diff --git a/flyteadmin/auth/auth_context.go b/flyteadmin/auth/auth_context.go
index 0e21efacde..7734fc30df 100644
--- a/flyteadmin/auth/auth_context.go
+++ b/flyteadmin/auth/auth_context.go
@@ -141,6 +141,12 @@ func NewAuthenticationContext(ctx context.Context, sm core.SecretManager, oauth2
 	// Construct an oidc Provider, which needs its own http Client.
 	oidcCtx := oidc.ClientContext(ctx, httpClient)
 	baseURL := options.UserAuth.OpenID.BaseURL.String()
+	// use a different issuer for token validation if configured
+	// this allows discovery to work when issuer_url from upstream is mismatched
+	// see https://github.com/coreos/go-oidc/pull/315
+	if iss := options.UserAuth.OpenID.IssuerURL.String(); iss != "" {
+		oidcCtx = oidc.InsecureIssuerURLContext(oidcCtx, iss)
+	}
 	provider, err := oidc.NewProvider(oidcCtx, baseURL)
 	if err != nil {
 		return Context{}, errors.Wrapf(ErrauthCtx, err, "Error creating oidc provider w/ issuer [%v]", baseURL)
diff --git a/flyteadmin/auth/config/config.go b/flyteadmin/auth/config/config.go
index f96c5cf0ae..f68b20fc4d 100644
--- a/flyteadmin/auth/config/config.go
+++ b/flyteadmin/auth/config/config.go
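Review bot: The added line `oidcCtx = oidc.InsecureIssuerURLContext(oidcCtx, iss)` makes go-oidc stop checking that the discovery document fetched from baseUrl reports the issuer it is trusted for, so the JWKS and endpoints are accepted purely on the strength of baseUrl while ID tokens are (per go-oidc's documentation of this override) verified against the configured issuerUrl instead; the new comment only cites the upstream PR and should state that trade-off, e.g. `// SECURITY: skips go-oidc's issuer check on the discovery document; baseUrl must point at the same IdP as issuerUrl over a trusted channel`. A startup log line when the override is active would make a silent mismatch visible in operation, if a logger is already available in this file (none is visible in the hunk). The wrapped error on the last context line reports only baseURL, so a failure caused by a bad issuerUrl will be misattributed; consider hoisting `iss` out of the if-initializer and adding it to the message. NewAuthenticationContext starts before and continues after this hunk.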
@@ -267,6 +267,12 @@ type OpenIDOptions struct {
 	// will look something like https://company.okta.com/oauth2/abcdef123456789/
 	BaseURL config.URL `json:"baseUrl"`
 
+	// Allows discovery to work when the issuer_url reported by upstream is mismatched with baseUrl. This may be the
+	// case with Azure *or* when baseUrl refers to an in-cluster service like https://keycloak/auth/realms/MyRealm but
+	// the issuer is a public ingress address accessible to the OIDC client
+	// Refer to https://github.com/coreos/go-oidc/pull/315 for additional details
+	IssuerURL config.URL `json:"issuerUrl" pflag:",OPTIONAL: Use this issuer URL for request validation rather than baseUrl."`
+
 	// Provides a list of scopes to request from the IDP when authenticating. Default value requests claims that should
 	// be supported by any OIdC server. Refer to https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for
 	// a complete list. Other providers might support additional scopes that you can define in a config.
diff --git a/flyteadmin/auth/config/config_test.go b/flyteadmin/auth/config/config_test.go
index fa06506ee5..4476e1d9da 100644
--- a/flyteadmin/auth/config/config_test.go
+++ b/flyteadmin/auth/config/config_test.go
@@ -50,6 +50,9 @@ func TestParseClientSecretConfig(t *testing.T) {
 func TestDefaultConfig(t *testing.T) {
 	assert.Equal(t, len(DefaultConfig.AppAuth.SelfAuthServer.StaticClients), 3)
 	assert.Equal(t, DefaultConfig.AppAuth.SelfAuthServer.StaticClients["flyte-cli"].ID, "flyte-cli")
+
+	// oidc issuer config should only be used when baseUrl is mismatched
+	assert.Equal(t, DefaultConfig.UserAuth.OpenID.IssuerURL.String(), "")
 }
 
 func TestCompare(t *testing.T) {
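Review bot: The help text `OPTIONAL: Use this issuer URL for request validation rather than baseUrl.` on the new `IssuerURL` field does not tell an operator what is being relaxed: setting it disables go-oidc's check that the discovery document served at baseUrl belongs to this issuer, and (as far as go-oidc documents InsecureIssuerURLContext) the `iss` claim of ID tokens is then compared against this value, so it must equal the IdP's issuer string exactly, trailing slash included. The doc comment should say so and warn that baseUrl must therefore reach the same IdP over a channel the deployment trusts, since the in-cluster `https://keycloak/...` hop given as the example is exactly the one that is no longer cross-checked; e.g. add `// NOTE: setting this skips go-oidc's issuer validation of the discovery document; baseUrl must point at the same IdP as this URL.` OpenIDOptions starts before and continues after this hunk.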