ExtJwtClient: Use user namespace for k8s allowed namespace (#93687)

* ExtJwtClient: Use user namespace for k8s allowed namespace

* fix test

pkg/services/authn/clients/ext_jwt.go

@@ -127,13 +127,6 @@ func (s *ExtendedJWT) authenticateAsUser(
 		return nil, errExtJWTInvalidSubject.Errorf("unexpected identity: %s", idTokenClaims.Subject)
 	}
 
-	// For use in service layer, allow higher privilege
-	namespace := accessTokenClaims.Rest.Namespace
-	if len(s.cfg.StackID) > 0 {
-		// For single-tenant cloud use, choose the lower of the two (id token will always have the specific namespace)
-		namespace = idTokenClaims.Rest.Namespace
-	}
-
 	return &authn.Identity{
 		ID:                id,
 		Type:              t,
@@ -142,7 +135,7 @@ func (s *ExtendedJWT) authenticateAsUser(
 		IDTokenClaims:     &idTokenClaims,
 		AuthenticatedBy:   login.ExtendedJWTModule,
 		AuthID:            accessTokenClaims.Subject,
-		Namespace:         namespace,
+		Namespace:         idTokenClaims.Rest.Namespace,
 		ClientParams: authn.ClientParams{
 			SyncPermissions: true,
 			FetchPermissionsParams: authn.FetchPermissionsParams{

pkg/services/authn/clients/ext_jwt_test.go

@@ -283,7 +283,7 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 			},
 		},
 		{
-			name:        "should authenticate as user using wildcard namespace for access token",
+			name:        "should authenticate as user in the user namespace",
 			accessToken: &validAccessTokenClaimsWildcard,
 			idToken:     &validIDTokenClaims,
 			orgID:       1,
@@ -293,7 +293,7 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 				OrgID:             1,
 				AccessTokenClaims: &validAccessTokenClaimsWildcard,
 				IDTokenClaims:     &validIDTokenClaims,
-				Namespace:         "*",
+				Namespace:         "default",
 				AuthenticatedBy:   "extendedjwt",
 				AuthID:            "access-policy:this-uid",
 				ClientParams: authn.ClientParams{