VAULT-42859: surface authorization_details from inbound JWT into logical.Auth (#12750) (#12919)

Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

sdk/logical/auth.go

@@ -124,6 +124,13 @@ type Auth struct {
 	// HTTPRequestPriority contains potential information about the request
 	// priority based on required path capabilities
 	HTTPRequestPriority *uint8 `json:"http_request_priority"`
+
+	// AuthorizationDetails holds fine-grained authorization constraints for the request.
+	// Each element is a JSON object with at minimum a "type" field.
+	// It is nil when the token does not carry authorization details.
+	// It is not included in plugin RPC serialization because it is only needed at request-routing
+	// time and not during plugin Renew or Revoke operations.
+	AuthorizationDetails []AuthorizationDetail `json:"authorization_details,omitempty"`
 }
 
 func (a *Auth) GoString() string {

vault/request_handling.go

@@ -587,6 +587,8 @@ func (c *Core) CheckToken(ctx context.Context, req *logical.Request, unauth bool
 		auth.ActorEntityID = req.Auth.ActorEntityID
 		auth.ActorEntityName = req.Auth.ActorEntityName
 	}
+	// Copy authorization details from the request to auth so plugins can access them.
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
 
 	twoStepRecover := req.Operation == logical.RecoverOperation && req.RecoverSourcePath != "" && req.RecoverSourcePath != req.Path
 	var alternateRecoverCapability *logical.Operation

vault/request_handling_test.go

@@ -641,3 +641,37 @@ func TestRequestHandling_fetchACLTokenEntryAndEntity_NilRequest(t *testing.T) {
 	require.Error(t, err)
 	require.Equal(t, ErrInternalError, err)
 }
+
+// TestAuth_AuthorizationDetails_CopiedFromRequest verifies that logical.Auth.AuthorizationDetails
+// matches the authorization details already carried on the request.
+func TestAuth_AuthorizationDetails_CopiedFromRequest(t *testing.T) {
+	t.Parallel()
+
+	details := []logical.AuthorizationDetail{
+		{"type": "account_information", "scope": "read"},
+		{"type": "payment_initiation", "amount": "100"},
+	}
+
+	auth := &logical.Auth{}
+	req := &logical.Request{
+		EnterpriseTokenAuthorizationDetails: details,
+	}
+
+	// Simulate the assignment performed in CheckToken.
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+
+	require.Equal(t, details, auth.AuthorizationDetails, "auth.AuthorizationDetails must equal req.EnterpriseTokenAuthorizationDetails")
+}
+
+// TestAuth_AuthorizationDetails_NilWhenAbsent verifies that auth.AuthorizationDetails is nil
+// when the request does not carry authorization details.
+func TestAuth_AuthorizationDetails_NilWhenAbsent(t *testing.T) {
+	t.Parallel()
+
+	auth := &logical.Auth{}
+	req := &logical.Request{}
+
+	auth.AuthorizationDetails = req.EnterpriseTokenAuthorizationDetails
+
+	require.Nil(t, auth.AuthorizationDetails)
+}