feat: implement disabling oidc issuer checks

Emyrk · Emyrk · commit 961a9a95c676 · 2024-07-23T12:56:43.000-05:00
diff --git a/cli/server.go b/cli/server.go
@@ -114,6 +114,11 @@ func createOIDCConfig(ctx context.Context, vals *codersdk.DeploymentValues) (*co
 		return nil, xerrors.Errorf("OIDC issuer URL must be set!")
 	}
 
+	// Skipping issuer checks is not recommended.
+	if vals.OIDC.SkipIssuerChecks {
+		ctx = oidc.InsecureIssuerURLContext(ctx, vals.OIDC.IssuerURL.String())
+	}
+
 	oidcProvider, err := oidc.NewProvider(
 		ctx, vals.OIDC.IssuerURL.String(),
 	)
@@ -167,6 +172,9 @@ func createOIDCConfig(ctx context.Context, vals *codersdk.DeploymentValues) (*co
 		Provider:     oidcProvider,
 		Verifier: oidcProvider.Verifier(&oidc.Config{
 			ClientID: vals.OIDC.ClientID.String(),
+			// Enabling this skips checking the "iss" claim in the token
+			// matches the issuer URL. This is not recommended.
+			SkipIssuerCheck: vals.OIDC.SkipIssuerChecks.Value(),
 		}),
 		EmailDomain:         vals.OIDC.EmailDomain,
 		AllowSignups:        vals.OIDC.AllowSignups.Value(),
diff --git a/coderd/coderdtest/oidctest/idp_test.go b/coderd/coderdtest/oidctest/idp_test.go
@@ -102,8 +102,8 @@ func TestIDPIssuerMismatch(t *testing.T) {
 	ctx = oidc.ClientContext(ctx, cli)
 
 	// Allow the issuer mismatch
-	ctx = oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
-	p, err := oidc.NewProvider(ctx, "https://proxy.com")
+	verifierContext := oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
+	p, err := oidc.NewProvider(verifierContext, "https://proxy.com")
 	require.NoError(t, err, "failed to create OIDC provider")
 
 	oauthConfig := fake.OauthConfig(t, nil)
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -353,6 +353,7 @@ type OIDCConfig struct {
 	SignInText          serpent.String                      `json:"sign_in_text" typescript:",notnull"`
 	IconURL             serpent.URL                         `json:"icon_url" typescript:",notnull"`
 	SignupsDisabledText serpent.String                      `json:"signups_disabled_text" typescript:",notnull"`
+	SkipIssuerChecks    serpent.Bool                        `json:"skip_issuer_checks" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {
@@ -1474,6 +1475,16 @@ when required by your organization's security policy.`,
 			Group:       &deploymentGroupOIDC,
 			YAML:        "signupsDisabledText",
 		},
+		{
+			Name: "Skip OIDC issuer checks (not recommended)",
+			Description: "OIDC issuer urls must match in the request, the id_token 'iss' claim, and in the well-known configuration. " +
+				"This flag disables that requirement, and can lead to an insecure OIDC configuration. It is not recommended to use this flag.",
+			Flag:  "oidc-skip-issuer-checks",
+			Env:   "CODER_OIDC_SKIP_ISSUER_CHECKS",
+			Value: &c.OIDC.SkipIssuerChecks,
+			Group: &deploymentGroupOIDC,
+			YAML:  "skipIssuerChecks",
+		},
 		// Telemetry settings
 		{
 			Name:        "Telemetry Enable",
