 📝 Generate docstrings

Configuration used: defaults

Review profile: CHILL

Plan: Pro

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

• X
• Mastodon
• Reddit
• LinkedIn