1.15.2 Pass KOMODO_OIDC_ADDITIONAL_AUDIENCES

Cargo.lock

@@ -41,7 +41,7 @@ dependencies = [
 
 [[package]]
 name = "alerter"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "axum",
@@ -943,7 +943,7 @@ dependencies = [
 
 [[package]]
 name = "command"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "komodo_client",
  "run_command",
@@ -1355,7 +1355,7 @@ dependencies = [
 
 [[package]]
 name = "environment_file"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "thiserror",
 ]
@@ -1439,7 +1439,7 @@ dependencies = [
 
 [[package]]
 name = "formatting"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "serror",
 ]
@@ -1571,7 +1571,7 @@ checksum = "40ecd4077b5ae9fd2e9e169b102c6c330d0605168eb0e8bf79952b256dbefffd"
 
 [[package]]
 name = "git"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "command",
@@ -2192,7 +2192,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_cli"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "clap",
@@ -2208,7 +2208,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_client"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "async_timing_util",
@@ -2239,7 +2239,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_core"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "async_timing_util",
@@ -2296,7 +2296,7 @@ dependencies = [
 
 [[package]]
 name = "komodo_periphery"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "async_timing_util",
@@ -2382,7 +2382,7 @@ dependencies = [
 
 [[package]]
 name = "logger"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "komodo_client",
@@ -2446,7 +2446,7 @@ dependencies = [
 
 [[package]]
 name = "migrator"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "dotenvy",
@@ -3101,7 +3101,7 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 
 [[package]]
 name = "periphery_client"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "komodo_client",
@@ -4879,7 +4879,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "update_logger"
-version = "1.15.1"
+version = "1.15.2"
 dependencies = [
  "anyhow",
  "komodo_client",

Cargo.toml

@@ -3,7 +3,7 @@ resolver = "2"
 members = ["bin/*", "lib/*", "client/core/rs", "client/periphery/rs"]
 
 [workspace.package]
-version = "1.15.1"
+version = "1.15.2"
 edition = "2021"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"

bin/core/src/auth/oidc/mod.rs

@@ -152,8 +152,21 @@ async fn callback(
   let id_token = token_response
     .id_token()
     .context("OIDC Server did not return an ID token")?;
+
+  // Some providers attach additional audiences, they must be added here
+  // so token verification succeeds.
+  let verifier = client.id_token_verifier();
+  let additional_audiences = &core_config().oidc_additional_audiences;
+  let verifier = if additional_audiences.is_empty() {
+    verifier
+  } else {
+    verifier.set_other_audience_verifier_fn(|aud| {
+      additional_audiences.contains(aud)
+    })
+  };
+
   let claims = id_token
-    .claims(&client.id_token_verifier(), &nonce)
+    .claims(&verifier, &nonce)
     .context("Failed to verify token claims")?;
 
   // Verify the access token hash to ensure that the access token hasn't been substituted for

bin/core/src/config.rs

@@ -87,6 +87,9 @@ pub fn core_config() -> &'static CoreConfig {
         .unwrap_or(config.oidc_client_secret),
       oidc_use_full_email: env.komodo_oidc_use_full_email
         .unwrap_or(config.oidc_use_full_email),
+      oidc_additional_audiences: maybe_read_list_from_file(env.komodo_oidc_additional_audiences_file,env
+        .komodo_oidc_additional_audiences)
+        .unwrap_or(config.oidc_additional_audiences),
       google_oauth: OauthCredentials {
         enabled: env
           .komodo_google_oauth_enabled

client/core/rs/src/entities/config/core.rs

@@ -116,6 +116,10 @@ pub struct Env {
   pub komodo_oidc_client_secret_file: Option<PathBuf>,
   /// Override `oidc_use_full_email`
   pub komodo_oidc_use_full_email: Option<bool>,
+  /// Override `oidc_additional_audiences`
+  pub komodo_oidc_additional_audiences: Option<Vec<String>>,
+  /// Override `oidc_additional_audiences` from file
+  pub komodo_oidc_additional_audiences_file: Option<PathBuf>,
 
   /// Override `google_oauth.enabled`
   pub komodo_google_oauth_enabled: Option<bool>,
@@ -344,6 +348,11 @@ pub struct CoreConfig {
   #[serde(default)]
   pub oidc_use_full_email: bool,
 
+  /// Your OIDC provider may set additional audiences other than `client_id`,
+  /// they must be added here to make claims verification work.
+  #[serde(default)]
+  pub oidc_additional_audiences: Vec<String>,
+
   // =========
   // = Oauth =
   // =========
@@ -548,6 +557,11 @@ impl CoreConfig {
         &config.oidc_client_secret,
       ),
       oidc_use_full_email: config.oidc_use_full_email,
+      oidc_additional_audiences: config
+        .oidc_additional_audiences
+        .iter()
+        .map(|aud| empty_or_redacted(aud))
+        .collect(),
       google_oauth: OauthCredentials {
         enabled: config.google_oauth.enabled,
         id: empty_or_redacted(&config.google_oauth.id),

compose/compose.env

@@ -82,6 +82,9 @@ KOMODO_OIDC_ENABLED=false
 # KOMODO_OIDC_CLIENT_SECRET= # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
 ## Make usernames the full email.
 # KOMODO_OIDC_USE_FULL_EMAIL=true
+## Add additional trusted audiences for token claims verification.
+## Supports comma separated list, and passing with _FILE (for compose secrets).
+# KOMODO_OIDC_ADDITIONAL_AUDIENCES=abc,123 # Alt: KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
 
 ## Github Oauth
 KOMODO_GITHUB_OAUTH_ENABLED=false

config/core.config.toml

@@ -161,10 +161,17 @@ oidc_client_secret = ""
 ## If true, use the full email for usernames.
 ## Otherwise, the @address will be stripped,
 ## making usernames more concise.
-## Default: false.
 ## Env: KOMODO_OIDC_USE_FULL_EMAIL
+## Default: false.
 oidc_use_full_email = false
 
+## Some providers attach other audiences in addition to the client_id.
+## If you have this issue, `Invalid audiences: `...` is not a trusted audience"`,
+## you can add the audience `...` to the list here (assuming it should be trusted).
+## Env: KOMODO_OIDC_ADDITIONAL_AUDIENCES or KOMODO_OIDC_ADDITIONAL_AUDIENCES_FILE
+## Default: empty
+oidc_additional_audiences = []
+
 #########
 # OAUTH #
 #########