commit
bcc6ed9a8c
2 changed files with 17 additions and 3 deletions
|
@ -11,6 +11,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/assert"
|
"github.com/smallstep/assert"
|
||||||
|
@ -82,6 +83,10 @@ func testAuthority(t *testing.T, opts ...Option) *Authority {
|
||||||
}
|
}
|
||||||
a, err := New(c, opts...)
|
a, err := New(c, opts...)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
// Avoid errors when test tokens are created before the test authority. This
|
||||||
|
// happens in some tests where we re-create the same authority to test
|
||||||
|
// special cases without re-creating the token.
|
||||||
|
a.startTime = a.startTime.Add(-1 * time.Minute)
|
||||||
return a
|
return a
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
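Review bot: The backdate at `a.startTime = a.startTime.Add(-1 * time.Minute)` is a bare magic number that every test using this helper now implicitly depends on; a package-level `const testAuthorityBackdate = time.Minute` applied as `a.startTime = a.startTime.Add(-testAuthorityBackdate)` would make the tolerance window visible and tunable in one place. The comment should also say how startTime is consumed (presumably compared against token issue times elsewhere in the authority — confirm), since the helper mutates an unexported field after New has already run and any value New derived from startTime would not be updated. testAuthority's signature is outside the hunk.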
@ -37,6 +37,7 @@ func (p provisionerSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
|
||||||
// provisioner.
|
// provisioner.
|
||||||
type loadByTokenPayload struct {
|
type loadByTokenPayload struct {
|
||||||
jose.Claims
|
jose.Claims
|
||||||
|
Email string `json:"email"` // OIDC email
|
||||||
AuthorizedParty string `json:"azp"` // OIDC client id
|
AuthorizedParty string `json:"azp"` // OIDC client id
|
||||||
TenantID string `json:"tid"` // Microsoft Azure tenant id
|
TenantID string `json:"tid"` // Microsoft Azure tenant id
|
||||||
}
|
}
|
||||||
|
@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
|
||||||
return p, ok
|
return p, ok
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Try with tid (Azure)
|
// Try with tid (Azure, Azure OIDC)
|
||||||
if payload.TenantID != "" {
|
if payload.TenantID != "" {
|
||||||
|
// Try to load an OIDC provisioner first.
|
||||||
|
if payload.Email != "" {
|
||||||
|
if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
|
||||||
|
return p, ok
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Try to load an Azure provisioner.
|
||||||
if p, ok := c.LoadByTokenID(payload.TenantID); ok {
|
if p, ok := c.LoadByTokenID(payload.TenantID); ok {
|
||||||
return p, ok
|
return p, ok
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fallback to aud
|
// Fallback to aud
|
||||||
return c.LoadByTokenID(payload.Audience[0])
|
return c.LoadByTokenID(payload.Audience[0])
|
||||||
}
|
}
|
||||||
|
|
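Review bot: The new `if p, ok := c.LoadByTokenID(payload.Audience[0]); ok` branch indexes `payload.Audience` without checking its length, so a token carrying `tid` and `email` but no `aud` claim panics here, whereas before this change such a token was matched against `payload.TenantID` first. The payload is taken from the token before a provisioner, and therefore a verification key, has been chosen, so it is presumably unverified caller-supplied input — confirm how payload is populated above the hunk. Guard the new branch with `if payload.Email != "" && len(payload.Audience) > 0 {`. The pre-existing fallback `return c.LoadByTokenID(payload.Audience[0])` at the end of the function has the same unchecked index and should get the same length check. LoadByToken's body starts outside the hunk.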