fix!: Verify audience claim matches client ID for OpenID provider #290

Merged: SanjayVas merged 1 commit into main from sanjayvas-oidc-client-id on Dec 19, 2024

Conversation

SanjayVas
Member

This addresses a bug in #288

The client ID is generated by the OpenID provider on registration, so the OpenID provider configuration needs to include the client ID.
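
The per-provider audience check described above, as an added example that is not the project's code: `ProviderConfig`, `check_audience`, the issuer URLs and the client IDs are hypothetical, and the claims are assumed to come from a token whose signature has already been verified.

```python
from dataclasses import dataclass


class Unauthenticated(Exception):
    """The token must be rejected."""


@dataclass(frozen=True)
class ProviderConfig:
    # Hypothetical shape: the provider issues the client ID at registration,
    # so it is stored per provider, next to the issuer it belongs to.
    issuer: str
    client_id: str


# Constructed sample: one application registered with two providers.
PROVIDERS = {
    p.issuer: p
    for p in (
        ProviderConfig("https://idp-a.example", "client-id-from-a"),
        ProviderConfig("https://idp-b.example", "client-id-from-b"),
    )
}


def audiences(claims: dict) -> list:
    """Return `aud` as a list; RFC 7519 allows a single string or an array."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []  # missing or malformed: matches nothing


def check_audience(claims: dict, providers: dict = PROVIDERS) -> ProviderConfig:
    """Check claims from a token whose signature was already verified."""
    iss = claims.get("iss")
    provider = providers.get(iss) if isinstance(iss, str) else None
    if provider is None:
        raise Unauthenticated("unknown issuer")
    # Compare against this issuer's client ID only, never a shared list.
    if provider.client_id not in audiences(claims):
        raise Unauthenticated("audience does not match client ID")
    return provider
```

A token from `idp-a` that carries the client ID registered at `idp-b` as its audience is rejected here, which a check against a provider-independent audience list would not do.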

@wfa-reviewable

This change is Reviewable

@SanjayVas SanjayVas force-pushed the sanjayvas-oidc-client-id branch from e56585d to 5e924e0 Compare December 17, 2024 22:27
Contributor

@stevenwarejones stevenwarejones left a comment

Reviewed 2 of 3 files at r1, all commit messages.
Reviewable status: 2 of 3 files reviewed, 1 unresolved discussion (waiting on @SanjayVas)


src/test/kotlin/org/wfanet/measurement/common/grpc/OpenIdConnectAuthenticationTest.kt line 78 at r1 (raw file):

  @Test
  fun `verifyAndDecodeBearerToken throws UNAUTHENTICATED when audience does not match`() {

why is this test not needed?

@SanjayVas SanjayVas force-pushed the sanjayvas-oidc-client-id branch from 5e924e0 to 5f65ec7 Compare December 18, 2024 18:13
Member Author

@SanjayVas SanjayVas left a comment

Reviewable status: 2 of 3 files reviewed, 1 unresolved discussion (waiting on @stevenwarejones)


src/test/kotlin/org/wfanet/measurement/common/grpc/OpenIdConnectAuthenticationTest.kt line 78 at r1 (raw file):

Previously, stevenwarejones (Steven Ware Jones) wrote…

why is this test not needed?

Done. Figured out a different way to test it.

Contributor

@stevenwarejones stevenwarejones left a comment

Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @SanjayVas)

@SanjayVas SanjayVas force-pushed the sanjayvas-oidc-client-id branch from 5f65ec7 to b3944d0 Compare December 19, 2024 18:10
@SanjayVas SanjayVas enabled auto-merge (squash) December 19, 2024 18:10
@SanjayVas SanjayVas merged commit 8441ad2 into main Dec 19, 2024
3 checks passed
@SanjayVas SanjayVas deleted the sanjayvas-oidc-client-id branch December 19, 2024 18:13