fixed #929 - support additional trusted OIDC audiences

warp-tech · Jan 13, 2024 · 75a2b8c · 75a2b8c
1 parent 92dc885
commit 75a2b8c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/warpgate-sso/src/config.rs b/warpgate-sso/src/config.rs
@@ -59,6 +59,7 @@ pub enum SsoInternalProviderConfig {
         client_secret: ClientSecret,
         issuer_url: IssuerUrl,
         scopes: Vec<String>,
+        additional_trusted_audiences: Option<Vec<String>>,
     },
 }
 
@@ -199,4 +200,15 @@ impl SsoInternalProviderConfig {
             SsoInternalProviderConfig::Apple { .. } => false,
         }
     }
+
+    #[inline]
+    pub fn additional_trusted_audiences(&self) -> Option<&Vec<String>> {
+        match self {
+            SsoInternalProviderConfig::Custom {
+                additional_trusted_audiences,
+                ..
+            } => additional_trusted_audiences.as_ref(),
+            _ => None,
+        }
+    }
 }
diff --git a/warpgate-sso/src/sso.rs b/warpgate-sso/src/sso.rs
@@ -1,4 +1,5 @@
 use std::borrow::Cow;
+use std::ops::Deref;
 
 use openidconnect::core::{CoreAuthenticationFlow, CoreClient, CoreProviderMetadata};
 use openidconnect::reqwest::async_http_client;
@@ -21,12 +22,21 @@ pub async fn make_client(config: &SsoInternalProviderConfig) -> Result<CoreClien
                 e => format!("{e}"),
             })
         })?;
-    Ok(CoreClient::from_provider_metadata(
+
+    let client = CoreClient::from_provider_metadata(
         metadata,
         config.client_id().clone(),
         Some(config.client_secret()?),
     )
-    .set_auth_type(config.auth_type()))
+    .set_auth_type(config.auth_type());
+
+    if let Some(trusted_audiences) = config.additional_trusted_audiences() {
+        client.id_token_verifier().set_other_audience_verifier_fn(|aud| {
+            trusted_audiences.contains(aud.deref())
+        });
+    }
+
+    Ok(client)
 }
 
 impl SsoClient {