Allow the OIDC issuer verification to be skipped if desired. #467
Conversation
How does this change relate to #458 (comment)? There's a mention here that the OIDC issuer can be used with Azure without modification; is this a different Azure API?
Just to clarify, I originally used the same URL for OIDC that I saw being used for So, technically the original URL for
The "multi-tenant" endpoint, i.e. the ones that end with either
@chkohner Thanks for linking there. I can see we will need this if we want to support multi-tenant. I need to re-review before we proceed any further though; I'll try to review this by Monday. If I haven't, poke me.
LGTM, will need an entry in the changelog before it can be merged though, thanks @chkohner
Thanks @chkohner, LGTM
LGTM
Currently, if the issuer URL differs from the one specified in the config (and indeed, used for discovery), the process will exit with an error. This is expected behavior, and the default. However, some providers, namely Azure AADv2, do not correctly report their issuer.
For example, the issuer URL:
https://login.microsoftonline.com/organizations/v2.0
will incorrectly return https://login.microsoftonline.com/{tenantid}/v2.0
which, while close, isn't a match, so the verification fails. This flag allows you to explicitly disable that check.
This idea originally came from #308; however, that solution was incomplete because it didn't handle the NewProvider() call, which does issuer verification.
How Has This Been Tested?
Tested in Windows, Go 1.14, vs Microsoft Identity platform (Azure AADv2 OIDC).
Checklist:
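The mismatch the PR description is about, as an added example that is not code from this PR, from oauth2-proxy or from go-oidc. `Discover`, `NewAzureLikeProvider` and the `skipIssuerCheck` parameter are hypothetical names; the test server is a constructed stand-in that answers discovery on the `/organizations/v2.0` path with a `{tenantid}` issuer, imitating what the description says the Azure AADv2 multi-tenant endpoint returns. Only the standard library is used, so it runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Discovery is the subset of the OpenID Connect discovery document that the
// issuer check needs.
type Discovery struct {
	Issuer  string `json:"issuer"`
	JWKSURL string `json:"jwks_uri"`
}

// ErrIssuerMismatch is returned when the provider reports an issuer that
// differs from the URL that was used for discovery.
var ErrIssuerMismatch = errors.New("oidc: issuer did not match the issuer returned by provider")

// Discover fetches <issuerURL>/.well-known/openid-configuration and, unless
// skipIssuerCheck is set, requires the document's "issuer" to equal issuerURL
// exactly, which is the strict behaviour the description calls the default.
// Hypothetical helper, not the project's own code.
func Discover(client *http.Client, issuerURL string, skipIssuerCheck bool) (*Discovery, error) {
	wellKnown := strings.TrimSuffix(issuerURL, "/") + "/.well-known/openid-configuration"
	resp, err := client.Get(wellKnown)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("oidc: discovery returned %s", resp.Status)
	}
	var doc Discovery
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return nil, fmt.Errorf("oidc: decoding discovery document: %w", err)
	}
	if doc.Issuer == "" || doc.JWKSURL == "" {
		return nil, errors.New("oidc: discovery document missing issuer or jwks_uri")
	}
	if !skipIssuerCheck && doc.Issuer != issuerURL {
		return nil, fmt.Errorf("%w: configured %q, provider returned %q", ErrIssuerMismatch, issuerURL, doc.Issuer)
	}
	return &doc, nil
}

// NewAzureLikeProvider starts a constructed test server that imitates the
// behaviour described in the PR: discovery under /organizations/v2.0 answers
// with a tenant-templated issuer rather than the URL that was queried.
// It is a stand-in for illustration, not Azure.
func NewAzureLikeProvider() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/organizations/v2.0/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		base := "http://" + r.Host
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Discovery{
			Issuer:  base + "/{tenantid}/v2.0",
			JWKSURL: base + "/organizations/discovery/v2.0/keys",
		})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewAzureLikeProvider()
	defer srv.Close()
	issuer := srv.URL + "/organizations/v2.0"

	// Default: strict comparison, fails exactly as the description says.
	if _, err := Discover(srv.Client(), issuer, false); err != nil {
		fmt.Println("default:", err)
	}
	// With the check skipped, discovery succeeds and the reported issuer is kept.
	doc, err := Discover(srv.Client(), issuer, true)
	if err != nil {
		fmt.Println("skip:", err)
		return
	}
	fmt.Println("skip: accepted issuer", doc.Issuer, "jwks", doc.JWKSURL)
}
```

The practitioner's caveat: skipping the discovery-time comparison also means the `iss` claim of incoming ID tokens is no longer pinned to the configured value, so whatever the verifier compares tokens against (and the audience or allowed-tenant restrictions around it) has to carry the trust that the exact-match check used to provide. That is why the description treats this as an explicit opt-in flag rather than a relaxation of the default.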