allow specifying certain jwt options as configs w/ burnettk (#1459)

Co-authored-by: jasquat <jasquat@users.noreply.github.com> Co-authored-by: burnettk <burnettk@users.noreply.github.com>
2025-02-28 17:30:35 +00:00 · 2024-04-26 21:36:36 +00:00 · 2024-04-26 21:36:36 +00:00 · bd51222efe
commit bd51222efe
parent fbc97f5556
3 changed files with 13 additions and 6 deletions
--- a/.github/workflows/docker_image_for_main_builds.yml
+++ b/.github/workflows/docker_image_for_main_builds.yml
@ -30,9 +30,6 @@ on:
  push:
    branches:
      - main
-      - spiffdemo
-      - GSA-TTS-fix-path-routing-in-generated-openid-urls
-      - use-vite-to-build

 jobs:
  create_frontend_docker_image:
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@ -97,6 +97,9 @@ config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS", de
 # and store in the user table's tenant_specific_field_n columns. You can have up to three items in this
 # comma-separated list.
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS")
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_IAT", default=True)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF", default=True)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)

 # Open ID server
 # use "http://localhost:7000/openid" for running with simple openid
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -198,6 +198,13 @@ class AuthenticationService:
            algorithm = str(header.get("alg"))
            json_key_configs = cls.jwks_public_key_for_key_id(authentication_identifier, key_id)
            public_key: Any = None
+            jwt_decode_options = {
+                "verify_exp": False,
+                "verify_aud": False,
+                "verify_iat": current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_IAT"],
+                "verify_nbf": current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF"],
+                "leeway": current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY"],
+            }

            if "x5c" not in json_key_configs:
                public_key = cls.public_key_from_rsa_public_numbers(json_key_configs)
@ -214,7 +221,7 @@ class AuthenticationService:
                public_key,
                algorithms=[algorithm],
                audience=cls.valid_audiences(authentication_identifier)[0],
-                options={"verify_exp": False, "verify_aud": False},
+                options=jwt_decode_options,
            )
        return cast(dict, parsed_token)

@ -303,8 +310,8 @@ class AuthenticationService:
        valid = True
        now = round(time.time())

-        # give a 5 second leeway to iat in case keycloak server time doesn't match backend server
-        iat_clock_skew_leeway = 5
+        # TODO: use verify_exp True in jwt decode to check this instead
+        iat_clock_skew_leeway = current_app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY"]

        iss = decoded_token["iss"]
        aud = decoded_token["aud"] if "aud" in decoded_token else None