Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changes to make compatible with OAM #64

Merged
merged 18 commits into from
Jan 14, 2025
Merged

Changes to make compatible with OAM #64

merged 18 commits into from
Jan 14, 2025

Conversation

djay
Copy link
Member

@djay djay commented Dec 2, 2024
edited
Loading

  • set client.allow["issuer_mismatch"] = True to make more compatible
    • this is tested. decided to use for all since it shouldn't make a difference to non OAM?
  • add in changes to make work with OAM
    • new advanced setting for identity_domain_name which is used as a param and header which OAM needs apparently
    • add header
    • add extra params
    • test against live OAM

@djay djay marked this pull request as ready for review January 9, 2025 03:33
@djay
Copy link
Member Author

djay commented Jan 9, 2025

Ok, this has now been tested and works against OAM

@djay djay requested a review from mamico January 9, 2025 03:34
mamico
mamico reviewed Jan 12, 2025
View reviewed changes
src/pas/plugins/oidc/plugins.py
)
else:
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
client.allow["issuer_mismatch"] = (
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes! I noticed the same issue with the Microsoft implementation. However, in my opinion, it might be better to have this in a separate property, even though this plugin already seems to have too many configurations.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can put a toggle for it. It's not exactly clear what the implications are if allow mismatch. I guess its less secure? Could have a toggle that defaults mismatch allowed so it's less likely to trip up first timers?

mamico
mamico approved these changes Jan 12, 2025
View reviewed changes
Copy link
Collaborator

@mamico mamico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no way to test the modification, but I don't see anything that could interfere with the current implementation. So, it's fine by me. Thanks!

@djay
Copy link
Member Author

djay commented Jan 13, 2025

@mamico ideally I'd test with more than one OAM but I only have access to one :( But at least I can say that works.

@djay djay merged commit 03a8c3b into main Jan 14, 2025
5 checks passed
@djay djay deleted the oracle_compat branch January 14, 2025 14:07
@mamico
Copy link
Collaborator

mamico commented Jan 15, 2025

@djay do you need a pypi release ?

@djay
Copy link
Member Author

djay commented Jan 15, 2025

@mamico no rush

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mamico mamico mamico approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@djay @mamico