From 75a2b8c5c6eb1a01014539e424cf2c6186e70350 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Sat, 13 Jan 2024 11:07:26 +0100
Subject: [PATCH] fixed #929 - support additional trusted OIDC audiences

---
 warpgate-sso/src/config.rs | 12 ++++++++++++
 warpgate-sso/src/sso.rs    | 14 ++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/warpgate-sso/src/config.rs b/warpgate-sso/src/config.rs
index 837838f6..c4470cbf 100644
--- a/warpgate-sso/src/config.rs
+++ b/warpgate-sso/src/config.rs
@@ -59,6 +59,7 @@ pub enum SsoInternalProviderConfig {
         client_secret: ClientSecret,
         issuer_url: IssuerUrl,
         scopes: Vec,
+        additional_trusted_audiences: Option>,
     },
 }
 
@@ -199,4 +200,15 @@ impl SsoInternalProviderConfig {
             SsoInternalProviderConfig::Apple { .. } => false,
         }
     }
+
+    #[inline]
+    pub fn additional_trusted_audiences(&self) -> Option<&Vec> {
+        match self {
+            SsoInternalProviderConfig::Custom {
+                additional_trusted_audiences,
+                ..
+            } => additional_trusted_audiences.as_ref(),
+            _ => None,
+        }
+    }
 }
diff --git a/warpgate-sso/src/sso.rs b/warpgate-sso/src/sso.rs
index 96df19d3..e789daf1 100644
--- a/warpgate-sso/src/sso.rs
+++ b/warpgate-sso/src/sso.rs
@@ -1,4 +1,5 @@
 use std::borrow::Cow;
+use std::ops::Deref;
 
 use openidconnect::core::{CoreAuthenticationFlow, CoreClient, CoreProviderMetadata};
 use openidconnect::reqwest::async_http_client;
@@ -21,12 +22,21 @@ pub async fn make_client(config: &SsoInternalProviderConfig) -> Result
             format!("{e}"),
         })
     })?;
-    Ok(CoreClient::from_provider_metadata(
+
+    let client = CoreClient::from_provider_metadata(
         metadata,
         config.client_id().clone(),
         Some(config.client_secret()?),
     )
-    .set_auth_type(config.auth_type()))
+    .set_auth_type(config.auth_type());
+
+    if let Some(trusted_audiences) = config.additional_trusted_audiences() {
+        client.id_token_verifier().set_other_audience_verifier_fn(|aud| {
+            trusted_audiences.contains(aud.deref())
+        });
+    }
+
+    Ok(client)
 }
 
 impl SsoClient {
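Review bot: The new `additional_trusted_audiences` field and its getter widen the ID-token audience check beyond the client's own `client_id`, which is a security-relevant relaxation, yet neither carries a doc comment saying so; add `/// Extra `aud` values accepted on ID tokens in addition to this client's `client_id`. Leave unset unless tokens issued for another client must be accepted.` on the field in the first hunk, and a one-line `///` on the getter noting it is `None` for every provider except `Custom`. The getter could also hand out a slice rather than the container, `additional_trusted_audiences.as_deref()` with a matching `Option<&[_]>` return type (the element type is not visible here, the angle brackets were lost in extraction), which keeps callers independent of the field's storage.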
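Review bot: The value returned by `set_other_audience_verifier_fn` is discarded at the `;`, so the configured audiences never take part in any verification: if `id_token_verifier()` builds a fresh verifier by value, as `CoreClient`'s does in openidconnect, that verifier is dropped at the end of the statement and `client` (which is not even `mut`) is returned unchanged, leaving the feature in the commit title ineffective. The list needs to be applied on the verifier actually used when the ID token is checked — keep the trusted audiences alongside the client (an owned copy, since `trusted_audiences` borrows `config` only for this call) and call `set_other_audience_verifier_fn` on the verifier at that point, or store the configured verifier and use it there; that verification site is outside this hunk, so I cannot point at the exact line. Because every listed value becomes an accepted `aud`, a comment at the application site such as `// Accept only client_id plus the operator-configured trusted audiences; everything else is rejected` would make the intent explicit, and a test asserting that a token whose `aud` is neither `client_id` nor a configured value is rejected would catch this regression.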