feat: Enable global disabling of verifying client id against aud on jwt

philipgough · philipgough · commit 7445c95a707f · 2025-10-31T11:36:44.000Z
diff --git a/README.md b/README.md
@@ -151,6 +151,8 @@ Usage of ./observatorium-api:
     	The gRPC Server Address against which to run rate limit checks when the rate limits are specified for a given tenant. If not specified, local, non-shared rate limiting will be used. Has precedence over other rate limiter options.
   -middleware.rate-limiter.type string
     	The type of rate limiter to use when not using a gRPC rate limiter. Options: 'local' (default), 'redis' (leaky bucket algorithm). (default "local")
+  -oidc.skip-client-id-check
+    	Skip checking audience field against client ID on tokens.
   -probes.dial-timeout duration
     	The timeout for establishing connections to the probes upstream. (default 30s)
   -probes.endpoint string
diff --git a/authentication/oidc.go b/authentication/oidc.go
@@ -33,6 +33,7 @@ import (
 
 // OIDCAuthenticatorType represents the oidc authentication provider type.
 const OIDCAuthenticatorType = "oidc"
+const SkipClientIDCheckConfigKey = "skipClientIDCheck"
 
 func init() {
 	onboardNewProvider(OIDCAuthenticatorType, newOIDCAuthenticator)
@@ -144,7 +145,13 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 		Scopes:       []string{"openid", "profile", "email", "groups"},
 	}
 
-	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID})
+	var skipIDResult bool
+	skipClientIDCheck := c[SkipClientIDCheckConfigKey]
+	if skipClientIDCheckBool, ok := skipClientIDCheck.(bool); ok {
+		skipIDResult = skipClientIDCheckBool
+	}
+
+	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID, SkipClientIDCheck: skipIDResult})
 
 	oidcProvider := &oidcAuthenticator{
 		tenant:       tenant,
diff --git a/main.go b/main.go
@@ -97,6 +97,7 @@ type config struct {
 	rbacConfigPath    string
 	tenantsConfigPath string
 
+	auth            authConfig
 	debug           debugConfig
 	server          serverConfig
 	tls             tlsConfig
@@ -108,6 +109,10 @@ type config struct {
 	internalTracing internalTracingConfig
 }
 
+type authConfig struct {
+	skipClientIDCheck bool
+}
+
 type debugConfig struct {
 	mutexProfileFraction int
 	blockProfileRate     int
@@ -360,8 +365,10 @@ func main() {
 					tenantsCfg.Tenants[i] = nil
 					continue
 				}
-
 				t.OIDC.config = oidcConfig
+				if cfg.auth.skipClientIDCheck {
+					t.OIDC.config[authentication.SkipClientIDCheckConfigKey] = true
+				}
 			}
 
 			if t.MTLS != nil {
@@ -1136,6 +1143,7 @@ func parseFlags() (config, error) {
 		"The log filtering level. Options: 'error', 'warn', 'info', 'debug'.")
 	flag.StringVar(&cfg.logFormat, "log.format", logger.LogFormatLogfmt,
 		"The log format to use. Options: 'logfmt', 'json'.")
+	flag.BoolVar(&cfg.auth.skipClientIDCheck, "oidc.skip-client-id-check", false, "Skip checking audience field against client ID on tokens.")
 	flag.StringVar(&cfg.internalTracing.serviceName, "internal.tracing.service-name", "observatorium_api",
 		"The service name to report to the tracing backend.")
 	flag.StringVar(&cfg.internalTracing.endpoint, "internal.tracing.otlp-http-endpoint", "",
