add-more-custom-config-vars

Author: WhammyLeaf

config.go

@@ -31,6 +31,11 @@ type Config struct {
 	// Implement the Logger interface (Debug, Info, Warn, Error methods) to
 	// integrate with your application's logging system (e.g., zap, logrus).
 	Logger Logger
+
+	// Validation skip configuration
+	SkipIssuerCheck   bool
+	SkipAudienceCheck bool
+	SkipExpiryCheck   bool
 }
 
 // Validate validates the configuration
@@ -119,11 +124,14 @@ func SetupOAuth(cfg *Config) (provider.TokenValidator, error) {
 func createValidator(cfg *Config, logger Logger) (provider.TokenValidator, error) {
 	// Convert root Config to provider.Config
 	providerCfg := &provider.Config{
-		Provider:  cfg.Provider,
-		Issuer:    cfg.Issuer,
-		Audience:  cfg.Audience,
-		JWTSecret: cfg.JWTSecret,
-		Logger:    logger,
+		Provider:          cfg.Provider,
+		Issuer:            cfg.Issuer,
+		Audience:          cfg.Audience,
+		JWTSecret:         cfg.JWTSecret,
+		Logger:            logger,
+		SkipIssuerCheck:   cfg.SkipIssuerCheck,
+		SkipAudienceCheck: cfg.SkipAudienceCheck,
+		SkipExpiryCheck:   cfg.SkipAudienceCheck,
 	}
 
 	var validator provider.TokenValidator
@@ -223,6 +231,24 @@ func (b *ConfigBuilder) WithLogger(logger Logger) *ConfigBuilder {
 	return b
 }
 
+// WithSkipIssuerCheck sets issuer check toogle
+func (b *ConfigBuilder) WithSkipIssuerCheck(skipIssuerCheck bool) *ConfigBuilder {
+	b.config.SkipIssuerCheck = skipIssuerCheck
+	return b
+}
+
+// WithSkipAudienceCheck sets audience check toggle
+func (b *ConfigBuilder) WithSkipAudienceCheck(skipAudienceCheck bool) *ConfigBuilder {
+	b.config.SkipAudienceCheck = skipAudienceCheck
+	return b
+}
+
+// WithSkipAudienceCheck sets expiry check toggle
+func (b *ConfigBuilder) WithSkipExpiryCheck(skipExpiryCheck bool) *ConfigBuilder {
+	b.config.SkipExpiryCheck = skipExpiryCheck
+	return b
+}
+
 // WithServerURL sets the full server URL directly
 func (b *ConfigBuilder) WithServerURL(url string) *ConfigBuilder {
 	b.config.ServerURL = url
@@ -289,6 +315,9 @@ func FromEnv() (*Config, error) {
 		WithAudience(getEnv("OIDC_AUDIENCE", "")).
 		WithClientID(getEnv("OIDC_CLIENT_ID", "")).
 		WithClientSecret(getEnv("OIDC_CLIENT_SECRET", "")).
+		WithSkipAudienceCheck(getEnv("OIDC_SKIP_AUDIENCE_CHECK", "") != "").
+		WithSkipIssuerCheck(getEnv("OIDC_SKIP_ISSUER_CHECK", "") != "").
+		WithSkipExpiryCheck(getEnv("OIDC_SKIP_EXPIRY_CHECK", "") != "").
 		WithServerURL(serverURL).
 		WithJWTSecret([]byte(jwtSecret)).
 		Build()

provider/provider.go

@@ -30,11 +30,14 @@ type Logger interface {
 
 // Config holds OAuth configuration (subset needed by provider)
 type Config struct {
-	Provider  string
-	Issuer    string
-	Audience  string
-	JWTSecret []byte
-	Logger    Logger
+	Provider          string
+	Issuer            string
+	Audience          string
+	JWTSecret         []byte
+	Logger            Logger
+	SkipIssuerCheck   bool
+	SkipAudienceCheck bool
+	SkipExpiryCheck   bool
 }
 
 // TokenValidator interface for OAuth token validation
@@ -90,7 +93,6 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
 		}
 		return []byte(v.secret), nil
 	})
-
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse and validate token: %w", err)
 	}
@@ -204,9 +206,9 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
 	verifier := provider.Verifier(&oidc.Config{
 		ClientID:             cfg.Audience, // Note: go-oidc uses ClientID field for audience validation - see https://github.com/coreos/go-oidc/blob/v3/oidc/verify.go#L85
 		SupportedSigningAlgs: []string{oidc.RS256, oidc.ES256},
-		SkipClientIDCheck:    false, // Always validate if ClientID is provided
-		SkipExpiryCheck:      false, // Verify expiration
-		SkipIssuerCheck:      false, // Verify issuer
+		SkipClientIDCheck:    cfg.SkipAudienceCheck,
+		SkipExpiryCheck:      cfg.SkipExpiryCheck,
+		SkipIssuerCheck:      cfg.SkipIssuerCheck,
 	})
 
 	v.logger.Info("OAuth: OIDC validator initialized with audience validation: %s", cfg.Audience)