Auth: Use OpenID Connect Discovery rucio#6414

Previously, the implementation would assume that the token endpoint be the issuer URL concatenated with the hard-coded ‘/token’ path. With this commit, the OpenID Connect Discovery specification is used instead. The mechanism is used exactly once, when the configuration is first loaded.
dchristidis · Jun 27, 2024 · 14fc83f · 14fc83f
1 parent 0bbc069
commit 14fc83f
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/lib/rucio/core/oidc.py b/lib/rucio/core/oidc.py
@@ -243,13 +243,22 @@ def __load_oidc_configuration() -> bool:
             data = json.load(f)
             OIDC_CLIENT_ID = data[ADMIN_ISSUER_ID]['client_id']
             OIDC_CLIENT_SECRET = data[ADMIN_ISSUER_ID]['client_secret']
-            OIDC_PROVIDER_ENDPOINT = urljoin(data[ADMIN_ISSUER_ID]['issuer'], 'token')
+            issuer = data[ADMIN_ISSUER_ID]['issuer']
     except Exception:
         logging.error('Failed to parse configuration file "%s"', IDPSECRETS,
                       exc_info=True)
         return False
-    else:
-        return True
+    try:
+        oidc_discover_url = urljoin(issuer, '.well-known/openid-configuration')
+        response = requests.get(oidc_discover_url)
+        response.raise_for_status()
+        payload = response.json()
+        OIDC_PROVIDER_ENDPOINT = payload['token_endpoint']
+    except (requests.HTTPError, requests.JSONDecodeError, KeyError):
+        logging.error('Failed to discover token endpoint', exc_info=True)
+        return False
+
+    return True
 
 
 def __get_init_oidc_client(token_object: models.Token = None, token_type: str = None, **kwargs) -> dict[Any, Any]: