Allow for optional AZP validation in authentication_service (#2082)
* add config for disabling azp validation

* skip azp verify if configured that way
pitwegner authored Sep 16, 2024
1 parent 346eab8 commit 4ca1e53
Showing 2 changed files with 2 additions and 1 deletion.
Expand Up @@ -120,6 +120,7 @@ def config_from_env(variable_name: str, *, default: str | bool | int | None = No
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS")
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_IAT", default=True)
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF", default=True)
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP", default=True)
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)

# Open ID server
Expand Up @@ -328,7 +328,7 @@ def get_auth_token_object(self, code: str, authentication_identifier: str, redir
@classmethod
def is_valid_azp(cls, authentication_identifier: str, azp: str | None) -> bool:
# not all open id token include an azp so only check if present
if azp is None:
if azp is None or not current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP"]:
return True

valid_client_ids = [cls.client_id(authentication_identifier)]
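Review bot: When `SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP` is false, the guard in `is_valid_azp` returns True for every token, including one whose `azp` names a different client, yet the comment above it still describes only the missing-claim case and nothing records that the check was skipped. I would reword the comment to `# azp is optional, so a missing claim passes; the check is also skipped entirely when SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP is false` and, in a separate branch for a present claim with the flag off, log it with `current_app.logger.warning("azp validation disabled by config; not checking azp=%s", azp)`. With the flag off, rejecting tokens issued to other clients of the same identity provider presumably rests on the audience check, which is not visible in this hunk, so the setting's documentation should state that dependency. The method body continues past the end of the hunk.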