allow internal openid url as issuer

[burnettk]

set SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER=true in backend configuration to allow the url that backend uses to communicate with itself to be considered a valid openid token issuer. when backend through a browser looks different from backend as it sees itself from within the backend container, this configuration will likely to necessary.

Summary by CodeRabbit

• New Features

  • Introduced a new configuration option for OpenID settings to validate internal URLs as trusted issuers.

• Enhancements

  • Improved validation logic for issuer claims in token validation, allowing for multiple trusted issuer URLs and clearer error messages.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes in this pull request introduce a new configuration variable in the default.py file of the spiffworkflow_backend project, specifically for OpenID settings. This variable determines if the internal URL is a valid issuer. Additionally, modifications to the validate_decoded_token method in authentication_service.py enhance issuer validation by allowing multiple trusted URLs based on the new configuration. The overall structure of the existing functions remains unchanged, focusing on improving flexibility and clarity in authentication processes.

Changes

File	Change Summary
spiffworkflow-backend/src/spiffworkflow_backend/config/default.py	Added new configuration variable SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER with a default value of False.
spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py	Updated validate_decoded_token method to include a list of trusted issuer URLs, enhancing validation logic. Error logging message updated for clarity.

Possibly related PRs

• Allow for optional AZP validation in authentication_service #2082: The changes in this PR also introduce a new configuration variable in default.py, similar to the main PR, enhancing OpenID settings and allowing for more flexible authentication configurations.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py (1)

125-125: LGTM! Consider adding a comment for clarity.

The new configuration variable SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER is correctly implemented and aligns with the PR objectives. It allows for flexible configuration of internal URL validation for OpenID.

Consider adding a brief comment above this line to explain the purpose of this configuration option, such as:

# Determines whether the internal OpenID URL should be considered a valid token issuer
config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER", default=False)

This would enhance code readability and make the configuration's purpose immediately clear to other developers.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 7d0e908 and a6abdd1.

📒 Files selected for processing (2)

• spiffworkflow-backend/src/spiffworkflow_backend/config/default.py (1 hunks)
• spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (1 hunks)

🧰 Additional context used

🔇 Additional comments (2)

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py (1)

Line range hint 1-268: Summary: New OpenID configuration option added successfully

The addition of the SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER configuration variable successfully implements the PR objective of introducing an option to recognize internal OpenID URLs as valid token issuers. This change enhances the flexibility of the OpenID configuration without disrupting the existing structure or other settings.

The default value of False maintains backwards compatibility, ensuring that existing setups won't be affected unless explicitly configured. This implementation allows for easy enabling of internal URL validation when needed, addressing the potential discrepancies in OpenID token validation mentioned in the PR objectives.

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py (1)

366-375: Good implementation of configurable issuer validation

The changes enhance the issuer validation logic by including the internal server URL in the list of trusted issuers when SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER is set. This aligns with the PR objectives and is correctly implemented.