Allow for optional AZP validation in authentication_service

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py

@@ -120,6 +120,7 @@ def config_from_env(variable_name: str, *, default: str | bool | int | None = No
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS")
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_IAT", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF", default=True)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)
 
 # Open ID server

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

@@ -328,7 +328,7 @@ def get_auth_token_object(self, code: str, authentication_identifier: str, redir
     @classmethod
     def is_valid_azp(cls, authentication_identifier: str, azp: str | None) -> bool:
         # not all open id token include an azp so only check if present
-        if azp is None:
+        if azp is None or not current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP"]:
             return True
 
         valid_client_ids = [cls.client_id(authentication_identifier)]