diff --git a/flyteadmin/auth/authzserver/claims_verifier.go b/flyteadmin/auth/authzserver/claims_verifier.go index c27ea06ee7..bdd24470a6 100644 --- a/flyteadmin/auth/authzserver/claims_verifier.go +++ b/flyteadmin/auth/authzserver/claims_verifier.go @@ -15,15 +15,17 @@ import ( func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}) (interfaces.IdentityContext, error) { claims := jwtx.ParseMapStringInterfaceClaims(claimsRaw) + audience := "" foundAudIndex := -1 for audIndex, aud := range claims.Audience { if expectedAudience.Has(aud) { foundAudIndex = audIndex + audience = aud break } } - if foundAudIndex < 0 { + if foundAudIndex < 0 && !expectedAudience.Has("*") { return nil, fmt.Errorf("invalid audience [%v], wanted [%v]", claims, expectedAudience) } @@ -71,5 +73,5 @@ func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{} scopes.Insert(auth.ScopeAll) } - return auth.NewIdentityContext(claims.Audience[foundAudIndex], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw) + return auth.NewIdentityContext(audience, claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw) } diff --git a/flyteadmin/auth/authzserver/claims_verifier_test.go b/flyteadmin/auth/authzserver/claims_verifier_test.go index 568b248ccd..9c727d44c4 100644 --- a/flyteadmin/auth/authzserver/claims_verifier_test.go +++ b/flyteadmin/auth/authzserver/claims_verifier_test.go @@ -13,6 +13,20 @@ func Test_verifyClaims(t *testing.T) { assert.Error(t, err) }) + t.Run("ExpectedAudience == '*' allows any aud", func(t *testing.T) { + identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{ + "aud": []string{"https://myserver"}, + }) + assert.NoError(t, err) + assert.Equal(t, "", identityCtx.Audience()) + }) + + t.Run("ExpectedAudience == '*' allows missing aud", func(t *testing.T) { + identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{}) + assert.NoError(t, err) + assert.Equal(t, "", identityCtx.Audience()) + }) + t.Run("All filled", func(t *testing.T) { identityCtx, err := verifyClaims(sets.NewString("https://myserver"), map[string]interface{}{ "aud": []string{"https://myserver"}, diff --git a/flyteadmin/auth/config/config.go b/flyteadmin/auth/config/config.go index f96c5cf0ae..db006d1985 100644 --- a/flyteadmin/auth/config/config.go +++ b/flyteadmin/auth/config/config.go @@ -192,7 +192,7 @@ type ExternalAuthorizationServer struct { // BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ // If not provided, the OpenID.BaseURL will be assumed instead. BaseURL config.URL `json:"baseUrl" pflag:",This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/"` - AllowedAudience []string `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service."` + AllowedAudience []string `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. '*' can be used to allow any audience or missing aud claim."` MetadataEndpointURL config.URL `json:"metadataUrl" pflag:",Optional: If the server doesn't support /.well-known/oauth-authorization-server, you can set a custom metadata url here.'"` // HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy HTTPProxyURL config.URL `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`