auth: Support Issuers without Login Endpoints

Some issuers don't have all the provider metadata, that is required by the OpenID Connect Discovery specification. For example GitHub Actions doesn't have the `authorization_endpoint`. To validate a token, this endpoint is not necessary, so only require it for login, but not for validation.
holesch · Aug 10, 2024 · 4696c94 · 4696c94
1 parent e2cbf62
commit 4696c94
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/not_my_board/_auth/_openid.py b/not_my_board/_auth/_openid.py
@@ -12,10 +12,8 @@
 
 
 @dataclasses.dataclass
-class IdentityProvider:
+class IdentityProviderMinimal:
     issuer: str
-    authorization_endpoint: str
-    token_endpoint: str
     jwks_uri: str
 
     @classmethod
@@ -31,6 +29,12 @@ async def from_url(cls, issuer_url, http_client, cache=None):
         return cls(**init_args)
 
 
+@dataclasses.dataclass
+class IdentityProvider(IdentityProviderMinimal):
+    authorization_endpoint: str
+    token_endpoint: str
+
+
 @dataclasses.dataclass
 class AuthRequest:
     client_id: str
@@ -172,7 +176,7 @@ async def extract_claims(self, id_token, leeway=0):
         else:
             idp_cache = jwk_cache = None
 
-        identity_provider = await IdentityProvider.from_url(
+        identity_provider = await IdentityProviderMinimal.from_url(
             issuer, self._http, idp_cache
         )
         jwk_set_raw = await self._http.get_json(identity_provider.jwks_uri, jwk_cache)