Skip to content

feat: pass the issuer_url to manage jkws storage #18885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 16, 2025
Merged

feat: pass the issuer_url to manage jkws storage #18885

merged 3 commits into from
Oct 16, 2025

Conversation

@miketheman
Copy link
Member

@miketheman miketheman commented Oct 16, 2025

Previously using self.issuer_url didn't make a difference, as the
property is configured on the resolved Publisher class, and has nothing
to do with the inbound value.

Resolves #18845

Signed-off-by: Mike Fiedler miketheman@gmail.com

@miketheman
feat: pass the issuer_url to manage jkws storage
04a6671 
Previously using `self.issuer_url` didn't make a difference, as the
property is configured on the resolved Publisher class, and has nothing
to do with the inbound value.

Resolves pypi#18845

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman
refactor: raise instead of passing none
e6dcf18 
Raise an exception if the key isn't found, handled by the caller chain
in `verify_jwt_signature()` prior to trying to decode a value with `None`.

Signed-off-by: Mike Fiedler <miketheman@gmail.com>
@miketheman miketheman requested a review from a team as a code owner October 16, 2025 16:22
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 16, 2025
View reviewed changes
warehouse/oidc/views.py
)

return mint_token(oidc_service, unverified_jwt, request)
return mint_token(oidc_service, unverified_jwt, unverified_issuer, request)

Check warning

Code scanning / CodeQL

Information exposure through an exception Medium

Stack trace information
Loading
flows to this location and may be exposed to an external user.
Stack trace information
Loading
flows to this location and may be exposed to an external user.
@miketheman miketheman merged commit faf778f into pypi:main Oct 16, 2025
21 checks passed
@miketheman miketheman deleted the miketheman/18845-pass-around-issuer branch October 16, 2025 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ewdurbin ewdurbin ewdurbin approved these changes

Assignees

No one assigned

Labels

trusted-publishing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Store JWKS keys based on Issuer URL instead of publisher name

2 participants

@miketheman @ewdurbin