feature: add ability to match any audience via '*'
Signed-off-by: Tyler van Hensbergen <tvanhens@gmail.com>
tvanhens committed Jan 1, 2025
1 parent 61838b4 commit 21f5458
Showing 3 changed files with 19 additions and 3 deletions.
6 changes: 4 additions & 2 deletions flyteadmin/auth/authzserver/claims_verifier.go
Expand Up @@ -15,15 +15,17 @@ import (
func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}) (interfaces.IdentityContext, error) {
claims := jwtx.ParseMapStringInterfaceClaims(claimsRaw)

audience := ""
foundAudIndex := -1
for audIndex, aud := range claims.Audience {
if expectedAudience.Has(aud) {
foundAudIndex = audIndex
audience = aud
break
}
}

if foundAudIndex < 0 {
if foundAudIndex < 0 && !expectedAudience.Has("*") {
return nil, fmt.Errorf("invalid audience [%v], wanted [%v]", claims, expectedAudience)
}

Expand Down Expand Up @@ -71,5 +73,5 @@ func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}
scopes.Insert(auth.ScopeAll)
}

return auth.NewIdentityContext(claims.Audience[foundAudIndex], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw)
return auth.NewIdentityContext(audience, claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw)
}
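Review bot: When `*` is in expectedAudience and the loop finds no exact match, `audience` stays "" and that empty string is what reaches auth.NewIdentityContext on line 41, so the returned IdentityContext no longer records which audience the token was actually issued for even when an `aud` claim was present; the new test at line 54 pins this. If that is intended, state it on verifyClaims, e.g. `// A "*" entry in expectedAudience disables audience validation: a token minted for any other audience (still subject to whatever issuer/signature checks run before this point) is accepted, and Audience() on the result is "" unless an exact match was found.` Otherwise consider falling back to the token's own value after the wildcard check, `if foundAudIndex < 0 && len(claims.Audience) > 0 { audience = claims.Audience[0] }`, so audit logs and downstream authorization still see it. The lines between the two hunks, the rest of verifyClaims's body, are outside view.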
14 changes: 14 additions & 0 deletions flyteadmin/auth/authzserver/claims_verifier_test.go
Expand Up @@ -13,6 +13,20 @@ func Test_verifyClaims(t *testing.T) {
assert.Error(t, err)
})

t.Run("ExpectedAudience == '*' allows any aud", func(t *testing.T) {
identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{
"aud": []string{"https://myserver"},
})
assert.NoError(t, err)
assert.Equal(t, "", identityCtx.Audience())
})

t.Run("ExpectedAudience == '*' allows missing aud", func(t *testing.T) {
identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{})
assert.NoError(t, err)
assert.Equal(t, "", identityCtx.Audience())
})

t.Run("All filled", func(t *testing.T) {
identityCtx, err := verifyClaims(sets.NewString("https://myserver"), map[string]interface{}{
"aud": []string{"https://myserver"},
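Review bot: Both new subtests exercise only the wildcard-without-match path, so nothing verifies that an exact match still wins when `*` is configured alongside a concrete audience. A third case with `sets.NewString("*", "https://myserver")` and `"aud": []string{"https://myserver"}` asserting `assert.Equal(t, "https://myserver", identityCtx.Audience())` would pin that the wildcard does not short-circuit the matching loop and that Audience() is populated whenever a match exists. Test_verifyClaims continues outside the hunk.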
2 changes: 1 addition & 1 deletion flyteadmin/auth/config/config.go
Expand Up @@ -192,7 +192,7 @@ type ExternalAuthorizationServer struct {
// BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/
// If not provided, the OpenID.BaseURL will be assumed instead.
BaseURL config.URL `json:"baseUrl" pflag:",This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/"`
AllowedAudience []string `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service."`
AllowedAudience []string `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. '*' can be used to allow any audience or missing aud claim."`
MetadataEndpointURL config.URL `json:"metadataUrl" pflag:",Optional: If the server doesn't support /.well-known/oauth-authorization-server, you can set a custom metadata url here.'"`
// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`
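Review bot: The new pflag text on line 74 says what `*` does but not what it gives up: with the wildcard set, verifyClaims in this commit no longer checks that a token was issued for this service, so an operator reading only the flag help may not realise the setting widens which tokens are accepted. Suggest extending the help text with `Setting '*' disables audience validation entirely; list the concrete audiences where possible.` The ExternalAuthorizationServer struct starts and ends outside the hunk.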
