feature: add ability to match any audience via '*'

flyteorg · Jan 1, 2025 · 724246c · 724246c
1 parent 61838b4
commit 724246c
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/flyteadmin/auth/authzserver/claims_verifier.go b/flyteadmin/auth/authzserver/claims_verifier.go
@@ -15,15 +15,17 @@ import (
 func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}) (interfaces.IdentityContext, error) {
 	claims := jwtx.ParseMapStringInterfaceClaims(claimsRaw)
 
+	audience := ""
 	foundAudIndex := -1
 	for audIndex, aud := range claims.Audience {
 		if expectedAudience.Has(aud) {
 			foundAudIndex = audIndex
+			audience = aud
 			break
 		}
 	}
 
-	if foundAudIndex < 0 {
+	if foundAudIndex < 0 && !expectedAudience.Has("*") {
 		return nil, fmt.Errorf("invalid audience [%v], wanted [%v]", claims, expectedAudience)
 	}
 
@@ -71,5 +73,5 @@ func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}
 		scopes.Insert(auth.ScopeAll)
 	}
 
-	return auth.NewIdentityContext(claims.Audience[foundAudIndex], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw)
+	return auth.NewIdentityContext(audience, claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw)
 }
diff --git a/flyteadmin/auth/authzserver/claims_verifier_test.go b/flyteadmin/auth/authzserver/claims_verifier_test.go
@@ -13,6 +13,20 @@ func Test_verifyClaims(t *testing.T) {
 		assert.Error(t, err)
 	})
 
+	t.Run("ExpectedAudience == '*' allows any aud", func(t *testing.T) {
+		identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{
+			"aud": []string{"https://myserver"},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, "", identityCtx.Audience())
+	})
+
+	t.Run("ExpectedAudience == '*' allows missing aud", func(t *testing.T) {
+		identityCtx, err := verifyClaims(sets.NewString("*"), map[string]interface{}{})
+		assert.NoError(t, err)
+		assert.Equal(t, "", identityCtx.Audience())
+	})
+
 	t.Run("All filled", func(t *testing.T) {
 		identityCtx, err := verifyClaims(sets.NewString("https://myserver"), map[string]interface{}{
 			"aud": []string{"https://myserver"},

diff --git a/flyteadmin/auth/config/config.go b/flyteadmin/auth/config/config.go
@@ -192,7 +192,7 @@ type ExternalAuthorizationServer struct {
 	// BaseURL should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/
 	// If not provided, the OpenID.BaseURL will be assumed instead.
 	BaseURL             config.URL `json:"baseUrl" pflag:",This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/"`
-	AllowedAudience     []string   `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service."`
+	AllowedAudience     []string   `json:"allowedAudience" pflag:",Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. '*' can be used to allow any audience or missing aud claim."`
 	MetadataEndpointURL config.URL `json:"metadataUrl" pflag:",Optional: If the server doesn't support /.well-known/oauth-authorization-server, you can set a custom metadata url here.'"`
 	// HTTPProxyURL allows operators to access external OAuth2 servers using an external HTTP Proxy
 	HTTPProxyURL  config.URL      `json:"httpProxyURL" pflag:",OPTIONAL: HTTP Proxy to be used for OAuth requests."`