Skip to content

Commit 31b7df3

Browse files
WhammyLeafWhammyLeaf
committed
support skipping oidc validation checks
1 parent 14f9009 commit 31b7df3

File tree

2 files changed

+59
-14
lines changed

2 files changed

+59
-14
lines changed

config.go

Lines changed: 48 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ package oauth
22

33
import (
44
"fmt"
5+
"strconv"
56

67
"github.com/tuannvm/oauth-mcp-proxy/provider"
78
)
@@ -31,6 +32,11 @@ type Config struct {
3132
// Implement the Logger interface (Debug, Info, Warn, Error methods) to
3233
// integrate with your application's logging system (e.g., zap, logrus).
3334
Logger Logger
35+
36+
// Validation skip configuration
37+
SkipIssuerCheck bool
38+
SkipAudienceCheck bool
39+
SkipExpiryCheck bool
3440
}
3541

3642
// Validate validates the configuration
@@ -119,11 +125,14 @@ func SetupOAuth(cfg *Config) (provider.TokenValidator, error) {
119125
func createValidator(cfg *Config, logger Logger) (provider.TokenValidator, error) {
120126
// Convert root Config to provider.Config
121127
providerCfg := &provider.Config{
122-
Provider: cfg.Provider,
123-
Issuer: cfg.Issuer,
124-
Audience: cfg.Audience,
125-
JWTSecret: cfg.JWTSecret,
126-
Logger: logger,
128+
Provider: cfg.Provider,
129+
Issuer: cfg.Issuer,
130+
Audience: cfg.Audience,
131+
JWTSecret: cfg.JWTSecret,
132+
Logger: logger,
133+
SkipIssuerCheck: cfg.SkipIssuerCheck,
134+
SkipAudienceCheck: cfg.SkipAudienceCheck,
135+
SkipExpiryCheck: cfg.SkipExpiryCheck,
127136
}
128137

129138
var validator provider.TokenValidator
@@ -223,6 +232,24 @@ func (b *ConfigBuilder) WithLogger(logger Logger) *ConfigBuilder {
223232
return b
224233
}
225234

235+
// WithSkipIssuerCheck sets issuer check toggle
236+
func (b *ConfigBuilder) WithSkipIssuerCheck(skipIssuerCheck bool) *ConfigBuilder {
237+
b.config.SkipIssuerCheck = skipIssuerCheck
238+
return b
239+
}
240+
241+
// WithSkipAudienceCheck sets audience check toggle
242+
func (b *ConfigBuilder) WithSkipAudienceCheck(skipAudienceCheck bool) *ConfigBuilder {
243+
b.config.SkipAudienceCheck = skipAudienceCheck
244+
return b
245+
}
246+
247+
// WithSkipExpiryCheck sets expiry check toggle
248+
func (b *ConfigBuilder) WithSkipExpiryCheck(skipExpiryCheck bool) *ConfigBuilder {
249+
b.config.SkipExpiryCheck = skipExpiryCheck
250+
return b
251+
}
252+
226253
// WithServerURL sets the full server URL directly
227254
func (b *ConfigBuilder) WithServerURL(url string) *ConfigBuilder {
228255
b.config.ServerURL = url
@@ -289,7 +316,23 @@ func FromEnv() (*Config, error) {
289316
WithAudience(getEnv("OIDC_AUDIENCE", "")).
290317
WithClientID(getEnv("OIDC_CLIENT_ID", "")).
291318
WithClientSecret(getEnv("OIDC_CLIENT_SECRET", "")).
319+
WithSkipAudienceCheck(parseBoolEnv("OIDC_SKIP_AUDIENCE_CHECK", false)).
320+
WithSkipIssuerCheck(parseBoolEnv("OIDC_SKIP_ISSUER_CHECK", false)).
321+
WithSkipExpiryCheck(parseBoolEnv("OIDC_SKIP_EXPIRY_CHECK", false)).
292322
WithServerURL(serverURL).
293323
WithJWTSecret([]byte(jwtSecret)).
294324
Build()
295325
}
326+
327+
// parseBoolEnv parses a boolean environment variable
328+
func parseBoolEnv(key string, defaultVal bool) bool {
329+
val := getEnv(key, "")
330+
if val == "" {
331+
return defaultVal
332+
}
333+
parsed, err := strconv.ParseBool(val)
334+
if err != nil {
335+
return defaultVal
336+
}
337+
return parsed
338+
}

provider/provider.go

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -30,11 +30,14 @@ type Logger interface {
3030

3131
// Config holds OAuth configuration (subset needed by provider)
3232
type Config struct {
33-
Provider string
34-
Issuer string
35-
Audience string
36-
JWTSecret []byte
37-
Logger Logger
33+
Provider string
34+
Issuer string
35+
Audience string
36+
JWTSecret []byte
37+
Logger Logger
38+
SkipIssuerCheck bool
39+
SkipAudienceCheck bool
40+
SkipExpiryCheck bool
3841
}
3942

4043
// TokenValidator interface for OAuth token validation
@@ -90,7 +93,6 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
9093
}
9194
return []byte(v.secret), nil
9295
})
93-
9496
if err != nil {
9597
return nil, fmt.Errorf("failed to parse and validate token: %w", err)
9698
}
@@ -204,9 +206,9 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
204206
verifier := provider.Verifier(&oidc.Config{
205207
ClientID: cfg.Audience, // Note: go-oidc uses ClientID field for audience validation - see https://github.com/coreos/go-oidc/blob/v3/oidc/verify.go#L85
206208
SupportedSigningAlgs: []string{oidc.RS256, oidc.ES256},
207-
SkipClientIDCheck: false, // Always validate if ClientID is provided
208-
SkipExpiryCheck: false, // Verify expiration
209-
SkipIssuerCheck: false, // Verify issuer
209+
SkipClientIDCheck: cfg.SkipAudienceCheck,
210+
SkipExpiryCheck: cfg.SkipExpiryCheck,
211+
SkipIssuerCheck: cfg.SkipIssuerCheck,
210212
})
211213

212214
v.logger.Info("OAuth: OIDC validator initialized with audience validation: %s", cfg.Audience)

0 commit comments

Comments
 (0)