feat: implement disabling oidc issuer checks #13991

Merged
merged 12 commits into from
Jul 24, 2024

Member

@Emyrk Emyrk commented Jul 23, 2024

Requested feature. Most of the code changes are tests verifying the behavior.

The actual change is in `cli/server.go`, with an additional OIDC configuration field.

Enabling this skip will reduce the security of a deployment, but is required in some edge cases.

Validated locally as well, given the tests don't invoke the same oidc configuration path as production.

Emyrk added 2 commits July 23, 2024 12:48
Unit tests build oidc config differently than production. These tests verify the approach
@Emyrk Emyrk marked this pull request as ready for review July 24, 2024 13:20
Member

@johnstcn johnstcn left a comment

I'd rather not have to do this, but the presence of `oidc.InsecureIssuerURLContext` shows that there is at least precedent for this divergence from the OIDC spec.

I'm "approving", but we should also get buy-in from our security folks.
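
What an issuer check compares, and which claim checks remain once it is skipped, shown as an added example that is not code from this pull request, Coder, or go-oidc. `Claims`, `Policy`, the error values and all sample values are hypothetical, and the token's signature is assumed to have been verified already.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Claims are the ID token fields checked here. Assumption: the signature
// was already verified against the provider's published keys.
type Claims struct {
	Issuer, Audience string
	Expiry           time.Time
}

// Policy is a hypothetical verifier configuration for this example.
type Policy struct {
	ExpectedIssuer, ClientID string
	SkipIssuerCheck          bool
}

var (
	ErrIssuer   = errors.New("issuer mismatch")
	ErrAudience = errors.New("audience mismatch")
	ErrExpired  = errors.New("token expired")
)

// Validate runs the issuer, audience and expiry checks in that order.
func (p Policy) Validate(c Claims, now time.Time) error {
	// The iss claim must equal the configured issuer exactly; even a
	// trailing slash counts as a mismatch.
	if !p.SkipIssuerCheck && c.Issuer != p.ExpectedIssuer {
		return fmt.Errorf("%w: got %q, want %q", ErrIssuer, c.Issuer, p.ExpectedIssuer)
	}
	// With the issuer check skipped, these are the remaining claim checks.
	if c.Audience != p.ClientID {
		return fmt.Errorf("%w: got %q", ErrAudience, c.Audience)
	}
	if !now.Before(c.Expiry) {
		return ErrExpired
	}
	return nil
}

func main() {
	now := time.Date(2024, 7, 24, 12, 0, 0, 0, time.UTC) // constructed clock
	// Constructed claims: same provider, but iss carries a trailing slash.
	c := Claims{Issuer: "https://idp.example.com/", Audience: "example-client", Expiry: now.Add(time.Hour)}
	strict := Policy{ExpectedIssuer: "https://idp.example.com", ClientID: "example-client"}
	relaxed := strict
	relaxed.SkipIssuerCheck = true
	fmt.Println("strict: ", strict.Validate(c, now))
	fmt.Println("relaxed:", relaxed.Validate(c, now))
}
```

With the issuer comparison off, the signing keys and the audience value are what still tie a token to the configured provider.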

@johnstcn johnstcn requested review from coadler and deansheather July 24, 2024 14:33
@Emyrk Emyrk merged commit 4f01372 into main Jul 24, 2024
33 checks passed
@Emyrk Emyrk deleted the stevenmasley/mismatch_issuer_oidc branch July 24, 2024 21:45
@github-actions github-actions bot locked and limited conversation to collaborators Jul 24, 2024