chore: simplify the configuration a bit, the client id is always allowed

ctron · Jan 26, 2024 · a25828b · a25828b
1 parent a981e9b
commit a25828b
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/src/agent/client/openid.rs b/src/agent/client/openid.rs
@@ -43,7 +43,8 @@ pub struct OpenIdClient {
     after_logout_url: Option<String>,
     /// The name of the query parameter sent to the issuer, containing the post-logout redirect URL
     post_logout_redirect_name: Option<String>,
-    valid_audiences: Vec<String>,
+    /// Additional audiences of the ID token which are considered trustworthy
+    additional_trusted_audiences: Vec<String>,
 }
 
 /// Additional metadata read from the discovery endpoint
@@ -110,17 +111,13 @@ impl Client for OpenIdClient {
             ClientId::new(config.client_id.clone()),
             None,
         );
-        let valid_audiences = config
-            .additional
-            .valid_audiences
-            .unwrap_or(vec![config.client_id.clone()]);
 
         Ok(Self {
             client,
             end_session_url,
             after_logout_url,
             post_logout_redirect_name: config.additional.post_logout_redirect_name,
-            valid_audiences,
+            additional_trusted_audiences: config.additional.additional_trusted_audiences,
         })
     }
 
@@ -195,7 +192,9 @@ impl Client for OpenIdClient {
                     &self
                         .client
                         .id_token_verifier()
-                        .set_other_audience_verifier_fn(|aud| self.valid_audiences.contains(aud)),
+                        .set_other_audience_verifier_fn(|aud| {
+                            self.additional_trusted_audiences.contains(aud)
+                        }),
                     &Nonce::new(state.nonce),
                 )
                 .map_err(|err| {

diff --git a/src/config.rs b/src/config.rs
@@ -29,7 +29,10 @@ pub mod openid {
         /// The defaults to `post_logout_redirect_uri` for OpenID RP initiated logout.
         /// However, e.g. older Keycloak instances require this to be `redirect_uri`.
         pub post_logout_redirect_name: Option<String>,
-        pub valid_audiences: Option<Vec<String>>,
+        /// Additional audiences of the ID token which are considered trustworthy.
+        ///
+        /// Those audiences are allowed in addition to the client ID.
+        pub additional_trusted_audiences: Vec<String>,
     }
 }