Deprecate claim in the docs

Karakatiza666 · Karakatiza666 · commit 83ed093fb0c5 · 2025-11-17T12:06:02.000Z
Signed-off-by: Karakatiza666 &lt;bulakh.96@gmail.com&gt;
diff --git a/crates/pipeline-manager/src/auth.rs b/crates/pipeline-manager/src/auth.rs
@@ -563,6 +563,7 @@ struct OidcClaim {
     email: Option<String>,
 
     /// Tenant identifier for single-tenant deployments
+    /// TODO: Deprecated, remove when noone no longer uses it
     tenant: Option<String>,
 
     /// Tenant identifiers for multi-tenant access
@@ -641,6 +642,7 @@ struct AwsCognitoClaim {
     username: String,
 
     /// Tenant identifier for single-tenant deployments
+    /// TODO: Deprecated, remove when noone no longer uses it
     tenant: Option<String>,
 
     /// Tenant identifiers for multi-tenant access
diff --git a/docs.feldera.com/docs/get-started/enterprise/authentication/index.mdx b/docs.feldera.com/docs/get-started/enterprise/authentication/index.mdx
@@ -38,15 +38,12 @@ Users from the same organization share a tenant, derived from the issuer hostnam
 
 ### Managed Tenancy
 
-Multiple teams can use the same Feldera instance with complete tenant isolation. Each team's users should be assigned to corresponding tenant(s) with the proper configuration of a dynamic tenant claim in the OIDC Access token. The managed tenant claims are always respected if issued.
+Multiple teams can use the same Feldera instance with complete tenant isolation. Each team's users should be assigned to corresponding tenant(s) with the proper configuration of the dynamic `tenants` claim in the OIDC Access token.
 
-The supported, mutually exclusive claims are:
+The `tenants` claim authorizes the user to access any of the specified tenants. It is always respected if issued.
+`tenants` can contain either a list, or a string of comma-separated tenant names.
 
-   - `tenant` - authorizes the user to access a single tenant
-   - `tenants` - authorizes the user to access any of the tenants in a list.
-   `tenants` can contain either a list, or a string of comma-separated tenant names.
-
-The user can only interact with the API through a single tenant at a time. When using `tenants` claim, in Web Console the user can switch between the tenants they are authorized for.
+The user can only interact with the API through a single tenant at a time. When the user is authorized to multiple tenants, in Web Console they can switch between the current tenant.
 For HTTP API use, the current tenant name is specified in the `Feldera-Tenant` header.
 
 ## Tenant Assignment use cases
@@ -147,7 +144,7 @@ pipeline-manager ... --auth-provider=generic-oidc --authorized-groups=feldera_en
 
 ### Shared access within a user group (managed tenancy)
 
-Tenant assignment via `tenant` or `tenants` claims in JWT configured in your OIDC provider.
+Tenant assignment via `tenants` claim in JWT configured in your OIDC provider.
 
 **Helm Configuration:**
 ```yaml
@@ -196,16 +193,6 @@ Direct pipeline-manager configuration:
 pipeline-manager ... --auth-provider=generic-oidc --individual-tenant=true --authorized-groups=feldera_engineering,feldera_qa
 ```
 
-## Tenant Resolution Priority
-
-Feldera resolves tenant assignment using the following priority order:
-
-1. **`tenant` claim** - Explicit tenant assignment via OIDC provider
-2. **Issuer domain `iss` claim** (when `--issuer-tenant=true`)
-3. **User `sub` claim** (when `--individual-tenant=true`)
-
-If no valid tenant is found and `--individual-tenant=false` the user will be denied authorization.
-
 ## Configuration options
 
 ### Mapping Pipeline Manager Options to Helm Chart Values
@@ -281,6 +268,16 @@ AWS_COGNITO_LOGIN_URL=https://...
 AWS_COGNITO_LOGOUT_URL=https://...
 ```
 
+## Tenant Resolution Priority
+
+Feldera resolves tenant assignment using the following priority order:
+
+1. **`tenants` claim** - Explicit tenant assignment via OIDC provider
+2. **Issuer domain `iss` claim** (when `--issuer-tenant=true`)
+3. **User `sub` claim** (when `--individual-tenant=true`)
+
+If no valid tenant is found and `--individual-tenant=false` the user will be denied authorization.
+
 ## Provider-Specific Setup
 
 Feldera supports the following authentication providers:
diff --git a/docs.feldera.com/docs/get-started/enterprise/authentication/okta-sso.md b/docs.feldera.com/docs/get-started/enterprise/authentication/okta-sso.md
@@ -84,23 +84,21 @@ You can take advantage of the supported authorization models by properly configu
 
 Feldera supports multiple authorization use-cases through [managed tenancy](index.mdx#Managed%20Tenancy). You can choose between the supported tenant claims to implement the appropriate authorization scenario. Navigate to the **Claims** tab in the Custom Authorization Server to configure one of:
 
-### `tenant` claim
+### `tenants` claim
 
-Example configuration for the `tenant` claim that uses a randomly selected user group name prefixed with "feldera_" as the tenant name:
+Example configuration for the `tenants` claim that assigns a single (randomly selected) user group name prefixed with "feldera_" as the tenant name:
 
-   - **Name**: `tenant`
+   - **Name**: `tenants`
    - **Include in token type**: `Access Token`
    - **Value type**: `Expression`
-   - **Value**: `user.getGroups({"group.profile.name": "feldera_", "operator": "STARTS_WITH"})[0].name`
+   - **Value**: `{user.getGroups({"group.profile.name": "feldera_", "operator": "STARTS_WITH"})[0].name}`
    - **Include in**: `Any scope`
 
-When using this claim, each user should only have one user group assigned that satisfies the condition in the expression value.
-
-### `tenants` claim
+In the above example each user should only have one user group assigned to them that satisfies the condition in the expression value.
 
 Example configuration for the `tenants` claim that uses all user groups prefixed with "feldera_" as the list of tenants:
 
-   - **Name**: `tenant`
+   - **Name**: `tenants`
    - **Include in token type**: `Access Token`
    - **Value type**: `Expression`
    - **Value**: `user.getGroups({"group.profile.name": "feldera_", "operator": "STARTS_WITH"}).![name]`
@@ -117,33 +115,20 @@ Example configuration for the `groups` claim that communicates all groups that t
    - **Value**: Select appropriate group filter or use all-inclusive regex `.*`
    - **Include in**: `Any scope`
 
-Consult [the relevant documentation](index.mdx#) for the corresponding Feldera configuration.
-
 ## Configure Feldera
 
-### Helm Chart Configuration
+Consult the documentation for [configuring the authentication](index.mdx#Configuration%20options) and [examples for common use-cases](index.mdx#Tenant%20Assignment%20use%20cases) to configure Feldera to authorize users properly.
 
-Configure your Feldera Helm chart (`values.yaml`) with Okta settings:
+One example of the Feldera Helm chart configuration for managed tenancy with Okta:
 
 ```yaml
 auth:
   enabled: true
   provider: "okta"
-  clientId: "<your-client-id>"
-  issuer: "https://<your-okta-domain>/oauth2/<custom-auth-server-id>"
-
-# Tenant assignment strategy
-pipelineManager:
-  extraArgs:
-    - "--auth-provider=generic-oidc"
-    - "--issuer-tenant=true"        # Enable organization tenancy
-    - "--individual-tenant=false"   # Disable individual tenancy
-```
-
-Replace the placeholders:
+  clientId: "0oa1a2b3c4d5e6f7g8h9"
+  issuer: "https://dev-12345.okta.com/oauth2/aus1a2b3c4d5e6f7g8h9"
 
-| Placeholder | Description | Example |
-|------------|-------------|---------|
-| `<your-okta-domain>` | Your Okta organization domain | `dev-12345.okta.com` |
-| `<your-client-id>` | Application client ID from Okta | `0oa1a2b3c4d5e6f7g8h9` |
-| `<auth-server-id>` | Custom authorization server ID (optional) | `aus1a2b3c4d5e6f7g8h9` |
+authorization:
+  individualTenant: false
+  authAudience: "0oa1a2b3c4d5e6f7g8h9"
+```
