Using Token Metadata in Policy Template


First and foremost I’d like to thank the community for this wonderful secret service!

My Goal
I’m currently trying to work through a use-case in which I’m using Keycloak (and thus JWTs) to authenticate against different realms (multi-tenant). I configured my jwt backend to copy some claims to the metadata section, as I’d like to simply write a single policy which applies to all customers by using template variables which substitute a part of the resource path with metadata claim.

The Problem
However, I noticed I can only do this if I know the backend-id (since jwt metadata isn’t available in the identity metadata); however, since this is multi-tenant, and I’d like to prevent my provisioner to be able to create a policy for each tenant (as this could lead to my provisioner writing a policy which allows admin rights!

The solution?
But I also saw that , using /auth/token/lookup-self we see the metadata for my jwt, which looks as if there’s a way that I should be able to do this in my template as a substitution variable, without me actually having to know the auth backend. Not sure if anything like {{token.meta.claim}} exists or if anybody knows a workaround for this?

The hard alternative
If no such thing exists yet and there are no alternatives, I’m willing to give it a go by implementing it and posting a PR, but I’m not sure if this is allowed or if anybody see value in this use-case?

Kind regards,