feat(oidc): make audience claim configurable via environment variable #687

Merged

maany merged 2 commits into master from oidc_audience_claims on Jan 13, 2026

Conversation

@maany maany commented Jan 13, 2026

Summary

Replaces the hardcoded OIDC audience value with a configurable OIDC_EXPECTED_AUDIENCE_CLAIM environment variable.

Changes

  • Added oidcExpectedAudience() method to EnvConfigGateway (defaults to rucio)
  • Updated OIDC provider configuration to fetch audience from environment
  • Implemented JWT audience validation with non-blocking warnings
  • Updated development template to use atlas-rucio-oidc-client
  • Added documentation to README and env-generator README

Backward Compatibility

  • Defaults to rucio if not configured
  • Validation logs warnings but doesn't block authentication
  • Production environments get rucio default via env-generator

Reviewer Checklist (Required)

  • Reviewer competence: I am sufficiently familiar with this domain/system to review this PR

    (If not, a subject-matter expert has been involved.)

  • Problem fit: I understand the issue being addressed, and this PR solves the actual root problem

  • Solution quality: The approach is sound, maintainable, and appropriate for this codebase

  • Security: No new security risks are introduced

  • Backward compatibility & performance: No unintended breaking changes or unacceptable regressions

  • Documentation: Relevant documentation or comments are updated or explicitly not required

---
Approval Notes

When approving, briefly explain what this PR does, why the approach is correct, and anything the merger should pay attention to.

Example guidance (not to be deleted):

  • What problem is solved?
  • Why is this approach acceptable?
  • Any trade-offs, risks, or follow-ups?
  • Anything non-obvious for the merger or future maintainers?

Approval summary:
- Problem:
- Solution:
- Risks / trade-offs:
- Notes for merger:

Add OIDC_EXPECTED_AUDIENCE_CLAIM environment variable to configure the expected audience claim in JWT tokens. This replaces the hardcoded 'atlas-rucio-oidc-client' value with a configurable option.

Changes:
- Add oidcExpectedAudience() method to EnvConfigGateway with default 'rucio'
- Update OIDC provider configuration to use audience from environment
- Add JWT audience validation in auth callback (non-blocking warnings)
- Set default to 'rucio' in env-generator, 'atlas-rucio-oidc-client' in dev template
- Update documentation in README and env-generator README

The validation logs warnings for mismatched audience claims but does not block authentication, ensuring backward compatibility.
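An added example, not code from the rucio webui or from this PR, showing the two pieces the description lists: an expected-audience lookup driven by OIDC_EXPECTED_AUDIENCE_CLAIM with the rucio default, and a JWT audience check that warns on mismatch instead of rejecting. The env-var name and default come from the PR; the function names, the Env and payload types, and the enforcing requireAudience variant are assumptions made for the example.

```typescript
// Added example for this PR, not the rucio webui's own code. It shows a configurable
// expected-audience lookup (OIDC_EXPECTED_AUDIENCE_CLAIM, default "rucio", as in the PR)
// and a JWT audience check that only warns on mismatch. Function names, the Env type
// and the payload shape are assumptions; the strict variant at the end is hypothetical.

type Env = Record<string, string | undefined>;
type JwtPayload = { aud?: string | string[]; [claim: string]: unknown };
type AudienceCheck = { matched: boolean; warning?: string };

// Read the runtime environment without depending on Node typings.
function processEnv(): Env {
  return (globalThis as unknown as { process?: { env?: Env } }).process?.env ?? {};
}

// Expected audience from the environment; unset or blank falls back to "rucio".
function oidcExpectedAudience(env: Env = processEnv()): string {
  const value = env.OIDC_EXPECTED_AUDIENCE_CLAIM?.trim();
  return value ? value : "rucio";
}

// RFC 7519 lets `aud` be one string or an array of strings; normalise to an array.
function audienceList(payload: JwtPayload): string[] {
  if (typeof payload.aud === "string") return [payload.aud];
  if (Array.isArray(payload.aud)) return payload.aud.filter((a) => typeof a === "string");
  return [];
}

// Non-blocking check matching the PR: report a mismatch, never reject the token.
function checkAudience(payload: JwtPayload, expected = oidcExpectedAudience()): AudienceCheck {
  const audiences = audienceList(payload);
  if (audiences.includes(expected)) return { matched: true };
  const seen = audiences.length ? audiences.join(", ") : "<missing>";
  return {
    matched: false,
    warning: `OIDC token audience [${seen}] does not include expected audience "${expected}"`,
  };
}

// Hypothetical enforcing variant: the one-line change that turns the warning into a rejection.
function requireAudience(payload: JwtPayload, expected = oidcExpectedAudience()): void {
  const result = checkAudience(payload, expected);
  if (!result.matched) throw new Error(result.warning);
}

// Constructed sample tokens (payload only) to exercise both outcomes stand-alone.
const devEnv: Env = { OIDC_EXPECTED_AUDIENCE_CLAIM: "atlas-rucio-oidc-client" };
console.log(checkAudience({ aud: ["atlas-rucio-oidc-client", "rucio"] }, oidcExpectedAudience(devEnv)));
console.log(checkAudience({ aud: "some-other-client" }, oidcExpectedAudience({})));
```

With the warn-only check a token issued for a different client is still accepted, which is the backward-compatibility trade-off the PR describes; requireAudience shows what enforcing would change.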
@maany maany linked an issue Jan 13, 2026 that may be closed by this pull request
@maany maany merged commit 36fd708 into master Jan 13, 2026
8 checks passed
@maany maany deleted the oidc_audience_claims branch January 13, 2026 17:00
Development

Successfully merging this pull request may close these issues.

OIDC audience claim was hardcoded as rucio