HDFGroup / hsds

Cloud-native, service based access to HDF data
https://www.hdfgroup.org/solutions/hdf-kita/
Apache License 2.0

OpenID auth broken in jwtUtil #119

Open jjaraalm opened 2 years ago

jjaraalm commented 2 years ago

Moving from v0.6.3 to master, it looks like the OpenID auth was refactored into jwtUtil. However, this no longer works with providers that do not use unique_name by default, such as Google. In v0.6.3, any valid claim was used as the username, while in v0.7.0 only the claim unique_name is allowed to be the username. See:

https://github.com/HDFGroup/hsds/blob/9e1f08183f6f5e7ad51c57a6d2e7ba0ecfd95f02/hsds/util/jwtUtil.py#L177-L191

The v0.6.3 behavior wasn't great so I understand why it was changed, but this needs to be configurable. Possible options:

jreadey commented 2 years ago

@jjaraalm - thanks for reporting this!
I don't have an easy way right now to test with OpenID auth - would you be willing to create a PR for the fix? I can verify against Azure AD.
Slightly favor the first approach to have less tweaking of config settings needed by deployers.

jjaraalm commented 2 years ago

I'll think about putting a PR in, but it's not the highest priority for me right now.
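The username-claim lookup this thread is about, as an added example (not hsds code and not the reporter's proposal): a per-provider allow-list of claims, so a Google token can supply the username from `email` while Azure AD keeps `unique_name`, and a claim that is not configured is never accepted as the identity. The provider names, claim lists and sample payloads are assumptions constructed for illustration; signature, `exp` and `aud` checks are assumed to have happened upstream.

```python
from typing import Mapping

# Assumed per-provider configuration (not hsds config keys): the ordered list
# of claims allowed to supply the username for each OpenID provider.
USERNAME_CLAIMS = {
    "azure": ("unique_name", "upn"),  # Azure AD tokens carry unique_name
    "google": ("email",),             # Google ID tokens carry email, not unique_name
}


class UsernameClaimError(ValueError):
    """Raised when no configured claim can safely supply the username."""


def username_from_payload(payload: Mapping[str, object], provider: str) -> str:
    """Pick the username from an already-verified ID-token payload.

    Only the claims configured for the provider are consulted, so an unrelated
    claim can never become the identity (the v0.6.3 behaviour in the report),
    and an ``email`` claim is refused unless the token states it is verified.
    """
    try:
        candidates = USERNAME_CLAIMS[provider]
    except KeyError:
        raise UsernameClaimError(f"unknown provider: {provider!r}") from None
    for claim in candidates:
        value = payload.get(claim)
        if not isinstance(value, str) or not value.strip():
            continue  # claim absent or empty: try the next configured claim
        if claim == "email" and payload.get("email_verified") is not True:
            raise UsernameClaimError("email claim present but not marked verified")
        return value
    raise UsernameClaimError(f"none of {candidates} present in {provider} token")


# Constructed sample payloads, i.e. decoded token bodies after upstream
# signature/expiry/audience validation; nothing here verifies a signature.
AZURE_PAYLOAD = {"iss": "https://sts.windows.net/tenant/", "aud": "hsds",
                 "unique_name": "alice@example.com"}
GOOGLE_PAYLOAD = {"iss": "https://accounts.google.com", "aud": "hsds",
                  "email": "bob@example.com", "email_verified": True}
GOOGLE_UNVERIFIED = {"iss": "https://accounts.google.com", "aud": "hsds",
                     "email": "mallory@example.com", "email_verified": False}

if __name__ == "__main__":
    print(username_from_payload(AZURE_PAYLOAD, "azure"))    # alice@example.com
    print(username_from_payload(GOOGLE_PAYLOAD, "google"))  # bob@example.com
```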