Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
gplazma: oidc add suppress for audience claim verification
Motivation:

Earlier versions of dCache did not support audience claim verification in the oidc plugin. Although audience claims should be verified, doing so risks breaking existing clients. Suppressing audience verification reproduces the earlier dCache behaviour, giving admins time to educate their users on correct audience claim values.

Modification:

Add support for the `-suppress=audience` option that disables the aud claim verification. Log a warning on start-up if audience checking is suppressed. Log when a token that should be rejected is accepted due to suppression of audience checking.

Result:

It is now possible to configure dCache so the oidc plugin does not check audience fields. This should be used where necessary and only for a short transition period.

Target: master
Request: 8.2
Request: 9.0
Require-notes: yes
Require-book: no
Patch: https://rb.dcache.org/r/13903/
Acked-by: Tigran Mkrtchyan
1 parent
1d41db5
commit 725eda7
Showing 3 changed files with 112 additions and 6 deletions.
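The behaviour the commit message describes (warn at start-up when the check is suppressed, and log each token that passes only because of the suppression) can be sketched as follows. This is an added illustration, not dCache's code: the class `AudienceCheck`, its `Outcome` values, the sample audiences and the handling of tokens without an `aud` claim are assumptions.

```java
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

/** Illustrative audience check with a transition-period suppression switch. */
public class AudienceCheck {
    private static final Logger LOG = Logger.getLogger(AudienceCheck.class.getName());

    enum Outcome { ACCEPTED, ACCEPTED_BY_SUPPRESSION, REJECTED }

    private final Set<String> ourAudiences; // identifiers this service answers to
    private final boolean suppressed;

    AudienceCheck(Set<String> ourAudiences, boolean suppressed) {
        this.ourAudiences = Set.copyOf(ourAudiences);
        this.suppressed = suppressed;
        if (suppressed) {
            // Start-up warning so the weakened configuration is visible in the logs.
            LOG.warning("Audience claim verification is suppressed; tokens issued"
                    + " for other services will be accepted.");
        }
    }

    /** tokenAud: values of the "aud" claim; a single string is passed as a one-element list. */
    Outcome check(String tokenId, List<String> tokenAud) {
        // Assumption of this sketch: a token without an aud claim is not restricted.
        if (tokenAud == null || tokenAud.isEmpty()
                || tokenAud.stream().anyMatch(ourAudiences::contains)) {
            return Outcome.ACCEPTED;
        }
        if (suppressed) {
            // Record every token that passes only because of the suppression.
            LOG.warning("Token " + tokenId + " has aud " + tokenAud + " which does not match "
                    + ourAudiences + "; accepted due to suppression.");
            return Outcome.ACCEPTED_BY_SUPPRESSION;
        }
        return Outcome.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from dCache.
        Set<String> ours = Set.of("https://storage.example.org");
        AudienceCheck strict = new AudienceCheck(ours, false);
        AudienceCheck lenient = new AudienceCheck(ours, true);
        List<String> foreign = List.of("https://other.example.org");
        System.out.println(strict.check("jti-1", List.of("https://storage.example.org")));
        System.out.println(strict.check("jti-2", foreign));
        System.out.println(lenient.check("jti-2", foreign));
    }
}
```

Keeping the suppressed case as a distinct outcome lets an operator count how many clients still send a wrong audience before turning the check back on.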