Merge pull request #5624 from opsmill/pog-loosen-requirements-for-oic…

…d-IFC-1194

Loosen requirements of token verification for OIDC id_token groups

backend/infrahub/api/oidc.py

@@ -210,6 +210,7 @@ async def _get_id_token_groups(
         algorithms=oidc_config.id_token_signing_alg_values_supported,
         audience=client_id,
         issuer=str(oidc_config.issuer),
+        options={"verify_signature": False, "verify_aud": False, "verify_iss": False},
     )
 
     return decoded_token.get("groups", [])

backend/tests/unit/api/test_oidc.py

@@ -1,6 +1,7 @@
 import json
 import time
 import uuid
+from copy import deepcopy
 from typing import Any
 
 import httpx
@@ -40,6 +41,36 @@ async def test_get_id_token_groups_for_oidc() -> None:
     assert groups == ["operators"]
 
 
+async def test_get_id_token_groups_for_oidc_invalid_issuer() -> None:
+    memory_http = MemoryHTTP()
+    service = InfrahubServices(http=memory_http)
+    client_id = "testing-oicd-1234"
+
+    helper = OIDCTestHelper()
+    token_response = helper.generate_token_response(
+        username="testuser",
+        groups=["operators"],
+        client_id=client_id,
+        issuer=str(OIDC_CONFIG.issuer),
+    )
+
+    memory_http.add_get_response(
+        url=str(OIDC_CONFIG.jwks_uri),
+        response=httpx.Response(status_code=200, content=json.dumps(helper.jwks_payload)),
+    )
+    config = deepcopy(OIDC_CONFIG)
+    config.issuer = Url("https://something-incorrect.example.com")
+
+    groups = await _get_id_token_groups(
+        oidc_config=config,
+        service=service,
+        payload=token_response,
+        client_id=client_id,
+    )
+
+    assert groups == ["operators"]
+
+
 async def test_get_id_token_groups_for_oidc_no_id_token() -> None:
     memory_http = MemoryHTTP()
     service = InfrahubServices(http=memory_http)

changelog/5623.fixed.md

@@ -0,0 +1 @@
+Loosened requirement for group discovery using OIDC and id_token. This will probably be reverted or presented as a configuration option in the future.