allow internal openid url as issuer (#2101)

Co-authored-by: burnettk <[email protected]>
sartography · Oct 7, 2024 · f88ec49 · f88ec49
1 parent 7d0e908
commit f88ec49
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -122,6 +122,7 @@ def config_from_env(variable_name: str, *, default: str | bool | int | None = No
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER", default=False)
 
 # Open ID server
 # use "http://localhost:7000/openid" for running with simple openid

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -363,9 +363,19 @@ def validate_decoded_token(cls, decoded_token: dict, authentication_identifier:
             audience_array_in_token = [aud]
         overlapping_aud_values = [x for x in audience_array_in_token if x in valid_audience_values]
 
-        if iss not in [cls.server_url(authentication_identifier), UserModel.spiff_generated_jwt_issuer()]:
+        internal_server_url = cls.server_url(authentication_identifier, internal=True)
+
+        trusted_issuer_urls = [
+            cls.server_url(authentication_identifier),
+            UserModel.spiff_generated_jwt_issuer(),
+        ]
+
+        if current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER"]:
+            trusted_issuer_urls.append(internal_server_url)
+
+        if iss not in trusted_issuer_urls:
             current_app.logger.error(
-                f"TOKEN INVALID because ISS '{iss}' does not match server url '{cls.server_url(authentication_identifier)}'"
+                f"TOKEN INVALID because ISS '{iss}' does not match any of the trusted issuer urls '{trusted_issuer_urls}'"
             )
             valid = False
         # aud could be an array or a string