From 7445c95a707f10706d9fe2d36bf76411fa6bb1c7 Mon Sep 17 00:00:00 2001
From: Philip Gough
Date: Fri, 31 Oct 2025 11:14:41 +0000
Subject: [PATCH] feat: Enable global disabling of verifying client id against aud on jwt

---
 README.md              | 2 ++
 authentication/oidc.go | 9 ++++++++-
 main.go                | 10 +++++++++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8e32b351f..e811bcd74 100644
--- a/README.md
+++ b/README.md
@@ -151,6 +151,8 @@ Usage of ./observatorium-api:
        The gRPC Server Address against which to run rate limit checks when the rate limits are specified for a given tenant. If not specified, local, non-shared rate limiting will be used. Has precedence over other rate limiter options.
   -middleware.rate-limiter.type string
        The type of rate limiter to use when not using a gRPC rate limiter. Options: 'local' (default), 'redis' (leaky bucket algorithm). (default "local")
+  -oidc.skip-client-id-check
+       Skip checking audience field against client ID on tokens.
   -probes.dial-timeout duration
        The timeout for establishing connections to the probes upstream. (default 30s)
   -probes.endpoint string
diff --git a/authentication/oidc.go b/authentication/oidc.go
index 60d88fa45..1ff4e93d6 100644
--- a/authentication/oidc.go
+++ b/authentication/oidc.go
@@ -33,6 +33,7 @@ import (
 // OIDCAuthenticatorType represents the oidc authentication provider type.
 const OIDCAuthenticatorType = "oidc"
+const SkipClientIDCheckConfigKey = "skipClientIDCheck"
 
 func init() {
 	onboardNewProvider(OIDCAuthenticatorType, newOIDCAuthenticator)
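Review bot: The new exported constant `SkipClientIDCheckConfigKey` has no doc comment, while its neighbour `OIDCAuthenticatorType` does, and since this key switches off audience verification for a tenant it deserves a sentence saying exactly that. Suggest `// SkipClientIDCheckConfigKey is the tenant OIDC config key that, when set to true, disables verification of the token's aud claim against the tenant's client ID.` placed directly above the const. Nothing else in this hunk needs changing.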
@@ -144,7 +145,13 @@ func newOIDCAuthenticator(c map[string]interface{}, tenant string,
 		Scopes: []string{"openid", "profile", "email", "groups"},
 	}
 
-	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID})
+	var skipIDResult bool
+	skipClientIDCheck := c[SkipClientIDCheckConfigKey]
+	if skipClientIDCheckBool, ok := skipClientIDCheck.(bool); ok {
+		skipIDResult = skipClientIDCheckBool
+	}
+
+	verifier := provider.Verifier(&oidc.Config{ClientID: config.ClientID, SkipClientIDCheck: skipIDResult})
 
 	oidcProvider := &oidcAuthenticator{
 		tenant: tenant,
diff --git a/main.go b/main.go
index 33111f606..8fdecec94 100644
--- a/main.go
+++ b/main.go
@@ -97,6 +97,7 @@ type config struct {
 	rbacConfigPath    string
 	tenantsConfigPath string
 
+	auth            authConfig
 	debug           debugConfig
 	server          serverConfig
 	tls             tlsConfig
@@ -108,6 +109,10 @@ type config struct {
 	internalTracing internalTracingConfig
 }
 
+type authConfig struct {
+	skipClientIDCheck bool
+}
+
 type debugConfig struct {
 	mutexProfileFraction int
 	blockProfileRate     int
@@ -360,8 +365,10 @@ func main() {
 				tenantsCfg.Tenants[i] = nil
 				continue
 			}
-
 			t.OIDC.config = oidcConfig
+			if cfg.auth.skipClientIDCheck {
+				t.OIDC.config[authentication.SkipClientIDCheckConfigKey] = true
+			}
 		}
 
 		if t.MTLS != nil {
@@ -1136,6 +1143,7 @@ func parseFlags() (config, error) {
 		"The log filtering level. Options: 'error', 'warn', 'info', 'debug'.")
 	flag.StringVar(&cfg.logFormat, "log.format", logger.LogFormatLogfmt,
 		"The log format to use. Options: 'logfmt', 'json'.")
+	flag.BoolVar(&cfg.auth.skipClientIDCheck, "oidc.skip-client-id-check", false, "Skip checking audience field against client ID on tokens.")
 	flag.StringVar(&cfg.internalTracing.serviceName, "internal.tracing.service-name", "observatorium_api",
 		"The service name to report to the tracing backend.")
 	flag.StringVar(&cfg.internalTracing.endpoint, "internal.tracing.otlp-http-endpoint", "",
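Review bot: Passing `SkipClientIDCheck: skipIDResult` to the verifier means that, when the key is true, a token's `aud` is no longer required to contain `config.ClientID` (per go-oidc's Config documentation), so an ID token the same issuer minted for a different relying party is accepted by this tenant — a cross-service token reuse risk that the hunk enables without leaving any trace at runtime. At minimum the authenticator should emit a startup warning when `skipIDResult` is true, something like `level.Warn(logger).Log("msg", "OIDC audience check disabled; tokens issued for other clients of this issuer will be accepted", "tenant", tenant)`, assuming a logger is reachable from this function (its signature is truncated in the hunk header, so I cannot confirm), and the operator docs should say that group/RBAC claims are the only remaining binding. The silent fall-through when `c[SkipClientIDCheckConfigKey]` is not a `bool` is fail-closed, which is the right default, but a non-bool value (e.g. the string "true" from a YAML tenants file) should probably be logged rather than ignored so a misconfiguration is visible. newOIDCAuthenticator's body continues outside the hunk on both sides.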
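Review bot: The skip is applied to every OIDC tenant unconditionally — there is no per-tenant opt-out — and it is applied by writing into `t.OIDC.config` after `oidcConfig` has been assigned to it, so if `oidcConfig` is ever shared between tenants or re-read later the key would leak beyond the tenant being configured (I cannot confirm this from the hunk; `oidcConfig` is built outside it). Consider letting the tenants file carry `skipClientIDCheck` per tenant and treating the global flag as a default that does not override an explicit per-tenant value, i.e. guard the write with `if _, set := t.OIDC.config[authentication.SkipClientIDCheckConfigKey]; !set {`. main's body continues outside the hunk on both sides.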
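Review bot: The help text for `oidc.skip-client-id-check` describes the mechanism but not the consequence, and this is a security-relevant switch whose wording is copied verbatim into the README. Suggest `"Skip checking the token's audience (aud) against the tenant client ID. WARNING: applies to all OIDC tenants; tokens issued by the same issuer for any other client will be accepted. Only use when the IdP does not set aud to the client ID."`. parseFlags continues outside the hunk on both sides.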