I think that prj and org are also appropriate to add. As far as I can tell, proj is not included anywhere in current claims. And repo != project. Similarly it's nice to be able to get org without needing to deconstruct the sub claim.

Hi @colemickens, Thanks again for pushing this forward.

A couple of thoughts on the proposed org and proj claims:

• proj - We already include prj_id, which uniquely identifies the project (ref). Adding a separate proj (project name) claim would duplicate this information.

• org - The organization context is already present in the iss and aud claims , e.g., https://<organization-name>.semaphoreci.com (ref). While this isn't a clean organization name, it still conveys the organization identity. A standalone org claim would duplicate that context.

In general, we aim to keep tokens lean and avoid adding claims that duplicate existing data.

Do you have a specific use case in mind where these additional claims would provide value that the current ones cannot?

@dexyk Thanks for the response!

For the org name, that's fine, but not 100% ideal.

For the prj, I have some counter-thoughts:

1. You provide the repo name in the sub claim (albeit without a corresponding ID)
2. But, repo is non-unique and doesn't really identify the identity of the project/workflow.
3. We need to be able to derive/infer a project name on our side.

Without this, we will have to do something like use repo which would be quite incorrect in some scenarios I can easily imagine, and will cause further headaches for customers if they ever have multiple semaphore projects with the same repo in them.

Please note, GitHub and GitLab both offer both forms of these claims - their human readable (and mutable) names, as well as their immutable ids.

Additionally, I'm looking forward to BuildKite and they have quite an interesting offer in contrast, providing all of the claims I could hope for, then some, then with customization ability on top: https://buildkite.com/docs/agent/v3/cli-oidc