From ee70db6fc9cb22918240df88f966399a9947f537 Mon Sep 17 00:00:00 2001
From: Ben Moskovitz
Date: Wed, 2 Oct 2024 10:33:21 +1000
Subject: [PATCH 1/2] Strip whitespace on optional claim names

This allows users to use: buildkite-agent oidc request-token --claim 'this, that, the-other' where previously, even if `that` and `the-other` were allowed optional claims, they'd be rejected, as they'd be sent to buildkite with their preceeding whitespace
---
 clicommand/oidc_request_token.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/clicommand/oidc_request_token.go b/clicommand/oidc_request_token.go
index aa5e1ab106..3c7d7e4a24 100644
--- a/clicommand/oidc_request_token.go
+++ b/clicommand/oidc_request_token.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "net/http"
+ "strings"
 "time"
 "github.com/buildkite/agent/v3/api"
@@ -110,6 +111,10 @@ var OIDCRequestTokenCommand = cli.Command{
 return fmt.Errorf("lifetime %d must be a non-negative integer.", cfg.Lifetime)
 }
+ for i, claim := range cfg.Claims {
+ cfg.Claims[i] = strings.TrimSpace(claim)
+ }
+
 // Create the API client
 client := api.NewClient(l, loadAPIClientConfig(cfg, "AgentAccessToken"))
From fe814e27b7b0130e7878030627db780a063462f5 Mon Sep 17 00:00:00 2001
From: Ben Moskovitz
Date: Wed, 2 Oct 2024 13:20:23 +1000
Subject: [PATCH 2/2] Ensure all string slice args get whitespace cleaned

---
 clicommand/oidc_request_token.go | 5 -----
 cliconfig/loader.go | 2 ++
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/clicommand/oidc_request_token.go b/clicommand/oidc_request_token.go
index 3c7d7e4a24..aa5e1ab106 100644
--- a/clicommand/oidc_request_token.go
+++ b/clicommand/oidc_request_token.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "net/http"
- "strings"
 "time"
 "github.com/buildkite/agent/v3/api"
@@ -111,10 +110,6 @@ var OIDCRequestTokenCommand = cli.Command{
 return fmt.Errorf("lifetime %d must be a non-negative integer.", cfg.Lifetime)
 }
- for i, claim := range cfg.Claims {
- cfg.Claims[i] = strings.TrimSpace(claim)
- }
-
 // Create the API client
 client := api.NewClient(l, loadAPIClientConfig(cfg, "AgentAccessToken"))
diff --git a/cliconfig/loader.go b/cliconfig/loader.go
index 1f5b47e5e7..fb8f660324 100644
--- a/cliconfig/loader.go
+++ b/cliconfig/loader.go
@@ -421,6 +421,8 @@ func (l Loader) normalizeField(fieldName string, normalization string) error {
 continue
 }
+ normalized = strings.TrimSpace(normalized)
+
 normalizedSlice = append(normalizedSlice, normalized)
 }
 }
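Review bot: In `normalizeField`, the new `strings.TrimSpace` runs after the `continue` guard visible just above it, so if that guard is the empty-element skip (its condition is outside the hunk), a whitespace-only element such as the middle one in `--claim 'a, ,b'` would pass the guard and then be appended as `""`. Trimming before the guard, or re-checking with `if normalized = strings.TrimSpace(normalized); normalized == "" { continue }`, would keep empty names out of the list that is later sent in the OIDC token request. The trim now applies to every string-slice option the loader normalizes, not only `--claim`, so a comment such as `// Trim each element so "a, b" and "a,b" load identically; applies to all []string fields.` and a loader test with padded and whitespace-only values would make that scope explicit. The function body starts and ends outside the hunk.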