Commit
Improve logic for determination of issuer (#57)
Cito authored Oct 18, 2023
1 parent b421451 commit f271612
Showing 4 changed files with 15 additions and 8 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -30,21 +30,21 @@ We recommend using the provided Docker container.

A pre-build version is available at [docker hub](https://hub.docker.com/repository/docker/ghga/auth-service):
```bash
docker pull ghga/auth-service:0.5.5
docker pull ghga/auth-service:0.5.6
```

Or you can build the container yourself from the [`./Dockerfile`](./Dockerfile):
```bash
# Execute in the repo's root dir:
docker build -t ghga/auth-service:0.5.5 .
docker build -t ghga/auth-service:0.5.6 .
```

For production-ready deployment, we recommend using Kubernetes, however,
for simple use cases, you could execute the service using docker
on a single server:
```bash
# The entrypoint is preconfigured:
docker run -p 8080:8080 ghga/auth-service:0.5.5 --help
docker run -p 8080:8080 ghga/auth-service:0.5.6 --help
```

If you prefer not to use containers, you may install the service from source:
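Review bot: the image tag 0.5.6 is hand-edited in three separate commands in this hunk (pull, build and run), and the same version string is bumped again in openapi.yaml and pyproject.toml in this commit; consider generating these README snippets from the single version in pyproject.toml so the tags cannot drift apart on the next release.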
2 changes: 1 addition & 1 deletion openapi.yaml
Expand Up @@ -6,7 +6,7 @@ info:
license:
name: Apache 2.0
title: User Management API
version: 0.5.5
version: 0.5.6
openapi: 3.0.2
paths:
/health:
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "auth_service"
version = "0.5.5"
version = "0.5.6"
description = "Authentication service for the GHGA data portal used by the API gateway via the ExtAuth protocol"
readme = "README.md"
authors = [
13 changes: 10 additions & 3 deletions src/auth_service/auth_adapter/core/auth.py
Expand Up @@ -20,6 +20,7 @@
import logging
from functools import cached_property, lru_cache
from typing import Any, Optional, Union
from urllib.parse import urlparse

import httpx
from fastapi import status
Expand Down Expand Up @@ -203,9 +204,15 @@ def __init__(self, config: Config = CONFIG) -> None:
else:
log.warning("Allowed external signing algorithms not configured.")
self.external_algs = None
issuer = discovery.authority_url[:-1]
if not issuer.startswith("https://") or issuer.endswith((".dev", ".test")):
# this is a test OP, discover the real issuer
authority_url_parts = urlparse(discovery.authority_url)
if (
authority_url_parts.scheme == "https"
and not authority_url_parts.netloc.endswith((".dev", ".test"))
):
# this is a real OP, the issuer should match the authority URL
issuer = authority_url_parts.scheme + "://" + authority_url_parts.netloc
else:
# this is a test OP, discover its issuer, may not match the authority URL
log.warning("Using issuer from discovery instead of authority URL.")
issuer = discovery.issuer
self.check_at_claims["iss"] = issuer
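Review bot: the `.dev`/`.test` suffix check in the new `if` is applied to `authority_url_parts.netloc`, which still contains any port (and userinfo), so an authority URL such as `https://op.test:8443/` would not be recognised as a test OP and the discovered issuer would be ignored; check the host part instead, e.g. `and not (authority_url_parts.hostname or "").endswith((".dev", ".test"))`. Also, building the issuer as `scheme + "://" + netloc` drops any path component, whereas the replaced `discovery.authority_url[:-1]` kept it; if an authority URL with a path is possible, the `iss` check would then fail for a real OP, so either keep the path (strip only the trailing slash) or document that the authority URL must be a bare origin.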

0 comments on commit f271612