Add an extra way to distinguish Azure and Azure OIDC tokens.

We used to distinguish these tokens using the azp claim, but this
claim does not appear on new azure oidc tokens, at least on some
configurations.

This change tries to load the provisioner by audience (the OIDC client id) when the token also carries an email claim, which OIDC tokens are required to include; plain Azure tokens are still loaded by tenant id.
Mariano Cano 2021-08-30 16:37:29 -07:00
parent 097a918da7
commit f919535475


@ -37,6 +37,7 @@ func (p provisionerSlice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
// provisioner.
type loadByTokenPayload struct {
jose.Claims
Email string `json:"email"` // OIDC email
AuthorizedParty string `json:"azp"` // OIDC client id
TenantID string `json:"tid"` // Microsoft Azure tenant id
}
@ -129,12 +130,20 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
return p, ok
}
}
// Try with tid (Azure)
// Try with tid (Azure, Azure OIDC)
if payload.TenantID != "" {
// Try to load an OIDC provisioner first.
if payload.Email != "" {
if p, ok := c.LoadByTokenID(payload.Audience[0]); ok {
return p, ok
}
}
// Try to load an Azure provisioner.
if p, ok := c.LoadByTokenID(payload.TenantID); ok {
return p, ok
}
}
// Fallback to aud
return c.LoadByTokenID(payload.Audience[0])
}
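Review bot: The new OIDC-first branch indexes `payload.Audience[0]` without checking that the slice is non-empty, so a token that carries `tid` and `email` but no `aud` claim makes LoadByToken panic with an index-out-of-range. As far as this function shows, the claims are read from the token payload before any provisioner has verified it, so unless something upstream already rejects tokens without `aud` (or a recover middleware exists), that is a crash reachable from a crafted, unsigned request. Guard the new condition: `if payload.Email != "" && len(payload.Audience) > 0 {`. The pre-existing fallback on the last `return c.LoadByTokenID(payload.Audience[0])` has the same unguarded index and would be worth fixing for consistency, though that is outside what this commit changes. The start of LoadByToken, where `payload` is decoded, lies outside the hunk.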