Skip to content

fix(oidc): Az single tenant handling via oidc_jwks_uri #1015

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dbnsky wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(oidc): Az single tenant handling via oidc_jwks_uri #1015

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions source/app/configuration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -470,6 +470,7 @@ class Config:
OIDC_AUTH_ENDPOINT = config.load('OIDC', 'AUTH_ENDPOINT', fallback=None)
OIDC_TOKEN_ENDPOINT = config.load('OIDC', 'TOKEN_ENDPOINT', fallback=None)
OIDC_END_SESSION_ENDPOINT = config.load('OIDC', 'END_SESSION_ENDPOINT', fallback=None)
OIDC_JWKS_URI = config.load('OIDC', 'JWKS_URI', fallback=None)
OIDC_SCOPES = config.load('OIDC', 'SCOPES', fallback="openid email profile")
OIDC_MAPPING_USERNAME = config.load('OIDC', 'MAPPING_USERNAME', fallback='preferred_username')
OIDC_MAPPING_EMAIL = config.load('OIDC', 'MAPPING_EMAIL', fallback='email')
Expand Down
44 changes: 30 additions & 14 deletions source/app/iris_engine/access_control/oidc_handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,24 +25,40 @@
def get_oidc_client(app) -> Client:
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)

# retrieve provider configuration dynamically from metadata
# or fall back to env vars
# Normalize issuer URL - strip trailing slash to prevent "Unknown Issuer" errors
issuer_url = app.config.get("OIDC_ISSUER_URL", "").rstrip('/')
client_id = app.config.get("OIDC_CLIENT_ID")
client_secret = app.config.get("OIDC_CLIENT_SECRET")

# Check for explicit JWKS URI (e.g., Azure single-tenant with appid)
jwks_uri = app.config.get("OIDC_JWKS_URI")

try:
client.provider_config(app.config.get("OIDC_ISSUER_URL"))
except Exception as e:
app.logger.warning(f"Could not read OIDC metadata, using environment variables - error {e}")
op_info = ProviderConfigurationResponse(
issuer=app.config.get("OIDC_ISSUER_URL"),
authorization_endpoint=app.config.get("OIDC_AUTH_ENDPOINT"),
token_endpoint=app.config.get("OIDC_TOKEN_ENDPOINT"),
end_session_endpoint=app.config.get("OIDC_END_SESSION_ENDPOINT"),
)
if jwks_uri:
# Manual configuration with explicit JWKS URI
app.logger.info(f"Using explicit JWKS URI: {jwks_uri}")

client.handle_provider_config(op_info, op_info['issuer'])
op_info = ProviderConfigurationResponse(
issuer=issuer_url,
authorization_endpoint=app.config.get("OIDC_AUTH_ENDPOINT"),
token_endpoint=app.config.get("OIDC_TOKEN_ENDPOINT"),
end_session_endpoint=app.config.get("OIDC_END_SESSION_ENDPOINT"),
jwks_uri=jwks_uri
)
client.handle_provider_config(op_info, issuer_url)
else:
# Auto-discovery (standard OIDC flow)
app.logger.info("Using OIDC auto-discovery")
client.provider_config(issuer_url)

except Exception as e:
app.logger.error(f"OIDC configuration failed: {e}")
raise

# Client Registration
info = {
"client_id": app.config.get("OIDC_CLIENT_ID"),
"client_secret": app.config.get("OIDC_CLIENT_SECRET")
"client_id": client_id,
"client_secret": client_secret
}
client_reg = RegistrationResponse(**info)
client.store_registration_info(client_reg)
Expand Down