
UID2-7271: add Role.CLAUDE_ACCESS for machine service-account access#649

Open
sophia-chen-ttd wants to merge 6 commits into main from sch-UID2-7271-claude-access-role
Conversation

sophia-chen-ttd (Contributor) commented Jun 11, 2026

Summary

Introduces Role.CLAUDE_ACCESS (from uid2-shared 11.4.21-alpha-349-SNAPSHOT) and wires the Okta custom scope uid2.admin.claude-access to it via OktaCustomScope. The role is read-only — all GET endpoints except reveal endpoints. No write operations.

CLAUDE_ACCESS is a strict subset of MAINTAINER: every endpoint it can reach, MAINTAINER can also reach.

Endpoints granted CLAUDE_ACCESS

Endpoint                                          Service
GET /api/client/metadata                          Client keys
GET /api/client/list                              Client keys
GET /api/client/list/:siteId                      Client keys
GET /api/client/keyId                             Client keys
GET /api/client/contact                           Client keys
GET /api/client_side_keypairs/list                CSTG keypairs
GET /api/client_side_keypairs/:subscriptionId     CSTG keypairs
GET /api/v2/sites/:siteId/client-side-keypairs    CSTG keypairs
GET /api/cloud-encryption-key/metadata            Cloud encryption keys
GET /api/cloud-encryption-key/list                Cloud encryption keys
GET /api/enclave/metadata                         Enclaves
GET /api/enclave/list                             Enclaves
GET /api/key/list                                 Encryption keys
GET /api/key/list_keyset_keys                     Encryption keys
GET /api/job-dispatcher/current-job               Job dispatcher
GET /api/job-dispatcher/job-queue                 Job dispatcher
GET /api/keys_acl/list                            Key ACL
GET /api/operator/metadata                        Operator keys
GET /api/operator/list                            Operator keys
GET /api/partner_config/get                       Partner config
GET /api/salt/snapshots                           Salts
GET /api/service_link/list                        Service links
GET /api/service/list                             Services
GET /api/service/list/:service_id                 Services
GET /api/sharing/lists                            Sharing
GET /api/sharing/list/:siteId                     Sharing
GET /api/sharing/keysets                          Sharing
GET /api/sharing/keyset/:keyset_id                Sharing
GET /api/sharing/keysets/related                  Sharing
GET /api/site/list                                Sites
GET /api/site/:siteId                             Sites

Explicitly excluded: GET /api/client/reveal, GET /api/operator/reveal (reveal endpoints). All POST/write operations excluded.

Test plan

  • CI passes (compile + unit tests)
  • A token with uid2.admin.claude-access scope can call a read endpoint (e.g. GET /api/site/list)
  • Token is rejected on a MAINTAINER-only endpoint (e.g. POST /api/site/add)
  • Token is rejected on reveal endpoints (GET /api/client/reveal, GET /api/operator/reveal)

Dependencies

  • uid2-shared PR for Role.CLAUDE_ACCESS: IABTechLab/uid2-shared (branch sch-UID2-7271-add-claude-access-role-to-admin)
  • Okta config: UnifiedID2/uid2-okta-configuration#203

Refs: UID2-7271

🤖 Generated with Claude Code
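The invariants the summary and test plan above state (CLAUDE_ACCESS is GET-only, never reaches a reveal endpoint, and is a strict subset of MAINTAINER) are the kind of thing worth checking mechanically over the route table rather than by hand per endpoint. The following is an added example, not code from this PR or from uid2-admin: a Python model of a route table with per-route role sets, a scope-to-role mapping standing in for OktaCustomScope, and a policy check that reports every route breaking those invariants. Only the two role names, the scope uid2.admin.claude-access and the endpoint paths come from the PR; the Route/policy_violations helpers, the path matcher, the chosen subset of routes, and the assignment of reveal and add routes to MAINTAINER only are assumptions for illustration.

```python
"""Added example (not uid2-admin code): policy check for a read-only machine role.

Models the PR's invariants for Role.CLAUDE_ACCESS over a constructed route table:
  * GET routes only, never a reveal endpoint, no write operations;
  * a strict subset of MAINTAINER (everything it reaches, MAINTAINER reaches).
Assumptions: reveal and add routes are MAINTAINER-only here (the PR only says
CLAUDE_ACCESS is excluded from them); helper names are invented for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    MAINTAINER = "MAINTAINER"
    CLAUDE_ACCESS = "CLAUDE_ACCESS"


# Okta custom scope -> role; stands in for OktaCustomScope (only the scope named in the PR).
SCOPE_TO_ROLE = {"uid2.admin.claude-access": Role.CLAUDE_ACCESS}

BOTH = frozenset({Role.MAINTAINER, Role.CLAUDE_ACCESS})
MAINTAINER_ONLY = frozenset({Role.MAINTAINER})


@dataclass(frozen=True)
class Route:
    method: str
    path: str          # ":name" segments are path parameters
    roles: frozenset   # roles the auth handler accepts for this route


# Constructed from the PR's endpoint table (a representative subset) plus its exclusions.
# Order matters: literal routes such as /api/site/list precede the /api/site/:siteId pattern.
ROUTES = (
    Route("GET", "/api/site/list", BOTH),
    Route("GET", "/api/site/:siteId", BOTH),
    Route("GET", "/api/client/list", BOTH),
    Route("GET", "/api/client/list/:siteId", BOTH),
    Route("GET", "/api/key/list", BOTH),
    Route("GET", "/api/sharing/keyset/:keyset_id", BOTH),
    Route("GET", "/api/client/reveal", MAINTAINER_ONLY),
    Route("GET", "/api/operator/reveal", MAINTAINER_ONLY),
    Route("POST", "/api/site/add", MAINTAINER_ONLY),
    Route("POST", "/api/enclave/add", MAINTAINER_ONLY),
    Route("POST", "/api/service/add", MAINTAINER_ONLY),
)


def path_matches(pattern: str, path: str) -> bool:
    """Match a concrete request path against a route pattern segment by segment."""
    pp, rp = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(pp) != len(rp):
        return False
    return all(p.startswith(":") or p == r for p, r in zip(pp, rp))


def find_route(method: str, path: str, routes=ROUTES):
    """First route whose method and pattern match; None if the table has no such route."""
    for route in routes:
        if route.method == method.upper() and path_matches(route.path, path):
            return route
    return None


def roles_for_scopes(scopes) -> set:
    """Roles granted by a token's scopes; unknown scopes grant nothing."""
    return {SCOPE_TO_ROLE[s] for s in scopes if s in SCOPE_TO_ROLE}


def is_authorized(method: str, path: str, scopes, routes=ROUTES) -> bool:
    """Deny by default: an unknown route or no role overlap is a rejection."""
    route = find_route(method, path, routes)
    return route is not None and bool(route.roles & roles_for_scopes(scopes))


def reachable(role: Role, routes=ROUTES) -> set:
    return {(r.method, r.path) for r in routes if role in r.roles}


def is_strict_subset(role: Role, superset: Role, routes=ROUTES) -> bool:
    return reachable(role, routes) < reachable(superset, routes)


def policy_violations(routes=ROUTES) -> list:
    """Every way a route table breaks the CLAUDE_ACCESS invariants; empty means compliant."""
    problems = []
    for r in routes:
        if Role.CLAUDE_ACCESS not in r.roles:
            continue
        if r.method != "GET":
            problems.append(f"{r.method} {r.path}: CLAUDE_ACCESS on a write route")
        if r.path.endswith("/reveal"):
            problems.append(f"{r.method} {r.path}: CLAUDE_ACCESS on a reveal route")
        if Role.MAINTAINER not in r.roles:
            problems.append(f"{r.method} {r.path}: reachable by CLAUDE_ACCESS but not MAINTAINER")
    if not is_strict_subset(Role.CLAUDE_ACCESS, Role.MAINTAINER, routes):
        problems.append("CLAUDE_ACCESS is not a strict subset of MAINTAINER")
    return problems


# Regression case: an add route granted to CLAUDE_ACCESS, the state the PR's first commit was in.
REGRESSED_ROUTES = ROUTES + (Route("POST", "/api/client/add", BOTH),)


if __name__ == "__main__":
    token_scopes = ["uid2.admin.claude-access"]
    for method, path in [("GET", "/api/site/list"), ("GET", "/api/site/42"),
                         ("POST", "/api/site/add"), ("GET", "/api/client/reveal")]:
        verdict = "allowed" if is_authorized(method, path, token_scopes) else "rejected"
        print(f"{method} {path}: {verdict}")
    print("violations in PR table:", policy_violations())
    print("violations in regressed table:", policy_violations(REGRESSED_ROUTES))
```

Run on the table as the PR describes it, policy_violations() is empty and a claude-access token is allowed on GET /api/site/list and GET /api/site/42 but rejected on POST /api/site/add and GET /api/client/reveal; run on REGRESSED_ROUTES it flags the add route, which is exactly the class of slip the later "Remove Role.CLAUDE_ACCESS from all add POST endpoints" commit corrected. A check of this shape over the real router, in whatever language the project's tests use, keeps the subset and read-only claims true as new endpoints are added.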

Introduces a new fine-grained role for Claude (and similar AI service
accounts) to authenticate against uid2-admin via the Okta custom scope
uid2.admin.claude-access. The role is intentionally more restrictive than
MAINTAINER — it grants read access to all non-reveal endpoints plus
add-only POST access, with no update, delete, or reveal operations.

- Add CLAUDE_ACCESS to OktaCustomScope, wiring uid2.admin.claude-access
  to the new Role.CLAUDE_ACCESS from uid2-shared 11.4.21-alpha-349-SNAPSHOT
- Add Role.CLAUDE_ACCESS to all applicable auth.handle() calls across
  13 service files and GetClientSideKeypairsBySite annotation
- Reveal endpoints (GET /api/client/reveal, GET /api/operator/reveal)
  explicitly excluded; enclave/add and service/add also excluded

CLAUDE_ACCESS is a strict subset of MAINTAINER: every endpoint it can
reach, MAINTAINER can also reach.

Refs: UID2-7271

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sophia-chen-ttd force-pushed the sch-UID2-7271-claude-access-role branch from 43fcf28 to b63e56f on June 11, 2026 05:31
sophia-chen-ttd and others added 5 commits June 11, 2026 16:33
Remove Role.CLAUDE_ACCESS from all add POST endpoints
(client/add, client_side_keypairs/add, key/add, operator/add,
service_link/add, site/add). CLAUDE_ACCESS is now read-only.

Refs: UID2-7271

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…m.xml

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Missed in the read-only restriction pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…GetClientSideKeypairsBySite

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>