-
Notifications
You must be signed in to change notification settings - Fork 680
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: add ability to match any audience via '*' #6132
base: master
Are you sure you want to change the base?
Conversation
Thank you for opening this pull request! 🙌 These tips will help get your PR across the finish line:
|
Code Review Agent Run #a55e46Actionable Suggestions - 0Review Details
|
Signed-off-by: Tyler van Hensbergen <[email protected]>
Changelist by BitoThis pull request implements the following key changes.
|
Code Review Agent Run #34b05eActionable Suggestions - 1
Review Details
|
break | ||
} | ||
} | ||
|
||
if foundAudIndex < 0 { | ||
if foundAudIndex < 0 && !expectedAudience.Has("*") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider checking for empty audience list before checking for wildcard match. If claims.Audience
is empty and expectedAudience
has *
, we may want to allow that case.
Code suggestion
Check the AI-generated fix before applying
if foundAudIndex < 0 && !expectedAudience.Has("*") { | |
if foundAudIndex < 0 { | |
if len(claims.Audience) == 0 && expectedAudience.Has("*") { | |
return auth.NewIdentityContext("", claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw) | |
} else if !expectedAudience.Has("*") { |
Code Review Run #34b05e
Is this a valid issue, or was it incorrectly flagged by the Agent?
- it was incorrectly flagged
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This case is covered and there is a test demonstrating this behavior.
Why are the changes needed?
This change unblocks using Amazon Cognito as an external auth provider.
Amazon Cognito does not include the
aud
claim in access tokens as it optional in the spec. It is possible to add an audience for user-flow tokens via a pre-token-generation lambda., however, machine-to-machine tokens generated with theclient_credentials
flow do not trigger the pre-token-generation lambda. This change allows operators to opt into making the audience claim optional by specifying*
for theallowedAudience
configuration.What changes were proposed in this pull request?
The ability to specify
*
forallowedAudience
to allow anyaud
claim or missingaud
claim.How was this patch tested?
Unit tests in
claims_verifier_test.go
Summary by Bito
Implementation of wildcard audience matching in authentication system, enabling '*' as a valid audience configuration. The changes enhance claims verification to support any audience claim or missing audience when '*' is configured. This update facilitates Amazon Cognito integration and includes configuration documentation updates.Unit tests added: False
Estimated effort to review (1-5, lower is better): 1